Job Applicant Privacy Notice

Job Applicant Privacy Notice

Updated: June 28, 2024

Gradle, Inc. (the “Company” or “we”) is committed to ensuring that the personal data of job applicants is handled in accordance with sound data protection and privacy principles. As a job applicant, the laws in many jurisdictions provide you with the right to know how we use your personal data when you apply for a role at Gradle, as well as the types of data we collect, who we share this information with, how long we keep the data for, what security controls we have in place, and where the data is stored.

This privacy notice tells you what to expect when we collect personal information about you. It applies to all job applicants who apply for a role at Gradle, or one of our subsidiaries. Unless otherwise noted, we are considered the controller (or the “business” under the California Consumer Privacy Act (CCPA)) of this personal information.

We do not sell or otherwise disclose or share your personal information for monetary or other consideration to any third parties, but we may need to share relevant information with service providers and sub-processors (collectively, “Service Providers”), in order to fulfill our business purposes, act on your behalf, comply with our legal obligations, or for other purposes described below.

What Categories of Personal Information Do We Collect and How Do We Use This Information as a Business?

We collect the following categories of personal information for the following business purposes identified below:

Category of Personal Data Types of Personal Information Collected and Processed Reason / Business Purpose of Collection and Processing
Information You Provide to Us When Applying for a Role
  • Personal contact details such as your name/preferred name, address, contact telephone number(s) and email address;
  • Your date of birth and gender (if provided);
  • SSN/National Identifier number;
  • Signature;
  • Employment and education history including your qualifications, prior positions, employment references, employment termination, and right to work information;
  • Educational records such as grades, transcripts, and class lists;
  • Other information you provide on your resume, cover letter or in your application materials;
  • Additional background information (e.g., security clearances, if applicable to your role).
 We collect this information to:

  • Process and manage your application;
  • Correspond with you during the recruitment process and manage our relationship with you;
  • Conduct interviews (this may include recording the interview, with your consent, taking notes and making observations about you);
  • Conduct pre-employment screening, including reference & background checks;
  • Enter an employment contract with you;
  • Provide assistance with immigration support (such as applying for a visa);
  • Support internal administration with our affiliated entities;
  • Conduct data analyses to review, better understand and improve our recruitment process and the tools we use;
  • Comply with our legal obligations (e.g., immigration, tax, law enforcement requests) in the jurisdictions where we operate.
Sensitive Personal Information and Protected Categories Information
  • Information about your age, race, ethnicity, religion or philosophical beliefs, country of origin, ancestry, sexual orientation, gender identity or gender expression,  if provided by you (e.g., as part of your resume/CV or online profile, or if you provide it as part a voluntary diversity survey);
  • Military and veterans’ status, or trade union membership, if provided by you;
  • Information about your physical or mental health, disability, or condition, if provided by you (e.g., to seek reasonable accommodation for a disability);
  • Information that reveals your social security, driver’s license, state ID, passport number;
  • Details of any criminal convictions you declare or are discovered via pre-employment screening;
  • Biometric data that uniquely identifies you if you visit an office (CCTV, voice/video recordings).
 We collect this information to:

  • Comply with applicable hiring laws;
  • Conduct interviews (this may include recording the interview, with your consent, taking notes and making observations about you);
  • Conduct pre-employment screening and background checks (criminal history only);
  • Protect the rights, property, or safety of you, us, or another party (CCTV footage);
  • Assess your working capacity;
  • Comply with our legal obligations in the jurisdictions where we operate;
  • Provide assistance with immigration & travel support (such as applying for a visa).
Internet or Network Activity information When Using our Networks
  • IP address;
  • Location information;
  • Information regarding your interaction with our website(s), or if you submit an application through a job portal (e.g., LinkedIn, Greenhouse).
 We collect this information to:

  • Protect Company, customer, and employee property, equipment, and confidential information;
  • Prevent, detect, and investigate security incidents and potentially illegal or prohibited activities;
  • Protect the rights, property, or safety of you, us, or another party.
If You Seek Reimbursement for Expenses
  • Invoices and receipts (e.g., travel receipts)
  • Personal Information such as your name, address, or email address;
  • Your bank account information (for reimbursement and payment purposes).
 We collect this information to:

  • Fulfill expense reimbursements and for general accounting purposes;
  • Handle general human resources processes;
  • Comply with our employment and legal obligations (e.g., tax) in the jurisdictions where we operate.
Inferred Data
  • Details related to your preferences, characteristics, psychological trends and predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
 We collect this information to indirectly or if you provide it to us during the recruiting process (e.g. during an interview), or if you make it available on your resume, CV or LinkedIn profile.
Information Collected for Legal and Contractual Obligations
  • Information necessary to comply with our legal and contractual obligations and to respond to legal claims.
 The Company collects this information to comply with our legal and contractual requirements, and to establish, exercise, and defend legal and contractual rights and claims.

Where Do We Obtain Your Personal Information?

