Feedzai Candidate Privacy Policy
Effective as of 19 December, 2024
Feedzai – Consultadoria e Inovação Tecnológica, S.A. and its group companies (“Feedzai”, “we”, “us” or “our”) respects your privacy and is committed to protecting your personal data.
The purpose of this Candidate Privacy Policy is to provide candidates for job opportunities with information about how and why we process their personal data and to tell them about their privacy rights and how the law protects them.
With that in mind, this Candidate Privacy Policy is designed to describe:
- Who we are and how to contact us
- Your rights relating to your personal data
- What personal data we collect
- Personal data from Third-Party Sources
- How we use your personal data and why
- Who we share your personal data with
- Data transfers
- How we keep your personal data secure
- How long we store your personal data
Important notes:
- This Candidate Privacy Policy is intended to meet our duties of transparency under applicable data protection laws, namely the General Data Protection Regulation 2016/679 (the “EU GDPR”), the EU GDPR as it forms part of the laws of the United Kingdom (the “UK GDPR”) (together, the “GDPR”), the Brazilian data protection law no. 13709/2018 (Lei Geral de Proteção de Dados Pessoais or “LGPD”), and others.
- It is important you read this Candidate Privacy Policy so that you are aware of how and why we are using your personal data, your rights and how the law protects you.
- This Candidate Privacy Policy does not form an operative part of any future contract you may have with Feedzai and is not intended to create any employment relationship or other engagement between you and Feedzai.
- You should be aware that if you fail to provide certain personal data when requested, we may not be able to perform steps necessary to enter into a contractual relationship with you or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our workers).
We may update this Candidate Privacy Policy from time to time. You will be able to see all prior versions in the link provided at the beginning of the policy.
Who we are and how to contact us
Who we are.
Feedzai is the Controller (as defined in the applicable data protection laws, namely the GDPR) for the purposes of the processing of your personal data described in this Candidate Privacy Policy. Where you are applying for a job opportunity with a Feedzai group company, certain other of our group companies may also act as a Controller. For a full list of controllers, see Annex 1.
How to contact us.
To contact us, you can either:
- email us at privacy@feedzai.com; or
- write to us at the postal address noted above.
Your rights relating to your personal data
Your rights in connection with your personal data
Under certain circumstances, by law you have the right to:
- Request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Object to processing of your personal data. This right exists where we are relying on a Legitimate Interest (defined below) as the legal basis for our processing and there is something about your particular situation, which makes you want to object to processing on this ground.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data (data portability). We will provide to you, or a third party you have chosen, your personal data which you have provided to us, in a structured, commonly used, machine-readable format. Note that this right only applies to personal data we process by automated means which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent. This right only exists where we are relying on consent to process your personal data.
How to exercise your rights
If you want to exercise any of the rights described above, please contact us using the contact details shown in the “Who We Are and How to Contact Us” section above.
We may need to request specific information from you to help us confirm your identity and verify your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information to assist us in responding to your request.
Typically, you will not have to pay any fee to access your personal data (or to exercise any of the other rights). However, except in relation to withdrawal of your consent (see above), we may charge a reasonable fee if your request is clearly unfounded or excessive, or we may refuse to comply with your request in these circumstances.
Please also note that in certain circumstances the rights above will not apply and/or in certain circumstances some categories of personal data will be exempt from the scope of those rights. We will notify you where this is the case.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Complaints
If you would like to make a complaint regarding this Candidate Privacy Policy, you can contact us using the contact details shown in the “Who We Are and How to Contact Us” section above. We will reply to your complaint as soon as we can.
If you feel that your complaint has not been adequately resolved, please note that applicable data protection laws also give you the right to make a complaint directly to the data protection regulator in your habitual place of residence.
What personal data we collect
All the personal data we collect, both from you and from third parties about you, is outlined in the table below.
Category of personal data collected
What this may include
Identity Data
First name, middle name(s), surname, title, national identification and/or passport details, national insurance / social security number or other tax-related information, driver’s licence, photographs.
