Data & Compliance — McGregor Sceptre

1. Our Compliance Framework

McGregor Sceptre operates at the intersection of immigration law, labor regulations, and data protection. We maintain a structured compliance framework covering three pillars:

Immigration Compliance Labor & Employment Law Data Protection

2. Immigration & Visa Compliance

H-2A (Temporary Agricultural Workers)

We assist employers in meeting all DOL and USCIS requirements for H-2A petitions:

Temporary Labor Certification (TLC) filing with the Department of Labor.
Prevailing wage and adverse effect wage rate (AEWR) compliance.
Housing and transportation provisions as required by 20 CFR 655 Subpart B.
Three-fourths guarantee rule adherence.
Proper I-129 petition filing and consular coordination.

H-2B (Temporary Non-Agricultural Workers)

For hospitality, landscaping, construction, and other non-agricultural sectors:

Temporary need justification (seasonal, peak-load, intermittent, or one-time).
Prevailing wage determination from the National Prevailing Wage Center.
U.S. worker recruitment and domestic labor market testing.
Compliance with the H-2B cap and return worker exemptions.
Correspondence with USCIS and the Department of State.

3. Labor & Employment Law

We ensure all placements comply with:

Fair Labor Standards Act (FLSA) — minimum wage, overtime, and recordkeeping requirements.
Migrant and Seasonal Agricultural Worker Protection Act (MSPA) — disclosure of employment terms, housing standards, and transportation safety for H-2A workers.
OSHA Standards — employers must provide safe working conditions; we verify workplace safety commitments.
Anti-Discrimination Laws — Title VII, INA anti-discrimination provisions (8 USC §1324b), and applicable state laws.
Anti-Trafficking — zero tolerance for trafficking, forced labor, or debt bondage. We comply with the Trafficking Victims Protection Act (TVPA).
No Worker-Paid Fees — in accordance with federal regulations, workers are never charged recruitment or placement fees.

4. Data Handling Practices

4.1 Data Categories

We process several categories of sensitive data:

Personally Identifiable Information (PII): names, addresses, dates of birth, phone numbers, email addresses.
Government-Issued IDs: passport numbers, visa details, Social Security Numbers (employer-side only, post-hire).
Employment Records: work history, skills assessments, reference checks, employment contracts.
Financial Data: employer billing details and payment records processed through Stripe (PCI-compliant; we do not store card numbers).
Platform Usage Data: profile unlock records (which employer viewed which candidate and when), used for enforcing subscription credit limits and monitoring engagement.

4.2 Data Flow

Data moves through our systems in a controlled pipeline:

Collection — via the portal application form, employer dashboard, or direct communication.
Storage — encrypted at rest in Supabase (PostgreSQL) with row-level security policies.
Processing — used for candidate matching, compliance checks, and petition preparation.
Sharing — shared only with the matched employer and relevant government agencies.
Retention & Deletion — retained per legal requirements, then anonymized or purged.

4.3 Technical Safeguards

TLS 1.2+ encryption for all data in transit.
Encryption at rest in our database.
Row-level security (RLS) in Supabase ensuring role-appropriate data access.
Role-based access control (RBAC) — admin, employer, and worker permission tiers.
Secure authentication via Supabase Auth with hashed credentials (no cookies — sessions stored in browser local storage).
Admin API routes require Bearer token authentication restricted to @mcgregorsceptre.com accounts.

4.4 Breach Response

In the event of a data breach:

We will investigate and contain the incident within 24 hours of discovery.
Affected individuals will be notified within 72 hours.
We will report to relevant authorities as required by applicable state breach notification laws.
We will document the incident and remediation steps for compliance records.

5. State-Specific Data Privacy

Depending on the states where our employers and workers operate, additional regulations may apply:

California (CCPA/CPRA): California residents have the right to know, delete, and opt out of the sale of personal information. We do not sell personal data.
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA): Similar rights to access, correct, delete, and opt out of targeted advertising. We honor these rights upon request.
Texas (TDPSA): Effective July 2024, Texas residents have data access, correction, and deletion rights.

To exercise any state-specific rights, contact info@mcgregorsceptre.com.

6. International Data Considerations

Worker applicants may be located outside the United States during the application process. By submitting an application, international applicants consent to the transfer and processing of their data in the United States, where our servers and operations are based. We apply the same security standards regardless of the data's origin.

7. Document Retention Schedule

I-9 Forms: 3 years after hire or 1 year after termination, whichever is later.
H-2 Petition Records: 3 years from the date of filing.
Payroll Records: 3 years (FLSA requirement).
Recruitment Records: 3 years from the date of certification (DOL requirement for H-2B).
Portal Account Data: Duration of active use plus 2 years, then purged.

8. Audits & Accountability

We maintain internal compliance logs and conduct periodic self-audits.
We cooperate fully with DOL, USCIS, and any lawful government audit or investigation.
Employers using our platform agree to permit reasonable compliance checks as part of our service agreement.

9. Reporting Concerns

If you believe there has been a compliance violation, data misuse, or unethical practice, please contact us immediately:

Compliance Team
Email: info@mcgregorsceptre.com

We take all reports seriously. Retaliation against anyone who reports a concern in good faith is strictly prohibited.