Candidate Privacy Policy
Purpose
Reachdesk is committed to protecting the privacy and security of your personal information. This privacy notice explains, in general terms, how Reachdesk collects and uses personal data about job applicants and candidates.
Data privacy laws vary across jurisdictions where Reachdesk operates and recruits. Reachdesk’s policy is to comply with local laws, including any requirements to provide country-specific notices and, in some cases, obtain consent. Where local laws are stricter than this notice, we apply additional local practices to meet those requirements. Where local laws are less strict, the protections in this notice apply.
This notice applies to all job applicants and candidates. It is not a contract and does not form part of any contract of employment or offer of employment. We may update this notice from time to time and will provide an updated copy as soon as reasonably practical.
If you have questions or need this notice in an alternative format due to a disability, please contact the Legal Department at legals@reachdesk.com.
Who is the controller?
Reachdesk is a “controller,” meaning we decide how and why we process your personal information. The controller is the Reachdesk entity named in the relevant job advertisement or offer documentation (for example, Reachdesk Ltd for UK roles, Reachdesk Inc for US roles, and Reachdesk Unipessoal Lda for roles in Portugal).
Data protection principles
We comply with applicable data protection laws. This means the personal information we hold about you must be:
- Used lawfully, fairly, and transparently.
- Collected only for valid purposes we have clearly explained, and not used in ways incompatible with those purposes.
- Relevant and limited to what is necessary for those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes explained to you.
- Kept securely.
The information we hold about you
“Personal data” (or “personal information”) means any information about an individual from which that person can be identified. It does not include anonymous data (where your identity has been removed).
Some types of personal data require a higher level of protection (for example, health information or sexual orientation). Information about criminal convictions and offences also requires additional safeguards.
Categories of personal information we may collect
We may collect, store, and use the following categories of personal information:
- Identifiers: such as name, title, addresses, telephone numbers, and personal email addresses; and, where required for recruitment, a government identification number and/or passport number or similar identifier.
- Gender.
- Professional or employment-related information: including recruitment information (such as right to work documentation, references, and information in a CV, cover letter, or application responses) and employment records (including job titles and work history).
- Recruitment assessment information: such as interview notes, scoring/feedback, screening outcomes, and recommendations or flags generated by tools used to support recruitment (for example, duplicate-application detection or CV screening indicators).
- Inferences/derived data: where we generate insights from your application data (for example, role-fit indicators), we treat these as personal data about you.
- Audio, electronic, visual, or similar information: such as photographs.
- Other information you choose to share: for example, hobbies, social preferences, or other information included in free-text responses.
Sensitive personal information
Where permitted by applicable law, we may also collect, store, and use the following sensitive personal information:
- Information about race or ethnicity, religious beliefs, and sexual orientation.
- Information about your health, including medical conditions, where necessary to provide adjustments during the recruitment process.
- Information about criminal convictions and offences (where appropriate for the role and where we are legally able or legally required to do so).
How your personal information is collected
We collect personal information through the application and recruitment process:
- Directly from you, or sometimes from an employment agency or background check provider.
- From third parties where appropriate, such as former employers, credit reference agencies, or other background check providers.
- From publicly available sources, such as public social media profiles (for example, LinkedIn), for recruitment purposes.
How we use your personal information
We will only use your personal information where the law allows us to do so. Most commonly, we rely on:
- Steps at your request prior to entering into a contract with you.
- Compliance with a legal obligation.
- Legitimate interests pursued by us or a third party, where your interests and fundamental rights do not override those interests.
We may also use your personal information in limited circumstances:
- Where necessary to protect your interests (or someone else’s interests).
- Where needed in the public interest or for official purposes.
Situations in which we process your personal information
We process your personal information primarily to assess your suitability for employment and to comply with legal obligations. We may also process personal information to pursue legitimate interests, provided your interests and fundamental rights do not override those interests. This includes:
- Making recruitment decisions and managing the hiring process.
- Determining the terms under which you may be engaged.
- Determining engagement status (including whether your engagement is deemed employment) and issuing any required status determination statements.
- Verifying eligibility, including references and qualifications and, where permitted by law, right to work and background checks.
- Business management and planning, including accounting and auditing.