Contact Data
Your home address, work address, email address and telephone numbers.
Biographical Data
First name, middle name(s), surname, maiden name, marital/civil partnership status, title, date of birth, gender (if you choose to provide this information), ethnicity (if you choose to provide this information), education history, professional history, professional qualifications and memberships, references, information relating to references such as referees’ names and contact details, information contained within letters of application and CVs, language proficiencies and other skills, certifications, certification expiration dates and information necessary to complete background checks.
Immigration Data
National identification and/or passport number, details of residency and/or work permit and other information that would allow us to verify your eligibility to work for us in your relevant role.
Professional Data
Title and description of your prior roles, department, work location, dates of prior employment/engagement, employment/engagement status and type (e.g., full-time/part-time), terms of employment/engagement, contracts, work history (current, past, or prospective), training and learning program participation, termination date(s) and reason, length of service, current salary, desired salary, employment/engagement preferences, information necessary to complete background checks, licenses, permits, memberships, and certifications. May also include job preferences, such as desired position and compensation, location preferences and willingness to relocate.
Facilities Data
Information about your access to Feedzai offices and facilities.
Data from the application process
Phone-screens, interviews, evaluations and outcomes of recruiting exercises
Other Data
This might include data not listed above that you provide to us, such as your feedback and survey responses where you choose to identify yourself.
Personal data from Third-Party Sources
In addition to the personal data that we collect from you directly, in certain circumstances, we may also collect personal data from third-party sources. Please see below for a list of the types of third-party sources from which we may collect your personal data (including whether the source of that personal data is publicly available):
- Agencies or recruiters that refer you to us.
- Job board websites you may use to apply for a job with us.
- Prior employers, companies or persons, when they provide us with references.
- Professional references that you authorise us to contact.
- Your educational institutions.
- Providers of background check, credit check, or other screening services (where permitted by law).
- Your social media profiles, such as LinkedIn or other publicly-available sources (information gathered from these sources is publicly-available).
- Other Company personnel.
How we use your personal data and why
In respect of each of the purposes for which we use your personal data, applicable data protection laws require us to ensure that we have a “legal basis” for that use. Most commonly, we will rely on one of the following legal bases:
- Where we need to take steps at your request prior to entering into a contract with you (“Contractual Necessity”).
- Where we need to comply with a legal or regulatory obligation (“Compliance with Law”).
- Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests (“Legitimate Interests”). More detail about the specific legitimate interests pursued in respect of each purpose we use your personal data for is set out in the table below.
The table below shows at a very high-level how we may use your personal data and the relevant legal bases we rely upon for that use.
Purpose
Legal basis
Pre-contractual performance. We may process your personal data (including sharing it with third parties, where appropriate) where necessary to take pre-contractual steps relating to your potential employment or engagement, including managing the recruitment process and taking any associated steps you may request prior to entering into any contract with you.
Contractual Necessity.
Talent management. We may process your personal data (including associated sharing with third parties, where appropriate) for talent management purposes, including for the purposes of considering you for current or future job application and determining whether, and on what terms, to make an offer to employ or engage you.
Legitimate Interests.
Facilities management. We may process your personal data (including sharing it with third parties, where appropriate) to operate, manage and secure our premises and facilities.
Legitimate Interests.
Compliance and protection. We may process your personal data (including sharing it with third parties, where appropriate) for compliance and protection purposes (including the establishment, exercise or defence of legal claims).
Depending on the circumstances: Compliance with Law or Legitimate Interest.
Privacy Protective Steps. We may create aggregated, de-identified and/or anonymised data from your personal data.
Legitimate Interests.
Further uses. In some cases, we may use your personal data for further uses, in which case we will ask for your consent to such use of your personal data for those further purposes in so far as they are not compatible with the initial purpose for which information was collected and where consent is necessary.
Consent or the original legal basis where the relevant further use is compatible with the initial purpose and where consent is necessary.
