1. Introduction
Pasfleet is committed to protecting your personal data and respecting your privacy rights. This Privacy Policy explains how we collect, use, share, and protect your information when you use our applicant tracking system (ATS) platform and related services.
This policy applies to all users of our services, including:
• Visitors to our website and platform
• Candidates whose data is processed through our ATS
• Customers who use our platform to manage recruitment
• Customer administrators and users who operate the platform
We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Spanish data protection laws, including the Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales ("LOPDGDD").
By using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.
2. Data Controller
Company Identity
The data controller responsible for your personal data is:
Pasfleet Inc. (trading as "Pasfleet")
Registration Number: [Registration Number]
[Street Address]
[City], [Postal Code]
[Country]
Data Protection Officer
You can contact our Data Protection Officer (DPO) for any questions about this Privacy Policy or how we process your personal data:
Email: dpo@pasfleet.com
General Contact
For general inquiries or legal matters:
Email: legal@pasfleet.com
Website: www.pasfleet.com
EU Representative
As Pasfleet is established in Spain (an EU Member State), we are not required to appoint an EU representative under Article 27 GDPR.
3. Data We Collect
We collect different types of personal data depending on how you interact with our services:
3.1 Website Visitors
When you visit our website, we automatically collect:
• Technical Data: IP address, browser type and version, time zone setting, browser plug-in types, operating system and platform, device type
• Usage Data: Information about how you use our website, including page views, navigation paths, time spent on pages, and referring URLs
• Cookie Data: Information collected through cookies and similar tracking technologies (see our Cookie Policy)
3.2 Candidate Data (Processed on Behalf of Our Customers)
When you apply for jobs through our platform, our customers (employers) collect:
• Identity Data: Full name, date of birth, nationality, work authorization status
• Contact Data: Email address, telephone number, postal address
• Professional Data: CV/resume, cover letter, work history, education, qualifications, certifications, references, salary expectations
• Application Data: Application form responses, interview notes, assessment results, hiring decisions
• Diversity Data (optional, if provided): Gender, ethnicity, disability status (for equal opportunity monitoring)
• Special Category Data (where legally permitted): Information revealing racial or ethnic origin, health data (disability accommodations), or other sensitive information you voluntarily provide
Important: For candidate data, Pasfleet acts as a data processor on behalf of our customers (the employers). The employer is the data controller and determines how your application data is used. Please refer to the employer's privacy policy for information about their data practices.
3.3 Customer Account Data
When you register for a Pasfleet account, we collect:
• Account Information: Company name, your name, job title, email address, telephone number, password (encrypted)
• Billing Information: Billing address, payment method details, transaction history
• Company Information: Number of employees, industry sector, company registration details
• Usage Data: How you use our platform, features accessed, settings preferences
3.4 Data You Provide to Us
We also collect data you voluntarily provide:
• Support Requests: When you contact customer support, we collect your name, email, description of the issue, and any attachments you provide
• Survey Responses: Feedback, opinions, and suggestions you provide in surveys or feedback forms
• Event Registrations: Information you provide when registering for webinars, events, or training sessions
• Marketing Preferences: Your communication preferences and marketing consent
4. Legal Basis for Processing
Under GDPR Article 6, we process your personal data based on the following legal grounds:
4.1 Contractual Necessity (Article 6(1)(b))
We process data necessary to:
• Provide our ATS platform and services to customers
• Create and manage customer accounts
• Process payments and maintain billing records
• Deliver customer support and technical assistance
• Communicate about service updates and changes
4.2 Legitimate Interests (Article 6(1)(f))
We process data based on our legitimate interests to:
• Improve our platform functionality and user experience
• Conduct analytics to understand platform usage and performance
• Detect and prevent fraud, security threats, and technical issues
• Enforce our Terms and Conditions
• Defend against legal claims
• Market our services to existing customers (unless you opt out)
We have assessed that these legitimate interests are not overridden by your rights and freedoms.
