Privacy Notice (Candidates)
Shortlister Solutions Limited (SSL) provides software platforms that support assessment and selection activities and employability preparation, including admissions and recruitment processes. Our platforms operate under the brands Shortlister and Shortlist.Me. We are committed to protecting the personal data of all candidates who use our services.
This Privacy Notice explains what personal data we collect, how we use it, and how we keep it secure, in accordance with UK data protection laws and the EU General Data Protection Regulation (GDPR).
1. Our Role as Data Processor
Data Processor:
Shortlister Solutions Limited (SSL) acts as a data processor on behalf of a third party (the Data Controller), which may be an organisation, employer,
recruiter, educational institution, or other entity engaging our platform to help assess, select, train, or prepare candidates.
The Data Controller determines the purposes and means of processing your personal data; we only process your data under their instructions.
Contact:
If you have any questions about how your personal data is handled, you can reach our data protection contact by emailing
privacy@shortlister.com.
2. Children and Young People
Our platform is not intended for use by individuals under the age of 13.
Where an organisation (such as a school, college, university or employer) invites individuals aged 13 or over to participate in assessment, selection, preparation or training activities, the organisation is responsible for ensuring the platform is used appropriately and for providing any required information to participants.
If you are under 18 and have questions about how your personal data is used, you can contact the organisation that invited you to use the platform or email privacy@shortlister.com.
3. Personal Data We Collect
The personal data we process will depend on what the Data Controller has enabled and what is required for the activity you are taking part in. Not all data types will be collected in every scenario.
Data We Receive from the Data Controller
- Contact details (such as your name, email address and, where provided, mobile number)
- Candidate identifier (such as an applicant reference number), where provided
- Application details (such as the role, course, programme or opportunity), where provided
- Application documents (such as your CV and supporting documents), where provided
Data We Collect Directly from You
- Video or audio responses
- Written responses
- Assessment responses and results (for example aptitude, situational judgement, or other assessment responses), where enabled
- Files or evidence you upload (for example documents, portfolios, presentations, screenshots or other attachments), where enabled
- Practice or preparation content (for example practice recordings or draft answers), where enabled
Technical Information
- IP address
- Device and browser information (where necessary for troubleshooting and service optimisation)
- Usage data (such as pages visited within the platform and feature interactions)
Identity Verification
Where identity verification (IDV) is enabled, we may process identity verification information and verification results provided via our IDV partner.
4. Special Category Data
Please do not include special category personal data (such as information about your health, disability, race or ethnicity, religious beliefs, political opinions, trade union membership, genetic data, biometric data, or sexual orientation) in your responses, recordings, uploads or written answers unless the organisation has specifically requested this information and provided guidance on why it is needed.
If you provide special category personal data, SSL will only process it on the instructions of the Data Controller and in accordance with their legal basis and safeguards.
5. Lawful Basis for Processing
The Data Controller is responsible for determining the lawful basis for processing your personal data under UK GDPR.
SSL processes your personal data on behalf of the Data Controller and in accordance with our contractual obligations with them. Without your personal data, we may not be able to provide or facilitate your participation in the relevant assessment, selection, preparation or training activity.
6. How We Use Your Data
SSL only uses your personal data to provide and support the services the Data Controller has asked us to deliver. This includes:
- Providing access to the platform and administering your participation in assessment, selection, preparation and training activities
- Collecting, recording and presenting your submitted responses and results to the Data Controller
- Enabling identity verification (where enabled)
- Sending service communications such as invitations, reminders, verification links and completion confirmations
- Providing technical support and responding to queries
- Maintaining platform security and preventing misuse
- Monitoring and improving platform performance, reliability and user experience
- Converting data into anonymised or aggregated form (where appropriate) to analyse usage trends and improve our services
The organisation that invited you to use the platform will have access to your submitted responses and results as part of their assessment, selection, preparation or training process.