We usually collect personal information directly from you. We may also collect personal information from other sources. For example, we may collect information from:

  • Recruiters, recruiting platforms (e.g., Greenhouse, LinkedIn) and employment agencies;
  • Professional references you provide to us;
  • Pre-employment screening services;
  • Prior employers (e.g., for references);
  • Educational institutions;
  • From government agencies (e.g., to verify that you have a right to work);
  • Credentialing and licensing organizations;
  • Publicly available sources such as your social media profile (e.g., LinkedIn, Twitter, and Facebook);
  • CCTV images at our office locations; and/or
  • Other sources as directed by you.

Who Do we Share Your Data With?

We may share your personal information as necessary for the purposes described in this Privacy Notice, including with other businesses. For example, we share your personal information with the following parties:

  • Affiliates and Subsidiaries: We may share information with affiliates and subsidiaries of Gradle.
  • Service Providers: We use service providers to operate, host, and facilitate our recruiting process, operations and business. These include hosting, technology, and communication providers; security and fraud prevention services and consultants; analytics providers; background and reference check screening services; immigration support; HR and recruiting; and benefits management and administration tools.
  • Government authorities and law enforcement: In certain situations, we may be required to disclose personal information in response to lawful requests made by public authorities, including to meet national security or international law enforcement requirements, and for immigration support purposes.
  • Business transfers: Your personal information may be transferred to a third party if we undergo a merger, acquisition, bankruptcy, or other transaction in which that third party assumes control of our business (in whole or in part).
  • Professional Advisors and Contractors: We may share your personal information with our professional advisors and contractors to handle recruitment, HR and related business operations.
  • Other: We may also share your personal information with third parties for purposes of fulfilling our legal obligations under applicable law, regulation, court order, or other legal process, such as preventing, detecting and investigating security incidents and potentially illegal or prohibited activities; protecting the rights, property or safety of you, us or another party; enforcing any agreements with you; responding to claims; and resolving disputes.

We do not share your information with any third party for the purposes of behavioral advertising.

The Company has agreements in place with our affiliates and subsidiaries, as well as Service Providers, professional advisors and contractors. These agreements strictly limit and set strong controls around the collection, use, storage, sharing and retention of your data. A list of our Service Providers can be found here.

Please note that mobile telephone information will not be shared with third parties/affiliates for marketing/promotional purposes. All other categories of Personal Data shared with third parties exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties for marketing or promotional purposes.

Your Rights

Depending on where you live, you may have additional rights under the data protection laws. For example, the California Consumer Privacy Act, other US state laws, the EU and UK General Data Protection Regulations and the Swiss Federal Act on Data Protection all provide individuals (or their authorized agents) with additional rights to their data.

Many of these rights ensure that you are informed and aware of how we process data about you. For example, you have the right to know what information we collect, the categories and sources we collect data from, our business purposes for collecting and processing your data, our legal reasons (or ‘lawful basis’) for processing your data, our retention period and security controls, and who we share your data with. Most of this information is available in this privacy notice.

But you also have other rights, which we have listed below. Sometimes, we may have valid grounds for limiting how we respond to some requests, rejecting a request, or charging a reasonable fee. Sometimes, technical, or legal restrictions may also make it impossible for us to comply with your request. For example, we may not be able to delete information about you if we need it to fulfill our legal obligations, or we may not be able to provide you with access to information if we have anonymized it.

In addition to the right to know, you have the following rights under the data protection laws:

  • Right of access – you have a right to access a copy of the data we hold about you. This right may be restricted depending on the volume and nature of the request, specific exceptions under the law, or the type of data available.
  • Right to withdraw consent – if we process data (including transferring data outside of the US, EU, Switzerland or UK) based on your consent, you have the right to withdraw that consent at any time.
  • Right to rectification – if you believe the information we have about you is wrong or incomplete, you have a right to ask us to correct that data.
  • Right to erasure (i.e. a right to be forgotten) – you have the right to ask us to delete data about you. While this is not an absolute right, if we no longer need this data, we will delete it.
  • Right to data portability – If you would like to transfer data to another service, you have a right to receive your personal data in a machine-readable format.
  • Right to restrict processing (or opt out of sale and sharing) – in certain cases, you may ask us to stop processing your data – for example, if we process data for a purpose you do not consent to, if we sell or share your information with third parties, especially sensitive personal information, or if we use that information to infer characteristics about you. In such cases, unless this processing is legally necessary, we will comply with your request.
  • Right to refuse automated decision-making including profiling – In some situations, if we make decisions about you based solely on automated means or profiling, you have the right to object and to ask us to stop.
  • Right to non-discrimination –Under the CCPA and related laws, you have a right not to be subject to discrimination if you exercise these rights.
  • Right to lodge a complaint with the Supervisory Authority – If you are based in the EU/EEA, Switzerland or the UK, you can complain to your data protection authority if you feel your rights have been infringed.
  • Right to seek a judicial remedy: Depending on your jurisdiction, you may have the right to make a legal claim where you believe we or our processors have not fulfilled our obligations under the data protection laws.

We are committed to helping you exercise your rights. If you have a query, you can email us at privacy@gradle.com.