- Fraud prevention and protecting the company.
- Equal opportunities monitoring.
- Compliance with laws and regulations (for example, labour and employment, health and safety, tax, and anti-discrimination laws), and exercising or defending legal rights (including under judicial authorisation where required).
- Day-to-day operational purposes such as accounting, financial reporting, and business planning.
- General assessments of applicants and candidates.
- Corporate transactions, such as a merger, acquisition, or restructuring.
If you fail to provide personal information
If you do not provide certain information when requested, we may be unable to progress your application, assess your suitability, or comply with legal obligations (for example, verifying right to work).
Change of purpose
We will only use your personal information for the purposes we collected it for, unless we reasonably consider we need to use it for another compatible purpose. If we need to use your personal information for an unrelated purpose, we will notify you and explain the legal basis for doing so.
Please note we may process your personal information without your knowledge or consent where required or permitted by law.
How we use sensitive personal information
Sensitive personal information requires higher levels of protection. We maintain appropriate safeguards and any required policy documentation. We may process sensitive personal information:
- With your explicit written consent (in limited circumstances).
- To carry out our legal obligations or exercise rights in connection with recruitment.
- Where required to promote the public interest, such as equal opportunities monitoring.
- Where necessary to protect you or another person from harm.
Less commonly, we may process sensitive personal information where needed in relation to legal claims, where you have made the information public, or where you are not capable of giving consent and processing is necessary to protect your interests (or someone else’s interests).
Specific situations
- To provide appropriate adjustments during recruitment where required, based on information about your physical or mental health or disability status.
- If we reasonably believe you or another person is at risk of harm, and processing is necessary to protect physical, mental, or emotional well-being.
- For equal opportunities monitoring and reporting under applicable law, using information about race, national or ethnic origin, religious/philosophical/moral beliefs, or sexual orientation. Where provided, we use this information for monitoring and reporting purposes (typically in aggregated form) and it is not used to make recruitment decisions about you.
Do we need your consent?
We do not need your consent where we process sensitive personal information to carry out legal obligations or exercise specific rights in recruitment and employment law, in line with our written policy. In limited circumstances, we may ask for your written consent to process certain particularly sensitive data. If we do, we will explain what information we want, why we need it, and your options. Agreeing to consent is not a condition of your application.
Information about criminal convictions
We only process information about criminal convictions and offences where the law allows. We will only collect this information where appropriate given the nature of the role and where we are legally able or required to do so. Where applicable, we may use this information to determine suitability to work on specific customers that require Reachdesk to conduct background checks. We maintain appropriate safeguards as required by law.
Automated decision-making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention.
We use automated tools to support parts of our recruitment process (for example, to help detect duplicate applications, manage candidate pipelines, and prioritise applications for review). In some cases, these tools may automatically reject an application where our systems identify it as a duplicate application or a repeat application from a candidate who has previously been unsuccessful. This identification typically uses information such as identifiers you provide (for example, name, email address, and application history) and matching rules designed to reduce duplicate processing and help manage recruitment at scale. We apply this process only within the period we retain recruitment records (see “Data retention” below).
These automated checks are based on identifiers and application history, and we do not use special category data (such as health, race/ethnicity, or sexual orientation) to make automated rejection decisions.
Your right to challenge and request human review
If your application is automatically rejected and you believe this is incorrect or you would like the decision reconsidered, you can request a review. You may request human intervention, provide additional information or your point of view, and challenge the outcome. To do so, contact us at legals@reachdesk.com with the subject line “Recruitment automated decision – review request”, and include the role you applied for and any relevant details. We will review your request and respond without undue delay. Where appropriate, we may reconsider the decision and re-open your application for review.
Data sharing
We may share your personal information with:
- Third-party service providers, and
- Other entities in the Reachdesk group,
where required by law, necessary to administer the recruitment process, or where we have another legitimate interest in doing so.
We require third parties to respect the security of your data and treat it in accordance with the law. We do not allow third-party service providers to use your personal data for their own purposes; they may only process it for specified purposes and in accordance with our instructions.
We may transfer your personal information outside the country where it was originally collected, including to countries with different privacy protections. Where we do so, we will ensure appropriate safeguards are in place so your personal information receives a similar degree of protection.
