Privacy Policy

1. Who we are

Candid8 is a recruitment technology platform operated by Eldev LTD, a company registered England and Wales. Our registered office is at 4th Floor, Silverstream House, 45 Fitzroy Street, London, W1T 6EB. References to "we", "us", or "our" in this policy refer to Eldev LTD.

This Privacy Policy explains how we collect, use, store, and protect personal data when you use candid8s.com and its associated services. We are committed to handling personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Our role as data processor and controller

Candid8 operates in two distinct capacities depending on the context:

Data Processor: When candidate data is collected through job listings created by our business clients ("Clients"), we act as a data processor on behalf of those Clients, who are the data controllers. In this capacity, we process candidate personal data only on documented instructions from our Clients and in accordance with our Data Processing Agreement.

Data Controller: For data relating to our business Clients, website visitors, and users of our administrative platform, we act as an independent data controller and are responsible for determining how and why that data is processed.

3. What personal data we collect

We collect the following categories of personal data:

From candidates: Full name, email address, phone number, location, CV and work history, cover letters, video interview recordings, assessment responses and scores, personality test results, situational judgement responses, meeting booking information, and application progress data.

From business clients and administrators: Name, work email address, company name, job title, billing and payment information, and usage data relating to the platform.

From website visitors: IP address, browser type, pages visited, time on site, and cookie data (see our Cookie Policy for details).

4. How we use personal data

We use personal data for the following purposes:

To provide the Candid8 platform and its features to business clients and candidates. To process and manage candidate applications on behalf of our clients. To send transactional emails including OTP verification codes, application confirmations, and pipeline stage notifications. To communicate with business clients regarding their accounts, invoices, and support requests. To improve and develop our platform through anonymised usage analytics. To comply with our legal and regulatory obligations.

We do not use candidate personal data for any purpose beyond facilitating the recruitment process for the relevant client. We do not sell personal data to third parties under any circumstances.

5. Legal basis for processing

We rely on the following lawful bases under UK GDPR:

Contract: Processing necessary to provide our services to business clients and to fulfil our obligations under our Terms of Service. Legitimate Interests: Improving platform security, preventing fraud, and developing our product, where these interests are not overridden by individual rights. Legal Obligation: Where processing is required to comply with applicable law. Consent: Where you have explicitly consented to a specific processing activity, such as marketing communications. You may withdraw consent at any time by contacting us at sales@candid8s.com.

6. Third-party data processors

We share personal data with the following trusted third-party processors who assist us in delivering our services. All processors are subject to data processing agreements and are required to handle data securely and in compliance with UK GDPR:

Supabase Inc (USA) — database hosting and storage. Data is stored on servers located within the European Economic Area. Vercel In(USA) — cloud infrastructure and application hosting. Resend Inc (USA) — transactional email delivery. Zapier Inc (USA) — webhook integrations, where enabled by our clients.

We do not transfer personal data to any other third parties without your knowledge except where required by law or where necessary to protect the safety of individuals.

7. International data transfers

Some of our third-party processors are based outside the UK and EEA. Where we transfer personal data internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), adequacy decisions, or other lawful transfer mechanisms. By using our platform, you acknowledge that your data may be transferred to and processed in countries outside the UK.

8. Data retention

We retain personal data only forng as necessary for the purposes described in this policy, unless a longer retention period is required by law.

Candidate data: Retained for the duration of the relevant recruitment process and for up to 12 months thereafter, unless the client instructs earlier deletion. Client account data: Retained for the duration of the contractual relationship and for 6 years thereafter for legal and tax purposes. Website visitor data: Retained for up to 12 months. OTP codes: Deleted or invalidated immediately upon use or expiry.

You may request deletion of your data at any time by contacting sales@candid8s.com.

9. Your rights under UK GDPR

You have the following rights in relation to your personal data:

Right of access: Request a copy of the personal data we hold about you. Right to rectification: Request correction of inaccurate or incomplete data. Right to erasure: Request deletion of your personal data where there is no legitimate reason for us to continue processing it. Right to restrict processing: Request that we limit how we use your data in certain circumstances. Right to data portability: Receive your personal data in a structured, machine-readable format. Right to object: Object to processing based on legitimate interests or for direct marketing purposes. Rights relating to automated decision-making: Request human review of any automated decisions that significantly affect you.

To exercise any of these rights, contact us at sales@candid8s.com. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. These measures include encrypted data transmission using TLS, encrypted data storage, access controls limiting data access to authorised personnel only, regular security reviews and monitoring, and secure API key management. In the event of a personal data breach that poses a risk to individuals, we will notify the ICO within 72 hours and affected individuals without undue delay.

11. Cookies

We use cookies to operate our platform, maintain your session, and understand how our website is used. For full details of the cookies we use and how to manage them, please see our Cookie Policy.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify business clients of material changes by email and will update the "Last updated" date at the top of this page. Your continued use of the platform following notification of changes constitutes acceptance of the updated policy.

13. Contact us

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us at sales@candid8s.com or write to us at Eldev LTD, 4th Floor, Silverstream House, 45 Fitzroy Street, London, W1T 6EB. We aim to respond to all enquiries within 5 business days.