
Privacy Policy

Effective May 22, 2026. This policy explains how Way of Work OÜ collects, uses, shares and protects personal data when you use the Way of Work platform.

1. Who we are

The data controller for the personal data described in this policy is Way of Work OÜ, Narva mnt 5, 10117 Tallinn, Estonia (“we”, “us”). You can contact our privacy team at privacy@wayofwork.com.

This policy applies to two groups of data subjects: customers (the recruiters and hiring teams who subscribe to the Service) and candidates (the professionals sourced and contacted through the Service). Where the legal basis or treatment differs, this is called out explicitly below.

2. Our role under the GDPR

Customer account data. When you create an account, configure a workspace and run roles, you are the controller of the role briefs, notes, settings, sender-domain configuration and other content you input. We process this data as your processor in accordance with our Terms of Service and our Data Processing Addendum (available on request).

Sourced candidate data. We source candidate profiles from public professional sources and licensed third-party data providers (see section 4). We act as an independent controller of that data at the point we collect, normalise, score and surface it. Once you contact a candidate through the Service or export their data, you become an independent controller for your own subsequent processing of that candidate’s data within your systems.

3. Categories of personal data we process

3.1 Customer data

  • Account: name, work email, password hash, role/team within your organisation.
  • Billing: company name, billing address, VAT number, payment-method metadata (handled by Stripe; we do not store card numbers).
  • Workspace content: role briefs, hiring rubrics, internal notes, uploaded documents, sender-domain configuration.
  • Usage: log entries, IP address, browser metadata, audit events, in-app actions and credit-ledger entries.
  • Support correspondence and feedback you send us.

3.2 Candidate data

  • Identifiers: full name, professional photo, public profile URLs.
  • Contact: work and/or professional email; where available and lawful, phone number.
  • Professional history: employment history, titles, company names, dates, education, certifications, publicly listed skills.
  • Public signals (where applicable): GitHub username and public activity, public blog/article authorship, public conference talks.
  • AI-derived data: rubric sub-scores, match rationale, citations to specific profile fields, ESP (email-service-provider) classification of contact email.
  • Engagement: outreach delivery status, opens, clicks, replies, interview transcript and structured summary (if the candidate completes a screening interview).

4. Sources of candidate data

We do not scrape the open web for candidate data. Candidate profiles are collected from the following sources:

  • SignalHire — primary professional-data provider, returning candidate profiles assembled from publicly available sources.
  • GitHub — public profiles and public repository activity for technical roles, accessed via the GitHub API.
  • Apollo (optional, where enabled) — professional-data provider used for go-to-market roles in markets where SignalHire under-covers.
  • Hunter.io / equivalent email-enrichment services — used to verify or supplement email addresses already obtained from the above.
  • Information that candidates submit directly to us (for example, when they complete an AI screening interview through a link sent by a customer).

Each of these providers has its own privacy policy and represents to us that the data it makes available has been collected from publicly available professional sources. We do not knowingly accept data obtained without a lawful basis.

5. Purposes and legal bases

Purpose, data subjects and legal basis (GDPR Art. 6):

  • Provide the Service (account, billing, support). Data subjects: customers. Legal basis: contract, Art. 6(1)(b).
  • Source, normalise, score and surface candidates. Data subjects: candidates. Legal basis: legitimate interest, Art. 6(1)(f), namely matching open roles to professionals open to relevant opportunities.
  • Send recruitment outreach on a customer’s behalf. Data subjects: candidates. Legal basis: the customer’s legitimate interest, Art. 6(1)(f); the customer is the sender and the controller for the outreach itself.
  • Conduct AI screening interviews. Data subjects: candidates. Legal basis: consent, Art. 6(1)(a); the candidate actively starts the interview.
  • Secure the platform, prevent abuse and keep audit logs. Data subjects: customers and candidates. Legal basis: legitimate interest, Art. 6(1)(f).
  • Comply with tax, accounting and legal obligations. Data subjects: customers. Legal basis: legal obligation, Art. 6(1)(c).
  • Aggregated, anonymised analytics to improve the Service. Data subjects: all. Legal basis: legitimate interest, Art. 6(1)(f); no individual is re-identifiable.

We do not use personal data to train third-party generative models. Customer content and candidate data are not used to train our own foundation models; where AI features rely on third-party models (see section 7), the requests are sent under provider terms that prohibit training on customer data.

6. How long we keep data

  • Sourced candidates (no outreach): profiles surfaced into a workspace but never contacted are visible for 60 days from sourcing, then automatically removed from the active workspace. We may retain an internal record of the dedupe key to avoid re-sourcing the same candidate for the same customer.
  • Contacted candidates: once outreach is sent, the candidate’s profile and engagement history are retained in the customer’s workspace for the duration of the customer’s active relationship with us, plus up to 24 months thereafter or until earlier deletion.
  • Interview transcripts: retained alongside the candidate record. Candidates may request deletion at any time (see section 9).
  • Customer account data: retained for the duration of the subscription plus 90 days after termination, then deleted from active systems. Encrypted backups are purged within a further 90 days.
  • Billing and tax records: retained for 7 years as required by Estonian and EU tax law.
  • Security and audit logs: retained for up to 12 months unless a longer period is required to investigate a specific incident.