4.3 Legal Obligation (Article 6(1)(c))
We process data to comply with legal obligations, including:
• Tax and accounting requirements
• Anti-money laundering and fraud prevention laws
• Responding to lawful requests from courts, regulators, and law enforcement
• Data protection and privacy law compliance
4.4 Consent (Article 6(1)(a))
Where required by law, we process data based on your explicit consent:
• Marketing communications (you can withdraw consent anytime)
• Non-essential cookies (you can manage preferences in cookie settings)
• Processing special category data (where applicable)
4.5 Special Category Data (Article 9)
When processing special category data (e.g., diversity information, health data for accommodations), we rely on:
• Explicit consent (Article 9(2)(a)) - You provide clear, informed consent
• Employment purposes (Article 9(2)(b)) - Where permitted under employment law
• Substantial public interest (Article 9(2)(g)) - Equal opportunity monitoring
4.6 Candidate Data Processing
For candidate data, our customers (employers) determine the legal basis. Common bases include:
• Contractual necessity (taking steps to enter into an employment contract)
• Legitimate interests (recruitment and selection purposes)
• Legal obligations (right-to-work checks, background verification)
• Consent (where specifically required, e.g., reference checks)
5. How We Use Your Data
We use your personal data for the following purposes:
5.1 Service Delivery
• Platform Access: Create and manage customer accounts, authenticate users, provide platform functionality
• Recruitment Processing: Enable customers to post jobs, receive applications, manage candidates, conduct interviews, and make hiring decisions
• Communication: Send service-related notifications, respond to inquiries, provide customer support
• Payment Processing: Process subscription fees, manage billing, issue invoices
5.2 Platform Improvement
• Analytics: Analyze usage patterns, identify popular features, understand user behavior
• Product Development: Develop new features, improve existing functionality, optimize performance
• Testing: Conduct A/B testing, quality assurance, and user experience research
• Feedback: Collect and analyze customer feedback to improve our services
5.3 Security and Fraud Prevention
• Security Monitoring: Detect and prevent unauthorized access, cyber attacks, and security breaches
• Fraud Detection: Identify and prevent fraudulent transactions, fake accounts, and misuse
• System Integrity: Monitor system performance, diagnose technical issues, maintain platform stability
5.4 Legal Compliance
• Regulatory Compliance: Meet legal obligations under data protection, tax, and other applicable laws
• Legal Proceedings: Establish, exercise, or defend legal claims
• Law Enforcement: Respond to lawful requests from courts, regulators, and authorities
5.5 Marketing and Business Development
• Direct Marketing: Send promotional emails about our services, features, and updates (with opt-out option)
• Market Research: Conduct surveys, analyze market trends, understand customer needs
• Events: Organize webinars, conferences, and training sessions
• Lead Generation: Identify potential customers and business opportunities
5.6 Candidate-Specific Processing (On Behalf of Customers)
When processing candidate data as a processor, we enable our customers to:
• Application Management: Receive, store, and organize candidate applications
• Screening: Review CVs, assess qualifications, shortlist candidates
• Communication: Send application updates, interview invitations, and hiring decisions
• Assessment: Conduct interviews, skills tests, and evaluation processes
• Onboarding: Facilitate hiring processes for successful candidates
• Compliance: Maintain records for equal opportunity monitoring and legal compliance
Note: Customers determine the specific purposes for candidate data processing. Please refer to the employer's privacy policy for details.
6. Data Sharing and Disclosure
We share your personal data with the following categories of recipients:
6.1 Service Providers (Data Processors)
We engage trusted third-party service providers who process data on our behalf:
• Cloud Hosting: Infrastructure providers for platform hosting and data storage
• Payment Processors: Secure payment gateway providers for transaction processing
• Email Services: Email delivery and communication platforms
• Customer Support: Helpdesk and ticketing system providers
• Analytics Tools: Website and application analytics services
• Security Services: Cybersecurity, fraud detection, and monitoring services
• Development Tools: Software development and testing platforms
All service providers are contractually bound to:
• Process data only according to our instructions
• Implement appropriate security measures
• Maintain confidentiality
• Comply with GDPR requirements (Article 28 Data Processing Agreements)
6.2 Business Transfers
In the event of:
• Merger, acquisition, or sale of all or part of our business
• Corporate restructuring or reorganization
• Bankruptcy or insolvency proceedings
Your personal data may be transferred to the successor entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.
6.3 Legal Disclosures
We may disclose your personal data when required by law or to:
• Law Enforcement: Respond to lawful requests from police, courts, or regulatory authorities
• Legal Protection: Protect our legal rights, prevent fraud, or investigate potential violations
• Public Safety: Protect the safety and security of our users and the public
• Legal Proceedings: Comply with court orders, subpoenas, or legal processes
6.4 Customer-Controlled Sharing (Candidate Data)
For candidate data, our customers (employers) control sharing decisions:
• Hiring Teams: Customer employees and managers involved in recruitment
• Third-Party Recruiters: External recruitment agencies engaged by the customer
• Background Check Providers: Verification and screening services
• Assessment Tools: Third-party testing and evaluation platforms
Candidates should refer to the employer's privacy policy for details about their data sharing practices.
