Privacy Notice

For Job Applicants Last updated: 16.12.2025

USPIO LTD (the “Company” or “we” or “us”) is committed to protecting and respecting your privacy.

This Privacy Notice (“Privacy Notice”) explains how we collect and process your personal data in connection with our recruitment activities. It applies both where you submit an application for a role with us (including via the careers form on uspio.ltd and through related recruitment channels) and where we proactively approach you about potential opportunities. In all cases, we will provide you with this Privacy Notice and will process your personal data in accordance with it as part of the recruitment process. It sets out what personal data we hold about you, how we collect it, how we use it, and with whom we may share it. We provide this information to you in line with the EU General Data Protection Regulation (“GDPR”) and applicable Cyprus data protection law, including the Protection of Natural Persons With Regard to the Processing of Personal Data and for the Free Movement of Such Data Law of 2018 (Law 125(I)/2018), as amended.

Please ensure you read this Privacy Notice carefully, along with any other similar notices we may provide when collecting or processing your personal data. If you are hired, your personal data will be processed under our employee/staff privacy notice.

1. Who Collects Your Data COLLECTS YOUR DATA

USPIO LTD is a controller in the recruitment process.

  • Our details are as follows:
  • Company Name: USPIO LTD
  • Reg. No.: HE 431350
  • Reg. Address: 117, Makariou III Avenue & Sisyfou, Synoikia Apostolon Petrou & Pavlou, Fl. 5th, 3021, Limassol, Cyprus
  • Telephone: +357 955 44005
  • Email: info@uspio.ltd, privacy@uspio.ltd

Currently, we have not appointed a Data Protection Officer (DPO). However, you may direct any questions or concerns regarding your personal data or this Privacy Notice by contacting us at privacy@uspio.ltd.

2. What Aata We Collect, Why And How Long We Keep It

The table below summarises the data we collect and hold, how and why we do so, how we use it, with whom it may be shared and for how long we keep it. We may also need to share certain personal data set out in table below with other parties, such as recruiters and recruitment agencies, external lawyers, professional advisers and consultants, as well as with the cloud-based software providers like candidates database, e-mail and messengers’ providers. We apply appropriate technical and organisational measures, such as encryption in transit/at rest where appropriate, access controls, and minimisation. The recipient of the data will be bound by confidentiality obligations. We may also be required to share some personal data as required to comply with the law.
We seek to ensure that our data collection and processing is always proportionate. We will notify you of material changes to data we collect or to the purposes for which we collect and process it.
We do not ask you to provide special-category personal data (e.g., health data, political opinions, religious beliefs) unless explicitly requested. Please do not include it in your CV or messages unless it is strictly necessary for the recruitment process (for example, requesting a reasonable adjustment). If you choose to provide special-category personal data, we will only use it where strictly necessary for recruitment (for example, to consider a reasonable adjustment), will apply enhanced safeguards, and will retain it only for as long as necessary (see Section III and the table below).

Data we collect How we collect  Who may access Purposes Legal basis Who we share it with (recipients) Retention Period

Recruitment and applicant records:

  • name, contact details, location;
  • CV/resume, cover letter, employment & education history, qualifications, language skills;
  • portfolio/links you provide (e.g., LinkedIn, GitHub);
  • interview notes, assessment/test results (if used);
  • correspondence with you;
  • offer/negotiation details (if applicable).
  • From you (careers form, email, interviews, tests);
  • From recruitment partners (where applicable);
  • From publicly available professional sources you share or that are relevant (e.g., LinkedIn), where appropriate.
  • Hiring managers & interviewers;
  • HR / recruitment staff;
  • IT/security (for systems operation and incident handling); and
  • Legal and privacy function (for incident and breach assessment and response).
  • Manage recruitment and assess suitability;
  • Communicate with you and run selection steps;
  • Make and administer an offer (where applicable);
  • Maintain recruitment records and defend potential claims;
  • Where offered and you opt in: keep your details for future opportunities (talent pool).
  • Legitimate interests (running an efficient recruitment process; improving recruitment; defending claims);
  • Steps prior to entering into a contract (where applicable);
  • Establishment, exercise or defence of legal claims (where applicable);
  • Consent (only where offered and you opt in to a talent pool / future opportunities; you can withdraw at any time, and withdrawal will not affect your current application).
  • Internal recipients on a need-to-know basis;
  • Service providers/processors supporting recruitment operations, such as:
    • Applicant tracking system (ATS);
    • HR consulting & strategy services provider if involved on our instructions;
    • Email/collaboration and video conferencing tools (if used);
  • Professional advisers (e.g., lawyers) under confidentiality (where needed);
  • Authorities/courts where required by law (e.g. Migration Authorities).