To comply with your request, we may request specific information from you to help us confirm your identity. If we cannot comply with your request, or need to limit information we share, we will inform you of the reasons why, subject to any legal or regulatory restrictions. We generally have at least one month (30 days) to respond to a request under the law but may request additional time in some cases.

Data Retention

Except as otherwise permitted or required by applicable law, regulation, or other legal obligation, we will only retain your personal information for as long as necessary to fulfill the purposes we collected it for, in line with our data retention policy.

Under some circumstances we may aggregate and/or anonymize your personal information so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent.

Data Security

We have implemented appropriate physical, technical, and organizational security measures designed to secure your personal information against accidental loss, unauthorized access, use, alteration, or disclosure. In addition, we limit access to personal information to those employees, agents, contractors, and Service Providers that have a legitimate business need for such access.

In terms of technical controls, we apply encryption in transit and at rest, regularly undertake vulnerability assessments on our software and tools, monitor our service provider’s compliance with their data protection and security obligations, and ensure that contracts and agreements are in place with organizations that touch your data. If you have additional questions about our security practices, please reach out to security@gradle.com.

Applicants Located in the EU/European Economic Area (EEA) AND the United Kingdom (UK)

If you are in the EU / EEA or the UK, we need to provide you with additional information regarding our legal reasons (or ‘lawful basis’) for processing your personal information. These fall into the following categories:

  • Article 6(1)(a) –   If we obtain your consent
  • Article 6(1)(b) – To perform a contract with you, or on your behalf
  • Article 6(1)(c) –   To comply with our legal obligations
  • Article 6(1)(f) –   For our legitimate business interests. We will undertake a legitimate interests assessment that balances our interests against yours as a data subject.

Additionally, when we process sensitive personal information (or sensitive categories data), we have additional legal grounds on which we may rely. These are:

  • Article 9(2)(b) – To meet our employment obligations and carry out our rights in the field of employment, social security and social protection
  • Article 9(2)(e) – If the information has manifestly been made public by you
  • Article 9(2)(f) – For the establishment, exercise, or defense of legal claims

We will only process your personal data for the purposes we collected it for or for compatible purposes. If we need to process your personal data for an incompatible purpose, we will provide notice to you and, if required by law, seek your consent. We may process your personal data without your knowledge or consent where required by applicable law or regulation.

Depending on the processing activity, we rely on the following lawful basis for processing your personal data under the EU and UK GDPR:

Category of Personal Data

Reason / Business Purpose of Collection and Processing

Information Related to your Employment
  • Your consent
  • Compliance with our legal obligations
  • Our legitimate business interests
  • Employment obligations
  • When the information is manifestly made public
  • For the establishment, exercise, or defense of legal claims

Sensitive Personal Information and Protected Categories Information
  • Your consent
  • Compliance with our legal obligations
  • Employment obligations

Internet or Network Activity information When Using our Networks
  • Compliance with our legal obligations
  • Our legitimate business interests

If You Seek Reimbursement for Expenses
  • Your consent
  • Performance of a contract
  • Our Legitimate business interests

Inferred Data
  • Your consent
  • Our Legitimate business interests

Information Collected for Legal and Contractual Obligations
  • Compliance with our legal obligations
  • For the establishment, exercise, or defense of legal claims

International Transfers of Personal Data

Gradle complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the U.K. Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) for transfers of Personal Data from the European Union (“EU”), European Economic Area (“EEA”), the United Kingdom (“U.K.”)(and Gibraltar), and Switzerland to the U.S.

When we transfer Personal Data out of EU, EEA, U.K.(and Gibraltar), and Switzerland to countries that do not benefit from an adequacy decision, we may rely on Standard Contractual Clauses, or other legal transfer mechanisms with appropriate safeguards in place to protect Personal Data.

Data Privacy Framework (DPF)

This policy applies to Personal Data processed in the course of the EU-U.S. Data Privacy Framework, to which Gradle has committed. Gradle complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union, the United Kingdom (including Gibraltar) and Switzerland to the United States.

Gradle has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.

Gradle has also certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF.

Under the EU-U.S. DPF, including the UK Extension of the EU-U.S. DPF, and the Swiss-U.S. DPF , Gradle shall be subject to liability in cases of onward transfers of personal information to third parties, however Gradle is required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles including the UK Extension of the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.

To learn more about the EU-U.S. DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/s/

EU, UK, and Swiss individuals have rights, under certain circumstances, to access Personal Data about them, request that Personal Data be corrected, amended, or deleted and to limit use and disclosure of their Personal Data. With our Data Privacy Framework self-certification, Gradle has committed to respecting those rights. To exercise your rights under the DPF Principles, please contact Gradle at:  privacy@gradle.com

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Gradle commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of Personal Data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Gradle’s privacy team at privacy@gradle.com.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.  See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2 for more information.

Please note that Gradle is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

Contact for questions

If you have any questions or concerns regarding this Privacy Notice or the collection of your personal information, please contact our Data Protection Officer:

Website: www.gradle.com

Email: privacy@gradle.com

Address: 2261 Market Street #4081, San Francisco, CA  94114, United States / Danckelmannstr. 21, 14059, Berlin, Germany