Example Privacy Policy for your recruitment website

Created by Aaron Refari, Modified on Fri, 17 Jul at 6:20 AM by Aaron Refari

This article gives you a complete example privacy policy that you can adapt for your recruitment website. Recruitment websites collect a lot of personal information: CVs, work histories, referee details, referral recommendations and hiring manager contacts. A clear, well-structured privacy policy tells candidates and clients how you look after that information, and most privacy laws require you to publish one. The template below is written for recruitment teams operating anywhere in the world, so it covers the concepts that global privacy laws (such as the GDPR in Europe, the UK GDPR, the CCPA in California and the Privacy Act in Australia) expect to see.

Disclaimer: this is an example document provided for general information only. It is not legal advice, and Refari is not a law firm. Privacy laws differ between countries and change over time, and your policy must reflect what your company actually does with personal information. Always have a qualified legal adviser in the regions where you operate review your privacy policy before you publish it.

How to use this template

The template is a starting point, not a finished document. Work through these steps before anything goes on your website:

  1. Replace every [highlighted placeholder] with your own details, such as your company name, contact information and retention periods.
  2. Delete anything that does not apply to you. For example, if you do not run a referral programme, remove the referrals section rather than leaving text that describes something you do not do.
  3. Check the table below and keep (or expand) the parts of the "Your privacy rights" section that match the regions where you recruit and where your candidates live.
  4. Make sure every statement is true for your business. A privacy policy that promises things you do not actually do is worse than no policy at all, because regulators treat it as a misleading statement.
  5. Have a qualified lawyer review the finished document, then publish it on your website (typically linked from your footer and from any forms that collect personal information) and review it at least once a year.

Which privacy laws might apply to you

Privacy laws generally follow the person whose information you hold, not just the country where your office is registered. A recruitment company based in Sydney that places candidates into London roles will usually need to think about UK rules as well as Australian ones. These are the major laws a global recruitment company is most likely to meet:

LawWhen it is likely to apply to you
GDPR (European Union)You have an office in the EEA, or you recruit candidates or serve clients located in the EEA, even from outside Europe.
UK GDPR and Data Protection Act 2018 (United Kingdom)The same idea as the EU GDPR, but for people in the UK. Applies to UK offices and to overseas companies recruiting people based in the UK.
Privacy Act 1988 and the Australian Privacy Principles (Australia)You operate in Australia or hold information about people in Australia. Most recruitment companies above the small-business threshold are covered.
Privacy Act 2020 (New Zealand)You do business in New Zealand or hold information about people there, regardless of where your company is based.
CCPA / CPRA (California, United States)You are a larger business handling information about California residents, including job applicants. Several other US states now have similar laws.
PIPEDA (Canada)You collect or use personal information in the course of commercial activity involving people in Canada.
PDPA (Singapore)You collect, use or disclose personal information about people in Singapore.
Note: this table is a simplified orientation guide, not a compliance checklist. Thresholds, definitions and penalties differ between laws, and several countries not listed here (for example Brazil, South Africa and Japan) have their own privacy regimes. Your legal adviser can confirm exactly which laws apply to your company.
Idea: if your website runs Refari (your job board, application forms or referral tools), Refari processes candidate and referral information on your behalf, so it sits under the "service providers" part of section 7 in the template. For how consent and communication preferences are recorded inside Refari, see Managing candidate consent, privacy and marketing preferences in Refari.

The example privacy policy

Everything inside the box below is the template. Copy it into your own document, work through the steps above, and remember that the [highlighted placeholders] all need replacing before it goes live.

Privacy Policy of [Your Company Name]

Last updated: [Date]

1. Who we are

[Your Company Name] ([company registration number / ABN / equivalent]) ("we", "us" or "our") provides recruitment services, including advertising roles, introducing candidates to employers and running referral programmes. We are responsible for the personal information described in this policy, and in regions with data protection laws such as the GDPR we act as the "controller" of that information unless we say otherwise.

2. Scope of this policy

This policy explains how we collect, use, share and protect personal information when you use our website, job board, application and referral forms, candidate portal and related online services, or when you deal with us directly as a candidate, client, hiring manager, referrer, referee or supplier. It applies to everyone whose personal information we handle, wherever they are located.

