Privacy policy.

This policy explains what personal data Commit Talent Ltd ("Commit Talent", "we", "us") collects, why we collect it, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

For a focused summary of your rights and how to exercise them, see our GDPR & your data page.

1. Who is the data controller

Commit Talent Ltd is the data controller for any personal data we collect through this website or in the course of providing recruitment services. Commit Talent Ltd is registered in Scotland under Companies House number SC890527 and is registered with the Information Commissioner's Office under reference ZC154591.

2. What data we collect

We collect different categories of data depending on who you are and how you interact with us.

If you submit our contact form:

• Your name and email address.
• Whether you indicated you are hiring, job-hunting, or contacting us for another reason.
• The content of your message.
• Standard technical metadata (IP address, timestamp, browser type) collected by our hosting infrastructure for security and abuse prevention.

If you are a candidate we are engaging with:

• Your CV and the information it contains (employment history, education, skills, contact details).
• Our notes from any technical screening or follow-up calls.
• Email correspondence.
• Your stated salary expectations, location, notice period and right-to-work status.

If you are a client (or prospective client):

• Business contact details for the people we communicate with at your organisation.
• Role briefs, salary bands and other commercial information you share with us.
• Records of placements and invoices.

3. Why we collect it and our lawful basis

Under UK GDPR, we need a lawful basis for processing your data. We rely on:

• Legitimate interest — for sourcing and screening candidates, corresponding with clients, and operating the agency. We have assessed that this processing is necessary and does not override your rights and freedoms. Our screening uses software that ranks and filters CVs against a role's requirements; a person reviews candidates before they are put forward. See the GDPR & your data page for your rights around this.
• Consent — where you submit our contact form, explicitly opt in to be contacted about specific roles, or accept analytics cookies. You can withdraw consent at any time.
• Contract — to perform our obligations under any engagement letter or contract for services.
• Legal obligation — to comply with tax, employment, and recruitment regulations (including the Conduct of Employment Agencies and Employment Businesses Regulations 2003).

4. Who we share data with

We only share data where it is necessary to do our work or to comply with the law.

• Clients — we share candidate CVs and our screening notes with clients in the context of an active recruitment brief. We will tell candidates which client we are sharing their information with before doing so.
• Email service provider — we use a third-party transactional email provider to send correspondence. The provider is named in section 7.
• Google Analytics — if you accept analytics cookies, we use Google Analytics 4 to understand how the website is used in aggregate. It does not run unless you opt in. The provider is detailed in section 7.
• Professional advisers — accountants and legal advisers, where necessary, under appropriate confidentiality obligations.
• Authorities — where required by law (HMRC, ICO, courts).

We do not sell personal data. We do not share data with marketing-list brokers, lead generation services, or any third party for their own marketing purposes.

5. How long we keep data

• Candidate data: retained for up to 24 months from the last meaningful interaction. After 24 months of no contact, we delete or anonymise the record unless you have asked us to keep your details on file longer.
• Client records and invoices: retained for 7 years after the end of the commercial relationship, in line with HMRC requirements.
• Contact form submissions where no recruitment relationship begins: retained for 12 months, then deleted.
• Server logs: retained for 30 days, used only for security and abuse prevention.

6. International transfers

Some of our service providers (see section 7) operate servers outside the United Kingdom. Where personal data is transferred outside the UK, we rely on the UK Government's adequacy decisions or, where none applies, on UK International Data Transfer Agreements with the provider.

In particular, if you accept analytics cookies, Google Analytics data is processed by Google LLC in the United States. We rely on the UK extension to the EU–US Data Privacy Framework, under which Google is certified, for that transfer.

7. Data processors we use

We use the following categories of third-party processor. Specific provider names will be confirmed before the site is launched to a wider audience:

• Transactional email — Amazon SES (Amazon Web Services, Inc.) — for sending replies to contact-form enquiries and ongoing recruitment correspondence. This processes the recipient's email address and the content of the message. International transfers are handled as described in section 6.
• Website analytics — Google Analytics 4 (Google LLC) — for understanding aggregate site usage. Google Analytics sets first-party cookies and processes a pseudonymous identifier together with technical data such as a truncated IP address. It is loaded only after you accept analytics cookies, and never on our candidate or client portals. Lawful basis: your consent (see section 3). See section 8 for the specific cookies and how to change your choice.

We do not currently use a candidate-facing ATS or CRM, nor do we run automated background checks. If we add such processors in the future, we will update this policy and contact existing candidates and clients.

8. Cookies and similar technologies

This website uses a minimal set of cookies:

• Strictly necessary — a session cookie issued by our application to keep contact-form submissions secure (CSRF protection). This is required for the site to work, so it is not subject to consent.
• Analytics — if you accept, Google Analytics sets the cookies _ga and _ga_<id> to measure aggregate usage. These are set only after you opt in, and never on our candidate or client portals. Decline and they are never set.

You choose whether to allow analytics cookies the first time you visit, and you can change your mind at any time: Manage cookie preferences

We do not use advertising cookies, social media trackers, or third-party tracking pixels.

9. Security

Personal data is held on UK or EU-hosted servers, transmitted over HTTPS, and access is restricted to the people who need it to do their work. We use modern password hashing, multi-factor authentication where supported, and encrypted backups.

10. Your rights

Under UK GDPR you have the right to access, correct, delete, restrict, port, or object to our processing of your personal data, and to withdraw any consent you have given. See the GDPR & your data page for the specifics and how to exercise these rights.

11. How to complain

We would always prefer to address concerns directly, so please raise them with us first via the contact form. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at any time, at ico.org.uk/make-a-complaint.

12. Changes to this policy

We will update this policy when our practices change or when the law requires it. The "last updated" date at the top of the page will reflect the most recent revision.