Some providers may process data outside the EEA/UK. Where this happens, we use appropriate safeguards (e.g., adequacy decisions and/or SCCs plus supplementary measures where required).

  • If you are not hired: we retain your recruitment record for 6 months from the recruitment decision date and then delete it, unless a longer period is required by law or is necessary for the establishment, exercise or defence of legal claims.;
  • If you accept our offer, we retain and use your data from offer acceptance until your start date to complete pre-employment steps;
  • If you are hired: moved to personnel file under our employee/staff retention rules (Employment + 7 years);
  • Talent pool (optional): see the “Talent pool” row below for retention where you opt in;
  • Longer where needed for legal obligations or legal claims.

Reference and verification data (where relevant and lawful)

  • References (if you provide referees or request us to contact them);
  • Right-to-work / work eligibility information (where required).
  • From you;
  • From referees you provide (where contacted, after your explicit permission);
  • From competent authorities/verification sources (where applicable).
  • HR / recruitment staff;
  • Relevant hiring managers (as needed);
  • Legal/Compliance (if needed for checks).
  • Conduct reasonable checks necessary for the role and/or required by law;
  • Record hiring decisions and defend potential claims.
  • Legal obligation (where required);
  • Legitimate interests (protecting our business; ensuring trust and safety);
  • Legal claims (where applicable).
  • Internal recipients on a need-to-know basis (such as HR / recruitment staff, hiring managers);
  • Service providers/processors supporting recruitment operations, such as:
    • Applicant tracking system (ATS);
    • HR consulting & strategy services provider if involved on our instructions;
    • Email/collaboration and video conferencing tools (if used);
  • Where applicable: referees; verification providers; competent authorities (e.g., immigration/right-to-work) as required/appropriate;
  • Relevant service providers/processors supporting the recruitment workflow.
  • International transfers and safeguards: as described above, where a provider is outside the EEA/UK.
  • If you are not hired: 6 months;
  • If you accept our offer, we retain and use your data from offer acceptance until your start date to complete pre-employment steps;
  • If you are hired: moved to personnel file under our employee/staff retention rules (Employment + 7 years);
  • Talent pool (optional): see the “Talent pool” row below for retention where you opt in;
  • Longer where needed for legal obligations or legal claims.

Identity Information*: ID/Passport/ARC, domicile, nationality, Tax Registration Number, Social Insurance Number

From you, post-offer / pre-employment checks. Collection is limited to what’s legally required and only requested after conditional offer (or when sponsorship is pursued).

  • HR / recruitment staff;
  • Legal and privacy function (for incident and breach assessment and response).
  • Contract administration;
  • Right-to-work verification.
  • Steps prior to entering into a contract;
  • To comply with our legal obligations (immigration & labour laws);
  • Legitimate interest: to maintain contract records and good employment practice.
  • Internal recipients on a need-to-know basis (such as HR / recruitment staff, hiring managers, legal department);
  • Migration Authorities;
  • If you are not hired: 6 months;
  • If you accept our offer, we retain and use your data from offer acceptance until your start date to complete pre-employment steps;
  • If you are hired: moved to personnel file under our employee/staff retention rules (Employment + 7 years);
  • Longer where needed for legal obligations or legal claims.

Nationality, immigration status *:
ie passport/ARC, work permit, entry permit

From you, post-offer / pre-employment checks. Collection is limited to what’s legally required and only requested after conditional offer (or when sponsorship is pursued).

  • HR / recruitment staff;
  • Legal and privacy function (for incident and breach assessment and response).
  • To carry out right to work checks;
  • To establish & maintain legal right to work/reside;
  • To obtain sponsor permits;
  • To comply with migration checks;

Performance of a contract / steps at your request prior to entering into a contract (GDPR Art. 6(1)(b)) where relevant;

  • Compliance with a legal obligation (GDPR Art. 6(1)(c)) where we must verify right to work and comply with immigration/labour requirements;
  • Legitimate interests (GDPR Art. 6(1)(f)) to run a lawful recruitment process and prevent fraud.
  • Internal recipients on a need-to-know basis (such as HR / recruitment staff, hiring managers, legal department);
  • Migration Authorities;
  • Labour Authorities.
  • For the period of migration check + 6 months if you fail the check;
  • If you are hired: moved to personnel file under our employee/staff retention rules (Employment + 7 years);
  • Longer where needed for legal obligations or legal claims;

Criminal-offence data (GDPR Art. 10) & Medical examinations*: (only where strictly necessary and legally permitted)

  • Criminal record extract / equivalent official document (if required);
  • Information confirming eligibility/compliance status;
  • Medical examinations as required by migration authorities
    • (and of the spouse/dependants if applicable for third country nationals only)

Note: We do not process personal data relating to your spouse/partner or dependants as part of the recruitment process. If you are hired and immigration sponsorship requires us to process such data, this will be handled under our employee/staff privacy information and, where required, we will provide the relevant individuals with a separate privacy notice (or otherwise provide the information required under GDPR Article 14).

