Global Privacy Notice

Last updated: 24 October 2025 

This Global Privacy Notice explains how Quantum People (“we”, “us”, “our”) collects and uses personal data worldwide in connection with our recruitment and talent‑advisory services. 

Who we are. Quantum People is the trading name of Talent Staffing Services Limited (England & Wales No. 16667216). Registered office: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ. VAT No. 500462049. 

How to contact us. Email: privacy@quantumpeople.net 

EEA representative / DPO: If and when legally required, we will appoint and publish details of our EU representative and/or Data Protection Officer here. 

We work globally with companies, roles, and candidates. This notice is designed to comply with UK GDPR, the EU GDPR, the UK Data Protection Act 2018, PECR (cookies/marketing in the UK/EU), and key US state privacy laws (including California). 

1) Scope & Roles 

We primarily act as an independent controller for candidate and client personal data (e.g., sourcing, screening, matching, presenting candidates, coordinating interviews). 

In some engagements we may act as a processor/service provider for specific client instructions (e.g., operating within a client’s ATS). Where our role changes, we will document it in the contract and process data accordingly. 

This notice applies to: 

  • Candidates and job applicants (to our clients’ roles or to join Quantum People) 

  • Client and prospective‑client contacts 

  • Website users and event participants 

  • Vendors/partners 

2) Personal Data We Collect 

Candidates: name, contact details, CV/resumé, work history, skills, preferences, compensation and notice period, interview notes, assessment outcomes, right‑to‑work evidence, references, communications. 

Clients & prospects: business contact details, role/title, hiring requirements, meeting notes, communications. 

Website & marketing: IP address, device/browser, general location, cookie IDs, pages viewed, referral info, preferences and consent choices. 

Vendors/partners: business contact/billing details, contract information. 

Special category data (e.g., diversity information, health data for accommodations) is collected only where relevant, lawful and appropriately safeguarded. Criminal‑records data is processed only where required/permitted by law or client instruction and with the necessary legal bases and safeguards. 

3) Sources 

  • Directly from you (forms, email/phone, interviews, events) 

  • Public/professional sources (e.g., job boards, professional networks like LinkedIn) 

  • Referrals from clients or contacts 

  • Our service providers (e.g., communications, CRM/ATS, hosting and analytics) in the course of providing their services 

4) Purposes & Legal Bases 

Recruitment services: sourcing, screening, presenting candidates; arranging interviews; feedback — UK/EU bases: legitimate interests and/or contract; US framing: business purposes. 

Contracting & relationships: client onboarding, SOWs/MSAs, invoicing — UK/EU: contract; US: business purposes. 

Compliance: identity/right‑to‑work checks; fraud prevention — UK/EU: legal obligation; where relevant substantial public interest; US: legal compliance. 

Marketing & events: newsletters, insights, webinars — UK/EU: consent (where required) or legitimate interests for B2B; US: business purposes with consent where required. 

Website operation & analytics: security, performance, aggregated metrics — UK/EU: legitimate interests; consent for non‑essential cookies; US: business purposes with consent where required. 

Disputes & record‑keeping: legal claims, audits — UK/EU: legitimate interests/legal obligation; US: legal compliance. 

5) Sharing Your Data 

We share personal data, where necessary, with clients; service providers under contract (e.g., secure email/telephony, cloud productivity, CRM/ATS hosting, website hosting/analytics, professional advisors); referees and background‑check providers (when applicable and lawful); regulators, courts, and law enforcement when legally required; and business transferees as part of corporate transactions. 

We do not sell personal data and we do not share personal information for cross‑context behavioural advertising as defined by California law. 

6) International Transfers 

Because we work worldwide, we may transfer data across borders. We implement appropriate safeguards such as adequacy decisions/regulations (UK/EU), Standard Contractual Clauses (SCCs) with the UK Addendum/IDTA as applicable, and technical and organisational measures (encryption in transit, access controls, least‑privilege). You can request details of the specific safeguards used for your data. 

