Privacy Policy & Data Processing Agreement

How we collect, use, and protect your data

Privacy Policy

Last updated: 10 April 2025

This Privacy Policy explains how Talent Showcase ("we", "our", or "us") collects, uses, stores, and protects your personal information when you interact with our platform, website, or services.

We take your privacy seriously and are committed to handling personal data in a way that is transparent, secure, and lawful, in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

If you have any questions about how we manage your data or wish to exercise your rights, please contact our Data Protection Officer, Joe Draper, at joe@talentshowcase.co.uk.

1. What this policy covers

This notice outlines:

  • What types of personal data we collect;
  • How and why we use it;
  • When we may share it;
  • Your rights regarding your data.

This policy applies to all data processed through our website and platform.

2. What data we collect

Depending on how you interact with Talent Showcase, we may collect and process the following categories of personal data:

a) Identity & Contact Details

Includes: name, email address, phone number, job title, and any other details you provide to create an account or contact us.

b) Candidate Data (Submitted by Agencies)

Includes: resumes, employment history, qualifications, summaries, and other content uploaded by recruitment agencies to our platform.

c) Technical Data

Includes: IP address, browser type, operating system, device type, time zone, and interaction logs.

d) Usage & Preferences

Includes: how you use the site, features accessed, settings, communication preferences, and feedback.

We may also create aggregated and anonymised data (e.g. platform usage stats), which cannot be used to identify you.

3. Special category data

We do not intentionally collect any sensitive personal data (e.g. health, racial or ethnic data, political opinions). Recruitment agencies using our service are responsible for ensuring they do not upload such data unless legally permitted to do so.

4. If you don't provide your data

If you choose not to provide necessary personal information, we may be unable to offer you access to certain features or fulfil our obligations to you or your organisation.

5. Legal bases for processing

We only process personal data when the law allows. The lawful bases we rely on include:

a) Contractual necessity

When data is needed to provide our services, manage accounts, or fulfil agreements with users or their employers.

b) Consent

In some cases, we rely on your consent – such as when you sign up for newsletters or agree to cookies. You can withdraw consent at any time.

c) Legitimate interests

We may process data to improve our services, respond to enquiries, detect abuse, or manage platform security—only where your interests or rights do not override ours.

d) Legal obligation

We may need to retain or disclose certain data to comply with applicable laws and regulations.

6. How we use your data

We may use your data to:

  • Create and manage your account;
  • Process and anonymise candidate resumes;
  • Generate anonymised candidate profiles for agency clients;
  • Maintain platform security and monitor performance;
  • Respond to support requests or enquiries;
  • Send system or service-related communications;
  • Conduct internal research, analytics, or troubleshooting.

7. Cookies and tracking

We use cookies and similar technologies to:

  • Remember preferences and log-in states;
  • Analyse site usage and performance;
  • Improve user experience.

When you first visit our site, we'll ask for your cookie preferences. You can manage your choices anytime through your browser settings.

8. Automated processing

We use AI tools (via OpenAI) to help anonymise candidate resumes submitted by agencies. This involves sending CV content to a third-party API to redact or summarise information. The output is then returned and stored on our servers. No decisions are made solely through automation that would have legal or similarly significant effects.

9. Third parties and sub-processors

We may share your data with trusted service providers (sub-processors) who help us operate our platform. These include:

  • Supabase – data hosting and user account storage;
  • OpenAI – AI-powered resume anonymisation.

All third parties are bound by data protection agreements and only act on our instructions.

We never sell or rent personal data.

10. International data transfers

We may use processors located outside the UK or EU. In such cases, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), to maintain the same level of protection as under UK GDPR.

11. Data security

We implement technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS) and at rest;
  • Role-based access controls and Row-Level Security (RLS);
  • Activity monitoring and audit logs;
  • Regular backups and system updates.

12. How long we keep data

We retain personal data only for as long as necessary to:

  • Provide services and fulfil contracts;
  • Comply with legal obligations;
  • Support dispute resolution or audit processes.

When no longer needed, data is securely deleted or anonymised.

13. Your data rights

Under data protection law, you have the right to:

  • Access a copy of your personal data;
  • Request correction or deletion;
  • Object to certain processing;
  • Withdraw consent where applicable;
  • Request data portability;
  • Lodge a complaint with the Information Commissioner's Office (ICO) (https://ico.org.uk).

To exercise any of these rights, contact us at joe@talentshowcase.co.uk. We may need to verify your identity before responding.

