GDPR Compliance Statement

How NoesisHiring complies with the UK General Data Protection Regulation

Noesis Hiring Ltd · Version 1.0 · Effective Date: 21 May 2026

Contents

  • 1. Introduction
  • 2. Lawful Basis for Processing
  • 3. Categories of Personal Data
  • 4. Data Subject Rights
  • 5. Automated Decision-Making
  • 6. Data Retention
  • 7. International Data Transfers
  • 8. Data Protection Officer
  • 9. Breach Notification
  • 10. Joint Controller Provisions
  • 11. Tenant Obligations
  • 12. Updates to this Statement

1. Introduction

NOESIS HIRING LTD ("NoesisHiring", "NH", "we") operates an AI-supported applicant selection process for hiring (the "Platform"), enabling employer organisations ("Tenant Companies") to receive, process, and assess job applications.

This statement describes how NoesisHiring complies with the UK General Data Protection Regulation (Regulation 2016/679 as retained in UK law) and the Data Protection Act 2018. The personal data processed through the Platform consists primarily of applicant identification data, CV content, application metadata, core skills assessment (TRIAGE™), AI-generated assessment outputs (the CVs' AI Assessment), deterministic assessment outputs (COB, EQ, LAA, TRIO™), and candidate-authored communications.

NoesisHiring acts as a data processor on behalf of Tenant Companies for the majority of processing activities, and as a joint controller with the Tenant Company for the CVs' AI Assessment specifically (see Section 10). The binding allocation of roles and responsibilities is set out in the Data Processing Agreement ("DPA").

2. Lawful Basis for Processing

NoesisHiring processes personal data under the following lawful bases.

2.1 Applicant Personal Data — Explicit Consent

The Platform collects explicit consent (Article 6(1)(a) UK GDPR) from each Applicant at the point of application via the tenant-branded application page. The consent record is captured through the Platform's auditable consent-capture mechanism. Without this consent, the Application cannot proceed.

The consent covers:

  • Storage and transmission of CV content and application data;
  • Processing of CV content through the CVs' AI Assessment (AI-powered analysis described in Section 5);
  • Operation of the deterministic assessments TRIO™ aggregation (COB, EQ, LAA), when included;
  • Storage of TRIAGE™ (responses to the core skills assessment) for direct use by the Tenant Company;
  • AI-assisted candidate communications between the Platform's AI agent (NoaH) and the Applicant, and vice versa.

Applicants may withdraw their consent at any time (see Section 4).

2.2 Tenant Company Personnel Data — Contract Performance

NoesisHiring processes Tenant Company user account data (name, work email, role, account activity and usage logs) as necessary for the performance of the Terms of Service (Article 6(1)(b) UK GDPR).

2.3 Security, Fraud Prevention, Legal Compliance

NoesisHiring processes technical data (IP address, browser information, timestamps) for security, fraud prevention, and abuse detection under legitimate interests (Article 6(1)(f) UK GDPR), and processes data for legal compliance and dispute resolution under legal obligation (Article 6(1)(c) UK GDPR).

2.4 Special-Category Data (Article 9 UK GDPR)

The Platform is not designed to collect special-category data within the meaning of Article 9 UK GDPR. Applicants are encouraged to anonymise their CVs by removing information that could reveal protected characteristics. Where special-category data is inadvertently included in CV content, it is processed only as necessary to store and display the CV to the Tenant Company, and is not used as a deliberate input to the CVs' AI Assessment beyond such storage and display.

3. Categories of Personal Data

The Platform processes the following categories of personal data.

3.1 Applicant Data

  • Identity data: name, contact details (email; optionally phone/LinkedIn)
  • CV content: employment history, education, qualifications, skills, and any other information included by the Applicant
  • Application content: message to the recruiter (free-text, optional)
  • Assessment responses: answers to deterministic questionnaires (COB, EQ, LAA) and to TRIAGE™ Employer-designed questions
  • Assessment outputs: AI-generated CVs' AI Assessment (KSCE), deterministic COB/EQ/LAA scores, deterministic TRIO™ aggregation
  • Candidate-authored communications: free-text emails exchanged with the Platform's AI agent (NoaH)
  • Technical data: IP address, browser information, timestamps

3.2 Tenant Company User Account Data

  • Name, work email address, role (SuperAdmin, Admin, Regular user, Consultant, Partner)
  • Account activity and usage logs

Data flow detail. For a flow-by-flow map of which personal data categories cross borders to which sub-processor, see the Data Flow Diagram Appendix to the DPA.

4. Data Subject Rights

Under the UK GDPR, data subjects (Applicants and Tenant Company users) have the following rights:

  • Right of access (Article 15) — request a copy of personal data held;
  • Right to rectification (Article 16) — request correction of inaccurate data;
  • Right to erasure (Article 17) — request deletion of personal data;
  • Right to restrict processing (Article 18);
  • Right to data portability (Article 20) — receive personal data in a structured, machine-readable format;
  • Right to object (Article 21) — object to processing based on legitimate interests (e.g., security and fraud-prevention processing);
  • Right to withdraw consent (Article 7(3)) — where processing is based on consent, withdraw at any time without affecting the lawfulness of processing before withdrawal;
  • Rights related to automated decision-making (Article 22 — see Section 5).

