Candidate Privacy Statement
This Candidate Privacy Statement describes how Xone (the “Company”, “we”, “us”, or “our”) collects, uses, discloses, and protects the personal information of individuals who apply for roles, are considered as candidates, or otherwise engage in our recruitment process (collectively, “candidates”, “you”, “your”).
This Statement supplements our main Privacy Policy and applies during the recruitment lifecycle—from application to final decision and, if applicable, onboarding.
1. Scope
This Statement is intended to be consistent with applicable laws including, as relevant, GDPR (EU), PIPL (China), U.S. federal/state privacy laws (e.g. CCPA/CPRA), and other local data protection laws.
2. Controller / Responsibility
- The Company operating the recruitment process is the data controller of candidates’ personal data.
- In jurisdictions where required, we may designate a representative or appoint a data protection officer (DPO).
- We may engage third‑party service providers (such as applicant tracking systems, background check vendors, assessment platforms) who act as data processors, processing data according to our instructions.
3. Categories of Personal Data Collected
We may collect or derive various categories of personal data about you, depending on the stage of recruitment and legal requirements, including but not limited to:
| Category | Examples | Purpose | Essential? | Retention |
|---|---|---|---|---|
| Identity & Contact | Name, address, email, phone number, date of birth, national ID / passport number | Identify and contact the candidate during recruitment | Yes | 6 months – 2 years |
| Application Materials | CV, cover letter, portfolio, references, transcripts, certifications | Evaluate candidate qualifications and suitability | Yes | 6 months – 2 years |
| Employment & Experience | Job history, roles, salaries, responsibilities, skills, trainings | Assess candidate's work background and capabilities | Yes | 6 months – 2 years |
| Education & Qualifications | Academic records, degrees, licenses, certifications | Verify academic credentials and qualifications | Yes | 6 months – 2 years |
| Right to Work / Immigration | Passport, visa, work permit, citizenship or immigration status | Ensure legal right to work in applicable jurisdictions | Yes | As required by law |
| Assessments & Tests | Results of aptitude, technical, and psychometric tests | Evaluate relevant skills and cognitive traits | No | Until hiring decision is made |
| Interview Records | Notes, recordings, feedback, evaluation forms | Document and assess candidate interactions | Yes | 6 months – 2 years |
| Background Checks | Criminal records, credit reports, reference verifications | Verify candidate integrity and compliance | Sometimes | As permitted by law |
| Technical / Device Data | IP address, browser type, OS, device identifiers, logs | Security monitoring and platform diagnostics | No | Short-term (session-based) |
| Communication Data | Emails, interview scheduling, internal correspondence | Facilitate application management and communication | Yes | 6 months – 2 years |
| Optional / Voluntary Data | Diversity info (race, gender, disability), salary expectations | Support DEI initiatives and process transparency | No | With consent or anonymized |
We generally do not collect sensitive personal data (also called special categories) unless required by law or with your explicit consent (for example, disability status for accommodations).
4. Legal Basis for Processing
Depending on your jurisdiction and the type of data, we rely on one or more of the following legal bases:
- Legitimate Interests: For the purposes of evaluating your application, conducting recruitment, verifying information, selecting candidates.
- Contract / Pre‑contractual Steps: Where necessary to take steps before entering an employment contract.
- Consent: In some cases (e.g., optional diversity data, or where required by law), we may request your explicit consent. You may withdraw consent at any time (subject to legal constraints).
- Legal Obligation / Compliance: To fulfill statutory or regulatory obligations (e.g. verifying eligibility to work).
We will always ensure that our processing is proportionate, minimized, and respects your rights.
