Last Revised
1. Introduction
This privacy notice explains how Planhat collects and uses personal data about candidates throughout our recruitment process. It applies whether you have applied to a role yourself, been sourced or referred to us, been introduced through an external recruiter or headhunter, or asked us to keep you in mind for future opportunities.
The notice covers our entire recruitment process, including the use of AI tools to support screening of applications, transcription and note-taking from interviews, and structured summarisation of interview content. We have written it to give you a clear picture of what we do with your data, why we do it, and the rights you have.
2. Who is responsible for your data
Planhat acts as the data controller for your personal data in our recruitment process. The Planhat entity that is your controller depends on where you apply or where the role is based:
Where you apply / are based | Controller |
|---|---|
EEA (incl. Sweden) | Planhat AB |
United Kingdom | Planhat Ltd. |
United States | Planhat, Inc. |
In this notice, we refer to all companies in the Planhat group together as “Planhat”, “we”, “us” or “our”. Where you apply or are considered for a role at one entity but the recruitment process is supported by another entity in the group, those entities cooperate to process your data for the purposes described in this notice.
3. Where we get your personal data from
We collect personal data from a number of sources:
Directly from you, when you apply for a role, take part in interviews or technical exercises, or otherwise communicate with us.
From professional networks and other publicly available sources, where we identify and approach candidates who appear to be a good fit for a role.
From people who refer you to us, such as employees or business contacts of Planhat.
From external recruiters and headhunters who introduce you to us as a candidate. These external recruiters and headhunters decide for themselves how to source candidates and act as separate controllers when they do so. They are responsible for informing you about their own processing and for confirming with you before sharing your CV with us.
From background check, reference, assessment or similar providers, where we engage them in connection with a specific role and have informed you in advance.
4. The personal data we process
We process the personal data we need for the recruitment process. The exact information depends on the role and the stage of the process, but typically includes:
Identification and contact details, such as your name, email address, phone number and location.
Application materials, such as your CV, cover letter, portfolio or work samples, and answers to application questions.
Professional information, such as your work history, education, skills, qualifications, languages, salary expectations, availability, notice period and right to work.
Information about your interactions with us during the recruitment process, including correspondence, interview notes, recordings and transcripts of interviews and technical exercises (where you have been informed in advance), and assessments or scorecards generated by us or our service providers, including AI-assisted outputs.
Information from references, background checks or assessments, where relevant for the role and where you have been informed in advance.
Diversity-related information that you choose to share with us on a voluntary and anonymous basis, where we run such surveys.
Technical and usage information collected when you visit our careers site or use our application platform, such as device and browser information, IP address, and pages or features you interact with. This is collected through cookies and similar technologies (see Section 13 for details).
Personal data we process about you may, incidentally, reveal information that is considered sensitive, for example because it appears in your CV. We do not ask for such information and we do not use it as a criterion when evaluating your application. Where we process such data, we rely on applicable employment law to do so.
5. Why we process your personal data and our legal basis
We process your personal data for the purposes set out in the table below. The legal basis on which we rely depends on the purpose.
Why we process your data | Legal basis |
|---|---|
Running the recruitment process for the role you have applied for or are being considered for. | Article 6(1)(b) GDPR – processing is necessary in order to take steps at your request before entering into a possible employment or engagement contract. |
Using AI tools to support our recruitment process, including screening of applications, AI-assisted note-taking and transcription of interviews and technical exercises, and structured summarisation of interview content for our interviewers. | Article 6(1)(f) GDPR – our legitimate interest in using AI tools to support the efficiency, consistency and quality of our recruitment process. We have balanced this interest against your interests, rights and freedoms in formal legitimate interests assessments and have put safeguards in place, including human review of AI outputs before any decision is communicated to you, restrictions on what AI tools may be asked to assess, and contractual measures that prevent your data from being used to train our providers' AI models. You can object to this processing at any time. |
Considering you for a role where you have been sourced or referred (e.g. through a headhunter or professional network) and have not yet applied | Article 6(1)(f) GDPR – our legitimate interest in identifying and approaching suitable candidates. We have balanced this interest against your interests, rights and freedoms; you can object at any time. |
Keeping you in our talent pool for future opportunities | Article 6(1)(a) GDPR – Your consent. You can withdraw your consent at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal. After you withdraw your consent, we will delete your data. |
Keeping records of the recruitment process to be able to demonstrate fair and lawful hiring and to defend against potential claims | Article 6(1)(f) GDPR – our legitimate interest in being able to evidence our decisions and defend against potential claims. |
Processing personal data revealed incidentally in your application materials that may be considered sensitive (e.g. information disclosed in a CV that touches on health, religion or ethnicity) | Article 9(2)(b) GDPR – processing is necessary for the purposes of carrying out our obligations and exercising specific rights in the field of employment, in so far as authorised under applicable law. We do not request such information and do not use it as an evaluation criterion. |
6. How we use AI tools in our recruitment process
We use AI tools to support our recruitment process. These tools are provided to us by specialist service providers acting as our processors and are used for purposes such as:
Screening of applications and CVs against role-specific criteria, including a small number of objective eligibility criteria (for example, whether we are legally able to engage you for the role) and a broader set of criteria that involve human judgement.
Recording, transcription and AI-assisted note-taking from interviews and technical exercises, where you have been informed in advance.
Structured analysis or summarisation of interview content to support our interviewers, for example to highlight points to follow up on or to provide a structured second view.
We have designed our use of AI tools around the principle that AI assists and humans decide. In practice this means:
Decisions about whether to take your application forward are made by people at Planhat. AI outputs are advisory and a person is part of the process before any decision is communicated to you.
