Privacy Policy

This Privacy Policy explains how The Candidate Group Ltd (referred to as “we”, “us” or “our”) collects, uses, shares and protects personal data when you use our platform and related services.

We operate as a UK-based organisation at:
Suite RA01, 195–197 Wood Street, London, E17 3NU.

We act as an independent data controller for the candidate and employer data we process in connection with the operation of the Platform. Employers using the Platform are separate controllers for any data they export into their own systems.

1. Data we collect

What data we collect

• Account identifiers — name, email address, password hash, and optional contact details.
• Profile and employment data — CVs, profile text, skills, employment history, certificates, photos, promo videos and candidate cards.
• Usage and interaction data — applications, shortlists, messages, interview scheduling and employer interactions with candidate cards.
• Technical and security data — IP address, device/user agent details, login history, audit logs, error logs and security events.

2. Why we use it (lawful bases)

Why we collect it

• Contract — to create and operate user accounts, process job applications, manage messaging, shortlists, interviews and employer access to candidate cards.
• Legitimate interests — to secure the Platform, prevent fraud and abuse, analyse usage, improve matching, and support candidates and employers in making better hiring decisions.
• Consent — for optional activities such as marketing emails, where shown clearly and where you can opt in or out at any time.

3. Data sharing

Who we share data with

• Employers and recruiters — we share candidate information, including candidate cards and media, in line with candidate preferences and Platform rules (for example, anonymous mode vs open identity).
• Service providers — carefully selected providers for hosting, storage, logging, analytics, security and communications, under appropriate data protection terms.
• Legal, regulatory or enforcement bodies — where required by law, court order or to protect the rights and safety of users and the Platform.

4. Retention & deletion

Retention & deletion

We retain personal data for as long as necessary to provide the Platform, comply with our legal obligations and resolve disputes. This typically includes:

• Automatic expiry or archiving of inactive accounts and older files after defined periods.
• Rotation of security and audit logs based on risk and compliance requirements.
• Retention of certain records where required for tax, accounting or fraud prevention.

You can request account deletion or export of your data via the in-app tools (for example, the candidate settings “Danger Zone”) or by contacting us using the details below.

5. Security & privacy by design

Security & privacy by design

We implement a layered security approach, including (without limitation):

• Secure sessions with appropriate cookie flags and CSRF protection on forms and APIs.
• Modern password hashing (e.g. Argon2id or bcrypt), rate limiting and login audit trails.
• Content Security Policy (CSP) with nonces and restricted script origins.
• Strict validation for file uploads and media handling, with server-side checks.

We design our information security and privacy management systems to align with ISO/IEC 27001 and ISO/IEC 27701, and we reference ISO/IEC 27017 and ISO/IEC 27018 for cloud security and privacy, ISO 9001 for quality, and ISO/IEC 42001 for AI governance where applicable. Certification status and scope may evolve over time and will be confirmed on request.

Security is a shared responsibility. Employers are expected to apply equivalent care when handling candidate data they access via the Platform.

For more detail on our risk assessment and mitigations, you can review our DPIA overview where applicable.

6. Your rights

Your rights

• Access to the personal data we hold about you.
• Rectification of inaccurate or incomplete data.
• Erasure (“right to be forgotten”) in appropriate circumstances.
• Restriction or objection to certain types of processing.
• Data portability where technically feasible and legally applicable.
• Withdrawal of consent at any time where consent is the basis of processing.

You can exercise many of these rights directly through your account. Where that is not possible, contact us using the details below and we will respond in line with applicable data protection laws.

7. Contact & complaints

Contact

For privacy or data protection queries, or to exercise your rights, you can contact us at:

• The Candidate Group Ltd
• Suite RA01, 195–197 Wood Street, London, E17 3NU
• Email: support@thecandidategroup.ltd

You also have the right to lodge a complaint with the relevant supervisory authority in your country. In the UK, this is the Information Commissioner’s Office (ICO).

This Privacy Policy may be updated from time to time. We will highlight material changes within the Platform or by email where appropriate.