Terms & Conditions
Privacy Policy & Term and Condition
Last updated: 2026-01-08
This Privacy Policy explains how Kretsia (“Kretsia”, “we”, “us”, or “our”) processes personal data in connection with our recruitment and relationship management platform, including our Applicant Tracking System (ATS), CRM, career pages, analytics and dashboards, job parsing and sorting, interview workflows, digital references, digital signatures, and databases for candidates, employees, and clients (together, the “Services”). This Privacy Policy also explains what rights you have under applicable data protection laws, including the EU General Data Protection Regulation (GDPR), and how you can exercise those rights
Scope – Who This Privacy Policy Applies To This Privacy Policy describes how Kretsia processes personal data if you: Use Kretsia’s Services on behalf of a Kretsia customer, for example as a recruiter, HR professional, hiring manager, or administrator (“User”). Represent a Kretsia customer in a contractual, financial, or operational capacity, such as signing an agreement or acting as a billing contact (“Customer’s Contact Person”). Represent a company that Kretsia has identified as a potential customer (“Potential User”). Represent a supplier, technology partner, or integration partner working with Kretsia (“Partner’s Contact Person”). Contact Kretsia via our website, email, support channels, events, or other means without belonging to the categories above (“Other Contact Person”). This Privacy Policy also explains what rights you have and how you can exercise them.
Important clarifications If your personal data is processed by a company that uses Kretsia’s Services (for example, when you apply for a job via a customer’s career page), that company is responsible for its own processing of your personal data. Please refer to that company’s privacy policy. If you apply for a job directly at Kretsia, the processing of your personal data is governed by a separate candidate privacy policy available on Kretsia’s career page. When we mention “Kretsia”, “we”, or “us”, we refer to the legal entity operating the Kretsia platform. Full company details are provided in Section 9 below.
1) About Processing of Personal Data
1.1 Definition of personal data Personal data is any information relating to an identified or identifiable natural person. This includes information such as first name, last name, email address, phone number, postal address, IP address, CVs, candidate profiles, and online identifiers.
1.2 What processing means Processing includes any operation performed on personal data, whether automated or manual. Examples include collecting, recording, structuring, storing, updating, analyzing, sharing, transferring, anonymizing, and deleting personal data.
1.3 Applicable data protection legislation Kretsia processes personal data in accordance with applicable data protection laws. A key regulation governing our processing activities is the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). Depending on your location, additional national or regional laws may apply.
Under the GDPR, different obligations apply depending on whether an organization acts as a data controller or a data processor: A data controller determines the purposes and means of processing personal data. A data processor processes personal data solely on behalf of, and in accordance with instructions from, a data controller.
2) Is Kretsia a Data Controller or Data Processor?
2.1 Users of the Services When a company subscribes to Kretsia’s Services and grants you access as a User, that company acts as the data controller for personal data processed within the Service for recruitment, HR, and client management purposes. In this context, Kretsia acts as a data processor, processing personal data strictly in accordance with the customer’s instructions and the applicable data processing agreement. However, Kretsia also processes certain personal data about Users for its own independent purposes, such as account administration, billing, security, analytics, product improvement, and customer support. For these processing activities, Kretsia acts as a data controller, and this Privacy Policy applies.
2.2 All other categories of individuals For Customer’s Contact Persons, Potential Users, Partner’s Contact Persons, and Other Contact Persons, Kretsia processes personal data as a data controller. This Privacy Policy fully applies to such processing.
3) What Personal Data Do We Process?
Depending on your relationship with Kretsia, we may process the following categories of personal data:
3.1 Identification and contact data First name, and last name, Email address, Phone number, Postal address, Job title, and professional role, Company name, Candidates profile.
3.2 Recruitment and candidate-related data (processed on behalf of customers) Candidate profiles and application data CVs, cover letters, and attachments Education, employment history, and skills Interview notes, evaluations, and assessments Digital reference information Offer letters, contracts, and digitally signed documents
3.3 Employee, client, and CRM data Employee profiles and records Client and customer contact details Communication history and relationship notes
3.4 Technical, usage, and log data IP address Login and access logs Activity within the Services Date, time, and duration of usage.