In a limited number of situations, your application may not be progressed solely on the basis of an objective eligibility criterion (for example, where we are legally unable to engage you in your location). Where this happens, you can ask us to review the decision, express your point of view or contest it, and we will arrange for a person to look at it.
AI tools are configured so that your data is not used by the providers to train their models, and we have data processing terms in place with our AI service providers.
We do not use AI to infer your personality, character, emotions or other internal states from your voice, facial expressions or behaviour, and we do not use AI to make hire or no-hire recommendations. The instructions we give our AI tools are reviewed before use to keep them within these limits.
7. Who we share your personal data with
We do not sell your personal data and we share it only where there is a clear reason to do so. Recipients fall into the following categories:
Recipient category | Why they receive your data |
|---|---|
Other companies in the Planhat group | Where you may be considered for a role with another Planhat entity, or where group functions (such as people operations or legal) support the recruitment process. |
Our applicant tracking system provider | To host candidate data and run the recruitment workflow. |
AI service providers | To provide AI-assisted screening of applications, transcription and note-taking from interviews, and analysis or summarisation of interview content to support our interviewers. |
Communication, collaboration and productivity providers | To send and receive emails, schedule and conduct interviews, manage internal coordination of the recruitment process, and host the careers site. |
External recruiters and headhunters | Where a candidate has been introduced to us by an external recruiter or headhunter, we exchange status updates with them. External recruiters and headhunters act as separate controllers in respect of their own sourcing activities and have their own privacy notices. |
Background check, reference and assessment providers | Where relevant for a particular role, and only where you have been informed in advance. |
Professional advisors and authorities | Where reasonably necessary, for example to obtain legal advice or to comply with legal obligations or lawful requests. |
Our service providers act as our processors and are bound by written terms that require them to process your data only on our instructions and to keep it secure. External recruiters and headhunters act as separate controllers for their own sourcing of candidates.
8. International transfers
Some of our service providers and group entities are located outside the European Economic Area and the United Kingdom, including in the United States. Where your personal data is transferred to a country that has not been recognised as providing an adequate level of protection, we put in place appropriate safeguards, in particular by entering into the standard contractual clauses approved by the European Commission (with equivalent safeguards for transfers from the United Kingdom).
You can ask us for more information about the safeguards we have in place for a specific transfer using the contact details in Section 14.
9. How long we keep your personal data
We keep your personal data only for as long as we need it for the purposes set out in this notice. The table below sets out our standard retention periods.
Situation | How long we keep your data |
|---|---|
You apply or are sourced for a specific role and are not hired. | Up to 2 years from the end of the recruitment process, so we can demonstrate that the process was fair and to defend against potential claims. |
You are placed in our talent pool for future opportunities. | 12 months from the date you give consent, renewable if you confirm continued interest. You can withdraw your consent at any time, after which we will delete your data. |
You have been sourced or referred and indicated you are not interested and want to be removed. | Deleted promptly, except for a minimal record that we have already approached you to avoid contacting you again. |
Records required to demonstrate compliance with legal obligations or to defend against legal claims. | Retained for as long as needed for those purposes, after which they are deleted or anonymised. |
10. Automated decision-making
Our recruitment decisions are made by people. AI tools support and inform those decisions, but a person is involved before a decision about you is communicated.
In a small number of situations, your application may not be progressed solely on the basis of an objective eligibility criterion that does not involve human judgement (for example, where we are legally unable to engage you in your location). Where this happens, we will tell you in our communication with you. You can ask for a person at Planhat to review the decision, express your point of view about it, and contest it. We will then arrange for a review.
11. How we keep your personal data secure
We use appropriate technical and organisational measures to protect your personal data, including access controls, encryption in transit, and limits on who can see candidate information. Our service providers are required to maintain appropriate security measures of their own. We review our arrangements periodically and will respond promptly to any incidents that may affect your data.
12. Your rights
Subject to applicable law, you have the following rights in relation to your personal data:
Right | What it means |
|---|---|
Access | You can ask us to confirm whether we hold personal data about you and to receive a copy of it. |
Rectification | You can ask us to correct personal data that is inaccurate or incomplete. |
Erasure | You can ask us to delete your personal data in certain circumstances. |
Restriction | You can ask us to limit how we use your personal data, for example while we look into a request. |
Objection | You can object to processing that we carry out on the basis of our legitimate interests, including our use of AI tools in the recruitment process and our processing of candidates that have been sourced or referred without applying. |
Portability | You can ask us to provide a copy of certain personal data you have given us in a portable format, or to transmit it to another controller where technically feasible. |
Withdrawal of consent | Where we rely on your consent (for example, the talent pool), you can withdraw it at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal. |
Human review of automated decisions | You can ask for a human to review any decision about your application that has been made through automated means and to express your point of view or contest the decision. |
Complaint | You can lodge a complaint with a data protection authority (see Section 14). |
You can exercise these rights by contacting us using the details in Section 14. We may need to verify your identity before responding. We will respond within the time limits required by applicable law.
13. Cookies and the careers site
Our careers site and the application platform we use may set cookies and similar technologies, for example to make the site work properly, to remember your preferences and to understand how candidates use the site. You can manage your cookie preferences through the controls provided on the site or in your browser. The application platform provider has its own privacy notice covering its use of these technologies.
14. How to contact us and how to complain
If you have any questions about this notice or about how we handle your personal data, or if you would like to exercise any of your rights, please contact us at:
Email: compliance@planhat.com | Data Protection Officer: dpo@planhat.com
If you are not satisfied with our response, you have the right to lodge a complaint with the data protection authority in the country where you live, work or believe an issue has occurred. The lead supervisory authority for Planhat AB is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY, www.imy.se). The data protection authority for Planhat Ltd. in the United Kingdom is the Information Commissioner’s Office (ICO, www.ico.org.uk). You can also contact the data protection authority in your own country.