5. Purposes of Processing
We process candidates’ data for one or more of the following purposes:
- To manage and assess job applications
- To communicate with you about your application status
- To schedule interviews, assessments, and other recruitment steps
- To verify or validate information provided (e.g. background checks)
- To perform assessments or tests relevant to the role
- To evaluate qualifications, competencies, and suitability
- To compare multiple candidates and make hiring decisions
- To maintain internal records and audit trails
- To consider you for other roles / pipelines (subject to your consent)
- To comply with legal, audit, regulatory, or governmental requirements
- To defend or enforce our legal rights (e.g. litigation, investigations)
6. Retention Period
We retain your personal data only as long as necessary for the purposes listed above or as required by law. After the recruitment process concludes, we may:
- Retain limited data for record‑keeping, audit, or legal defense
- With your consent, keep your data in our talent pool or for future opportunities
- Delete, anonymize, or securely dispose of data not needed
Typically, retention periods might range from 6 months to 2 years, depending on jurisdiction and business needs—unless law requires otherwise.
7. Data Sharing & Recipients
We may share your personal data (within legal bounds) with:
- Internal stakeholders involved in recruitment (HR, hiring managers, interviewers)
- Third‑party service providers (ATS vendors, background check companies, assessment platforms, cloud hosting providers)
- Affiliates or subsidiaries of the Company
- Government, law enforcement, or regulatory bodies where required by law or court order
- In the event of a merger, acquisition, or sale, with prospective or final counterparties
All recipients will be obligated to handle your data consistent with applicable laws and confidentiality obligations.
8. International / Cross‑Border Transfers
Your data may be transferred to or stored in jurisdictions outside your home country (e.g. data centers, service providers). Where such transfers occur, we implement appropriate safeguards, such as:
- Standard Contractual Clauses (SCCs) or equivalent legal instruments
- Encryption and technical security controls
- Explicit consent (where required)
- Ensuring adequacy under applicable regulation
9. Security Measures
We implement administrative, technical, and physical safeguards to protect your personal data from unauthorized access, loss, destruction, alteration, or disclosure. These may include:
- Encryption, anonymization, pseudonymization
- Access controls, role-based permissions
- Audit logs, monitoring, intrusion detection
- Regular security reviews, backups, incident response plans
However, no system is perfectly secure—if a breach occurs, we will follow legal obligations (e.g. notify you and relevant regulators where required).
10. Your Rights
Depending on applicable laws, you may have rights such as:
- Access: Request a copy of your data we hold
- Rectification: Correct or update inaccurate data
- Erasure (“Right to be forgotten”): Under certain conditions, request deletion of your data
- Restriction: Limit the processing of your data
- Object: Object to certain processing (e.g. profiling, direct marketing)
- Data Portability: Request data in a machine-readable format
- Withdraw Consent: Where processing is based on consent, withdraw it
- Complaint: Lodge a complaint with a supervisory authority or regulator
If you wish to exercise any of these rights, contact us using the contact info provided below. We will respond within applicable legal timeframes, unless legal exceptions apply.
Please note: exercising certain rights may limit or affect your application (for example, if key data is deleted, we may be unable to consider you further).
11. Automated Decision Making / Profiling
Where permitted by law, we may use automated tools or profiling (e.g. scoring algorithms, candidate matching systems) to assist with screening or evaluating candidates. However:
- Any final hiring decision is made or reviewed by humans
- Where required, we will inform you of profiling logic, significance, and rights to object or request human review
12. Changes to This Statement
We may update this Candidate Privacy Statement periodically to reflect changes in legal requirements, business practices, or recruitment tools. When material changes are made, we will notify you via email or on our website. The “Last Updated” date will be revised accordingly.
13. Contact & Complaints
For any help or support, please contact us:
Support: support@xone.org
Official: hello@xone.org
Work: job@xone.org
Busines: busines@xone.org
Compliance: compliance@xone.org
Labs: labs@xone.org
Grants: grants@xone.org
News: Medium
Community: Telegram | Twitter | Discord | Forum | YouTube | Reddit | ChatMe | Coingecko | Github
If you are in a jurisdiction that permits you to lodge a complaint with a supervisory authority or regulator (e.g. data protection authority in EU, China’s regulatory body, U.S. state attorney general), you may do so to the relevant authority.