3.5 Device information Browser type and version Operating system Device type Language preferences Screen resolution and similar technical identifiers
3.6 Communication data Messages submitted via website forms Email correspondence Support tickets and chat communications Feedback, survey responses, and reviews
4) Where Do We Receive Your Personal Data From?
4.1 All categories We collect personal data from: You, when you create an account, use the Services, communicate with us, attend events, or request information The company you represent, for example to set up user access, manage subscriptions, or handle billing Publicly available sources, such as professional networking platforms or company websites.
4.2 Potential Users For Potential Users, we may also receive personal data from: Business and technology partners Lead generation and marketing service providers Public directories and professional databases You may contact us at any time to request information about the specific sources of your personal data.
5. Purposes of Processing, Legal Basis, and Retention Periods
This section explains:
The purposes for which we process personal data.
The categories of personal data involved.
The legal basis under the GDPR.
How long the data is retained.
5.1 Common purposes for all categories :- Providing information, demos, and support We process personal data to respond to inquiries, provide demos, deliver requested information, and document our communication. Legal basis: Legitimate interest (Article 6(1)(f) GDPR). Retention: Up to 3 years after last contact, unless a longer period is required. Operation, security, and improvement of the Services We process data to operate, maintain, test, secure, and improve our Services, including fraud prevention and misuse detection. Legal basis: Legitimate interest (Article 6(1)(f) GDPR). Retention: Varies depending on data type; log data is typically retained up to 12 months. Analytics and statistics We create aggregated and, where possible, anonymized statistics to understand how our Services and websites are used. Legal basis: Legitimate interest (Article 6(1)(f) GDPR). Retention: For the duration of the anonymization or aggregation process. Legal obligations and claims We process personal data to comply with legal obligations and to establish, exercise, or defend legal claims. Legal basis: Legal obligation (Article 6(1)(c) GDPR) and legitimate interest (Article 6(1)(f) GDPR). Retention: As required by applicable law.
5.2 Users Service communication, surveys, and feedback We may contact Users regarding service updates, surveys, or feedback related to the Services. Legal basis: Legitimate interest. Retention: For the duration of the customer relationship and up to 3 years thereafter. Marketing of relevant services and events We may market services and events that are relevant to Users. Users can opt out at any time. Legal basis: Legitimate interest. Retention: Up to 3 years after the customer relationship ends.
5.3 Customer’s Contact Persons and Partner’s Contact Persons. Contract administration and billing We process personal data to enter into, administer, and document agreements, and to handle invoicing and payments. Legal basis: Legitimate interest and legal obligation (accounting laws). Retention: Contract duration and up to 7–10 years thereafter, depending on legal requirements.
5.4 Potential Users Sales and marketing activities, We process personal data to market our Services, contact you about potential cooperation, and tailor our communications. Legal basis: Legitimate interest. Retention: Up to 2 years from last contact.
6. Whom Do We Share Your Personal Data With?
We may share personal data with: Kretsia customers (when you use the Services on their behalf). Service providers and sub-processors (e.g. hosting, analytics, support systems, digital signature providers). Business partners involved in joint events or content. Authorities or other parties when required by law or legal proceedings. Parties involved in a merger, acquisition, or sale of assets. All recipients process personal data under appropriate confidentiality and data protection agreements.
7. Transfers of Personal Data Outside the EU/EEA
Kretsia primarily processes personal data within the EU/EEA. Where personal data is transferred outside the EU/EEA, we ensure that appropriate safeguards are in place, such as: Adequacy decisions by the European Commission EU Standard Contractual Clauses Additional technical and organizational security measures You may contact us for more information about international transfers and applied safeguards.
8. What Rights Do You Have, and How Can You Exercise Them?
Under the EU General Data Protection Regulation (GDPR) (Articles 12–23), the UK GDPR, and other applicable data protection laws, you have specific rights in relation to the personal data that Kretsia processes about you. The scope of these rights may vary depending on applicable law, your location, and whether Kretsia acts as a data controller or a data processor.
