People Culture HR Privacy Policy
Effective Date: September 19, 2025
Last Updated: September 19, 2025
People Culture HR (“we,” “us,” or “our”) is a staffing and recruitment agency committed to protecting the privacy and security of personal information entrusted to us by candidates, clients, and other individuals. This Privacy Policy (“Policy”) explains how we collect, use, disclose, store, and protect personal data in connection with our services, including our website, email communications, Applicant Tracking System (ATS), and other business activities.
We operate in compliance with applicable data protection laws and regulations, including but not limited to:
- The General Data Protection Regulation (GDPR) (EU) 2016/679 and the UK GDPR;
- The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA);
- The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada;
- India’s Digital Personal Data Protection Act, 2023 (DPDPA);
- Other relevant U.S. state privacy laws (e.g., Colorado Privacy Act, Virginia Consumer Data Protection Act);
- And any other applicable international, federal, state, or local laws governing data privacy, such as those related to email communications (e.g., CAN-SPAM Act in the U.S., Canada’s Anti-Spam Legislation (CASL)).
This Policy applies to all personal data we process, including data from candidates, clients, website visitors, and other third parties. By using our services, submitting information to us, or interacting with our website, you acknowledge that you have read and understood this Policy.
If you are a resident of a jurisdiction with specific data protection rights (e.g., EU/UK under GDPR, California under CCPA/CPRA), additional provisions may apply as outlined below.
1. Information We Collect
We collect various types of personal data to provide our staffing and recruitment services. Personal data means any information that identifies or relates to an identifiable individual. The categories of personal data we may collect include:
- Contact and Identification Information: Name, email address, phone number, postal address, and other contact details.
- Professional and Employment Information: Resume/CV details, work history, education, skills, references, job preferences, and salary expectations.
- Sensitive Personal Data (High-Risk Data): Where necessary for recruitment purposes, we may process sensitive information such as Employment Insurance (EI) numbers (Canada), Permanent Account Numbers (PAN) (India), Social Security Numbers (SSN) or equivalents, health information (e.g., for accommodations), racial or ethnic origin, or other protected categories. We only collect this with explicit consent or as required by law.
- Client Data: For clients (e.g., employers), we collect business contact information, job requirements, confidential hiring needs, and financial details (e.g., billing information, payment history).
- Technical and Usage Data: IP address, browser type, device information, website usage patterns, and cookies (see our Cookie Policy for details).
- Communication Data: Content from emails, forms, or other interactions.
- Other Data: Any additional information you provide voluntarily, such as feedback or survey responses.
We do not collect personal data from children under 16 years of age without verifiable parental consent, and our services are not directed at children.
2. How We Collect Your Information
We collect personal data through:
- Direct Interactions: When you submit a job application, register on our website, sign up for newsletters, or communicate with us via email, phone, or forms.
- Automated Technologies: Cookies, web beacons, and analytics tools on our website to track usage and improve services.
- Third-Party Sources: Referrals from clients or candidates, public sources (e.g., LinkedIn with your consent), background check providers, or partners.
- Applicant Tracking System (ATS): Candidates’ data is uploaded or entered into our secure ATS for recruitment purposes.
- Email Communications: When you opt in to receive job alerts, newsletters, or updates.
We only collect data that is necessary for our legitimate business purposes and obtain consent where required (e.g., for sensitive data or marketing emails).
3. How We Use Your Information
We use personal data for the following purposes:
- Recruitment and Staffing: Matching candidates to job opportunities, processing applications, conducting interviews, and facilitating placements.
- Client Services: Fulfilling client requests, managing contracts, and handling billing/invoicing.
- Communications: Sending job alerts, updates, and marketing emails (with consent; see Section 4 below).
- Compliance and Legal Obligations: Verifying identity, conducting background checks, complying with tax or employment laws, and responding to legal requests.
- Security and Improvement: Protecting against fraud, improving our website and ATS, and analyzing usage trends.
- Business Operations: Administering our services, auditing, and resolving disputes.
Our legal bases for processing under GDPR/UK GDPR include:
- Consent (e.g., for marketing or sensitive data).
- Contract performance (e.g., processing applications).
- Legitimate interests (e.g., improving services, security).
- Legal obligations (e.g., tax reporting).
We do not sell personal data as defined under CCPA/CPRA or other laws. We may share de-identified or aggregated data for analytics.
4. Consent Mechanisms for Email Communications
We send a high volume of emails for recruitment purposes, such as job alerts and client updates. All marketing emails require your explicit opt-in consent, obtained via clear checkboxes or forms on our website or during registration.
- You can withdraw consent at any time by clicking the “unsubscribe” link in any email or contacting us (see Section 14).