7) How long we keep your data (Retention) 

7.1 Principles we follow 

We retain personal data only for as long as necessary to fulfil the purposes set out in this Notice, to comply with legal and regulatory obligations across the UK, EU, and United States, and to establish, exercise, or defend legal claims. We apply: 

  • Storage limitation (UK/EU GDPR Art. 5(1)(e)) and data minimisation 

  • Purpose‑based schedules with category‑specific periods and clear triggers for when a period starts and ends 

  • Deletion or anonymisation at the end of a retention period, subject to any legal hold or statutory requirement 

We periodically review retention periods and may adjust them to reflect changes in law, regulation, industry standards, or our services. If a longer or shorter period is mandated in a specific jurisdiction or by contract, that requirement will prevail. 

7.2 Default retention periods (by data category) 

  • Active candidate profiles (not placed): up to 24 months from last meaningful contact (e.g., application, reply, call, interview, consent refresh). You may request deletion sooner. 

  • Talent pool (consented): up to 36 months from last meaningful contact, or until consent withdrawn. If not renewed, records are deleted or anonymised. 

  • Placed candidates/assignees: up to 6 years from end of engagement to manage contractual claims, fees, warranties, and statutory record‑keeping. 

  • Right‑to‑work/identity checks (where we perform them): UK generally 2 years after employment/assignment ends; US I‑9: 3 years from hire or 1 year after termination, whichever is later; other EEA: as required locally. 

  • References/background screening: in line with the underlying candidate record; evidence of checks retained up to 6 years where needed for audit/claims. 

  • Client and prospect B2B contacts: up to 36 months from last meaningful contact or end of contract. 

  • Contracts, orders, invoices, payments: 6–7 years from financial year end (jurisdiction‑specific). 

  • Customer service & complaints: up to 6 years after closure. 

  • Marketing lists & consent logs: active while subscribed; consent/opt‑out logs for at least 6 years after last change. 

  • Website analytics & telemetry (non‑essential; consent in UK/EU): 3–26 months depending on tool/configuration (see Cookie Notice). 

  • Security & access logs (systems, apps, network): 90–365 days (higher‑risk systems up to 24 months). 

  • Telephony/voicemail/meeting recordings (if used): 90–180 days (metadata up to 12 months) unless needed for training, quality, or legal reasons. 

  • Vendor/partner records: duration of relationship + 6 years. 

  • Legal, audit, and dispute files: until matter closes + limitation period (typically 6 years, longer for certain claims). 

Meaningful contact includes submitting or updating a CV, interacting with us about roles, attending interviews, replying to communications, opening emails in a way that evidences active interest, or explicitly asking us to keep your profile. 

7.3 Triggers that start, pause, or restart the clock 

  • Start: on collection/creation of the record or the last meaningful contact (for engagement‑based categories) 

  • Restart: each new meaningful contact or new engagement resets the retention timer for the relevant record 

  • Pause: when a legal hold is in place, retention is suspended until the hold is lifted 

  • Short‑circuit deletion: if you withdraw consent, successfully object, or we determine continued retention is not necessary, we will delete or anonymise earlier 

7.4 Deletion, anonymisation, and archiving standards 

  • Deletion: removal from active systems followed by purge from near‑line storage in scheduled jobs; cloud replicas honour vendor SLAs 

  • Anonymisation: irreversible removal of identifiers so individuals are no longer identifiable; anonymised data may be kept indefinitely 

  • Pseudonymisation: replacing identifiers with tokens to reduce risk during the retention period; pseudonymised data remains personal data 

  • Archiving: where a legitimate archival purpose exists (e.g., audit trails), we store minimal datasets with stricter access controls and longer review intervals 

7.5 Backups and disaster recovery 

  • Encrypted backups are kept solely for business continuity and disaster recovery; not used for routine processing 

  • Typical backup cycles are daily with rolling retention of 35–90 days depending on the system and provider 

  • When a record reaches end‑of‑life in production, it disappears from backups after the rolling window; post‑restore, we re‑apply outstanding deletions 

7.6 Legal holds and exceptions 

  • Anticipated or active disputes, investigations, audits, or legal proceedings: relevant records placed on legal hold, overriding ordinary deletion 

