Privacy Policy

EMNET Ltd is the data controller responsible for your personal data.

• Company: EMNET Ltd
• Company number: SC876518 (registered in Scotland)
• Registered office: Edinburgh, Scotland, United Kingdom
• Privacy contact: info@emnet.co

If you have any questions about this policy, want to exercise your rights, or wish to make a complaint, please contact us using the details above.

This policy applies to personal data we process about:

• Candidates — individuals seeking new roles, who apply for positions through us, or whose details we source from professional networks and job boards;
• Clients and prospective clients — companies and their representatives engaging us for retained search, embedded recruiter or project hiring services;
• Website visitors — anyone visiting emnet.co or our subdomains;
• Newsletter subscribers and lead magnet recipients — people who provide their contact details to receive content, insights, reports or other resources from us;
• Suppliers and business contacts.

3.1 Candidates

• Name, email address, telephone number, location and country of residence;
• CV / résumé content including employment history, education, qualifications, professional certifications, skills, salary expectations and notice period;
• LinkedIn profile URL and other publicly available professional profile information (e.g. GitHub, personal portfolio sites);
• Cover letter, application notes and correspondence with us;
• Right-to-work information where required for a specific role;
• References (only where you provide them or authorise us to take them);
• Interview notes, assessment outcomes and feedback from us or our clients;
• Any additional information you choose to share with us during our conversations.

3.2 Clients and prospective clients

• Name, job title, business email, business phone number and the company you represent;
• Information about your hiring needs, role briefs, requirements and budget;
• Correspondence, meeting notes and contract details;
• Billing information and records of services provided.

3.3 Newsletter subscribers and lead magnet recipients

• Email address (required to subscribe);
• Optionally, name, company, job title and country where you provide them in exchange for a free resource (a "lead magnet"), report, guide, template or similar content;
• Engagement data such as whether you opened or clicked links in our emails, where our email service provider supports this.

3.4 Website visitors

• IP address, device type, browser type and operating system;
• Pages visited, referring URL, time on page and similar usage data;
• Information collected through cookies and similar technologies (see Section 11).

3.5 Special category data

We do not actively seek "special category" data (e.g. racial or ethnic origin, health, religion, sexual orientation). If such information is included on a CV you submit, or is necessary for a specific recruitment process (e.g. accessibility adjustments), we will only process it where we have an appropriate lawful basis and an additional condition under Article 9 UK GDPR, normally your explicit consent.

• Directly from you — when you apply for a role, contact us, register for our newsletter, request a lead magnet, attend an event, or correspond with us by email, phone or social media;
• From third-party sources — including LinkedIn and other professional networks, job boards, sourcing platforms, publicly available websites, and recruitment databases, where we identify potential candidates as part of our retained search and embedded recruiter services;
• From referrals — when an existing candidate, client or contact recommends you;
• From our clients — when they share details about roles, hiring panels or interview feedback;
• Automatically — through cookies and analytics when you use our website.

Under UK GDPR we must have a lawful basis to process your personal data. We rely on the following bases:

5.1 Legitimate interests (Article 6(1)(f))

We rely on legitimate interests for most of our recruitment activity, including:

• Identifying, contacting and assessing candidates for roles that match their experience and career interests;
• Sharing relevant candidate profiles with our clients (with the candidate's awareness and, where appropriate, consent);
• Maintaining a talent pool of professionals we may approach about future opportunities;
• Marketing our services to existing and prospective business clients (B2B);
• Network security, fraud prevention and protecting our business interests.

We have carried out a balancing test to ensure our legitimate interests are not overridden by your rights and freedoms. You may object to this processing at any time (see Section 9).

5.2 Consent (Article 6(1)(a))

We rely on consent for:

• Sending newsletters and marketing emails to individual subscribers;
• Delivering free lead magnets, reports and similar resources;
• Sharing your CV with a specific named client for a specific role;
• Storing analytics, marketing or non-essential cookies on your device;
• Processing any special category data (see Section 3.5).

You can withdraw consent at any time without affecting prior processing.

5.3 Performance of a contract (Article 6(1)(b))

We process client and candidate data where necessary to perform services under a recruitment agreement, place a candidate, manage an engagement, or take steps at your request before entering into a contract.

5.4 Legal obligation (Article 6(1)(c))

We process certain data to comply with legal obligations, including accounting, tax, anti-money-laundering and right-to-work checks where applicable.

• To provide retained search, embedded recruiter and project hiring services;
• To match candidates to roles and assess suitability;
• To contact candidates about opportunities, take and store interview notes, and present shortlists to clients;
• To negotiate offers and support successful placements;
• To manage client relationships, contracts, invoicing and payments;
• To respond to enquiries submitted via our contact form, email or phone;
• To send newsletters, market updates, insights and lead magnet content you have requested;
• To improve our website, services and marketing;
• To meet legal, regulatory and reporting obligations;
• To detect, prevent and respond to fraud and security incidents.