7. Subprocessors and data sharing

We share personal data with the following categories of subprocessors strictly as needed to operate the Service. All subprocessors are bound by written data processing agreements that include GDPR-compliant safeguards.

Subprocessor, purpose and processing region:

  • Supabase: application database, authentication, edge functions, scheduled jobs. Region: EU (Frankfurt).
  • Vercel: hosting of the Next.js application. Region: EU regions.
  • Anthropic: large-language-model inference for AI agents (intake, sourcing, grading, outreach drafting, interviewing). Region: US (zero-retention API where available).
  • SignalHire: candidate-data provider. Region: global.
  • Apollo: optional candidate-data provider (GTM roles). Region: US/EU.
  • SendGrid (Twilio): transactional and outreach email delivery. Region: US/EU.
  • Stripe: subscription billing, payment processing, VAT handling. Region: EU (Ireland).
  • Cloudflare: CDN, DDoS protection, Turnstile bot challenge on signup. Region: global edge.

An up-to-date list of subprocessors is available on request from privacy@wayofwork.com. We will give customers reasonable notice of new subprocessors before they are engaged.

We do not sell personal data. We do not share candidate data between customer workspaces. We do not provide candidate data to advertising networks.

8. International data transfers

Our primary hosting and database infrastructure is located in the European Union. Some subprocessors (notably Anthropic, SignalHire, Stripe, SendGrid and Cloudflare) may process data outside the EU/EEA. Where such transfers occur, they are made under the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, supplementary technical and organisational measures. A copy of the relevant transfer safeguards is available on request.

9. Your rights

If you are located in the EU/EEA or the UK, you have the following rights under the GDPR (or, in the UK, the UK GDPR):

  • Access — to a copy of your personal data.
  • Rectification — to correct inaccurate data.
  • Erasure — to have your personal data deleted, subject to legal retention obligations.
  • Restriction of processing in certain circumstances.
  • Objection to processing carried out on the basis of legitimate interest, including objection to being sourced for recruitment outreach.
  • Portability — to receive your data in a structured, commonly used format.
  • Withdrawal of consent — where processing is based on consent (for example, an AI screening interview), at any time and without affecting prior processing.
  • Lodge a complaint with a supervisory authority. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

How to exercise rights. Send a request to privacy@wayofwork.com from the email address associated with the data, or by post to the address in section 1. We will respond within 30 days. For data that a customer has exported or downstream-processed in their own systems, please contact the customer directly; we will assist on request.

Candidate-specific note. If you have received outreach through the Service and want your data removed from our system, email privacy@wayofwork.com with the subject “Erase”. We will remove your profile from active workspaces within 30 days and add your contact details to a suppression list so we do not re-source you in the future.

10. Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • TLS encryption in transit.
  • AES-256 encryption at rest for the application database, and encrypted backups.
  • Row-level security on multi-tenant tables, so that data in one customer workspace is not readable from another.
  • Role-based access control.
  • Audit logging of administrative actions.
  • Least-privilege access for staff.
  • Secrets management for API keys.
  • Cloudflare Turnstile and IP-based protection against automated abuse on signup and authentication endpoints.

In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach and, where the breach is likely to result in a high risk, the affected data subjects without undue delay. Where we act as your processor, we will notify you directly without undue delay after becoming aware of a breach affecting your data, so you can meet your own obligations as controller.

11. Cookies and similar technologies

We use a minimal set of cookies and similar storage on the Service:

  • Strictly necessary: session cookies that keep you signed in, theme preference, CSRF protection.
  • Security: Cloudflare Turnstile bot-challenge tokens on signup and authentication endpoints.
  • No advertising or cross-site tracking cookies.

We may add privacy-preserving, aggregated product analytics in the future. If we do, we will update this policy and provide a cookie banner where required by law.

12. Automated decision-making

The Service uses AI to score candidates against role-specific rubrics, to draft outreach copy and to conduct screening interviews. These outputs are decision-support: a human (the customer’s recruiter or hiring manager) reviews them and makes all hiring decisions. We do not make automated decisions that produce legal or similarly significant effects on candidates within the meaning of GDPR Article 22.

13. Children

The Service is intended for professional recruitment of working-age adults and is not directed at children. We do not knowingly process personal data of individuals under 16. If we become aware that such data has been collected, we will delete it.

14. Changes to this policy

We may update this policy from time to time. Material changes will be announced by email to customers and in-app at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

15. Contact

Way of Work OÜ
Harju maakond, Tallinn, Kesklinna linnaosa
Narva mnt 5, 10117, Estonia
Privacy: privacy@wayofwork.com