Candidate Privacy Policy

Foreko, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Foreko, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles with regard to personal data received from the European Union and the United Kingdom. If there is any conflict between the terms in this notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more and view our certification, visit dataprivacyframework.gov.

In compliance with the EU-U.S. DPF and the UK Extension, Foreko, Inc. commits to resolve DPF Principles-related complaints. EU and UK individuals with inquiries or complaints regarding our handling of personal data should first contact us at privacy@foreko.com.

Foreko, Inc. commits to cooperate with the advice of EU data protection authorities (DPAs) and the UK Information Commissioner's Office (ICO) regarding unresolved complaints concerning human resources data received in reliance on the EU-U.S. DPF and its UK Extension.

Foreko, Inc. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). Under certain conditions, you may invoke binding arbitration for complaints not resolved by other DPF mechanisms. See Annex I of the DPF Principles for more information.

We may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Foreko, Inc. remains responsible and liable under the EU-U.S. DPF Principles if third-party agents we engage to process personal data on our behalf do so in a manner inconsistent with these principles, unless we can prove we are not responsible for the event giving rise to the damage.

We comply with data protection law. Your data will be:

• Used lawfully, fairly, and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you, and not used in any way incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Retained only for as long as necessary for the purposes we have told you about, in relation to the recruitment exercise.
• Kept securely and protected against unauthorized or unlawful processing and against accidental loss or destruction using appropriate technical and organizational measures.

Personal data means any information about an individual from which that person can be identified. The categories of personal data we may collect include:

• Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
• CVs, cover letters, or any other supplementary documents included as part of the application process.
• Information regarding your work history, qualifications, professional memberships, education, experience, or employment references.
• Video recordings submitted as part of the recruitment process.
• Photographs if included on CVs or supplementary documents.
• Results of any personality profiling assessment carried out as part of the recruitment process.

We may also collect, store, and use the following special categories of sensitive personal data:

• Information about whether you have a disability for which we need to make reasonable adjustments during the recruitment process.
• Information about criminal convictions and offenses, where the nature of the job requires this.

We collect personal data about candidates from the following sources:

• You, the candidate.
• Your named referees: full name, periods of previous employment, and performance during previous employment.
• Publicly accessible sources such as LinkedIn, where we collect your name, email, work history, and other data included on your profile.

We will use the personal data we collect about you to:

• Assess your skills, qualifications, and suitability for the role.
• Carry out background and reference checks, where applicable.
• Communicate with you about the recruitment process.
• Keep records related to our hiring processes.
• Comply with legal or regulatory requirements.

It is in our legitimate interests to decide whether to appoint you to the role. We also need to process your personal data to decide whether to enter into a contract with you.

Having received your CV and any supporting materials, we will process that data to decide whether you meet the basic requirements for the role. If you do, we will decide whether to invite you for an interview. If we make an offer, we may take up references and conduct any other required checks before confirming your appointment.

If you fail to provide personal data when requested that is necessary for us to consider your application, we may not be able to process it further. For example, if references are required for the role and you fail to provide relevant details, we will not be able to take your application forward.

We will use your sensitive personal data only as permitted by law:

• We will use data about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example during a test or interview.
• We will use data about your nationality or ethnicity to assess whether a work permit or visa will be necessary for the role.

You will not be subject to decisions that have a significant impact on you based solely on automated decision-making.

Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the People Team, relevant hiring managers and interviewers, and IT staff where access is necessary for the performance of their roles.

Foreko will only share your data with authorized third parties engaged for the purposes of assessing your application, such as our applicant tracking system. If we make an offer of employment, we may contact your nominated referees and, where required by the nature of the role, conduct criminal records checks.

Your data may be transferred outside the European Economic Area (EEA) as part of the recruitment process. We have put in place appropriate measures to ensure your personal information is treated in a way consistent with EU data protection law.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. We limit access to your personal data to those with a business need to know, and they process it only on our specific instructions under a duty of confidentiality.

We have procedures in place to deal with any suspected data security breach and will notify you and any applicable regulator where legally required.

We will retain your personal data for a period of 3 years after your last application date. If you are unsuccessful, we retain your personal data for 6 months, or for 3 years upon your explicit consent. We retain this data to demonstrate that recruitment has been conducted fairly and transparently, and in case a suitable role becomes available in the future.

After the applicable retention period, we will securely destroy your personal data in accordance with our data retention policy.

Under applicable law, you have the right to:

• Request access to your personal data (a "data subject access request") to receive a copy of the data we hold about you.
• Request correction of incomplete or inaccurate personal data.
• Request erasure of your personal data where there is no good reason for us to continue processing it.
• Object to processing of your personal data where we rely on a legitimate interest, or where we process it for direct marketing purposes.
• Request restriction of processing, for example while we establish the accuracy of your data.
• Request transfer of your personal data to another party.

If personal data covered by this policy is to be used for a new purpose materially different from the purpose for which it was originally collected, or disclosed to a non-agent third party not specified in this policy, Foreko, Inc. will provide you with an opportunity to choose whether your personal data may be so used or disclosed. Opt-out requests should be directed to us using the contact information below.

Foreko, Inc. will not use or disclose sensitive personal data for any purpose other than the purpose for which it was originally collected or subsequently authorized, unless we have received your affirmative and explicit consent.

To exercise any of your rights or raise a concern, contact us at privacy@foreko.com.

If you believe we have not complied with your data protection rights, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk. A list of National Data Protection Authorities in the EEA can be found at ec.europa.eu/justice/data-protection.