3. The information we collect

If you are a candidate, we may collect:

  • Identity and contact details, such as your name, email address, phone number and location
  • Your CV or resume, including your work history, education, skills and qualifications
  • Your right-to-work status, and visa or work-permit information where relevant to a role
  • Salary expectations, notice period, work preferences and availability
  • Referee details and the references they provide
  • Interview notes, assessment results and our correspondence with you
  • Information from your public professional profiles, such as LinkedIn

Sensitive information. Some information is treated as sensitive or "special category" under privacy law, such as health information, diversity and inclusion data, or criminal-record checks. We only collect it where the law allows it, where it is genuinely needed (for example, health information to arrange workplace adjustments, or background checks required for a specific role) and, where the law requires it, with your explicit consent.

If you are a client or hiring manager, we collect your business contact details, information about the roles you are hiring for and our correspondence with you.

If you refer someone to us, or someone refers you, we collect the referrer's name and contact details, their relationship to the person referred, and the referred person's name, contact details and any CV or profile information shared with the referral.

If you visit our website, we collect technical and usage information such as your IP address, browser and device type, the pages you view and how you arrived at our site. See section 11 on cookies for more detail.

4. How we collect your information

  • Directly from you, when you apply for a role, register with us, upload a CV, subscribe to job alerts, refer someone or otherwise contact us
  • From someone who refers you to us for a role or introduces you as a potential candidate
  • From job boards, professional networks and publicly available sources
  • From your referees, and from background-check or verification providers where checks are required (with your consent where the law requires it)
  • Automatically, through cookies and similar technologies when you use our website

5. Why we use your information, and our legal bases

We use personal information to:

  • Match candidates with roles and introduce them to prospective employers
  • Contact you about opportunities, applications, referrals and our services
  • Verify identity, qualifications, references and the right to work
  • Run our referral programme, including paying any referral rewards we offer
  • Operate, secure and improve our website and services
  • Send marketing and job alerts, where you have agreed to receive them or the law otherwise permits it
  • Meet our legal and regulatory obligations, and establish or defend legal claims

Where laws such as the GDPR and UK GDPR apply, we rely on one or more of these legal bases: your consent (which you can withdraw at any time), the fact that processing is necessary for a contract with you or to take steps at your request before entering one, our legal obligations, and our legitimate interests in running an effective recruitment service, where those interests are not overridden by your rights.

6. Referrals

Our referral programme lets people recommend candidates to us. If you refer someone, you confirm that you know them, that the information you provide is accurate, and that you have their permission to share their details with us. When we receive a referral, we tell the referred person that we have their details, explain where they came from and point them to this policy. If a referred person does not want us to hold their information, they can ask us to delete it at any time using the contact details in section 18.

7. Who we share your information with

  • Prospective employers. If you are a candidate, we share your profile with employers whose roles match your skills. We will not send your details to an employer without first telling you about the role [or: without your consent].
  • Our group companies, where we operate through more than one entity.
  • Service providers who process information on our behalf, such as our recruitment software and website platform, applicant tracking system, email and communication tools, analytics providers, background-check providers and payment processors. They act under contract, only on our instructions, and must protect your information.
  • Professional advisers, such as lawyers, accountants and insurers, where necessary.
  • Regulators, courts and law enforcement, where the law requires or permits it.
  • A buyer or successor, if we sell, merge or reorganise our business, in which case your information remains protected by this policy.

We do not sell your personal information, and we do not share it with third parties for their own advertising purposes.

8. International data transfers

We operate [globally / in the countries where we have offices], and some of our service providers are based overseas, so your information may be transferred to and stored in countries other than your own. Where those countries do not offer the same level of privacy protection as yours, we use recognised safeguards, such as transfers to countries with an adequacy decision, standard contractual clauses approved by the relevant authorities, or your consent where the law allows it. You can contact us for more information about the safeguards we use.

9. How we keep your information secure

We protect personal information with technical and organisational measures appropriate to the risk, including encryption of data in transit, access controls so that only authorised staff can view your information, multi-factor authentication on our core systems, staff training and due diligence on the providers we use. No method of storage or transmission is completely secure, but if a data breach affects your information we will notify you and the relevant regulator where the law requires it.