6.5 Aggregate and Anonymous Data
We may share aggregated or anonymized data that cannot identify you:
• Industry reports and benchmarks
• Market research and analysis
• Platform usage statistics
• Product development insights
6.6 With Your Consent
We may share your data with other third parties when you provide explicit consent for specific purposes.
International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA). See Section 8 for details about international data transfers.
7. Automated Decision-Making and Profiling
7.1 Our Use of Automated Decision-Making
Pasfleet does not make automated decisions that produce legal effects or similarly significantly affect you.
We may use automated tools to:
• Resume Parsing: Automatically extract information from CVs to populate candidate profiles (does not make hiring decisions)
• Duplicate Detection: Identify duplicate applications or accounts
• Spam Filtering: Detect and filter fraudulent or spam applications
• Analytics: Generate usage statistics and platform insights
These automated processes support decision-making but do not replace human judgment. All significant decisions (e.g., hiring, account suspension) involve human review.
7.2 Customer Use of Automated Decision-Making
Our customers (employers) may use platform features to:
• Candidate Scoring: Assign scores to candidates based on qualifications, skills, or experience
• Automated Screening: Filter applications using predefined criteria (e.g., must-have qualifications)
• AI-Assisted Matching: Use AI tools to match candidates to job requirements
Important for Candidates:
If a customer uses automated decision-making that significantly affects you (e.g., automatic rejection without human review), you have the right under GDPR Article 22 to:
• Be informed about the automated decision
• Obtain human intervention
• Express your point of view
• Contest the decision
Please contact the employer (data controller) directly to exercise these rights. Refer to the employer's privacy policy for their specific practices.
7.3 Profiling
We may use profiling for:
• Service Personalization: Customize platform experience based on usage patterns
• Marketing: Target relevant content based on your interests (you can opt out)
• Platform Improvement: Analyze user behavior to improve features
Profiling does not produce legal effects or significantly affect you. You can object to profiling for marketing purposes by contacting dpo@pasfleet.com.
8. International Data Transfers
8.1 Transfers Outside the EEA
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) where our service providers operate.
Countries outside the EEA may not provide the same level of data protection as EU law. We ensure appropriate safeguards are in place.
8.2 Transfer Safeguards
We rely on the following legal mechanisms for international transfers:
• Adequacy Decisions (Article 45 GDPR): Transfers to countries recognized by the European Commission as providing adequate data protection (e.g., UK, Canada for commercial organizations, Japan, Switzerland)
• Standard Contractual Clauses (Article 46 GDPR): EU-approved standard contractual clauses (SCCs) with service providers in countries without adequacy decisions (e.g., United States)
• Binding Corporate Rules (Article 47 GDPR): For transfers within multinational organizations that have approved binding corporate rules
• Derogations (Article 49 GDPR): In specific situations:
- With your explicit consent for the transfer
- Necessary for contract performance
- Important reasons of public interest
- Legal claims or vital interests
8.3 Specific Transfer Examples
Common service providers involving international transfers:
• Cloud Hosting (US): Amazon Web Services (AWS) - Standard Contractual Clauses
• Email Services (US): Email delivery platforms - Standard Contractual Clauses
• Analytics (US): Website analytics tools - Standard Contractual Clauses or Consent
• Payment Processing (Various): Payment gateways may process in multiple jurisdictions - Contractual necessity and SCCs
8.4 Data Transfer Impact Assessment
We conduct Transfer Impact Assessments (TIAs) to ensure that, in practice, transferred data receives protection essentially equivalent to EU standards, considering:
• Legal framework of the destination country
• Technical and organizational measures implemented
• Effectiveness of safeguards and enforceable rights
8.5 Your Rights Regarding Transfers
You have the right to:
• Request information about where your data is transferred
• Obtain copies of the safeguards in place (e.g., Standard Contractual Clauses)
• Object to transfers in certain circumstances
Contact dpo@pasfleet.com for transfer-related inquiries.