Important: If we need to process personal data relating to your spouse/partner or dependants for immigration/family reunification purposes, we will provide them with a separate privacy notice (or otherwise provide the information required under GDPR Article 14) unless an exemption applies.

From you and/or from competent authorities/official sources, only where applicable, post-offer / pre-employment checks. Collection is limited to what’s legally required and only requested after conditional offer.

  • HR / recruitment staff responsible for checks;
  • Legal and privacy function (for incident and breach assessment and response).
  • To complete mandatory eligibility/compliance and/or immigration/right-to-work checks for specific roles where required/authorised by law;
  • To obtain valid work/residence permit (for its family members);
  • To comply with employment/health and safety obligations and migration checks.
  • GDPR Art. 10 — processed only where authorised under Union or Member State law and subject to appropriate safeguards; and
  • GDPR Art. 6(1)(c) (compliance with a legal obligation) where the check is required for immigration/right-to-work purposes; and, where relevant,
  • GDPR Art. 6(1)(f) (legitimate interests) limited to protecting our organisation and ensuring compliance, where this does not override your rights and freedoms;
  • GDPR Art. 6(1)(b) (steps prior to entering into a contract), where the assessment is necessary to proceed with the recruitment process; and/or
  • GDPR Art. 6(1)(c) (legal obligation), where we are required by applicable law to carry out health/fitness checks; and/or
  • GDPR Art. 6(1)(f) (legitimate interests), where strictly necessary to ensure workplace safety and suitability for the role, taking into account your rights and expectations.

Additional condition for special-category personal data (GDPR Art. 9):
We process health data only where permitted under GDPR Art. 9, typically:

  • Art. 9(2)(b) (employment, social security and social protection law), where applicable; and/or
  • Art. 9(2)(h) (occupational medicine / assessment of working capacity), where carried out under professional confidentiality or equivalent safeguards; and/or
  • Art. 9(2)(f) (legal claims), where necessary to establish, exercise or defend legal claims.
  • Internal recipients on a need-to-know basis (such as HR / recruitment staff, legal department);
  • Competent public authorities where required by law;
  • Verification providers (if used) acting on our instructions and under appropriate contractual safeguards;
  • Otherwise, not shared externally except where legally required.
  • Retained only for the shortest period necessary to complete the relevant check and meet legal requirements then delete within 30 days;
  • If you are hired a minimal audit record (that the check was done + date + outcome) shall be kept in your personnel file under our employee/staff retention rules (Employment + 7 years);
  • Longer where needed for legal obligations or legal claims;

Where a copy must be retained by law: we will retain it only for the legally required period and apply enhanced access controls.

Third Country National’s Candidates’ Family Dependants (spouse/partner and children/dependants): identity & civil-status docs, passports/IDs, photos, birth/marriage certificates, immigration forms/history, translations/apostilles; police clearance certificates for 16+ where mandated; medical/insurance certificates

From you (and/or spouse/partner). Only requested after conditional offer.

Family members (spouse/partner and dependants, incl. children) of Third Country employees.

  • To submit, manage residence-permit (family reunification) applications;
  • To liaise with Migration authorities and comply with migration checks.

Consent; where any health data are included: Explicit consent.

  • Internal recipients on a need-to-know basis (such as HR / recruitment staff, hiring managers, legal department);
  • Migration Authorities;
  • Until the earlier of: (i) permit decision/issuance and return of originals + up to 90 days for administrative reconciliation, or (ii) withdrawal of consent. 

Working copies are deleted promptly after submission/ decision. 

A minimal record of consent/ withdrawal may be kept to demonstrate compliance;

  • Longer where needed for legal obligations or legal claims.

Talent pool Recruitment and applicant records and Reference and verification data as described hereinabove can be kept in our talent pool

Same as both in the Recruitment and applicant records and Reference and verification data rows.

Same as both in the Recruitment and applicant records and Reference and verification data rows.

