Privacy Policy
How we handle your personal data.
Last updated: 10 May 2026
This Privacy Policy explains how The ROSE Network ("we", "us", "our"), operated as a function of the Intelligence Corps Association (ICA), Registered Charity No. 1175211, collects, uses, stores, and protects your personal data when you use our website at www.therosenetwork.co.uk.
It also acts as our public-facing data-handling statement: it identifies every third-party processor we use, where each item of personal data is physically stored, the operational-security ("OPSEC") undertaking that members give on signing in, and the levels of data each type of user can see.
Data is shared with us voluntarily. At every stage — registration, mentor application, business listing, opportunity submission, RSVP, contact form — you choose what to share, and we ask for no more than is necessary. In almost all cases this is information you have already published elsewhere or would readily share in a professional networking context (your name, employer, professional summary, business details, a link to a public role or tender). You are in control of what you submit, and you can amend or withdraw it at any time using the rights in section 10.
We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The data controller for personal data collected through this website is:
Intelligence Corps Association
Headquarters ICA
Contact: Mrs Hazel Donald
Email: ica_hq@roseandlaurel.uk
We may collect the following categories of personal data:
GTM-WS8WK4Q9): pages visited, time on site, referral source, browser, device, and approximate (country/city) geography. Only loaded if you accept analytics cookies; runs under Google Consent Mode v2 with ads-data redaction.
js-eu1.hs-scripts.com.
We use your personal data for the following purposes:
| Purpose | Lawful Basis (UK GDPR) |
|---|---|
| Responding to enquiries and contact form submissions | Legitimate interest (Article 6(1)(f)) |
| Reviewing, listing, and managing opportunity, event, business directory, and tender submissions | Legitimate interest (Article 6(1)(f)) |
| Contacting submitters about their submission (e.g. to clarify or confirm details) | Legitimate interest (Article 6(1)(f)) |
| Processing mentor applications and matching mentors with Service Leavers | Legitimate interest (Article 6(1)(f)) |
| Creating and administering member accounts and providing access to member services | Performance of a contract (Article 6(1)(b)) |
| Sending occasional updates and communications about ROSE Network activities, events, opportunities, and initiatives | Legitimate interest (Article 6(1)(f)) — you may opt out at any time |
| Website analytics and improvement | Consent (Article 6(1)(a)) — via cookie consent |
We do not sell, rent, or trade your personal data. The following third-party processors handle your data on our behalf. Each is engaged under a written data-processing agreement and processes data only on documented instructions from us.
| Processor | Purpose | Data sent | Storage region |
|---|---|---|---|
| Supabase (Supabase Inc.) | Primary database, authentication, file storage (member-assets bucket), and scheduled edge functions. Project ID dqpbazgduzhzsdqmklhd. | All structured records: profiles, mentors, businesses, jobs, events, tenders, appointments, member interactions, OPSEC acknowledgements, and member-uploaded images. | AWS eu-west-2 (London, United Kingdom) |
| Vercel (Vercel Inc.) | Static site hosting, serverless API functions (form notifications, CRM sync webhooks, RSS feed), and Vercel Web Analytics. | Request logs (IP, user-agent, URL), serverless function payloads in transit, and aggregated cookieless pageview pings. | Global edge network with primary regions in the EU; logs retained per Vercel's standard policy. |
| HubSpot (HubSpot Inc., portal 148068634) | Customer-relationship management for approved members, mentors, and businesses; contact-form processing; behavioural analytics (consent gated). | Approved member, mentor, and business records (synchronised by webhook on approval); contact-form submissions; consented browsing data. | EU (eu1) data centre — covered by the UK adequacy decision. |
| Resend (Resend, Inc.) | Transactional email delivery for form-submission notifications sent to info@therosenetwork.co.uk and account communications sent from notifications@therosenetwork.co.uk. | Recipient address, sender address, subject, and body of the email (which can include the submitter's name, email, and submission summary). | EU / United States; Standard Contractual Clauses in place. |
| Sentry (Functional Software Inc., trading as Sentry) | Browser-side error monitoring (legitimate interest — site reliability). | Error message, stack trace, page URL, browser, approximate geography, and IP address. Form values are scrubbed before transmission. | Sentry EU (Frankfurt, Germany) — endpoint js-de.sentry-cdn.com. |
| Google (Google Ireland Ltd.) | Google Tag Manager and Google Analytics 4. Loaded only after you accept analytics cookies. | Pageviews, events, anonymised IP, browser, device, approximate geography. | Google data centres globally; transfers protected by Standard Contractual Clauses approved by the ICO. |
| Sendible (Sendible Ltd.) | Social-media scheduling for the public content of approved opportunities and events (consumes our RSS feed at /api/jobs.xml). | Public listing fields only (title, summary, link, image). Submitter contact details and members-only listings are excluded. | UK / EU. |
| Google Fonts & jsDelivr CDN | Delivery of typography (fonts.googleapis.com, fonts.gstatic.com) and the Supabase JavaScript client (cdn.jsdelivr.net). | Standard request metadata only (IP, user-agent). No application data. | Global CDN. |
Job and contract listings are ingested from the public APIs below by scheduled Supabase Edge Functions. We do not send your personal data to these services; they are listed for transparency about where opportunities on the site originate:
Public-facing submissions (approved opportunities, events, business listings, tenders) are published on the website. Submitter contact details are held internally and are not published unless you expressly include them in the public content.