  • Statutory retention (e.g., tax, accounting, immigration, employment, equal opportunity): kept for the full statutory period in the relevant jurisdiction (e.g., UK tax/companies 6 years; US EEOC certain recruitment records ≥1 year; US I‑9 per federal rules; EU/EEA local rules may set 3–10+ years) 

7.7 System‑specific notes (how this works in practice) 

  • Email & collaboration tools: mailbox retention follows the underlying record category; scheduled purges enforce timelines 

  • CRM/ATS: lifecycle states (active candidate, talent pool, placed, archived) with automated timers and bulk deletion/anonymisation; consent/objection flags enforced across pipelines 

  • Website/CMS & analytics: cookie consent governs non‑essential identifiers in the UK/EU; Cookie Notice lists cookie name, purpose, lifespan; IP truncation where supported 

  • File storage & contracts: versioned repositories apply immutable retention to executed contracts and financial records for the statutory period, then move to deletion queues 

  • Call/meeting platforms: recordings off by default and retained only with a clear business need and limited access 

7.8 Regional variants and cross‑border logic 

  • Where multiple regimes apply to the same record, we retain for the longest applicable mandatory period 

  • If a local law grants you the right to request earlier deletion (e.g., GDPR Art. 17), we will assess and act unless an exception applies 

  • For California and other US states, we map categories to business purposes and service provider/processor concepts and respect opt‑out and deletion rights, subject to exemptions 

7.9 How to request deletion or changes (your choices) 

Email privacy@quantumpeople.net to request deletion, restriction, or correction. We will verify identity/authority, assess legal obligations or holds, execute deletion/anonymisation across systems and processors, and confirm completion noting any lawful exemptions. Where we cannot fully delete due to an ongoing legal obligation, we will isolate and minimise your data. 

7.10 Review cadence and governance 

We review this schedule at least annually and after material changes in law or services; maintain Records of Processing Activities (ROPA) and a Retention Schedule (systems, categories, legal basis, period, trigger, owner, processor SLAs); and log deletion/anonymisation events for audit. 

7.11 Illustrative scenarios 

  • Apply/interview/not placed: keep up to 24 months from last meaningful contact; 36 months with talent‑pool consent; earlier deletion on request 

  • Placed: keep placement/commercial records for up to 6 years 

  • Deletion request: delete/anonymise and instruct processors unless a legal basis requires retention (e.g., invoices) 

  • Dispute: legal hold suspends deletion; schedule resumes when resolved 

8) Security 

We use proportionate technical and organisational measures: encryption in transit, access controls/least privilege, logging, employee confidentiality and training, vendor due diligence, and incident response processes. 

9) Your Rights 

UK/EU (UK GDPR, EU GDPR): rights to access, rectify, erase, restrict, object (including marketing), data portability, and withdraw consent. Contact privacy@quantumpeople.net; you may complain to the ICO or your local EEA authority. 

United States (state privacy laws including CA/CO/CT/VA, etc.): subject to verification and scope limits: rights to know/access, correct, delete, portability, opt‑out of targeted advertising/sale/certain profiling (we do not sell or share for cross‑context behavioural advertising), non‑discrimination, and appeal. Submit requests to privacy@quantumpeople.net; authorised agents may act where permitted. 

10) Marketing Preferences 

UK/EU: consent where required (e.g., non‑essential cookies, some direct electronic marketing); B2B marketing under legitimate interests with opt‑out. US: follow applicable state rules; opt out at any time via the email link or by contacting us. We do not disclose personal data to third parties for their own direct marketing. 

11) Cookies & Similar Technologies 

We use necessary cookies for operation and security. With consent, we may use analytics/marketing technologies. See our Cookie Notice and Preference Centre; non‑essential cookies are set only after consent in the UK/EU and where required elsewhere. 

12) Children 

Our services are intended for adults and professional users. We do not knowingly collect data from children under 16 (or 13 in the United States). If you believe a child has provided data, contact privacy@quantumpeople.net to request deletion. 

13) Automated Decision‑Making 

We do not make decisions based solely on automated processing that produce legal or similarly significant effects. We may use ranking/search tools to organise candidate profiles, always with human review. 

14) Changes to this Notice 

We may update this Notice from time to time. When we do, we will revise the “Last updated” date and, where appropriate, notify you of material changes.