9. Data Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction, or alteration.
9.1 Technical Security Measures
• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access controls (RBAC), multi-factor authentication (MFA), and principle of least privilege
• Network Security: Firewalls, intrusion detection systems (IDS), DDoS protection
• Secure Development: Security-by-design principles, regular code reviews, vulnerability scanning
• Data Backup: Regular automated backups with encrypted storage and tested recovery procedures
• Monitoring: 24/7 security monitoring, logging, and incident detection systems
9.2 Organizational Security Measures
• Employee Training: Regular data protection and security awareness training
• Confidentiality Agreements: All employees sign confidentiality and data protection agreements
• Access Management: Strict employee access controls, regular access reviews
• Vendor Management: Due diligence and security assessments of third-party providers
• Incident Response: Documented incident response plan with defined roles and procedures
• Data Protection Policies: Comprehensive internal policies and procedures
9.3 Physical Security
• Data Centers: SOC 2 Type II certified facilities with physical access controls
• Environmental Controls: Fire suppression, temperature monitoring, power redundancy
• Visitor Management: Strict visitor procedures and surveillance systems
9.4 Security Certifications and Compliance
We maintain compliance with recognized security standards:
• ISO 27001: Information Security Management System (planned/in progress)
• SOC 2 Type II: Security, availability, and confidentiality controls (planned/in progress)
• GDPR Article 32: Technical and organizational measures
9.5 Data Breach Response
In the event of a personal data breach:
• We will assess the risk to your rights and freedoms
• If high risk, we will notify you without undue delay (within 72 hours)
• We will notify the supervisory authority (Spanish Data Protection Agency) as required
• We will document all breaches and our response measures
9.6 Your Security Responsibilities
To protect your account:
• Use strong, unique passwords
• Enable multi-factor authentication (where available)
• Keep login credentials confidential
• Report suspicious activity immediately
• Log out after using shared devices
9.7 Limitations
While we implement strong security measures, no system is completely secure. We cannot guarantee absolute security of your data. You provide data at your own risk.
10. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.
10.1 Retention Periods
Customer Account Data
• Active Accounts: Retained for the duration of your subscription plus 90 days after cancellation
• Billing Records: 7 years from the end of the financial year (tax and accounting requirements)
• Contracts and Agreements: 6 years after contract termination (statute of limitations for contractual claims)
• Support Tickets: 3 years after closure (customer service improvement and legal defense)
Website Visitor Data
• Analytics Data: 26 months from collection (cookie consent validity period)
• Log Files: 90 days (security monitoring and troubleshooting)
• Cookie Data: As specified in our Cookie Policy (typically 6-24 months)
Marketing Data
• Newsletter Subscribers: Until you unsubscribe plus 30 days (processing opt-out requests)
• Marketing Consent Records: 3 years after withdrawal (demonstrating compliance)
• Campaign Analytics: 3 years (marketing effectiveness analysis)
Candidate Data (Processed on Behalf of Customers)
Retention periods for candidate data are determined by our customers (employers):
• Successful Candidates: Typically transferred to HR systems and retained as employee records
• Unsuccessful Candidates: Retention varies by employer policy, commonly 6-24 months
• Talent Pools: May be retained longer with candidate consent for future opportunities
Candidates should refer to the employer's privacy policy for specific retention periods.
Upon expiration of the customer's retention period, we delete candidate data from our systems within 90 days unless legally required to retain it longer.
10.2 Legal Hold
We may retain data beyond stated periods when:
• Legal proceedings are ongoing or reasonably anticipated
• Regulatory investigations require data preservation
• Legal obligations mandate longer retention
• You have exercised your right to restrict processing
10.3 Deletion Methods
When retention periods expire, we:
• Secure Deletion: Permanently delete data using industry-standard methods
• Anonymization: Convert data to anonymous form that cannot identify you
• Archival: Move data to secure offline storage (where legal retention applies)
10.4 Backup Retention
Deleted data may persist in encrypted backup systems for up to 90 days before permanent deletion. Backups are securely stored and not used for operational purposes.
10.5 Your Deletion Rights
You can request earlier deletion of your data under certain circumstances (see Section 11 - Your Rights). We will comply unless legal obligations require retention.
11. Your Rights Under GDPR
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
11.1 Right of Access (Article 15)
You have the right to request:
• Confirmation of whether we process your personal data
• A copy of your personal data
• Information about processing purposes, categories, recipients, and retention periods
How to Exercise: Email dpo@pasfleet.com with subject "Data Access Request"
Response Time: Within 30 days (may extend to 60 days for complex requests)
11.2 Right to Rectification (Article 16)
You have the right to correct inaccurate or incomplete personal data.