10. How long we keep your information

We keep personal information only as long as we need it for the purposes described in this policy, and then delete or anonymise it. As a guide, we keep candidate profiles for [X years] after our last meaningful contact with you, so we can consider you for future roles, and we keep records connected to a completed placement for longer where tax, employment or other laws require it. You can ask us to delete your information sooner; see section 14.

11. Cookies and similar technologies

Our website uses cookies and similar technologies. Some are essential for the site to work (for example, keeping you signed in or remembering your job search filters), while others help us understand how the site is used so we can improve it, or support marketing. Where the law requires it, we ask for your consent before setting non-essential cookies, and you can also manage cookies through your browser settings. [Link to your cookie policy or cookie settings page, if you have one.]

12. Marketing communications

If you subscribe to job alerts or newsletters, or where the law otherwise permits, we may send you emails about roles, industry news and our services. You can opt out at any time using the unsubscribe link in any message or by contacting us, and opting out of marketing does not affect emails we need to send about your applications or referrals.

13. Automated decision-making and AI

We may use software, including tools with artificial intelligence features, to help search, match and rank candidate profiles against roles. These tools support our recruiters; a human is always involved in any decision that significantly affects you, such as whether to put you forward for a role. Where the law gives you rights over automated decisions, you can ask for human review of a decision, express your point of view and contest the outcome using the contact details in section 18.

14. Your privacy rights

Wherever you are, you can ask us to:

  • Tell you what personal information we hold about you, and give you a copy of it
  • Correct information that is inaccurate or out of date
  • Delete your information, or restrict or object to how we use it
  • Give you your information in a portable format, or send it to another provider, where the law provides for this
  • Withdraw any consent you have given, at any time

Some rights depend on where you live and which law applies, for example:

  • European Economic Area and United Kingdom. You have the rights set out in the GDPR and UK GDPR, including the right to complain to your local supervisory authority (in the UK, the Information Commissioner's Office).
  • Australia. You can access and correct your information under the Australian Privacy Principles, and complain to the Office of the Australian Information Commissioner (OAIC) if you are not satisfied with our response.
  • New Zealand. You can access and correct your information under the Privacy Act 2020, and complain to the Office of the Privacy Commissioner.
  • California, United States. You have the right to know, correct and delete the personal information we hold about you, to opt out of any "sale" or "sharing" of it (we do not sell personal information), and not to be discriminated against for exercising these rights.
  • Canada. You can access and correct your information under PIPEDA and complain to the Office of the Privacy Commissioner of Canada.

To exercise any of these rights, contact us using the details in section 18. We may need to verify your identity before acting on a request, we will respond within the time the applicable law allows, and we will not charge you unless the law permits a fee for repeated or excessive requests.

15. Children's privacy

Our services are designed for people of working age and are not directed at children under [16 / 18, per local law]. We do not knowingly collect personal information from children, and if we learn that we have done so we will delete it.

16. Links to other websites

Our website may link to other websites, such as an employer's careers page or a job board. We are not responsible for the privacy practices of other websites, so check their privacy policies when you visit them.

17. Changes to this policy

We may update this policy from time to time. The date at the top shows when it last changed, and if we make a significant change we will take reasonable steps to bring it to your attention, for example by email or a notice on our website.

18. How to contact us

For any question, request or complaint about your privacy, contact us at:

  • Email: [privacy@yourcompany.com]
  • Post: [Postal address]
  • Phone: [Phone number]

[If required where you operate, add the contact details of your Data Protection Officer and, if you are outside the EU or UK but covered by the GDPR or UK GDPR, your EU or UK representative.]

Final Notes

A privacy policy only protects you while it stays accurate. Whenever you add a new tool to your website, start collecting a new type of information or expand into a new country, revisit the policy and update it. And one last reminder: this template is general information, not legal advice, so have a qualified legal adviser review your finished policy before you publish it.

Other articles you might be interested in:  Example 'Referral scheme terms and conditions'  |  Managing candidate consent, privacy and marketing preferences in Refari  |  Refari Data Security

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article