Job Applicant Privacy Notice (GDPR)

Last updated: 15 August 2025

1) Who we are and scope
This notice explains how QUANLOOP LIMITED, Reg. No. ΗΕ 460171, 131, Gladstonos str, Kermia Court, 1st floor, 3032 Limassol, Cyprus (“Quanloop”, “we”, “us”) processes personal data about job applicants, candidates referred by others, candidates submitted by recruitment agencies, and individuals who take part in assessments or job‑alerts/talent‑pool communications for roles in Cyprus, Estonia, and Lithuania.
Contact for privacy matters: [email protected]. We have not appointed a Data Protection Officer or an EU representative.

2) What data we collect
We collect only what is needed for recruitment. This includes identification and contact such as name, email, phone, city/country; career profile such as CV/résumé, cover letter, skills, work history, education, qualifications, portfolio/GitHub/LinkedIn links; process data such as interview and assessment scheduling, interviewer notes, communications with you, status/outcomes; assessments such as results and reports from technical/aptitude or similar tests (where used); right‑to‑work/background checks, where for all roles we verify identity and eligibility to work and additional checks (e.g., criminal record or credit) only where lawful and proportionate for the role and jurisdiction, usually at offer stage; referrals/agency submissions such as referrer/agency contact details and any notes provided; website and consent logs such as application timestamps, IP address and device metadata, cookie/consent preferences, email subscription and unsubscribe events; optional diversity and equal‑opportunity data, where if you choose to provide it we may collect self‑identification data on protected characteristics aligned with EU and national laws (e.g., gender, age range, disability status, ethnic/racial origin, sexual orientation; optionally, family status such as marital or parental responsibilities to monitor potential barriers), which is voluntary, processed with your explicit consent, kept separate from selection decisions, and used in aggregate form only for monitoring and reporting purposes; and reasonable accommodation such as information you provide about accessibility needs (e.g., health-related adjustments) so we can support you in the process.

Please avoid including special‑category or other sensitive data unless we specifically request it for the purposes above.

3) How we collect data
We collect data directly from you by email to [email protected] or (if enabled) via a simple web form, including any voluntary self‑identification for equal‑opportunity monitoring or reasonable accommodation requests (all handled via [email protected]); from referrers or recruitment agencies acting on your instruction or under contract with us; from assessments or screening providers we instruct; and from public professional sources you share with us (e.g., LinkedIn, GitHub) and from our corporate email and collaboration tools used during recruitment.

4) Why we use your data and our lawful bases
We use your data to evaluate and progress your application, arrange interviews, make decisions, and issue offers, which is necessary to take steps at your request prior to entering a contract (GDPR Art. 6(1)(b)); to maintain a talent pool and send job‑alerts to those who opt in, which is based on consent (Art. 6(1)(a)) and you may withdraw consent at any time; to operate, secure, and improve the careers site, prevent abuse, detect fraud, maintain logs, and defend legal claims, which is based on our legitimate interests (Art. 6(1)(f)) and we balance these interests against your rights; to meet legal obligations (e.g., right‑to‑work verification at offer/onboarding, equality reporting where required), which is based on legal obligation (Art. 6(1)(c)); and to process any special‑category data (if collected), which is based on explicit consent for equal‑opportunity monitoring (Art. 9(2)(a)) and, for reasonable accommodations in recruitment, employment and social protection law where applicable (Art. 9(2)(b)).

5) Cookies and analytics (summary)
We use an EU‑compliant consent model. Non‑essential cookies (including analytics) load only after your consent. Google Analytics is configured with IP masking and limited retention. See our Cookie Policy for details and to change preferences at any time.

6) Who we share data with
We share data with internal recipients such as authorised Quanloop hiring managers, interviewers, and HR/operations with a need to know; service providers such as email and collaboration tools, assessment providers, background/right‑to‑work check providers (where lawful), analytics and consent‑management providers, and secure hosting, which act as our processors under written contracts; group companies and professional advisers for recruitment oversight, legal advice, or establishment/defence of legal claims; and public authorities or courts if required by law or to protect rights, security, or property.

7) International transfers
If personal data is transferred outside the EEA/UK (e.g., to a service provider’s support location), we use appropriate safeguards such as the European Commission’s Standard Contractual Clauses and, where required, transfer risk assessments and supplementary measures.

8) How long we keep data (retention)
We apply default Cyprus‑aligned retention, applied unless a longer period is required to establish, exercise, or defend legal claims. This includes unsuccessful applications and interview notes, which we delete or review for deletion at 12 months from the final decision; assessment results/reports, which we delete or review at 12 months from the final decision; background/right‑to‑work checks, where we retain only the pass/fail outcome in the recruitment record and delete underlying documents within 6 months from the decision or onboarding (if hired); talent‑pool profiles and job‑alerts (consent‑based), which we keep for 24 months from opt‑in with renewal reminders before expiry and delete sooner if you withdraw consent; and system/consent logs and security events, which we keep for 24 months unless needed longer for security or legal purposes.

Localisation notes (EE/LT)
Estonia (EE): Under the Personal Data Protection Act and Employment Contracts Act, retention for unsuccessful candidates is typically limited to 1 year (or less if not justified) and we align to 12 months but review earlier if requested; criminal‑record or credit checks are not generally lawful unless strictly necessary for the role (e.g., finance/security) and based on a clear legal ground, conduct late in the process (post‑offer) and use summaries only; national ID and tax details collected only at onboarding; complaints to Estonian Data Protection Inspectorate (www.aki.ee).
Lithuania (LT): Labour Code and Law on Legal Protection of Personal Data suggest 1–2 years max for unsuccessful applications and we cap at 12 months with periodic reviews; background checks (e.g., criminal records) must be necessary, permitted by law, and proportionate, avoid retaining originals, right‑to‑work verification for all roles with enhanced checks only for sensitive positions (e.g., privileged access); family status data (if collected for diversity) is protected against discrimination; complaints to State Data Protection Inspectorate (www.vdai.lrv.lt).
In both EE and LT, we ensure processing complies with national labour laws alongside GDPR, including minimising sensitive data collection.

9) Your rights
Subject to conditions and exemptions, you have the right to access your personal data and obtain a copy; correct inaccurate or incomplete data; delete your data in certain circumstances; restrict or object to processing, including any profiling for recruitment; data portability (for data you provided to us); withdraw consent at any time for processing based on consent (e.g., talent‑pool or job‑alerts); and lodge a complaint with a supervisory authority.

Primary supervisory authority
Cyprus: Office of the Commissioner for Personal Data Protection. You may also complain to your local authority if you live or work in the EEA (e.g., as noted in localisation above for EE/LT).

How to exercise your rights
Email [email protected] with “Data rights request” in the subject. We may ask for information to verify your identity. We aim to reply within one month.

10) Children
The Site and our recruitment processes are not directed to individuals under 18. We do not knowingly collect children’s data for recruitment.

11) Security
We implement reasonable technical and organisational measures appropriate to the risks of recruitment processing (e.g., access control, encryption in transit, least‑privilege access, secure retention/deletion, vendor due diligence). We respond to incidents in line with our legal obligations.

12) Automated decision‑making
We do not make solely automated decisions that produce legal or similarly significant effects. If this changes (e.g., for screening), we will explain the logic and your rights.

13) Agencies and referrals
We do not accept unsolicited CVs from agencies. Where an agency is engaged under contract, it must provide candidates with this notice or an equivalent notice at source and collect any required consents. Referrers must ensure the candidate agrees to be referred.

14) Changes to this notice
We may update this notice. Changes take effect when posted on the Site. The “Last updated” date appears at the top.