
GDPR Compliance

Last updated: April 2026 — Eldev LTD

1. Our commitment to data protection

Eldev LTD is committed to protecting the privacy and personal data of all individuals who interact with the Candid8 platform. We comply fully with the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018.

Data protection is not an afterthought at Candid8 — it is embedded into how we design features, store data, and manage access. This page explains our approach to GDPR compliance in plain terms.

2. Data controller and processor responsibilities

Candid8 operates in two distinct roles:

As a data controller: Eldev LTD determines the purposes and means of processing personal data relating to our business clients, website visitors, and platform administrators. As controller, we bear full responsibility for that data.

As a data processor: When our clients use the Platform to collect and assess candidate data, Eldev LTD acts as a data processor on their behalf. Our clients are the data controllers for candidate data and are responsible for ensuring they have a lawful basis for that processing. We process candidate data strictly in accordance with our clients' instructions and our Data Processing Agreement.

This distinction is important. Candidates who wish to exercise their data rights in relation to a specific job application should contact the relevant employer (our client) directly, as they are the data controller for that data. For any data Eldev LTD holds in its capacity as controller, requests should be directed to sales@candid8s.com.

3. Lawful basis for processing

We rely on the following lawful bases under UK GDPR Article 6:

Contract (Article 6(1)(b)): Processing necessary to provide our services to business clients and to operate candidate accounts on the Platform.

Legitimate Interests (Article 6(1)(f)): Improving platform security, preventing fraud, monitoring platform performance, and developing new features, where these interests are not overridden by individual rights. We document our legitimate interests assessments and make them available on request.

Legal Obligation (Article 6(1)(c)): Where processing is required to comply with applicable UK law, including tax and accounting obligations.

Consent (Article 6(1)(a)): Where you have explicitly opted in to specific processing, such as marketing communications. Consent can be withdrawn at any time without affecting the lawfulness of prior processing.

Where we process special category data (such as health information voluntarily provided by candidates), we rely on explicit consent under Article 9(2)(a).

4. Your rights under UK GDPR

Under UK GDPR, individuals have the following rights. We take these rights seriously and will respond to all requests within 30 days:

Right of access (Article 15): You may request a copy of all personal data we hold about you, along with information about how it is processed.

Right to rectification (Article 16): You may request correction of any inaccurate or incomplete personal data.

Right to erasure (Article 17): You may request deletion of your personal data where there is no legitimate reason for us to continue processing it, subject to legal retention requirements.

Right to restrict processing (Article 18): You may request that we limit how we process your data in certain circumstances, for example while a rectification request is pending.

Right to data portability (Article 20): You may request your personal data in a structured, commonly used, machine-readable format (JSON or CSV) where processing is based on consent or contract.

Right to object (Article 21): You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.

Rights relating to automated decision-making (Article 22): You have the right not to be subject to decisions based solely on automated processing that produce significant effects. You may request human review of any such decision.

To exercise any of these rights, contact us at sales@candid8s.com. We will acknowledge your request within 5 business days and respond in full within 30 days. We may ask you to verify your identity before processing your request.

5. Data retention schedules

We retain personal data only for as long as necessary. Our retention schedules are as follows:

Candidate application data: Retained for the duration of the recruitment process and for 12 months thereafter, after which it is securely deleted unless the client instructs earlier deletion or longer retention is legally required.

Client account and billing data: Retained for 6 years from the end of the contractual relationship, in accordance with UK tax and accounting obligations.

Platform usage logs: Retained for 12 months for security and debugging purposes.

OTP verification codes: Deleted or invalidated immediately upon use or expiry.

Marketing communications opt-ins: Retained until consent is withdrawn.

At the end of each retention period, data is permanently deleted from our systems and from those of our data processors.

6. Data security measures

We implement the following technical and organisational security measures to protect personal data:

Technical measures: All data in transit is encrypted using TLS 1.2 or higher. All data at rest is encrypted using AES-256 encryption. Access to production systems is restricted to authorised personnel only, using multi-factor authentication. API keys and service credentials are stored as server-side environment variables and are never exposed to client-side code. Regular automated security monitoring is in place for our infrastructure.

Organisational measures: Access to personal data is granted on a least-privilege basis. Personnel with access to personal data are trained on data protection obligations. We conduct regular reviews of our security practices. Third-party processors are subject to data processing agreements requiring equivalent security standards.

7. Data breach procedures

We have documented procedures for detecting, investigating, and reporting personal data breaches. In the event of a breach that poses a risk to the rights and freedoms of individuals, we will: notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach; notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms; document all breaches in our internal breach register, regardless of whether notification is required.

We will also notify affected business clients promptly so they can fulfil their own notification obligations as data controllers.

8. Data Processing Agreement

As a data processor, Eldev LTD enters into a Data Processing Agreement (DPA) with each business client. The DPA sets out the subject matter, duration, nature, and purpose of the processing, the type of personal data processed, and the obligations and rights of both parties.

Our DPA includes the required provisions under Article 28 of UK GDPR, including obligations relating to sub-processors, security measures, data subject rights assistance, and deletion or return of data upon termination. Business clients who require a copy of our standard DPA should contact sales@candid8s.com.

9. Sub-processors

As a data processor, we use the following sub-processors to deliver our services. We have Data Processing Agreements in place with each of them and take responsibility for their compliance:

Supabase Inc — database hosting and storage (servers located within the EEA).

Vercel Inc — application hosting and content delivery.

Resend Inc — transactional email delivery.

Zapier Inc — webhook automation integrations (only where enabled by the client).

We will notify business clients of any intended changes to our sub-processor list with at least 14 days' notice, providing them the opportunity to object.

10. Contact and complaints

For any GDPR-related enquiries, data subject requests, or concerns about how we handle personal data, please contact us at sales@candid8s.com or write to Eldev LTD, 4th Floor, Silverstream House, 45 Fitzroy Street, London, W1T 6EB.

If you are not satisfied with our response, you have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office (ICO), at ico.org.uk or by calling 0303 123 1113.