AI-Assisted Features
Some platform features may use artificial intelligence (AI) to support the creation of summaries, suggested feedback and insights, for example by analysing transcripts, candidate responses, or extracted document content (such as parsed CV data), where enabled. AI is used to support human review and improve efficiency.
Decisions relating to admissions, recruitment, assessment or selection are made by the organisation (or its representatives), not by SSL.
7. Data Sharing with Third Parties (Sub-Processors)
To deliver our services, SSL may share your personal data with third-party providers (sub-processors) as instructed by the Data Controller. Some suppliers are only used where specific features are enabled (for example transcription, document parsing, identity verification or AI-assisted insights).
| Company | Information shared | Purpose | Data location |
|---|---|---|---|
| Heroku | Contact details and service usage data (where applicable) | Application hosting and data processing | EU |
| Amazon Web Services | Uploaded documents, video/audio responses, assessment files | Data and media storage | EU |
| Mailgun | Name and email address | Email delivery | EU |
| Better Stack | IP address and technical logs | Logging, monitoring and technical diagnostics | EU |
| Rev.com | Audio recordings (where enabled) | Transcription and/or audio processing | EU |
| Textkernel (Bullhorn) | CVs and uploaded documents (where provided) | Document parsing and extraction of structured data | EU |
| OpenAI | Transcripts and extracted document content (such as parsed CV data), where AI features are enabled | AI-assisted summaries, suggested feedback and insights | EU |
| Yoti | Identity verification information and verification results (where enabled) | Identity verification (IDV) | UK/EU |
| *targetconnect | Name, email and feedback URL (where enabled) | Aggregation of data | EU |
*Enablement subject to Data Controller authorisation.
8. International Data Transfers
Where it is necessary to transfer your personal data outside of the UK or European Economic Area (EEA), we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Agreement (IDTA) (or UK Addendum), and implement additional safeguards as appropriate.
9. Security Measures
We take information security seriously. Our safeguards include:
- Encryption in transit and at rest
- Strict access controls and strong password policies
- Regular security reviews and updates
- Access limited to authorised personnel only
These measures help protect your data against unauthorised access, alteration, disclosure, or destruction.
10. Retention of Personal Data
Unless the Data Controller instructs otherwise, SSL will typically retain your personal data for 12 months from the date you complete the relevant activity (for example an assessment, selection activity, or preparation/training activity), after which it will be deleted or anonymised.
The Data Controller may instruct SSL to delete personal data sooner or retain it for longer in accordance with their retention policy, legal obligations, or regulatory requirements.
SSL retains technical and security logs for limited periods to maintain platform security, diagnose faults and provide support, using appropriate retention periods based on the type of log data collected.
11. Your Rights
Under data protection laws, you have the right to:
- Withdraw consent (where processing is based on your consent)
- Access your data (request a copy of the personal data held about you)
- Rectify inaccuracies (request correction of inaccurate or incomplete data)
- Delete your data (request deletion where applicable)
- Restrict processing
- Object to processing (for example where processing is based on legitimate interests)
- Data portability (where applicable)
As SSL acts as a data processor, you should direct rights requests to the Data Controller. If you contact us, we will forward your request to them.
12. How to Make a Complaint
If you are dissatisfied with how your personal data has been handled or if you feel your rights have not been upheld, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) in the UK.
Website: ico.org.uk
Telephone: 0303 123 1113
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
13. Cookies and Tracking Technologies
We may use strictly necessary cookies or similar technologies to:
- Maintain session details (for example, keeping you logged in)
- Enable video streaming and other interactive features
These cookies do not collect personal data beyond what is necessary to provide the service. We do not use cookies for profiling or targeted advertising.
14. Updates to This Notice
We may update this Privacy Notice to reflect changes in our practices or legal requirements. Any updates will be posted with a clear effective date. We encourage you to review this Notice periodically.
15. Contact Us
If you have any questions about this Privacy Notice or wish to know more about how we handle your personal data, please email us at: privacy@shortlister.com.