8.1 Your data protection rights. Where Kretsia acts as a data controller, you have the following rights: Right of access (Article 15 GDPR) You have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, access to that personal data and related information. Right to rectification (Article 16 GDPR) You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data. Right to erasure – “right to be forgotten” (Article 17 GDPR) You have the right to request the deletion of your personal data where, for example, the data is no longer necessary for the purposes for which it was collected, consent has been withdrawn, or the data has been unlawfully processed. Right to restriction of processing (Article 18 GDPR) You have the right to request that the processing of your personal data be restricted in certain circumstances, such as where the accuracy of the data is contested or where the processing is unlawful but you oppose erasure. Right to data portability (Article 20 GDPR) Where processing is based on consent or on a contract and carried out by automated means, you have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where technically feasible. Right to object (Article 21 GDPR) You have the right to object, on grounds relating to your particular situation, to processing based on Kretsia’s legitimate interests. Where personal data is processed for direct marketing purposes, you have the unconditional right to object at any time. Right not to be subject to automated decision-making (Article 22 GDPR) You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless permitted by law. Right to withdraw consent (Article 7(3) GDPR) Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to the withdrawal. Right to lodge a complaint (Article 77 GDPR) You have the right to lodge a complaint with a supervisory authority. In the EU/EEA, this is typically the authority in your country of residence, place of work, or where the alleged infringement occurred. In the UK, this is the Information Commissioner’s Office (ICO).
8.2 Processing on behalf of Kretsia customers (data processor role) Where Kretsia processes personal data on behalf of a customer (for example, within the ATS, CRM, or recruitment workflows), Kretsia acts as a data processor and processes personal data in accordance with the customer’s instructions and a Data Processing Agreement (DPA). In such cases: The customer is the data controller Requests to exercise data subject rights should primarily be directed to the relevant customer. Kretsia will assist the customer in fulfilling such requests in accordance with the DPA and applicable law.
8.3 How to exercise your rights To exercise your rights, you may contact Kretsia using the contact details in Section 9. We may request additional information to verify your identity before responding. We will respond to your request without undue delay and within the time limits set out in applicable data protection law (generally within one month).
9. Where Do You Turn With Comments or Questions?
If you have any questions, comments, or concerns regarding this Privacy Policy or Kretsia’s processing of personal data, you may contact us at:
Kretsia AB
Pumpgatan 1, 417 55 Göteborg Sweden
Email: support@kretsia.com
Website: www.kretsia.com
If required under applicable law, Kretsia has appointed an internal data protection contact or Data Protection Officer (DPO). check section Annex B – Data Processing Agreement (DPA). Requests and inquiries submitted using the contact details above will be routed to the appropriate privacy function. For Users whose personal data is processed by Kretsia on behalf of a customer, privacy-related inquiries may also be addressed to the relevant customer acting as data controller.
10. Updates to This Privacy Policy
Kretsia may update this Privacy Policy from time to time to reflect changes in: Applicable data protection laws (including GDPR, UK GDPR, or non-EU legislation). Our Services or processing activities. Legal, regulatory, or business requirements. When material changes are made, we will update the “Last updated” date at the top of this Privacy Policy and, where required by law, provide additional notice through our website or other appropriate communication channels. We encourage you to review this Privacy Policy periodically to remain informed about how we process and protect personal data.
Annex A – Jurisdiction-Specific Privacy Notices
This Annex supplements the Kretsia Privacy Policy and applies depending on your place of residence or the applicable law.
Annex A.1 – United States Privacy Notice
This section applies to individuals residing in the United States, including California, Colorado, Virginia, Connecticut, Utah, and other U.S. states with comprehensive privacy laws.
A.1.1 Categories of personal data processed Kretsia may process the following categories of personal data, as defined under applicable U.S. privacy laws: Identifiers (e.g. name, email address, IP address) Professional or employment-related information Internet or network activity information Customer service and communications data Kretsia does not sell personal data and does not share personal data for cross-context behavioral advertising as defined under the California Consumer Privacy Act, as amended by the CPRA.
A.1.2 Your U.S. privacy rights Depending on your state of residence, you may have the right to: Know what personal data is collected, used, disclosed, or shared. Access your personal data. Correct inaccurate personal data. Delete personal data, subject to legal exceptions. Opt out of certain processing activities, where applicable. Not be discriminated against for exercising your rights.