How to Exercise:
• Update your account settings directly in the platform, or
• Email dpo@pasfleet.com with corrections
Response Time: Without undue delay, typically within 7 days
11.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You have the right to request deletion of your personal data when:
• Data is no longer necessary for the purposes collected
• You withdraw consent and there's no other legal basis
• You object to processing and there are no overriding legitimate grounds
• Data was unlawfully processed
• Deletion is required for legal compliance
Exceptions: We may refuse deletion when processing is necessary for:
• Legal obligations or public interest tasks
• Legal claims (establishment, exercise, or defense)
• Archiving, research, or statistical purposes
How to Exercise: Email dpo@pasfleet.com with subject "Deletion Request"
Response Time: Within 30 days with confirmation or explanation of refusal
11.4 Right to Restriction of Processing (Article 18)
You have the right to restrict processing when:
• You contest the accuracy of data (during verification)
• Processing is unlawful but you prefer restriction over deletion
• We no longer need the data, but you need it for legal claims
• You have objected to processing (pending verification of legitimate grounds)
How to Exercise: Email dpo@pasfleet.com with subject "Restriction Request"
Effect: We will store data but not use it (except with your consent or for legal purposes)
11.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller when:
• Processing is based on consent or contract
• Processing is carried out by automated means
How to Exercise: Email dpo@pasfleet.com with subject "Data Portability Request"
Format: JSON or CSV file containing your data
Response Time: Within 30 days
11.6 Right to Object (Article 21)
You have the right to object to processing based on:
• Legitimate interests: Object at any time; we must stop unless we demonstrate compelling legitimate grounds
• Direct marketing: Absolute right to object; we will stop immediately
• Profiling: Object to profiling for marketing purposes
How to Exercise:
• Click "Unsubscribe" in marketing emails (for marketing objections), or
• Email dpo@pasfleet.com with subject "Processing Objection"
Response Time: Immediate for marketing; within 30 days for other objections
11.7 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to solely automated decisions with legal or significant effects, including:
• Right to obtain human intervention
• Right to express your point of view
• Right to contest the decision
How to Exercise: Email dpo@pasfleet.com with subject "Automated Decision Appeal"
Note: This primarily applies to customer decisions regarding candidates. Contact the employer directly.
11.8 Right to Withdraw Consent (Article 7)
Where processing is based on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing before withdrawal.
How to Exercise:
• Update consent preferences in account settings
• Click "Unsubscribe" in emails
• Email dpo@pasfleet.com
Effect: We will stop processing based on that consent
11.9 Right to Lodge a Complaint (Article 77)
You have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of:
• Your habitual residence
• Your place of work
• The place of the alleged infringement
Spanish Supervisory Authority:
Agencia Española de Protección de Datos (AEPD)
Calle de Jorge Juan, 6
28001 Madrid, Spain
Website: www.aepd.es
Email: internacional@aepd.es
11.10 Exercising Your Rights
General Process:
- Submit Request: Email dpo@pasfleet.com with your request
- Verification: We may request proof of identity (to prevent unauthorized disclosure)
- Processing: We will process your request and respond within 30 days
- Extension: Complex requests may require up to 60 additional days (we will inform you)
No Fee: Requests are free of charge unless manifestly unfounded, excessive, or repetitive.
For Candidates: If your request concerns data processed on behalf of a customer (employer), we will forward your request to the customer or direct you to contact them directly, as they are the data controller.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
• Changes in our data processing practices
• New legal or regulatory requirements
• Platform features and functionality updates
• Feedback from users and supervisory authorities
Notification of Changes:
• Material Changes: We will notify you by email (to your registered address) and/or prominent notice on our platform at least 30 days before changes take effect
• Minor Changes: We will update the "Last Updated" date at the top of this policy and may provide in-platform notifications
Your Continued Use:
Continued use of our services after changes take effect constitutes acceptance of the updated Privacy Policy. If you do not agree with changes, you may close your account by contacting support@pasfleet.com.
Last Updated: This Privacy Policy was last updated on the date specified in the version information at the top of this page.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Data Protection Officer:
Email: dpo@pasfleet.com
General Inquiries:
Email: support@pasfleet.com
Website: www.pasfleet.com/contact
Legal Department:
Email: legal@pasfleet.com
Postal Address:
Pasfleet Inc.
[Street Address]
[City], [Postal Code]
[Country]
Response Time:
We aim to respond to all inquiries within 5 business days. For data subject rights requests, we will respond within the timeframes specified in Section 11.
Supervisory Authority:
You also have the right to contact the Spanish Data Protection Agency (AEPD) regarding data protection matters:
Agencia Española de Protección de Datos
Calle de Jorge Juan, 6
28001 Madrid, Spain
Website: www.aepd.es
Email: internacional@aepd.es
Phone: +34 901 100 099
Thank you for trusting Pasfleet with your personal data. We are committed to protecting your privacy and handling your information responsibly in accordance with applicable data protection laws.