Take Flight
Take Flight

Recruitment Privacy Notice

1. Introduction

This Recruitment Privacy Notice explains how Finch LLC, a company registered in the State of Utah (United States), (“Finch”, “we”, “our”), collects, uses, stores and protects your personal information when you apply for a role with us.

This notice applies to all candidates and applicants globally, regardless of the country from which you apply.

By submitting an application, you acknowledge that your information will be processed as described below. You may opt out or request deletion at any time.

2. What personal data we collect

We collect only the information necessary to evaluate your application and manage our recruitment processes, including:

2.1. Identification and contact information

  • Name and surname
  • Email address
  • Phone number
  • Country and city
  • Any additional contact information you provide voluntarily

2.2. Professional information

  • Resume/CV, LinkedIn profile, portfolio and similar materials
  • Employment and education history
  • Skills, qualifications and certifications
  • Interview notes and assessment results
  • Communications sent by email or through our ATS

2.3. System and technical information

  • Candidate profile ID
  • Application history
  • Activity logs related to your use of the ATS
  • IP address or general device information (to ensure platform integrity)

We do not request or process sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, health data, genetic or biometric data, sexual orientation, or union membership.

  1. Why we process your data

We process your personal data for the following purposes:

  1. To assess your suitability for the role you applied for
  2. To contact you regarding your application
  3. To manage interview and evaluation processes
  4. To maintain a candidate pool for future opportunities
  5. To prevent abuse of the recruitment process
  6. To comply with legal obligations (where applicable)

Lawful basis under GDPR

For candidates in the European Union, processing is based on:

  • Article 6(1)(b) GDPR – processing necessary to take steps at your request prior to entering into an employment contract
  • Article 6(1)(f) GDPR – Finch’s legitimate interest in maintaining an efficient recruitment process, assessing applicants, and managing a candidate pool
  • When applicable: Article 6(1)(c) – compliance with legal obligations

We do not rely on consent as the primary basis for processing applicant data.

4. Data retention period

To maintain an efficient recruitment process and allow consideration for future roles, Finch retains candidate information for the following periods:

  • Candidates applying from the European Union (EU/EEA): 12 months
  • Candidates applying from all other countries: 24 months

If you take no action, your profile will be automatically deleted or anonymized at the end of the applicable retention period.

Before deletion, you may receive a notice allowing you to extend retention if you wish to remain in our candidate pool.

You may also opt out or request deletion at any time (see Section 11).

5. Opt-out of future contact

You may opt out of being contacted about future opportunities at any time through:

  • The privacy preferences link included at the bottom of all Finch recruitment emails, or
  • By requesting it via email (see Section 13)

Opting out does not automatically delete your candidate profile. If you also want your information erased, you must submit a deletion request.

6. Deletion requests (Right to erasure)

If you request deletion of your data:

  1. Your candidate profile, CV, interview notes and any associated data will be deleted or anonymized.
  2. We may retain a minimal record (such as a hashed email) in our Suppression List to ensure you are not contacted again by mistake.
  3. This minimal retention is based on Finch’s legitimate interest (Article 6(1)(f) GDPR) to prevent accidental re-contact.

7. Suppression List (Do Not Contact Registry)

Finch maintains a secure, limited-access Suppression List, used exclusively to:

  • Respect a candidate’s request not to be contacted
  • Avoid re-contacting candidates who requested deletion
  • Block future contact with individuals who engaged in fraud, threats, harassment, or other serious misconduct during the recruitment process

What we keep

  • A hashed version of the email address
  • Reason code (e.g., erasure request, opt-out, misconduct)
  • Date of entry

What we do NOT keep

  • CVs
  • Interview notes
  • Personal details
  • Any sensitive data

Data in the suppression list is stored only for the purpose of preventing future contact and is not used for recruitment evaluation.

8. Data sharing

We may share your information with:

  • Internal Finch teams involved in recruitment
  • Authorized third-party service providers (such as our Applicant Tracking System, background-check vendors, or communication tools)
  • Third-party partners assisting in hosting, analytics or system maintenance

These providers may only process your data according to Finch’s instructions, and under appropriate contractual and technical safeguards.

We do not sell personal information.

9. International transfers

Because Finch operates globally, your personal data may be transferred to countries outside your country of residence.

Our Applicant Tracking System is hosted on Amazon Web Services (AWS).

When transferring data internationally, we apply appropriate safeguards, such as:

  • Standard Contractual Clauses (SCCs) for EU/EAA data
  • Data Transfer Impact Assessments
  • Technical and organizational measures including encryption, role-based access control, and audit logging
  • AWS’s industry-standard security certifications (ISO 27001, SOC 2, etc.)

10. Data security

Finch takes reasonable technical and organizational measures to protect personal data, including:

  • Encryption in transit and at rest
  • Restricted, role-based access to candidate information
  • Secure cloud hosting with industry-standard certifications
  • Audit logging and monitoring
  • Regular security reviews and vulnerability assessments
  • Mandatory internal training on data protection and information handling

These measures are aligned with recognized standards, such as those referenced in global frameworks like ISO 27001.

11. Your rights (GDPR, CPRA and applicable laws)

Depending on your location, you may have the following rights:

  • Access your personal data
  • Rectify inaccurate or incomplete information
  • Request deletion of your data
  • Restrict or object to processing
  • Opt out of future contact
  • Opt out of selling or sharing personal information (where applicable)
  • Withdraw consent (if we ever request it for a specific purpose)
  • Lodge a complaint with a supervisory authority

Finch will respond to all valid requests within the timeframes set by applicable law.

12. How to exercise your rights

You may exercise your rights through:

  1. The Privacy Preferences link included in all recruitment emails
  2. Emailing hr@finch.com (or the designated privacy contact)

If you request deletion, your data will be erased except for the minimal suppression record described in Section 7.

  1. Changes to this notice

We may update this Recruitment Privacy Notice from time to time. Updates will be posted on our careers site or provided through our communication channels when required.

14. Contact

For questions about this notice or your personal data, please contact:

Finch LLC – Talent Acquisition Team
Email: hr@finch.com
Registered Office: State of Utah, United States