Privacy and Cookie Policy
Learn how Employ Wizard protects your personal data and respects your privacy.
Employ Wizard Ltd is a company registered in England and Wales (Company No. 16704324) with its registered office at 20 Wenlock Road, London, N1 7GU. We are committed to protecting your personal data and respecting your privacy.
If you have questions about this policy, contact us at info@employwizard.com. Our Data Protection Officer (DPO) is Dr. Faiz Haque.
What Data We Collect
We may collect and process the following information:
- Recruiter and customer details: name, company, role, business email, login credentials, billing details
- Candidate CV data uploaded by recruiters: education, experience, skills, qualifications, identifiers, and special category data including protected characteristics (such as race, ethnicity, religion, gender, age, marital status), which are removed during the anonymisation process based on user preferences.
How We Use Your Data
We process personal data to provide and manage accounts and services, authenticate users and ensure security, handle billing and comply with legal obligations, deliver customer support, and provide users with CV analysis and ranking tools.
Special Category Data Processing: We process special category data (protected characteristics) from CVs solely for the purpose of anonymisation before AI analysis. This anonymisation step helps ensure unbiased candidate scoring by removing potential sources of discrimination. The anonymisation is performed by a dedicated AI model, and anonymised data is used only for scoring against job requirements. Original identifiers and special category data are removed before analysis and attached separately to candidate records.
Automated Decision-Making: As part of our AI-powered CV analysis service, we use automated processing to evaluate and score candidate CVs against job requirements. This involves:
- Analysing CV content using machine learning algorithms
- Generating suitability scores and rankings based on job criteria
- Identifying missing essential requirements
All automated decisions include reasoning and scores that are made available for human review. You have the right to obtain human intervention, express your point of view, and contest automated decisions that significantly affect candidates.
Candidate CV data is processed only on the recruiter's instructions. We do not use CVs for training, marketing, or resale.
Legal Basis
We rely on the following legal bases under UK GDPR:
- Contract: to provide services and manage accounts
- Legal obligation: for financial and compliance requirements
- Legitimate interests: for fraud prevention, security, and service integrity
- Consent: if marketing communications are introduced (not by default)
- Legitimate interests (for special category data anonymisation): ensuring fair and unbiased recruitment processes
International Data Transfers
We use Mistral AI SAS API services for CV analysis. Mistral AI SAS is a French company that processes data within the EU and maintains GDPR compliance. Data transfers to Mistral AI SAS are protected under the EU's adequacy decision for France and through our data processing agreement.
Our application servers are located in London, UK, hosted in OVHcloud's ISO 27001 certified data centres. All data processing occurs within the UK/EU region.
Data Security
We implement appropriate technical and organisational measures to protect personal data:
- Encryption: Data is encrypted at rest using AES-256 encryption and transmitted via SSL/TLS
- Access Controls: Strict role-based access controls and multi-factor authentication
- Secure Infrastructure: ISO 27001 certified data centres with 24/7 monitoring
- Backup Security: Encrypted backups transmitted via FTPS to secure offsite data centres in France
- Regular Assessments: Periodic security audits and vulnerability assessments
Sharing Data
We may share personal data with:
- Mistral AI SAS: As our AI processing provider (under data processing agreement)
- Payment processors: Independent controllers for billing transactions
- Service providers: That support hosting, security, and administration (under data processing agreement)
- Regulators or authorities: If legally required
We do not sell personal data.
Retention
- Candidate CVs: Original documents are retained for thirty days, then deleted. Plain text versions may be retained longer
- Recruiter and customer accounts: Retained for the duration of the contract plus thirty days
- Billing data: Retained for six years to meet statutory obligations
- Security logs: Retained for up to ninety days
- Special category data: Removed during the anonymisation process and not retained
Children's Data
We do not collect or process personal data from children under 16 years of age. Our services are designed for professional recruitment use and are not intended for or directed at children.
Marketing and Communications
We do not currently engage in targeted marketing. If marketing communications are introduced in the future, we will obtain explicit consent and provide clear opt-out mechanisms in user settings.
Data Breach Notification
In the event of a personal data breach that poses a risk to individuals' rights and freedoms, we will:
- Notify affected individuals without undue delay
- Provide details of the breach and recommended actions
- Publish a public notice on our website
- Notify the Information Commissioner's Office within 72 hours where required
Third-Party Links
Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of these external sites. We encourage users to review the privacy policies of any third-party sites they visit.
Technical Data
We use localStorage in users' browsers to remember preferences such as dark mode settings. This data is stored locally on the user's device and is not transmitted to our servers.
Your Rights
You have the right to:
- Access: Request copies of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data (subject to legal obligations)
- Restriction: Request limitation of processing
- Objection: Object to processing based on legitimate interests
- Data Portability: Receive your data in a structured, machine-readable format
- Automated Decisions: Contest automated decisions and request human review
For detailed instructions on how to exercise these rights, please visit our Data Subject Rights page.
If you are a candidate, please contact the recruiter who uploaded your CV, as they are the data controller for your candidate data. If you are a recruiter or customer, contact us at info@employwizard.com.
We will respond within thirty days, or up to sixty days for complex requests where we notify you of the extension. Data exports will be provided in CSV or JSON format.
Complaints
You may raise a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Cookies
Employ Wizard Ltd does not use tracking cookies.
We may use privacy-preserving, cookieless analytics to understand website usage. These analytics do not identify you and do not require consent.
If in the future we introduce cookies that require consent, a cookie banner will appear on our website giving you clear choices to accept or reject them.
Last Updated: October 2025