Privacy Policy
Privacy Policy
Last update: January 1, 2025 · Published: January 1, 2025
Contents
- Introduction and Scope
- Role Clarifications
- Data We Collect and Why
- Legal Basis & Key Principles
- Data Sharing
- International Transfers
- Security Measures
- Individual Rights and Choices
- Retention Periods
- Complaints and Dispute Resolution
- Miscellaneous Provisions
- Contact Details
- Company and Registration Information
1. Introduction and Scope
This Privacy Policy (“Policy”) explains how (the “Company,” “we,” “us,” or “our”) processes professional data in compliance with the UK GDPR, the Data Protection Act 2018, and other applicable laws and regulations. Although we are a small, highly specialised service provider, we regularly engage with large-scale enterprises (including financial services organisations) that have rigorous data protection and compliance standards.
1.1 Who We Are
- We offer proprietary technology to facilitate professional connections, talent identification, and business insights (collectively, the “Services”).
- Our platform processes business-focused or publicly available professional data.
- We do not disclose any technical or algorithmic details of our proprietary methods to protect our intellectual property.
1.2 Data Protection Officer (DPO)
- Email: DPO@contxt.network
- Post: Data Protection Officer, 2-8 Victoria Ave, City of London, London EC2M 4NS, England
Note: We designate a DPO on a voluntary basis to maintain high standards of accountability and to align with the expectations of our enterprise partners.
1.3 Policy Updates
We review and update this Policy periodically to ensure alignment with changing legal requirements, industry practices, and client expectations. We will notify registered users or relevant client stakeholders of material changes.
2. Role Clarifications
2.1 Controller vs. Processor
- Controller Activities: In certain operations (e.g., collecting publicly available professional data for basic indexing), we may act as a Data Controller under Article 4(7) UK GDPR, determining the means and purposes of processing.
- Processor Activities: When clients (such as large financial institutions) supply us with candidate or employee information—e.g., from an Applicant Tracking System (ATS)—we typically act as a Data Processor under Article 4(8) UK GDPR, processing data solely on the client’s instructions and behalf.
- Client Responsibilities: Our clients remain responsible for ensuring their own legal basis to share or export data to us and must handle any additional compliance requirements (e.g., employee privacy notices, internal corporate policies).
3. Data We Collect and Why
3.1 Professional Data
We may process the following categories of non-sensitive, professional data:
- Identifiers: Name, professional title or role, publicly available business email.
- Work History: Past and current employment details, qualifications, project histories.
- Affiliations: Business relationships, corporate networks, professional achievements.
- Client-Provided Data: Information shared by the client for authorised purposes (e.g., ATS profiles, resumes, references).
Proprietary & Confidential: This Policy does not grant any license or right to our proprietary systems, algorithms, or trade secrets.
3.2 Sources of Data
- Licensed Data Providers: We obtain professional data exclusively through licensed commercial data providers who warrant compliance with applicable regional data protection laws and provide appropriate legal basis documentation.
- Direct Submissions: Individuals who voluntarily supply or update their professional details.
- Client Systems: Data imported from a client’s environment (e.g., ATS data) under explicit data processing agreements where the client acts as data controller.
3.3 Purpose of Processing
- Professional Networking: We surface relevant information to help clients identify potential candidates, collaborators, or rehires (Article 6(1)(f) – Legitimate Interests).
- Analysis & Insights: We apply our proprietary algorithms to highlight relevant skill sets, experiences, or connections.
- Quality & Service Enhancements: We may use aggregated, non-identifying metrics to improve our platform.
4. Legal Basis & Key Principles
4.1 Legitimate Interests Assessment
Where we rely on legitimate interests under Article 6(1)(f) UK GDPR, we have conducted documented assessments that consider:
Our Legitimate Business Interests
- Facilitating professional connections for career development
- Enabling efficient talent identification for legitimate recruitment purposes
- Supporting business networking within professional contexts
Necessity Test
- Processing is limited to professional identifiers and work history only
- No personal contact details, sensitive data, or private information processed
- Alternative methods (manual research, individual networking) would be disproportionately burdensome
Balancing Assessment
- Data subjects reasonably expect that professional information shared with commercial providers may be used for business networking
- Processing is limited to contexts that benefit the individual’s professional opportunities
- Robust opt-out mechanisms provide individual control
- No automated decision-making with legal or significant effects
Ongoing Review: We review our legitimate interests assessments regularly and following any material changes to our processing activities.
4.2 No Negative Profiling
- We do not create blacklists or negative ratings about individuals.
- If any individual expresses any preference not to re-engage with someone, that preference is recorded as the feedback giver’s personal data and does not affect the other individual’s profile.
4.3 Minimising Automated Decision-Making
- We do not conduct solely automated decision-making producing legal or similarly significant effects under Articles 22(1)–(3) UK GDPR.
- All hiring or re-hiring decisions remain at the client’s discretion (human review is always required).
5. Data Sharing
5.1 Authorised Clients
- We share relevant professional data with our clients—often large financial institutions—under strict contractual obligations (Data Processing Agreements, “DPAs”).