We will never share your data with commercial recruitment agencies or employment brokers. The ROSE Network does not act as a recruitment intermediary.
The ROSE Network website was designed, built, and is managed entirely pro bono by Hermes Digital UK on behalf of the Intelligence Corps Association. No money changes hands; the site sits on Hermes's existing digital infrastructure (Vercel hosting, Supabase database, monitoring and CRM tooling already in place) because doing so is the most efficient way to give the Corps Family a professional digital platform without diverting charitable funds.
This arrangement exists because the Chair of The ROSE Network, Stephen James, also chairs Hermes Digital UK and the independent organisation British Veteran Owned (BVO). We disclose this openly because:
If you have any concern about this relationship or wish to ask further questions about how it is governed, please contact ica_hq@roseandlaurel.uk.
For full transparency, the table below maps each item of personal data to the Supabase table or storage location that holds it. All items live in the project listed in section 5 (London, eu-west-2) and are protected by row-level security (RLS) so users can read only what their role permits.
| Data | Supabase location |
|---|---|
| Login credentials (email + hashed password) | auth.users (managed by Supabase Auth) |
| Member profile (name, role, military status, ICA membership, phone, optional clearance level, optional avatar path) | public.profiles |
| OPSEC acknowledgements (user, version, full text, timestamp, user-agent) | public.member_security_acknowledgements (append-only) |
| Mentor applications and anonymous-mentor fields | public.mentors (public projection through the mentor_directory view) |
| Business directory listings | public.businesses |
| Opportunities | public.jobs |
| Tenders & contracts | public.tenders |
| Public appointments | public.appointments |
| Events & RSVPs | public.events, public.event_attendance |
| Member-to-member interactions (saves, hides, notes) | public.member_interactions |
| Profile photos, mentor photos, business logos | Supabase Storage bucket member-assets |
Because The ROSE Network serves Regulars, Reserves, Veterans, and the wider Corps Family, the member area is governed by an active operational-security undertaking. You are required to read and tick this acknowledgement before you can enter the dashboard, and again whenever the wording is updated. The current text reads:
This member area is for the Corps Family and carefully selected trusted partners only. I will not post or share information that is personally sensitive, commercially sensitive, or operationally sensitive. I understand that even informal comments, introductions, or discussions may carry sensitivity when viewed in a wider context. I will not share member details, opportunities, contracts, or conversations beyond this trusted community without clear permission. I will maintain sound OPSEC at all times, particularly when discussing transition plans, employment matters, or commercially sensitive activity. If in doubt, I will treat information as restricted and seek guidance from The ROSE Network team before posting or sharing.
Each acknowledgement is stored in the public.member_security_acknowledgements table with the notice version, the verbatim text accepted, the timestamp of acceptance, and the user-agent of the browser used. The table is append-only — superseding a notice creates a new row rather than overwriting old ones — so historical evidence is preserved. You can request a copy of your own acknowledgement record at any time using your rights in section 9.
