Privacy Notice

1.Controller and contact details

1. 1.1The controller of personal data processed for the purposes described in this Notice is XpressApply Ltd, Registration No. HE 000000, with registered office at Spyrou Kyprianou Avenue, 3070 Limassol, Republic of Cyprus.
2. 1.2You may contact us in relation to this Notice or the processing of your personal data by email at privacy@xpressapply.com or in writing at our registered office.
3. 1.3We have appointed a Data Protection Officer who may be contacted at dpo@xpressapply.com.
4. 1.4Where an employer (a "Customer") uses the Service to assess candidates, that Customer is the controller of the candidate personal data processed for its recruitment purposes and we act as a processor on its behalf in accordance with our Data Processing Addendum.

2.Interpretation

1. 2.1In this Notice, "personal data", "processing", "controller", "processor", "data subject" and "supervisory authority" have the meanings given to them in the GDPR.
2. 2.2References to "you" are to the individual whose personal data we process, whether a website visitor, a candidate or a representative of a Customer.
3. 2.3Headings are included for convenience only and do not affect the interpretation of this Notice.

3.Scope of this Notice

1. 3.1This Notice applies to visitors to the Website, to candidates who register for and use the Service, and to representatives of prospective and existing Customers.
2. 3.2Where we act as a processor on behalf of a Customer, the relevant Customer's own privacy notice governs the processing of candidate personal data for that Customer's recruitment purposes, and this Notice describes only the processing for which we are the controller.
3. 3.3This Notice does not apply to third-party websites, products or services that may be linked from the Website, which are governed by their own privacy notices.

4.Categories of personal data we process

Depending on how you interact with us, we process the following categories of personal data:

1. 4.1Identity and contact data, including your name, email address, telephone number, location and account credentials.
2. 4.2Profile and preference data, including your work history, skills, role preferences and any information you choose to add to your profile.
3. 4.3Interview data, including the audio recording and transcript of your structured interview and the scorecard generated against the applicable role rubric. To the extent any such data reveals special categories of personal data within the meaning of Article 9 GDPR, we process it only on the basis of your explicit consent or as otherwise permitted by law.
4. 4.4Application and engagement data, including the roles you view, save or apply to, your status within each recruitment pipeline and messages exchanged through the Service.
5. 4.5Technical and usage data, including IP address, device and browser information, approximate location, and identifiers set through cookies and similar technologies.
6. 4.6Communications data, including the content of enquiries and support requests and our responses to them.

5.Sources of personal data

1. 5.1Directly from you, when you register, complete your profile, take an interview, apply to roles or contact us.
2. 5.2Automatically, through your use of the Website and the Service, by means of cookies and similar technologies.
3. 5.3From Customers and third parties, where you are referred to the Service or where a Customer shares limited data to invite you to interview.

6.Purposes and legal bases of processing

We process personal data only where a lawful basis under Article 6 (and, where relevant, Article 9) GDPR applies, as set out below:

1. 6.1To create and administer your account and to provide the Service — Article 6(1)(b) (performance of a contract to which you are party).
2. 6.2To conduct and score your interview and to generate scorecards — Article 6(1)(b) and, in respect of voice recordings and any special category data, Article 6(1)(a) and Article 9(2)(a) (explicit consent).
3. 6.3To match you to suitable roles and to disclose your interview evidence to a Customer to which you apply — Article 6(1)(b) and your consent given at the point of application.
4. 6.4To secure the Service and to prevent fraud, abuse and misuse — Article 6(1)(f) (our legitimate interest in protecting users and the integrity of the Service).
5. 6.5To maintain, improve and develop the Service, using aggregated or de-identified data wherever practicable — Article 6(1)(f).
6. 6.6To send you service-related communications and, where you have opted in, marketing communications — Article 6(1)(b) and (f), and Article 6(1)(a) for marketing.
7. 6.7To comply with our legal and regulatory obligations — Article 6(1)(c).
8. 6.8We do not sell personal data, and we do not use your interview content to train models for purposes unrelated to providing and improving the Service.

7.Automated decision-making and profiling

1. 7.1The Service includes an automated assessment that evaluates your interview answers against a role-specific rubric and produces a scorecard. This constitutes automated processing within the meaning of Article 22 GDPR.
2. 7.2We apply safeguards to keep the assessment fair: every candidate for a role family is assessed against the same rubric; the interview is recorded as evidence; and job-relevant language is assessed on the CEFR scale without penalising accent.
3. 7.3You have the right to obtain human intervention, to express your point of view and to contest any automated outcome. Where a human review changes the outcome, the revised result replaces the automated one in your record. Further detail is set out in our AI Transparency Notice.