4.1 How to Exercise Rights

Requests may be submitted to privacy@noesishiring.ai. NoesisHiring will respond within one month of receipt, or notify the data subject of an extension (up to two further months) where the request is complex or numerous.

4.2 Routing Between Processor and Controller

Because NoesisHiring acts as a processor for the majority of activities:

  • Requests relating to the CVs' AI Assessment methodology and assessment scores are handled by NoesisHiring directly (per DPA §2.3).
  • Requests relating to hiring decisions, employment offers, or rejection rationale are routed to the relevant Tenant Company.
  • Where routing is unclear, NoesisHiring acknowledges receipt, informs the Tenant Company, and the parties cooperate to respond within the statutory deadline.

4.3 Complaint to the Supervisory Authority

Data subjects also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues: www.ico.org.uk, helpline 0303 123 1113.

5. Automated Decision-Making (Article 22)

NoesisHiring's position. The Platform generates AI-assisted assessment outputs (the CVs' AI Assessment) that inform Tenant Company hiring decisions. NoesisHiring's position is that the use of the Platform does not, in itself, constitute solely automated decision-making within the meaning of Article 22 UK GDPR, because consequential hiring decisions (hire, reject, advance) are made by human Hiring Managers at the Tenant Company.

5.1 Safeguards Built into the Platform

  • Human Hiring Managers retain final authority on all consequential decisions.
  • Designated never-automated action categories — including rejection communications, employment offers, salary negotiation, contract dispatch, and background-check initiation — are always human-driven.
  • Compensatory reasoning prevents inferred gaps in a candidate's profile from being treated as final negatives without human-reviewable explanation.
  • AI anomalies perceived by a candidate can be flagged for Hiring Manager verification.
  • Candidates who believe an AI assessment is flawed can require direct Hiring Manager involvement.
  • All AI-composed candidate communications require Hiring Manager intent input and are verifiable by the Hiring Manager at the time of sending.
  • The Platform does not autonomously recommend, select, or exclude Applicants in a way that replaces the Hiring Manager's discretion (see Terms of Service §2.3).

5.2 Tenant Company Responsibility

As the controller for hiring decisions, the Tenant Company is responsible for ensuring meaningful human review of AI-generated assessments in accordance with DPA §6.3 and the deployer obligations under the EU AI Act (see EU AI Act Compliance Statement).

5.3 Applicant Right to See Scores and Request Review

NoesisHiring provides Applicants with a copy of their CVs' AI Assessment scores and a general explanation of what those scores represent, in accordance with DPA §6.4. Applicants who consider that they have been subject to a decision based solely on automated processing may request a human review by contacting privacy@noesishiring.ai or the relevant Tenant Company.

6. Data Retention

Personal data is retained no longer than necessary for the purposes for which it is processed.

Data Category / Retention Period:

  • Applicant CV content and assessment outputs: 24 months from the Applicant's last activity, or until deleted by the Tenant Company or by Applicant request, whichever is sooner
  • Talent Pool data (where the Applicant has consented to inclusion via the opt-out clause in candidate communications): same 24-month period from last activity, unless the Applicant has expressly indicated "I prefer you NOT to keep my profile in your records," in which case data is deleted at the end of the active recruitment cycle
  • Candidate-authored communications: same retention as the Applicant record they relate to
  • Tenant Company account data: duration of the contract plus 6 years (UK statutory limitation period)
  • Tenant Company activity and usage logs: 12 months
  • Security and audit logs: 12 months
  • AI sub-processor processing logs: up to 30 days (Anthropic Claude API) and up to 55 days (Google Gemini API) for abuse monitoring only (see DPA Schedule 2)

On termination of the Tenant Company contract, NoesisHiring provides a 30-day data export window before deletion, in accordance with DPA §3.7.

7. International Data Transfers

Personal data processed through the Platform is stored primarily in Google Cloud Platform (Firestore) in the europe-west4 region (Amsterdam, Netherlands). Limited transfers to the United States occur where AI inference is performed by Anthropic Claude API or Google Gemini API, and where Google Cloud Platform performs backup operations.

7.1 Transfer Mechanisms

Sub-processor / Location / Transfer Mechanism:

  • Google Cloud Platform (Firebase/Firestore). Location: EU/UK primary (europe-west4); USA (backup only). Transfer mechanism: UK Adequacy Regulations; UK Addendum to the EU Standard Contractual Clauses (SCCs); International Data Transfer Agreement (IDTA)
  • Anthropic PBC (Claude API). Location: USA. Transfer mechanism: SCCs / IDTA; Data Processing Agreement with Anthropic
  • Google LLC (Gemini API). Location: USA. Transfer mechanism: SCCs / IDTA; Data Processing Agreement with Google

7.2 Supplementary Measures

AI sub-processors operate under commercial API agreements that prohibit use of processed data for AI model training, and retain processed data for limited periods (30 days Anthropic; 55 days Google) for abuse monitoring only. NoesisHiring does not allow its AI sub-processors to use Applicant Data for model training.