14. Communications

When you contact us (e.g. by email or live chat), we retain your details to follow up and provide support. This data is used only for service delivery and support tracking.

15. Changes to this policy

We may update this policy from time to time to reflect changes in law or our services. Any changes will be posted on this page with a revised "last updated" date. If changes are significant, we may notify you by email or platform alert.

16. Contact

For questions, concerns, or to exercise your rights, please contact:

Joe Draper
Data Protection Officer
joe@talentshowcase.co.uk

Data Processing Agreement (DPA)

Last Updated: April 10, 2025

This Data Processing Agreement ("Agreement") is entered into between:

  • Controller: The customer (recruitment agency) who has agreed to the Terms of Service at https://talentshowcase.co.uk, referred to as the "Controller";
  • Processor: Talent Showcase Ltd, a UK company, registered at [insert address], referred to as the "Processor".

Together: the "Parties".

1. Background

This Agreement governs how the Processor handles personal data on behalf of the Controller, in accordance with the UK General Data Protection Regulation (UK GDPR) and, where applicable, the EU GDPR.

This DPA is part of and subject to the Terms of Service between the Parties.

2. Subject Matter

The Processor provides a software platform that allows the Controller to upload candidate CVs, which are then parsed, anonymized, and published as temporary, anonymized web profiles. The Processor stores and processes this data only as instructed by the Controller.

3. Nature and Purpose of Processing

The Processor processes personal data for the following purposes:

  • Storing uploaded CVs or candidate information;
  • Sending CV content to an AI service (OpenAI) for anonymization;
  • Creating and hosting anonymized candidate profiles;
  • Providing access to the Controller's users;
  • Logging usage and providing support.

4. Categories of Data Subjects

Job candidates whose personal data is uploaded by the Controller.

5. Types of Personal Data

The following types of personal data may be processed:

  • Contact details (name, email, phone – if present in CV);
  • Employment history;
  • Education details;
  • Any other information submitted in the CV or metadata;
  • IP addresses and metadata from platform usage (if relevant).

The Controller must ensure that no special category data (e.g. health, ethnicity) is uploaded unless lawful to do so.

6. Duration of Processing

The Processor will retain and process personal data only for as long as the Controller maintains an active account or until instructed to delete data. Upon termination, the Processor will delete or return all personal data unless required by law to retain it.

7. Obligations of the Controller

The Controller agrees that:

  • It has a lawful basis for processing personal data;
  • It has informed data subjects of the processing and use of sub-processors;
  • It will not upload any data it does not have permission to process.

8. Obligations of the Processor

The Processor shall:

  • Process personal data only on documented instructions from the Controller;
  • Ensure that persons authorized to process data are under confidentiality obligations;
  • Implement appropriate technical and organizational measures to ensure data security;
  • Assist the Controller in responding to data subject rights requests;
  • Notify the Controller without undue delay after becoming aware of a data breach;
  • At the Controller's choice, delete or return all personal data after processing ends;
  • Make available all information necessary to demonstrate compliance.

9. Sub-Processors

The Controller authorizes the Processor to use the following sub-processors:

  • Supabase (data hosting & storage)
  • OpenAI (resume parsing & anonymization)

The Processor will ensure all sub-processors are bound by written agreements with obligations equivalent to this DPA and will notify the Controller of any intended changes.

10. International Data Transfers

Where personal data is transferred outside the UK or EEA, the Processor will ensure appropriate safeguards are in place, such as the Standard Contractual Clauses (SCCs) or compliance with any applicable UK adequacy decisions.

11. Security Measures

The Processor has implemented technical and organizational measures including:

  • Row-Level Security (RLS) for database access control;
  • Encryption of data in transit and at rest;
  • Access controls, role-based permissions;
  • Audit logging;
  • Regular review of sub-processor agreements and safeguards.

12. Audit Rights

Upon reasonable notice, the Controller may request information about the Processor's compliance. Where appropriate, audits may be carried out by a third party, subject to confidentiality.

13. Liability

Each Party is liable for its own breach of data protection laws. Nothing in this DPA limits either Party's liability under the law or the main Terms of Service.

14. Term and Termination

This Agreement remains in force for as long as the Processor processes personal data on behalf of the Controller. Upon termination, the Processor will delete or return the data as instructed.

15. Governing Law

This Agreement shall be governed by the laws of England and Wales. Disputes shall be resolved in the courts of England.

16. Contact

For data protection matters:

  • Controller: Contact details as per account registration;
  • Processor: privacy@talentshowcase.co.uk

Signed electronically by use of the platform and acceptance of the Terms of Service.