In addition to establishing a legal basis, where we use any ‘special categories’ of personal data (e.g., your health-related data), we also have to satisfy an additional condition to process such personal data, because it is considered to be more sensitive in nature. The condition that may apply will depend on the circumstances and the purposes of the relevant processing. However, as examples of the conditions that we may rely upon:
- We may need to process that data because it is necessary for reasons of substantial public interest (e.g., for equal opportunities monitoring, preventing or detecting unlawful acts etc).
- We may need to process that data because it is necessary for the establishment, exercise or defence of legal claims (including regulatory, administrative or any out-of-court procedure, and seeking advice).
Who we share your personal data with
As part of our business and in relation to your application, we may share your personal data with certain third parties – please see the list below for information about the categories of such third-party recipients:
Affiliates. Our affiliates. For example, this may occur to enable our organisation to operate shared infrastructure, systems and technology.
Service Providers. Providers of services to Feedzai or our group that provide us with services that help us manage the recruiting process and operate our business, such as job boards, recruiters, interviewing and testing, IT systems and support, information and physical security, pre-employment screening, interview travel booking and expense reimbursement (where applicable), relocation (where applicable), and recruitment analytics.
Professional advisers. Accountants, auditors, lawyers, immigration advisors, insurers, bankers, and other professional advisors.
Compliance and protection related sharing. We may need to or may have a legitimate interest in, sharing your personal data with entities that regulate or have jurisdiction over us (such as regulatory authorities, public bodies and judicial bodies). We may also share your personal data in the context of protecting our, your or others’ rights, privacy, safety or property (including by establishing, making and defending legal claims).
Business transfer participants. Parties (and their advisors) to transactions and potential transactions pursuant to which we sell or transfer some or all of our business or assets, including your personal information, such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution.
Data transfers
We may share your personal data with third parties who may be based outside of the EU/UK. In such circumstances, those parties’ processing of your personal data will involve a transfer of your personal data outside of the EU/UK where privacy laws may not be as protective as those in the EU/UK. In such a case, we will endeavour to implement appropriate safeguards designed to give personal data effectively the same protection as it has in the EU/UK.
You may contact us if you want further information on the specific mechanism used by us when transferring your personal information using the contact details shown in the “Who We Are and How to Contact Us” section above.
How we keep your personal data secure
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We limit access to your personal data to those employees, contractors, and other staff who have a business need to have such access. All such people are subject to a contractual duty of confidentiality.
We have put in place procedures to deal with any actual or suspected personal data breach. In the event of any such breach, we have systems in place to work with applicable regulators. In addition, in certain circumstances (e.g., where we are legally required to do so) we may notify you of breaches affecting your personal data.
How long we store your personal data
Feedzai’s retention periods for personal data are based on business needs and legal requirements. We retain personal data for as long as is necessary for the processing purpose(s) for which it was collected, as set out in this Candidate Privacy Policy, and any other permissible, related purposes. For example, we may retain certain information to comply with regulatory requirements regarding the retention of such data, or in the event a litigation hold is imposed.
When personal data is no longer needed, we either irreversibly anonymise the data (and we may further retain and use the anonymised information) or securely destroy the personal data.
Annex 1 – Additional Controllers
Name
Address
Contact information
Feedzai, Inc.
(“Feedzai US”)
400 Concar Dr, 3rd Floor, Suite 124, San Mateo, CA 94402, USA
Name: Privacy Team
Contact Details: privacy@feedzai.com
Feedzai AU PTY, Ltd.
(“Feedzai AU”)
Level 9, Grosvenor Place, 225 George Street, Sydney, NSW, 2000
Name: Privacy Team
Contact Details: privacy@feedzai.com
Feedzai Hong Kong, Limited
(“Feedzai HK”)
Unit B, 17/F, United Centre, 95 Queensway, Admiralty, Hong Kong
Name: Privacy Team
Contact Details: privacy@feedzai.com
Feedzai Spain, S.L.U.
