privacy policy.

Last updated: 2 June 2025

hireful Ltd ("we", "our", or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and share your personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and forthcoming legislative updates.

1. Data Controller

hireful Ltd is the data controller responsible when processing personal data for internal recruitment and providing our recruitment services.

2. Data Processor

When providing our Applicant Tracking System (ATS) software to clients, hireful Ltd acts solely as a data processor. In this role, we process personal data strictly under the instructions and authority of our clients, who act as data controllers. We ensure compliance through appropriate data processing agreements (Our DPA - hireful.com), implementing necessary security measures, and handling data in alignment with our clients' obligations under the UK GDPR.

3. Personal Data We Collect

We may collect the following categories of personal data:

• Identity data (name, job title, date of birth)
• Contact data (email address, telephone number, postal address)
• Professional data (employment history, CVs, qualifications)
• Visa and other right to work or identity information
• Bank, national insurance and tax (payroll) information
• Information contained in references and pre-employment checks from third parties
• Information that you choose to provide when posting or otherwise contributing content while using our online communities
• Transcript data or recordings from video calls
• Technical data (IP address, browser type, device information)
• Usage data (profile information and information on how you use our software and services)
• Your marketing preferences

We may obtain your personal data from the following sources (please note that this list is not exhaustive):

• You (e.g. a Curriculum Vitae, application or registration form)
• A client
• Other candidates
• Online jobsites
• Marketing databases
• The public domain
• Social Media
• At interview
• Conversations on the telephone or video conferencing (which may be recorded)
• Notes following a conversation or meeting
• Our websites and software applications

Where you are a Candidate and we have obtained your personal data from a third party such as an online job board, it is our policy to advise you of the source when we first communicate with you.

‍4. How We Use Your Personal Data

We process your data lawfully, fairly, and transparently, primarily for the following purposes:

• Providing recruitment services and evaluating job applications
• Managing our relationship with you (e.g., responding to enquiries, complaints, feedback)
• Sending relevant marketing communications
• Introducing and/or supplying you to actual or potential Clients
• Engaging you for a role with us or with our Clients including any related administration e.g. timesheets and payroll
• Collating market or sector specific information and providing the same to our Clients
• Sending information to third parties with whom we have or intend to enter into arrangements which are related to our Recruitment Services
• Enabling you to participate in our online communities
• Providing information to regulatory authorities or statutory bodies, and our legal or other professional advisers including insurers
• To market our Recruitment Services
• Retaining a record of our dealings
• Establishing quality, training and compliance with our obligations and best practice
• For the purposes of backing up information on our computer systems
• Improving and optimising our website and services

Use of AI in Candidate Assessment

We use Anthropic Claude (via AWS Bedrock), an artificial intelligence (AI) tool, to assist our recruitment team in evaluating candidate applications. This AI technology analyses application data and provides recommendations to our recruitment professionals.
‍
Important: No automated decision-making occurs. All recruitment decisions are made solely by human recruiters.

5. Legal Basis for Processing

We process personal data under the following legal bases:
‍

• Consent: We may process your personal data on the basis that you have consented to us doing so for a specific purpose. For example:

• If you apply for a specific role you may have consented to our processing of the data that has been provided for the purpose of progressing your application and considering your suitability for that role

• If you attend an in-person workshop or online webinar, virtual conference, panel discussion or other event organised by us, you consent that we may publish to publicly available platforms either the entire recording of the event, or create and publish new content using edited and/or modified excerpts from the recording of the event

• Enabling you to use and participate in our online communities

• Sending marketing communications

• Using cookies where required.

• Contractual Necessity: Processing necessary to fulfil contracts or provide requested services.

• Legal Obligation: Compliance with legal obligations, such as employment law and financial reporting.

• Legitimate Interests: Internal administrative purposes, fraud prevention, and improving our recruitment services.

6. Data Sharing, Transfers, and International Data Transfers

Your personal data may be shared with:

• Individuals, hirers and other third parties necessary for the provision of our Recruitment Services (with your explicit permission)
• Legal or regulatory authorities, where required by law
• Third-party service providers (e.g., cloud hosting, IT support, email marketing providers)

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:
‍

• Candidate Data: Retained for 5 years after the last interaction unless consent is renewed (for long-term talent pool purposes).
• Employee Records: Retained for 6 years post-employment for legal compliance.
• Marketing Data: Retained until you withdraw your consent or opt-out.

8. Your Data Protection Rights

You have the following rights under UK data protection laws:
‍

• Right to Access: Request copies of your personal data.
• Right to Rectification: Correct inaccurate or incomplete data.
• Right to Erasure: Request deletion of your data, subject to legal exceptions.
• Right to Restrict Processing: Limit processing of your data under specific circumstances.
• Right to Object: Object to data processing based on legitimate interests.
• Right to Data Portability: Receive your data in a structured, commonly used format.
• Rights related to automated decision-making: Although we do not perform automated decision-making, you have the right to ensure human involvement.

To exercise these rights, contact our Data Protection Officer using the details provided below. We aim to respond within one month.

9. Data Protection Impact Assessments (DPIAs)

We conduct DPIAs for high-risk data processing activities, including the use of AI in recruitment. These assessments help identify and mitigate potential data protection risks.

‍10. Security

We are ISO27001:2022 and Cyber Essential certified and maintain robust security measures to protect your data from unauthorised access, disclosure, alteration, or destruction. Our third-party providers uphold equivalent standards.

‍11. Changes to This Privacy Policy

We may update this policy periodically to reflect legal, technological, or business changes. Regularly review this page for updates.

‍12. Contact Us

For questions, requests, or complaints about this policy or our data practices, please contact our DPO:
‍

• Email: steve@hireful.co.uk
• Postal Address: 15-17 Strixton Manor Business Centre, Strixton, Northamptonshire, NN29 7PA, UK

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk.