Privacy Policy
Last updated: 10 June 2026
This Privacy Policy explains how RoleRoot ("RoleRoot", "we", "our", or "us") collects, uses, discloses and safeguards your information when you visit https://example.com (the "Site") or otherwise engage our B2B recruitment, talent‑sourcing and headhunting services (the "Services"). By using the Site or Services you acknowledge the practices described below. If you do not agree, please do not use the Site or Services.
This policy is drafted to satisfy the European Union General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, the California Consumer Privacy Act of 2018 as amended by the CPRA (the "CCPA/CPRA"), and equivalent global privacy frameworks.
1. Data Controller
RoleRoot acts as the data controller for personal data collected through the Site and during the candidate sourcing process. When RoleRoot processes candidate data on behalf of a hiring client, RoleRoot acts as an independent controller for its own recruitment operations and, where contractually agreed, as a processor for that client's separate processing activities.
- Contact: legal@example.com
- Phone: (contact via email)
- Website: https://example.com
2. Categories of Personal Data We Process
Depending on whether you are a candidate, a hiring client (partner), a website visitor, or a public contact, we may process:
- Identification data — full name, preferred pronouns, date of birth (where lawful), nationality, profile photo (where voluntarily provided).
- Contact data — email address, phone number, WhatsApp handle, postal/business address, social profile URLs (LinkedIn, GitHub, portfolio).
- Professional data — CV/résumé content, cover letters, work history, education, certifications, skills, language proficiency, salary expectations, references, voice‑note pitches and interview recordings.
- Sensitive recruitment data — only where strictly necessary and lawful, and never used for automated decisions affecting your rights without human review.
- Commercial data (clients) — company name, billing details, hiring briefs, role requirements, internal feedback on candidates.
- Technical data — IP address, device identifiers, browser type, time‑zone setting, log files, cookie identifiers, referring URLs.
- Usage data — pages viewed, features used, search queries, candidate shortlist views, magic‑link portal activity.
- Communications — emails, WhatsApp messages, calls, voice notes and any attachments exchanged with our team.
3. Sources of Personal Data
We collect personal data: (a) directly from you when you apply, submit a hiring brief, fill out a form, send us a message, or speak with our team; (b) automatically as you interact with the Site (cookies, server logs, analytics); and (c) from third‑party sources such as public professional networks, public registries, and referrals — only where such collection is lawful and aligned with your reasonable expectations.
4. Purposes & Legal Bases (GDPR Art. 6)
| Purpose | Lawful basis |
|---|---|
| Operating the Site and delivering the Services | Performance of a contract / pre‑contractual steps |
| Sourcing, screening and presenting candidates to hiring clients | Legitimate interests (operating a recruitment business) and, where required, your consent |
| Communicating with you about applications, interviews, or briefs | Performance of a contract / legitimate interests |
| Storing your profile in our talent database for future opportunities | Consent (you may withdraw at any time) |
| Complying with employment, tax, anti‑fraud and KYC laws | Legal obligation |
| Defending or pursuing legal claims | Legitimate interests |
| Marketing and analytics | Consent (cookies) / legitimate interests (aggregated metrics) |
5. Sharing & Disclosure
We share personal data only with:
- Hiring clients (partners) — to evaluate your candidacy. Each partner receives access through a private, expiring magic‑link portal scoped to a single hiring brief.
- Service providers (processors) — hosting (e.g. Cloudflare/Supabase), email delivery, CRM, analytics, payment processors. They act under written instructions and contractual confidentiality obligations.
- Professional advisers — lawyers, accountants and auditors subject to confidentiality.
- Authorities — when compelled by law, court order, or to protect our rights, your safety or that of others.
- Successors — in the context of a merger, acquisition, restructuring or sale of assets, subject to equivalent protections.
We never sell personal data and we do not engage in cross‑context behavioural advertising under the CCPA/CPRA.
6. International Transfers
Where personal data leaves the EEA / UK / Switzerland, we rely on adequacy decisions, the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent safeguards, supplemented by technical and organisational measures.
7. Retention
We retain personal data only as long as necessary for the purposes set out above. Default retention windows:
- Active candidates: duration of the relevant search + 24 months (or until consent is withdrawn).
- Hired candidates / clients: for the term of the engagement + the statutory limitation period (typically 6–7 years).
- Marketing contacts: until consent is withdrawn.
- Server/security logs: up to 12 months.
We anonymise or securely delete data when it is no longer required.
8. Security
We apply appropriate technical and organisational measures including: TLS encryption in transit, encryption at rest, role‑based access control, principle‑of‑least‑privilege admin accounts, audit logging, periodic backups, vendor due‑diligence, and breach‑response procedures. No system can be made 100% secure; we will notify you and competent authorities of any qualifying personal data breach without undue delay and, where feasible, within 72 hours.
9. Your Rights
Subject to local law, you may have the rights of access, rectification, erasure ("right to be forgotten"), restriction and data portability, as well as the rights to object, to withdraw consent, and to lodge a complaint with a supervisory authority (e.g. your national Data Protection Authority, the UK ICO, or the California Attorney General).
California residents additionally have the right to know, the right to delete, the right to correct, the right to opt‑out of any "sale" or "sharing" (we do neither), and the right to non‑discrimination.
To exercise any right, contact us at legal@example.com. We will respond within the timeframe required by applicable law (typically 30 days). We may need to verify your identity before acting on a request.
10. Cookies & Tracking
The Site uses strictly necessary cookies for authentication and session management and, where you consent, analytics cookies to understand aggregate usage. You can manage cookies through your browser settings; disabling certain cookies may impair Site functionality.
11. Automated Decision‑Making
We do not make decisions producing legal or similarly significant effects about you based solely on automated processing without meaningful human review.
12. Children
The Site and Services are not directed to individuals under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified through the Site or by email where appropriate. The "Last updated" date at the top of this Policy indicates when it was last revised.
14. Contact
Questions, complaints or rights requests:
- Email: legal@example.com
- Phone: (contact via email)
- Mail: RoleRoot, Legal & Privacy Team
© 2026 RoleRoot. All rights reserved.