Same as both in the Recruitment and applicant records and Reference and verification data rows plus to provide you with the future relevant employment opportunities.

Consent.

Same as both in the Recruitment and applicant records and Reference and verification data rows.

  • If you are not hired: if you opt in, we retain your data for 12 months from the date you provide consent (or until you withdraw consent, whichever is earlier);
  • If you accept our offer, we retain and use your data from offer acceptance until your start date to complete pre-employment steps;
  • If you are hired: moved to personnel file under our employee/staff retention rules (Employment + 7 years);
  • Longer where needed for legal obligations or legal claims.

Website/careers form technical data

Automatically from your device/browser when you access uspio.ltd and submit a form.

As described in our website Privacy Notice available at: https://uspio.ltd/privacy-notice/.

As described in our website Privacy Notice available at: https://uspio.ltd/privacy-notice/.

As described in our website Privacy Notice available at: https://uspio.ltd/privacy-notice/.

As described in our website Privacy Notice available at: https://uspio.ltd/privacy-notice/.

As described in our website Privacy Notice available at: https://uspio.ltd/privacy-notice/.

We may also retain and use your personal data in relation to the legitimate interests we have and for the establishment, exercise or defence of legal claims, such as defending any legal claims that may be brought against us in connection with your recruitment/application, or in establishing, bringing or pursuing any claim against you. This will typically involve passing data on to our internal and / or external legal advisers, who will be under strict professional and contractual duties of confidentiality.
You are required (by law or in order to enter into your contract of employment) to provide the categories of data marked as * above to us to enable us to verify your right to work and suitability for the position. If you do not provide this data, we may not be able to employ you (or continue to employ you).

3. Special-Category Personal Data (Sensitive Data)

Special-category data include health, biometric, genetic, racial/ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and sexual orientation.

When we process it

In the recruitment/application and employment context this mainly arises for health/occupational-health purposes (e.g., sick pay, absence management, fitness-for-work assessments), workplace adjustments, and immigration medicals where legally required.

Legal bases to process it

We rely primarily on 9(2)(b) (employment, social security and social protection law), 9(2)(h) (occupational medicine/health care), and – where mandated by law – 9(2)(g) (substantial public interest). We may also rely on 9(2)(f) for legal claims. We generally do not rely on consent for employment-related processing, but if consent is genuinely optional (e.g., when we process such data of third country national’s candidates’ family dependants), we will request explicit consent, explain the purpose, and they can withdraw it at any time.

Safeguards

Special-category data are access-restricted, stored separately where feasible, and handled by trained personnel under confidentiality. We minimise content (prefer fit/unfit or eligibility instead of detailed diagnoses), conduct DPIAs for higher-risk processing, and apply proportionate retention as set out in the table.

4. Criminal-Offence Data (GDPR ART. 10)

Special-category data include health, biometric, genetic, racial/ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and sexual orientation.

When we process it

We may process personal data relating to criminal convictions and offences (for example, information from criminal record extracts or equivalent official documents) only where this is strictly necessary and permitted by applicable law, typically in connection with mandatory eligibility, compliance, or immigration/right-to-work checks for specific roles.
Where we process such data, we will do so only:

  • after making a conditional offer, unless applicable law requires earlier processing; and
  • to the minimum extent required for the specific legal or regulatory purpose.

Legal bases to process it

Where applicable, processing is carried out on the basis of GDPR Art. 6(1)(c) (compliance with a legal obligation) and/or GDPR Art. 6(1)(f) (legitimate interests in protecting our organisation and complying with obligations), and GDPR Art. 10, only where processing is authorised under Union or Member State law and subject to appropriate safeguards.

Safeguards

Access is strictly limited to authorised personnel (typically HR/recruitment and Legal/privacy function) on a need-to-know basis; we store such data separately where appropriate; we apply enhanced access controls and logging; and we retain it for the shortest period necessary (see retention below).

5. Where Data May Be Held

Data may be held at our offices, and trusted third-party providers, representatives and agents. We have security measures in place to seek to ensure that there is appropriate security for data we hold. Where we transfer your data outside the EEA/UK, we do so in accordance with the safeguards described in the section “HOW DO WE TRANSFER YOUR PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)” below.

6. Keeping Your Personal Data Secure

We have appropriate security measures in place to prevent personal data from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal data to those who have a genuine business need to know it. Those processing your data will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

7. Your Rights

This section explains the rights you have under GDPR. These rights apply to the personal data we process about you in connection with your recruitment/application. Some rights apply only in certain circumstances; where that is the case, we explain the conditions below.