- Transactional emails (e.g., application confirmations) do not require consent but comply with laws like CAN-SPAM and CASL.
- We maintain records of consents and use double opt-in where appropriate to verify email addresses.
5. Protection of Candidate Data in the ATS
Candidate data stored in our ATS is protected through:
- Access controls: Limited to authorized personnel on a need-to-know basis.
- Encryption: Data at rest and in transit using industry-standard protocols (e.g., AES-256).
- Regular audits: Vulnerability scans and penetration testing.
- Data minimization: We only store necessary data and delete it when no longer needed (see Section 8).
6. Confidentiality and Security of Client Data
Client requirements, financial information, and other confidential data are handled with strict confidentiality:
- Non-disclosure agreements (NDAs) with staff and vendors.
- Segregated storage: Client data is isolated from candidate data.
- Secure transmission: Via encrypted channels for financial details.
- Access logs: Monitored for unauthorized access.
7. Security Measures for High-Risk Personal Information
For sensitive data like EI numbers, PAN numbers, SSNs, or health information:
- We apply enhanced safeguards, including multi-factor authentication, pseudonymization, and restricted access.
- Processing is limited to essential purposes (e.g., payroll setup) with explicit consent.
- We comply with sector-specific regulations, such as those under PIPEDA for EI data or DPDPA for PAN data.
- Regular risk assessments and employee training on data handling.
Overall security includes firewalls, intrusion detection, data backups, and compliance with standards like ISO 27001.
8. Data Storage, Retention, and Deletion
- Storage: Data is stored on secure servers in [specify locations, e.g., the U.S., EU, or Canada, based on operations]. We use cloud providers with robust security certifications.
- Retention: We retain data only as long as necessary for the purposes outlined (e.g., candidate data for 2 years post-application unless placed; client data for 7 years for tax purposes). Retention periods comply with applicable laws.
- Deletion: Upon request or at the end of retention, data is securely deleted or anonymized. Automated processes ensure timely deletion.
9. Sharing and Disclosure of Information
We may share personal data with:
- Clients (for candidate matching, with consent).
- Service providers (e.g., ATS vendors, background check firms) under strict data processing agreements.
- Affiliates or successors in a business transaction.
- Authorities for legal reasons (e.g., subpoenas).
We do not share data with third parties for their marketing purposes without consent.
10. Cross-Border Data Transfers
If we transfer data outside your jurisdiction (e.g., from EU to U.S.), we use approved mechanisms:
- Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements.
- Adequacy decisions where applicable.
- Binding Corporate Rules for intra-group transfers.
We assess transfer risks and implement supplementary measures as required under GDPR Schrems II rulings.
11. Data Subject Rights
You have rights under applicable laws, including:
- Access: Request a copy of your data.
- Rectification: Correct inaccurate data.
- Erasure (“Right to be Forgotten”): Delete data where no legal basis exists to retain it.
- Restriction/Objection: Limit processing or object to it (e.g., for marketing).
- Portability: Receive data in a structured format.
- Do Not Sell/Share (CCPA/CPRA): Opt out of sales/sharing (though we do not sell data).
- Automated Decisions: Not be subject to solely automated decisions with legal effects (we do not use such for core services).
To exercise these rights, contact us (Section 14). We respond within statutory timelines (e.g., 30 days under CCPA, 1 month under GDPR). No fee unless requests are excessive.
For California residents: We collected the categories listed in Section 1 in the past 12 months for the purposes in Section 3. Contact us for a Notice of Financial Incentive if applicable.
12. Breach Notification Procedures
In the event of a personal data breach, we follow these steps:
- Assess and contain the breach.
- Notify affected individuals without undue delay if the breach poses a high risk to rights and freedoms (e.g., within 72 hours under GDPR to supervisory authorities; as required under CCPA/CPRA or PIPEDA).
- Report to relevant authorities (e.g., ICO in UK, OPC in Canada, DPDP Authority in India).
- Maintain incident logs and cooperate with investigations.
We notify via email or other means, providing details on the breach, risks, and mitigation steps.
13. Changes to This Policy
We may update this Policy to reflect changes in laws or practices. Updates will be posted on our website with the “Last Updated” date. Continued use of services constitutes acceptance. For material changes, we may notify you via email.
14. Contact Us
For questions, rights requests, or complaints, contact our Data Protection Officer:
People Culture HR
Street Address: F 1012, Titanium City Center, Satellite,
City: Ahmedabad
Country: India
Zip/Pin Code: 380015
Email: hello@peopleculturehr.com
If unsatisfied, you may complain to your local data protection authority (e.g., CNIL in France, FTC in U.S.).
This Policy is governed by the laws of [specify jurisdiction, e.g., the State of California, USA], without regard to conflict of laws principles.
