ShortlistIQ
Sign inGet started

Privacy Policy

Last updated: 1 June 2026

ShortlistIQ Ltd ("ShortlistIQ", "we", "us") provides AI-assisted candidate matching and recruitment tooling. This policy explains what personal data we collect, how we use it, and the rights you and the candidates whose data you process have under UK data protection law, including the UK GDPR and the Data Protection Act 2018.

1. What data we collect

  • Candidate CVs and uploaded documents. Files you upload (PDF, DOCX, TXT) and any structured information our parsers extract from them, including names, contact details, work history, education, skills, locations, salary expectations and any free-text content you provide.
  • Account information. Your name, email address, password hash, company name, billing details processed by our payments provider, and team membership data.
  • Usage analytics. Aggregated and pseudonymised information about how you use the product — pages visited, features used, request timing, error logs, IP address and user-agent — used to improve reliability and performance.

2. Roles and lawful basis

For your account data, ShortlistIQ is the data controller. For candidate data you upload, you are the controller and ShortlistIQ acts as your data processor. You are responsible for having a lawful basis to upload, store and process candidate information — typically legitimate interest or consent under Article 6(1) of the UK GDPR.

3. How data is stored

Data is stored on secure cloud infrastructure within the UK and EEA. Files are encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Access to production systems is restricted to authorised engineers, protected by multi-factor authentication and logged for audit.

4. Data retention

Candidate records remain in your workspace until you delete them or close your account. On account closure, your data is deleted from production systems within 30 days and from encrypted backups within 90 days. Billing records are retained for 7 years to satisfy UK tax law.

5. UK GDPR compliance

We process personal data in line with the UK GDPR's data minimisation, purpose limitation, accuracy, integrity and confidentiality principles. A Data Processing Agreement (DPA) covering your candidate data is available on request and forms part of our standard subscription terms.

6. Your rights

You and the candidates whose data you process have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request erasure ("right to be forgotten")
  • Restrict or object to processing
  • Receive your data in a portable format
  • Lodge a complaint with the Information Commissioner's Office (ICO)

7. Security measures

We operate role-based access controls, row-level security on all tenant data, automated dependency scanning, regular penetration testing and a documented incident response process. AI inference is performed via vetted model providers under data processing agreements that prohibit training on your content.

8. Contact

For any privacy question or data subject request, contact our Data Protection Officer at privacy@shortlistiq.com.