How to Exercise Your Rights

Submit requests by email to privacy@uspio.ltd (or by post to the address in Section I (WHO COLLECTS YOUR DATA) of this Privacy Notice). Please state which right(s) you wish to exercise and provide sufficient detail to help us identify the relevant data.

We may need to verify your identity before acting on a request. This is to protect you and ensure your data are not disclosed to an unauthorised person.

We aim to respond within one (1) month of receiving a valid request. Where requests are complex or numerous, we may extend by up to an additional two (2) months; if so, we will inform you within the initial month.

1. Right to be informed:

You have the right to receive clear information about how we collect, use, share, and retain your personal data. This Privacy Notice (and any updates we provide) fulfils that obligation. We will inform you before using your data for any materially different purpose.

2. Right to object on processing of your data:

Where our processing of your data is based solely on our legitimate interests (or those of a third party), you have the right to object to that processing if you give us specific reasons why you are objecting, which are based on your particular situation. If you object, we can no longer process your data unless we can demonstrate legitimate grounds for the processing, which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

3. Right of access:

You may request confirmation of whether we process your personal data and, if so, receive a copy and supporting information (categories, purposes, recipients, retention, source, safeguards for international transfers, etc.). Where feasible we will provide copies electronically in a secure format.

4. Right to Rectification:

If any personal data we hold about you are inaccurate or incomplete, you can ask us to correct or update them. Please let us know if any information you submitted as part of your application changes (for example, your contact details, availability, or right-to-work information) so we can keep your application accurate and up to date.

5. Right to Erasure (“Right to Be Forgotten”):

You may ask us to delete personal data in certain situations, for example where:

  • the data are no longer needed for the purposes collected;
  • you withdraw consent (where consent was the sole basis);
  • you successfully object and no overriding grounds exist; or
  • processing was unlawful.

We may retain data where required by law (e.g., tax, social insurance, immigration records) or to establish, exercise or defend legal claims.

6. Right to Data Portability:

For data you provided to us that we process by automated means on the basis of your recruitment/application or your consent, you may request the data in a structured, commonly used, machine-readable format and ask that we transmit it to another controller where technically feasible. This right is more limited in the recruitment/application context because much HR data are processed under legal obligation or legitimate interests.

7. Right to Restrict Processing:

You may request that we suspend use of your data (while keeping them) where:

  • you contest accuracy (restriction applies while we verify);
  • processing is unlawful and you prefer restriction to deletion;
  • we no longer need the data but you require them for legal claims; or
  • you have objected and we are verifying overriding grounds.

8. Right to withdraw consent:

Where we rely on your consent (or explicit consent) for specific processing, you may withdraw that consent at any time. This will not affect the lawfulness of processing carried out before withdrawal. We generally rely on legal obligations and our legitimate interests for most HR-related processing; where we rely on consent, we will make this clear at the point of collection.

9. Automated decision-making:

We do not make decisions about you that are based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you. If this changes, we will inform you and explain the logic involved, the significance and the envisaged consequences of such processing for you, as well as your related rights.

8. How Do We Transfer Your Personal Data Outside The European Economic Area (EEA)? / International Transfers

We primarily process personal data within the European Economic Area (EEA). Nonetheless, transfers outside the EEA may occasionally be necessary – for example, when we engage service providers who process data outside the EEA or are hosted in third countries. In such cases, we implement recognised safeguards to ensure that your personal data receive an adequate level of protection. If your personal data are transferred to a service provider located in a country outside the EEA that is not recognised by the European Commission as providing an adequate level of protection for personal data, we will ensure that appropriate safeguards are in place. These safeguards may include the use of the European Commission’s Standard Contractual Clauses or other mechanisms permitted under applicable data protection laws. You can obtain more information about these safeguards (including a copy of the Standard Contractual Clauses or information on where they are made available) by contacting us at privacy@uspio.ltd.

9. How To Complain

Any query or concern about our use of your data can be directed to privacy@uspio.ltd. You may also contact the Cyprus Commissioner for Personal Data Protection for further information about your rights and how to make a formal complaint (https://www.dataprotection.gov.cy/).

10. Updates To This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our processing activities, operational practices, or applicable law. We will publish the updated version on our website and revise the “Last updated” date above; where changes materially affect you – such as introducing new purposes of processing, new categories of recipients, or significant retention changes – we will provide additional notice (for example by email or another prominent communication) in advance where practicable. If we intend to process your personal data for a purpose that is incompatible with the original purpose, we will notify you and, where required by law, obtain your consent or provide you with an opportunity to object. Copies of previous versions are available on request.