- Each client has a robust internal compliance structure that ensures lawful handling of any personal data within their control.
5.2 Service Providers
- We may engage trusted third-party vendors (e.g., secure hosting, IT support) who process data on our instructions.
- These providers are bound by confidentiality and must demonstrate adequate security (ISO certifications, SOC 2, or equivalent, if relevant).
5.3 Liability Disclaimer
- Client Use: Once data is shared with a client, the client becomes responsible for subsequent uses. We disclaim liability for any uses by the client that exceed or contravene our agreed scope.
- Indemnification: Our standard Master Services Agreements (MSAs) or DPAs may contain indemnities or liability provisions addressing how data protection claims are allocated between us and our clients.
6. International Transfers
6.1 Transfers Outside the UK/EEA
Where data is transferred outside the UK or EEA, we ensure compliance through:
- Standard Contractual Clauses (SCCs) approved by the European Commission or UK Addenda.
- Adequacy Regulations where applicable.
- Transfer Impact Assessments (TIAs): For key routes to third countries (in line with Schrems II guidance).
6.2 Client Responsibilities
For cross-border transfers initiated by our clients or involving their own systems (e.g., cloud ATS hosting in the US), the client remains the primary controller and must ensure compliance with relevant data transfer rules.
7. Security Measures
We implement technical and organisational measures consistent with the risk of our processing and the expectations of large, risk-averse enterprises:
- Encryption (at rest and in transit) to protect personal data.
- Access Controls ensuring only authorised staff or sub-processors can access personal data.
- Secure Infrastructure leveraging reputable cloud providers that meet industry standards.
- Regular Testing & Monitoring: Vulnerability scans and penetration tests, proportionate to our scale, to maintain a secure environment.
- Incident Response: A documented plan for notifying data subjects, clients, and regulators (e.g., ICO) in case of a notifiable breach, pursuant to Articles 33–34 UK GDPR.
8. Individual Rights and Choices
8.1 Data Subject Rights
Depending on applicable law, you may have the right to:
- Access (Article 15) – Request a copy of your data.
- Rectification (Article 16) – Correct incomplete or inaccurate data.
- Erasure (Article 17) – Request deletion under certain conditions.
- Restriction (Article 18) – Limit how we use your data.
- Objection (Article 21) – Object to processing based on legitimate interests.
- Portability (Article 20) – Receive data in a structured, machine-readable format, where applicable.
8.2 Opt-Out Process
Immediate Opt-Out:
- Email: DPO@contxt.network with subject “OPT-OUT REQUEST”
- Response within 5 business days, processing halt within 24 hours
- Verification Process: We may require reasonable identity verification to prevent fraudulent requests, typically requiring name and professional email address.
- Right to Object: You may object to processing based on legitimate interests at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
9. Retention Periods
9.1 General Retention
- Active Data: Retained for up to 36 months following the last relevant activity (e.g., a role update or client engagement).
- Opt-Out: We maintain minimal records of opt-out requests indefinitely to ensure we do not reprocess your data.
9.2 ATS or Client Data
- For client-supplied data (e.g., Applicant Tracking System information), we retain it for the duration agreed in our DPA or until (a) the client instructs us to delete it, or (b) 36 months from the last use for recruitment.
- Upon contract termination, data is securely deleted or anonymised unless otherwise required by law or ongoing legitimate interests.
10. Complaints and Dispute Resolution
10.1 Contact Us First
If you have concerns about our processing:
- Email: DPO@contxt.network
- Post: Data Protection Officer, 2-8 Victoria Ave, City of London, London EC2M 4NS, England
We aim to resolve issues promptly and transparently.
10.2 Regulatory Authorities
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) or another competent data protection authority in your country (Articles 77–79 UK GDPR).
11. Miscellaneous Provisions
11.1 No License to Proprietary Technology
This Policy does not grant any license, interest, or rights to our confidential algorithms, software code, or intellectual property. All such rights are expressly reserved.
11.2 Multi-Jurisdictional Compliance
We take reasonable steps to accommodate global data protection requirements (e.g., alignment with EU GDPR principles for cross-border data transfers). However, clients bear responsibility for ensuring local law compliance in the jurisdictions where they operate.
11.3 Liability & Indemnities
Our liability for data protection violations is governed by the provisions of our Master Services Agreement or Data Processing Agreement with each client. We disclaim liability for any client’s misuse of data once it leaves our platform or scope of instructions.
11.4 Governing Law and Dispute Resolution
Unless otherwise specified in a governing contract, this Policy shall be interpreted under the laws of England and Wales without prejudice to the mandatory protections afforded under applicable law.
12. Contact Details
- Privacy Inquiries: DPO@contxt.network
Typical Response Times:
- Rights Requests: 30 days
- Complaints: 5 business days
- Security Incidents: 24 hours
13. Company and Registration Information
- Registered in England & Wales
- Company Number: 16073133
- ICO Registration: C1634608
- Registered Office: 2-8 Victoria Ave, City of London, London EC2M 4NS, England
— End of Policy —
This Policy is intended to provide a transparent overview of our data processing practices. It does not constitute legal advice. For specific queries, consult our Data Protection Officer.