A.1.3 Exercising your rights You may exercise your rights by contacting Kretsia as described in Section 9 of the Privacy Policy. We may verify your request as permitted by law. Where Kretsia processes personal data on behalf of a customer, requests may need to be directed to that customer as the data controller or business.
Annex A.2 – Canada Privacy Notice (PIPEDA)
This section applies to individuals in Canada and is intended to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws.
A.2.1 Purposes and consent Kretsia collects, uses, and discloses personal information only for purposes that a reasonable person would consider appropriate under the circumstances. Where required, consent is obtained expressly or implied, depending on the sensitivity of the information and legal requirements.
A.2.2 Your rights under Canadian law You have the right to: Access your personal information. Request correction of inaccurate or incomplete information. Withdraw consent, subject to legal or contractual restrictions.
A.2.3 Cross-border transfers Personal information may be transferred outside Canada for processing. Kretsia uses contractual and technical safeguards to ensure a comparable level of protection.
Annex A.3 – Asia-Pacific (APAC) Privacy Notice
This section applies to individuals in APAC jurisdictions, including but not limited to Singapore (PDPA), Australia (Privacy Act), Japan (APPI), and similar frameworks.
A.3.1 Legal bases and purposes Kretsia processes personal data in accordance with applicable APAC privacy laws, relying on consent, contractual necessity, legitimate business purposes, or other lawful bases permitted by local legislation.
A.3.2 Your rights Depending on your jurisdiction, you may have the right to: Access personal data. Request correction. Withdraw consent. Request deletion, subject to legal exceptions.
A.3.3 International transfers
Where personal data is transferred across borders, Kretsia implements appropriate safeguards consistent with applicable APAC data transfer requirements.
Annex B – Data Processing Agreement (DPA)
This Data Processing Agreement (“DPA”) forms part of the agreement between Kretsia and its customer (“Customer”) where Kretsia processes personal data on behalf of the Customer.
1. Definitions
Terms such as “personal data,” “processing,” “controller,” “processor,” and “supervisory authority” have the meanings given in the GDPR and UK GDPR.
2. Roles of the Parties
The Customer acts as the data controller. Kretsia acts as the data processor. Kretsia processes personal data solely on documented instructions from the Custome.
3. Scope and Purpose of Processing
Kretsia processes personal data for the purpose of providing its recruitment, ATS, CRM, analytics, digital signature, and related Services. Categories of data subjects may include:
1) Candidates
2) Employees
3) Contractors
4) Client contacts
5) Users of the Services
4. Processor Obligations
Kretsia shall:
Process personal data only on documented instructions from the Customer. Ensure confidentiality of personnel. Implement appropriate technical and organizational security measures. Assist the Customer in responding to data subject rights requests. Assist with data protection impact assessments (DPIAs) where required. Notify the Customer without undue delay of a personal data breach. Delete or return personal data upon termination of the Services, unless retention is required by law.
5. Sub-Processors
The Customer authorizes Kretsia to engage sub-processors necessary to deliver the Services. Kretsia shall: Enter into written agreements with sub-processors. Impose data protection obligations equivalent to this DPA. Remain responsible for sub-processor performance. An up-to-date list of sub-processors may be made available upon request.
6. International Data Transferscessors
Where personal data is transferred outside the EU/EEA or UK, Kretsia shall ensure appropriate safeguards, including: EU Standard Contractual Clauses. UK International Data Transfer Addendum. Adequacy decisions. Additional technical and organizational measures.
7. Audits and Compliance
Upon reasonable request, Kretsia shall make available information necessary to demonstrate compliance with this DPA and allow for audits, subject to confidentiality and security requirements.
8. Liability
Liability under this DPA shall be subject to the limitations set out in the main agreement between the parties, to the extent permitted by applicable law.
9. Governing Law
This DPA shall be governed by the same law and jurisdiction as the main agreement between Kretsia and the Customer, unless otherwise required by applicable data protection law.
Company information:
Org nr: 5595474114
Kretsia AB
Pumpgatan 1, 417 55 Gothenburg Sweden
Email: Support@kretsia.com