CCPA notice (California)
For the avoidance of doubt, we do not sell or share your personal information (including sensitive personal information) as defined under California law. For the purposes of this notice, under the California Consumer Privacy Act (CCPA):
- “Sell” means disclosing personal information for monetary or other valuable consideration (excluding, for example, a transfer as an asset as part of a merger, bankruptcy, or other disposition of all or part of our business).
- “Share” means disclosing personal information for cross-context behavioural advertising.
If the CCPA applies to you, please refer to the information disclosure chart below for additional information on how we process your personal information.
CCPA information disclosure chart
Categories of personal information we collect and to whom we disclose personal information for a business purpose:
- Identifiers (e.g., real name, alias, postal address, unique personal identifier, online identifier, email address, account name, or similar identifiers)
Disclosures: affiliates or subsidiaries; data analytics providers; government entities (as needed to comply with law or prevent illegal activity); service providers that support our recruitment and IT operations (for example, applicant tracking systems, recruitment management tools, scheduling/communications tools, hosting, and security providers); professional services organisations (including auditors and law firms).
- Characteristics of protected classifications (e.g., age, sex, race, ethnicity, physical or mental handicap)
Disclosures: affiliates or subsidiaries; government entities (as needed to comply with law or prevent illegal activity); professional services organisations (including auditors and law firms).
- Internet or other electronic network activity information (e.g., browsing history, search history, interaction with a website, application, or advertisement)
Disclosures: affiliates or subsidiaries; government entities (as needed to comply with law or prevent illegal activity); service providers that support our recruitment and IT operations (for example, hosting and security providers); professional services organisations (including auditors and law firms).
- Audio, electronic, visual, thermal, olfactory, or similar information
Disclosures: affiliates or subsidiaries; government entities (as needed to comply with law or prevent illegal activity); service providers that support our recruitment and IT operations (for example, hosting and security providers); professional services organisations (including auditors and law firms).
- Professional or employment-related information
Disclosures: affiliates or subsidiaries; data analytics providers; government entities (as needed to comply with law or prevent illegal activity); service providers that support our recruitment and IT operations (for example, applicant tracking systems, recruitment management tools, scheduling/communications tools, hosting, and security providers); professional services organisations (including auditors and law firms).
- Non-public education information (as defined in the Family Educational Rights and Privacy Act)
Disclosures: affiliates or subsidiaries; government entities (as needed to comply with law or prevent illegal activity); service providers that support our recruitment and IT operations (for example, hosting and security providers); professional services organisations (including auditors and law firms).
- Inferences drawn from the information listed above
Disclosures: affiliates or subsidiaries; data analytics providers; government entities (as needed to comply with law or prevent illegal activity); service providers that support our recruitment and IT operations (for example, applicant tracking systems, recruitment management tools, scheduling/communications tools, hosting, and security providers); professional services organisations (including auditors and law firms).
- Additional categories of personal information described in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) (e.g., signature, physical characteristics or description)
Disclosures: affiliates or subsidiaries; data analytics providers; government entities (as needed to comply with law or prevent illegal activity); service providers that support our recruitment and IT operations (for example, hosting and security providers); professional services organisations (including auditors and law firms).
- Sensitive personal information (where applicable) (e.g., government identification, health information for recruitment adjustments, and information about criminal convictions and offences where appropriate)
Disclosures: affiliates or subsidiaries; government entities (as needed to comply with law or prevent illegal activity); service providers that support our recruitment and IT operations (for example, applicant tracking systems, recruitment management tools, background check providers where applicable, hosting, and security providers); professional services organisations (including auditors and law firms).
Why we share personal information with third parties
We share personal information with third parties where required by law, where necessary to administer recruitment, or where we have another legitimate interest in doing so.
Third-party service providers
Third-party service providers may support activities such as IT services, recruitment, and recruitment management services.
Sharing within the Reachdesk group
We may share personal information within the Reachdesk group for reporting activities, business reorganisation or restructuring, system maintenance support, and hosting of data.
Other disclosures
We may share personal information:
- In connection with the possible sale or restructuring of the business.
- With regulators or to otherwise comply with the law (including where required for reporting obligations).
