1. Data controller
Berrypie Ltd is the data controller for personal data we collect about Employer users.
Where you receive candidate data through Berrypie, you become an independent data controller
(or joint controller, depending on context) and have your own GDPR obligations toward those
candidates. Contact our DPO at
[email protected].
2. Categories of personal data we collect
- Account data: name, email, password hash, job title, profile photo.
- Company data: company name, address, registration number, billing details.
- Payment data: Stripe customer ID, invoice history (we never store card numbers).
- Job posting content: titles, descriptions, screening questions, skill requirements.
- Usage data: IP address, device, audit logs of actions you take in the dashboard.
3. Lawful bases (UK GDPR Art 6)
- Contract (Art 6(1)(b)): account, billing, job posting management.
- Legitimate interests (Art 6(1)(f)): fraud prevention, audit logs.
- Legal obligation (Art 6(1)(c)): retaining payment records for tax purposes.
- Consent (Art 6(1)(a)): optional marketing emails.
4. Candidate data shared with you
When candidates apply to your jobs, you receive their skills scores, verification status,
psychometric profiles, employment history, and contact details. Per our Terms, you must:
- Use this data only to evaluate the candidate for the role they applied to.
- Honor data subject rights when candidates contact you directly.
- Delete candidate data within 12 months unless you have a separate lawful basis to retain.
- Not share, sell, or resell candidate data to third parties.
As the data controller of the candidate data you receive, you should publish your own
privacy notice describing how you process applicant data on your side.
5. Sub-processors
- Stripe (US/IE) — payment processing.
- Anthropic (US) — AI generation of skill test suggestions and challenges.
- Cloudflare (US/IE) — bot mitigation and edge delivery.
- Google (Maps & Places) (US/IE) — geocoding and location autocomplete for job postings.
6. International transfers
Some processors are located outside the UK/EEA (primarily the United States). For these
transfers we rely on the UK International Data Transfer Agreement and the EU Standard
Contractual Clauses, supplemented by additional safeguards where required.
7. Retention
- Account & company data: while your account is active, plus 30 days after deletion.
- Job posting content: while published, plus 24 months for analytics.
- Payment records: 7 years (UK tax law).
- Audit logs: 24 months.
8. Your rights
You have the same UK GDPR rights as Candidates (see the Candidate Privacy Policy). Contact
[email protected].
9. Cookies
We use strictly necessary cookies for session management and CSRF protection. We use one
optional analytics cookie. We use no third-party advertising trackers.