(“Feedzai ES”)
Paseo de la Castellana 43, Planta 6, Oficina 105, 28046 Madrid, Spain
Name: Privacy Team
Contact Details: privacy@feedzai.com
Feedzai UK Limited
(“Feedzai UK”)
Acre House, 11/15 William Road, London, United Kingdom, NW1 3ER
Name: Privacy Team
Contact Details: privacy@feedzai.com
Feedzai Singapore PTE., Limited
(“Feedzai SGP”)
6 Shenton Way, 33-00, Singapore 068809
Name: Privacy Team
Contact Details: privacy@feedzai.com
Feedzai Malta Limited
(“Feedzai Malta”)
Level 1, LM Complex, Brewery Street, Zone 3, Central Business District, Birkirkara, CBD 3040, Malta
Name: Privacy Team
Contact Details: privacy@feedzai.com
Annex 2 – Notice to Brazilian Users
General
Where this Notice to Brazilian users applies. The information provided in this ‘Notice to Brazilian users’ section applies only to individuals located in Brazil.
Controller. Feedzai is the “controller” in respect of the processing of your personal information covered by this Candidate Privacy Policy for purposes of the LGPD. See the “Who we are” and “How to contact us” sections above for our contact details.
Data Protection Officer (“DPO”). Our appointed DPO is Lígia Gutierrez Setúbal. You can contact us by sending an email to dpo@feezai.com.
Your additional rights
General. The LGPD gives you certain rights regarding your personal data in certain circumstances. If you are located in Brazil, you may ask us to take the following actions in relation to your personal information that we hold:
- Confirmation. Provide you with information on whether we process your personal data.
- Access. Provide you with information about our processing of your personal information and give you access to your personal information.
- Correct. Update or correct inaccuracies in your personal information.
- Portability. Transfer to you or a third party of your choice a machine-readable copy of your personal information which you have provided to us.
- Manage and Withdraw Consent. When we use your personal data based on your consent, you have the right to (i) be informed on the consequences of not giving your consent for a certain purpose, (ii) withdraw that consent at any time, and (iii) request your personal data to be deleted.
- Delete. Delete your personal data where there is no good reason for us continuing to process it – you also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
Exercising These Rights. You may submit these requests by contacting us using the contact details shown in the “Who We Are and How to Contact Us” section above.
We may request specific information from you to help us confirm your identity and process your request. Whether or not we are required to fulfill any request you make will depend on a number of factors (e.g., why and how we are processing your personal information), if we reject any request you may make (whether in whole or in part) we will let you know our grounds for doing so at the time, subject to any legal restrictions. All data subject requests are free of charge and may either be answered immediately or within 15 days, depending on the subject matter.
Your right to file a Complaint with ANPD. Although we urge you to contact us first to find a solution for any concern you may have, in addition to your rights outlined above, if you are not satisfied with our response to a request you make, or how we process your personal data, you can make a complaint to ANPD using the available means to make a request.
Data Processing outside Brazil. Most of our service providers, advisers, partners or other recipients of data are based outside Brazil, in Europe, and in the United States. This means that, if you use the Products and Services, your personal data may be accessed and processed abroad. We try to ensure a similar degree of protection is afforded by using specifically appropriate safeguards, such as standard contractual clauses or other standard-form contracts approved by relevant authorities for this purpose.
Uncover Your Hidden Fraud Risk
and Save Money
Don’t let outdated, legacy fraud detection solutions cost you.
Most systems are blind to the subtle patterns and emerging threats that cost businesses millions, but Feedzai goes deeper.
We’ve successfully replaced every major provider, reducing fraud losses each time. Schedule a free risk assessment, and we’ll uncover hidden vulnerabilities in your current defenses, revealing the true cost of fraud to your business.
Page printed in December 23, 2024. Plase see https://www.feedzai.com/legal/feedzai-candidate-privacy-policy for the latest version.