- Where we reasonably believe disclosure is required to comply with applicable law, regulation, legal process, or government authority.
- To exercise, establish, or defend legal rights (including enforcing agreements and policies).
- To protect Reachdesk’s rights or property.
- To protect Reachdesk, our customers, or the public from harm or illegal activities.
- To respond to an emergency where disclosure is needed to prevent harm.
- With your consent.
International transfers
We may transfer personal information to other countries or jurisdictions (including the United States, United Kingdom, or European Union), or to a country where a service provider is located, to support recruitment. If a destination country is not deemed to provide an adequate level of protection, we will implement appropriate safeguards consistent with applicable law. Where required, this includes the European Commission’s Standard Contractual Clauses and, where the UK GDPR applies, the UK Addendum to the SCCs and/or the UK International Data Transfer Agreement (IDTA), together with any additional safeguards required by law.
Further information about our protective measures, including a copy of the executed Standard Contractual Clauses, is available from the Legal Department.
Data security
We have appropriate security measures to prevent personal information from being accidentally lost, used, accessed, altered, or disclosed in an unauthorised way. Access is limited to employees, agents, contractors, and other third parties with a business need to know, and they must process personal information only on our instructions and subject to confidentiality obligations.
We have procedures to deal with suspected data security breaches and will notify you and any applicable regulator where legally required.
Data retention
We retain personal information only as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, or reporting requirements.
As a general rule:
- If your application is unsuccessful, we retain recruitment records for 24 months after the end of the recruitment process to manage recruitment, respond to queries, demonstrate a fair process, and defend or bring legal claims.
- If you are hired, recruitment records will be retained as part of your personnel file in line with our employee privacy notice and retention schedule.
We determine retention periods based on the amount, nature, and sensitivity of the data; the risk of harm from unauthorised use or disclosure; the purposes for processing; and applicable legal requirements.
In some circumstances, we may anonymise your personal information so it can no longer be associated with you. We may use anonymised information without further notice.
Your rights
Your duty to inform us of changes
Please keep us informed if your personal information changes during the recruitment process, so our records remain accurate and current.
Your rights in connection with personal information
Depending on applicable law, you may have the right to:
- Request access to your personal information (a “data subject access request”), subject to legal limitations (for example, where disclosure is prohibited by law or would harm the rights of another).
- Request correction of incomplete or inaccurate personal information.
- Request erasure of your personal information where there is no good reason to continue processing it, subject to exceptions (for example, where needed to protect legal rights or where we are required to keep it by law).
- Object to processing where we rely on legitimate interests and you have grounds relating to your particular situation.
- Request restriction of processing (for example, while verifying accuracy or the reason for processing).
- Request data portability, where applicable.
To exercise your rights, contact the Legal Department at legals@reachdesk.com. We will not discriminate against applicants who exercise their data privacy rights.
No fee usually required
You will not usually have to pay a fee to exercise your rights. However, we may charge a reasonable fee or refuse to comply if a request is clearly unfounded or excessive.
What we may need from you
We may need specific information to confirm your identity and ensure your right to access the information (or exercise other rights). This helps protect your personal information from unauthorised disclosure.
Use of authorised agents
In some circumstances, you may designate an authorised agent to submit a request on your behalf to access, correct, or delete your personal information. To do so, you must:
- provide the authorised agent with written, signed, and notarised permission to submit the request; and
- verify your identity directly with us.
If you are submitting a request on behalf of another person, please contact our data privacy manager and provide written and notarised proof that you are authorised to act on their behalf. We may deny requests where sufficient proof of authorisation is not provided.
Right to withdraw consent
Where you have provided consent for a specific purpose, you may withdraw that consent at any time by contacting the Legal Department. Once withdrawn, we will stop processing for that purpose unless we have another lawful basis to continue.
Data privacy manager and complaints
We have appointed a data privacy manager to oversee compliance with this notice. If you have questions about this notice or how we handle your personal information, contact the Legal Department at legals@reachdesk.com.
If you are in the European Union or United Kingdom and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.
Changes to this notice
We may update this privacy notice at any time and will provide a new notice when we make substantial updates. We may also notify you in other ways from time to time about how we process your personal information.
If you have any questions about this notice, please contact legals@reachdesk.com.