The site is built around five access tiers, enforced both in the navigation and at the database layer through Supabase row-level security:
| Tier | Who | What they can see |
|---|---|---|
| Public visitor | Anyone, signed-out | Public marketing pages (Home, About, Transition, Professional Network, Enterprise, Insights, Case Studies, Get Involved, Contact, public Events) and the subset of opportunities and events that submitters have not marked as members-only. No mentor directory, no business directory, no contracts feed, no other members. |
| Pending member | Registered, awaiting administrator approval | The same public content, plus a holding page confirming approval is in progress. No member directory, mentors, businesses, or contracts. Must accept the OPSEC notice on first sign-in. |
| Approved member (non-ICA) | Approved Networkers, Service Leavers, family members, and trusted civilian/corporate partners whose ICA membership is not set | The full member dashboard, the Mentor directory (anonymous mentors appear under their alias only), Events, Opportunities and Businesses that are not marked members-only, the ability to submit jobs, events, business listings and mentor applications, and the ability to manage their own submissions. |
| Approved ICA member | As above, with profiles.ica_member = true | Everything an approved member sees, plus opportunities, events and business listings flagged members-only, and access to the Contracts & Tenders feed. Enforced server-side by the public.is_ica_member() RLS function. |
| Administrator | ICA / ROSE Network officers granted the admin role | All member, mentor, business, opportunity, tender, event, appointment, interaction, and OPSEC-acknowledgement records, including pending and rejected entries. Administrators can approve or reject submissions, edit listings, view audit columns, and use a "view-as" preview to see the site as another role would. Administrative access is logged. Enforced server-side by the public.is_admin() RLS function. |
Within each tier, a user can always see and manage their own submissions in full; they can see other members' data only at the level above. Anonymous mentors' real names, photos, civilian roles and locations remain administrator-only and are excluded from the HubSpot CRM sync.
Discretionary access by the Chair. The Chair of The ROSE Network has discretion to grant ICA-member-equivalent access (the fourth tier above) to individuals who bring clear value to the Network even where they are not ICA members and not Service or ex-Service. To preserve an audit trail, the Chair will only do so where two existing members are willing to propose and second the candidate; the proposer, the seconder, the date, and the Chair's decision are recorded against the user's profile in Supabase. This route does not bypass the approval workflow, the OPSEC acknowledgement in section 7, or any of the other safeguards in this policy.
Across the network, submitters choose how visible their submissions are. The two controls below operate independently and can be combined:
members-only flag. When set, the listing is visible only to authenticated ICA members and to administrators; anonymous visitors and non-ICA authenticated users do not see the row at all. This is enforced at the database layer by the row-level security policies referenced in section 8 and by the public.is_ica_member() check, not just in the page UI.
Combined, these controls allow an ICA member to post an opportunity or event that does not identify them publicly and that is shown only to other ICA members. Administrators retain access to the full record for moderation, abuse handling, and to allow follow-up where necessary.
You can fully delete your own account and the data we hold about you, and you can request an export of that data, in line with UK GDPR and the Data Protection Act 2018. You do not need a reason and there is no charge.
You also have the full set of rights granted by UK GDPR:
To exercise any of these rights, or for anything else relating to your data, contact us at info@therosenetwork.co.uk. We will respond within one calendar month. The data controller of record is the Intelligence Corps Association — see section 2 for the formal controller address.
To opt out of marketing communications from The ROSE Network (e.g. updates about events, opportunities, or initiatives), email info@therosenetwork.co.uk or click the unsubscribe link in any message we send. Opting out does not affect communications about an active submission or your member account.
We take appropriate technical and organisational measures to protect your personal data, including:
member-assets storage bucket.
Some of our third-party processors (notably Google) may transfer data outside the UK. Where this occurs, appropriate safeguards are in place, including Standard Contractual Clauses approved by the Information Commissioner's Office (ICO).
HubSpot processes data in the EU (eu1 region), which is covered by the UK adequacy decision.
Our website uses cookies. For full details of the cookies we set, how they are used, and how to manage your preferences, please see our Cookie Policy.
Our website contains links to external sites including the ICA main site, Veterans Gateway, SSAFA, the Royal British Legion, and COBSEO. We are not responsible for the privacy practices of these external sites and encourage you to read their privacy policies.
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
We may update this Privacy Policy from time to time. Any changes will be published on this page with an updated "Last updated" date. We encourage you to review this page periodically.