8.Marketing communications

1. 8.1Where you have given your consent, or where otherwise permitted by law, we may send you communications about features, content and opportunities that may be of interest to you.
2. 8.2You may withdraw your consent and opt out of marketing communications at any time, without charge, by using the unsubscribe mechanism in the relevant communication or by contacting us. Opting out of marketing does not affect service communications necessary to operate your account.

9.Disclosure of personal data

We disclose personal data only as necessary and to the following categories of recipient:

1. 9.1Customers to which you apply, who receive your profile and interview evidence for so long as your sharing consent remains in place and who may not reuse it once that consent is withdrawn.
2. 9.2Processors and service providers (sub-processors) that host data, assist AI assessment, support scheduling, process payments, monitor security and deliver communications on our behalf under written contracts imposing data-protection obligations consistent with Article 28 GDPR.
3. 9.3Professional advisers, auditors and insurers, where necessary and subject to confidentiality.
4. 9.4Competent authorities, courts and regulators, where we are required to do so by law or to establish, exercise or defend legal claims.
5. 9.5A successor entity, in connection with a merger, acquisition or reorganisation, subject to this Notice.

10.International transfers

1. 10.1Our default is to host candidate personal data within the European Economic Area (the "EEA").
2. 10.2Where personal data is transferred to a country outside the EEA, we rely on an adequacy decision of the European Commission or, in its absence, on appropriate safeguards under Article 46 GDPR, principally the Standard Contractual Clauses together with any supplementary measures required following a transfer impact assessment.
3. 10.3You may request a copy of the relevant safeguards by contacting us at the address in clause 1.

11.Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, after which it is deleted or anonymised:

1. 11.1Account and profile data is retained for the duration of your account and for a limited wind-down period after closure.
2. 11.2Interview recordings, transcripts and scorecards are retained on a defined retention schedule so that an assessment may be reviewed or audited if you or a Customer so require, and are thereafter deleted or anonymised.
3. 11.3Technical and security logs are retained for a limited period for security and troubleshooting purposes.
4. 11.4You may request erasure of your personal data before the expiry of these periods, subject to any retention required by law.

12.Your rights

Subject to the conditions and exceptions in the GDPR, you have the following rights in relation to your personal data:

1. 12.1the right of access to your personal data and to obtain a copy of it;
2. 12.2the right to rectification of inaccurate or incomplete personal data;
3. 12.3the right to erasure (the "right to be forgotten");
4. 12.4the right to restriction of processing and the right to object to processing carried out on the basis of legitimate interests;
5. 12.5the right to data portability;
6. 12.6the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal; and
7. 12.7the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
8. 12.8You may exercise these rights through your privacy settings or by contacting us at privacy@xpressapply.com. We will respond within one month of receipt of your request, which period may be extended by two further months where necessary, in accordance with Article 12 GDPR. We do not charge a fee unless a request is manifestly unfounded or excessive.

13.Right to lodge a complaint

1. 13.1If you consider that our processing of your personal data infringes data-protection law, you have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection (https://www.dataprotection.gov.cy), which is the supervisory authority in the Republic of Cyprus, or with the supervisory authority of your EEA place of residence or work.
2. 13.2We would, however, appreciate the opportunity to address your concerns before you approach the supervisory authority, and encourage you to contact us in the first instance.

14.Cookies and similar technologies

1. 14.1The Website uses cookies and similar technologies as described in our Cookie Policy, which forms part of this Notice.

15.Security

1. 15.1We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, including encryption of data in transit and at rest, access controls operating on a least-privilege basis, monitoring and a documented incident-response process. Further detail is set out in our Security Statement.

16.Children

1. 16.1The Service is intended for persons who are at or above the minimum working age applicable in their jurisdiction. We do not knowingly collect personal data from children, and we will delete such data if we become aware that we hold it.

17.Links to other websites

1. 17.1The Website may contain links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.
2. 17.2We do not control those third-party websites and are not responsible for their privacy practices. We encourage you to read the privacy notice of every website you visit.

18.Changes to this Notice

1. 18.1We may amend this Notice from time to time to reflect changes in the Service, our practices or applicable law. The version in force is identified by the effective date stated at the head of this document.
2. 18.2Where changes are material, we will provide notice within the Service or by email before they take effect. Your continued use of the Service after the effective date constitutes acknowledgement of the amended Notice, save where your consent is required.