Data-flow detail. For a flow-by-flow map of which personal data categories cross borders to which sub-processor, see the Data Flow Diagram Appendix to the DPA.

8. Data Protection Officer

NoesisHiring's designated Data Protection Officer is Antonio Specchia, who operates independently in accordance with Article 38 UK GDPR and reports directly to the company's executive leadership. The DPO can be contacted by data subjects, supervisory authorities, and the Information Commissioner's Office on any privacy-related matter.

Data Protection Officer: Antonio Specchia

Email: privacy@noesishiring.ai

Postal: NOESIS HIRING LTD, 167-169 Great Portland Street, London W1W 5PF, United Kingdom

9. Breach Notification

NoesisHiring maintains security monitoring, anomaly detection, and incident response procedures designed to identify potential personal data breaches as defined in Article 4(12) UK GDPR.

9.1 Notification to Tenant Companies

When NoesisHiring becomes aware of a personal data breach affecting Applicant data processed on behalf of a Tenant Company, NoesisHiring notifies the Tenant Company without undue delay and in any event within seventy-two (72) hours, in accordance with DPA §4 and Article 33(2) UK GDPR.

9.2 Notification to the Supervisory Authority

Where NoesisHiring is the controller (i.e., for breaches affecting Tenant Company user account data or breaches affecting joint-controller activities), NoesisHiring notifies the Information Commissioner's Office (ICO) within 72 hours of becoming aware where the breach is likely to result in a risk to the rights and freedoms of natural persons, in accordance with Article 33 UK GDPR.

9.3 Notification to Data Subjects

Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, NoesisHiring (or the Tenant Company, as applicable) notifies the affected data subjects without undue delay, in accordance with Article 34 UK GDPR.

9.4 Cooperation

NoesisHiring cooperates with Tenant Companies and supervisory authorities in the investigation, mitigation, and remediation of any breach.

10. Joint Controller Provisions

NoesisHiring and the Tenant Company act as joint controllers within the meaning of Article 26 UK GDPR for one specific processing activity:

  • CVs' AI Assessment — CV parsing, semantic comprehension, and evaluation of Knowledge, Skill, Competence, and Experience (KSCE). NoesisHiring determines the assessment methodology; the Tenant Company determines the purpose for which the assessment outputs are used.

The respective responsibilities of NoesisHiring and the Tenant Company for this joint-controller activity are allocated in Section 2.3 of the Data Processing Agreement. The DPA contains the binding allocation table; Tenant Company attestation to the DPA constitutes acceptance of this allocation.

Information to Applicants. The essence of this joint-controller arrangement is made available to Applicants through both parties' respective privacy notices.

Contact point. Applicants may exercise their rights against either joint controller. The party receiving a request informs the other and the parties cooperate to respond.

Future scope. AI analysis of TRIAGE™ responses is not currently performed by NoesisHiring. Should NoesisHiring introduce such analysis in future, this statement and the DPA will be amended in accordance with DPA §9.2 and Tenant Companies will be notified at least 30 days in advance.

11. Tenant Obligations

Tenant Companies act as data controllers for Applicant data processed through the Platform on their behalf. As controllers, Tenant Companies are responsible for:

  • Informing Applicants of NoesisHiring's role as processor and of the joint-controller arrangement described in Section 10;
  • Ensuring meaningful human review of all consequential hiring decisions, in accordance with DPA §6.3;
  • Honouring data subject requests forwarded by NoesisHiring within statutory deadlines;
  • Maintaining the Tenant Company's own UK GDPR documentation (records of processing activities under Article 30, DPIAs under Article 35 where required) and responding to ICO inquiries directed at the Tenant Company;
  • Notifying NoesisHiring promptly of any personal data breach the Tenant Company becomes aware of that may affect data processed through the Platform;
  • Ensuring TRIAGE™ questions and any other Tenant-configured content are lawful, non-discriminatory, and appropriate for the role (see Terms of Service §5.3).

12. Updates to this Statement

NoesisHiring may update this statement to reflect changes in applicable data protection law, sub-processors, processing activities, or platform features.

Material changes — including any new sub-processor, any change to the lawful-basis position, any expansion of cross-border transfers, or any new high-risk processing activity — will be notified to Tenant Company Super Admins at least thirty (30) days before taking effect and will require re-attestation via the Account Settings page.

Non-material changes (typographical corrections, clarifications, updated cross-references) will be reflected in the version history without re-attestation.

NOESIS HIRING LTD

167-169 Great Portland Street, London W1W 5PF, United Kingdom

DPO: Antonio Specchia · privacy@noesishiring.ai

Legal notices: legal@noesishiring.ai

Client-only document

This document is available in the client account's dashboard.