Personal data submitted through our website (including contact form submissions, newsletter sign-ups, lead magnet requests and job applications, including any CV files you upload) is stored in our secure cloud backend, which uses managed PostgreSQL database services and encrypted file storage on our behalf.

Access to this backend is restricted to authorised EMNET personnel via authenticated accounts and role-based permissions. The database enforces row-level security so that personal data is only accessible to users with the appropriate role. CVs and other uploaded documents are stored in a private (non-public) storage bucket.

We may also process your data in supporting business systems such as our email and calendar provider, applicant tracking system, customer relationship management (CRM) tool, accounting platform, email marketing platform and analytics tools. All such providers act as data processors under written contracts that meet UK GDPR requirements.

We share personal data only where necessary, with:

• Our clients — when we present you as a candidate for a specific role. Where the assignment is confidential or you have asked us to seek consent first, we will only share your CV after obtaining your agreement;
• Service providers and processors — including cloud hosting, database, file storage, email, CRM, analytics, email marketing, scheduling and IT support providers acting under our instructions;
• Job boards, sourcing platforms and professional networks — such as LinkedIn, where we use them to identify, contact or reference-check candidates as part of our recruitment work;
• Background and reference checking providers — where this is required for a specific role and you have been informed in advance;
• Professional advisers — accountants, lawyers and insurers where necessary;
• Authorities — where we are legally required to disclose data (e.g. to HMRC, regulators, law enforcement or in response to a valid court order);
• Successors — in connection with a sale, reorganisation or merger of our business.

We do not sell your personal data to anyone.

You have the following rights in relation to your personal data:

• Right of access — to receive a copy of the personal data we hold about you;
• Right to rectification — to have inaccurate or incomplete data corrected;
• Right to erasure ("right to be forgotten") — to ask us to delete your data in certain circumstances;
• Right to restrict processing — to ask us to limit how we use your data;
• Right to data portability — to receive certain data in a structured, machine-readable format;
• Right to object — to processing based on legitimate interests, including direct marketing;
• Right to withdraw consent — at any time, where we rely on consent;
• Rights in relation to automated decision-making — we do not currently make decisions about you using solely automated means.

To exercise any of these rights, email info@emnet.co. We will respond within one month, as required by UK GDPR. We may ask you to verify your identity before fulfilling a request.

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. We would, however, appreciate the chance to address your concerns first.

We only keep personal data for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting and reporting requirements.

• Candidate data: retained for up to 24 months after our last meaningful contact with you. After this period we will either delete your data or contact you to confirm whether you would like us to continue holding it;
• Placed candidates: certain data may be kept longer where required to evidence the placement, satisfy contract terms or meet legal obligations;
• Client and prospective client records: retained for the duration of the relationship and for up to 7 years afterwards to comply with contract, accounting and tax requirements;
• Newsletter and lead magnet contacts: retained until you unsubscribe or ask to be removed; we may also remove contacts who have been inactive for an extended period;
• Contact form submissions: retained for up to 24 months after our last interaction;
• Website analytics: retained for the period set in our analytics tool (typically 14 months).

Our website uses cookies and similar technologies to make the site function and to understand how it is used. Strictly necessary cookies are set automatically. Analytics, performance and marketing cookies are only set with your consent through our cookie banner.

You can withdraw or change your consent at any time by clearing your browser cookies or revisiting our cookie settings. Most browsers also allow you to block or delete cookies via their settings.

Where possible, we store and process personal data within the United Kingdom or the European Economic Area (EEA). However, some of our service providers (for example, cloud hosting, email, CRM, analytics and marketing tools) may process data in countries outside the UK and EEA, including the United States.

Where we transfer personal data outside the UK, we put in place appropriate safeguards as required by UK GDPR. These safeguards typically include:

• Transferring to a country covered by UK adequacy regulations;
• Using the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses together with the UK Addendum;
• Relying on certified frameworks such as the UK Extension to the EU – US Data Privacy Framework, where applicable.

You can request more information about these safeguards by contacting us using the details in Section 1.

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption of data in transit (TLS/HTTPS) and at rest;
• Authenticated access to our backend and admin tools, with role-based permissions;
• Row-level security on the database so users only see data they are authorised to access;
• Private (non-public) storage for CVs and other uploaded documents;
• Regular reviews of access, suppliers and security configurations;
• Staff training on data protection and confidentiality.

Despite our efforts, no method of transmission over the internet or method of electronic storage is 100% secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, inform you without undue delay.

Our services are aimed at professionals and businesses. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us so we can delete it.

Our website and emails may contain links to third-party websites, plugins and applications. Clicking on those links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy practices. We encourage you to read the privacy policy of every website you visit.

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will indicate when changes were made. If we make material changes, we will notify you where appropriate (for example, by email or a prominent notice on the website).

If you have any questions about this Privacy Policy or how we handle your personal data, please contact:

EMNET Ltd
Edinburgh, Scotland, United Kingdom
Company number: SC876518
Email: info@emnet.co