Candidate Privacy Notice
Candidate Privacy Notice
Scope and Overview
Kraken is committed to protecting the privacy and security of candidates’ personal data. This Privacy Notice describes how Payward Inc. and its subsidiaries, affiliates, and related entities or related bodies corporate (collectively, “Kraken," "we," or "us") collect and process personal data about you during and after the candidate assessment and selection process. In each case Kraken is the controller.
This Privacy Notice describes the categories of personal data that we collect about you, how we use your personal data, how we secure your personal data, when we disclose your personal data to third parties, and when we transfer your personal data outside of your home jurisdiction. This Privacy Notice also describes data subject rights by jurisdiction, including access, correction, and erasure of personal data. Please note that rights vary by jurisdiction.
We will only process your personal data in accordance with this Privacy Notice unless otherwise required by applicable law. We take steps to ensure that the personal data that we collect about you is adequate, relevant, not excessive, and processed for limited purposes.
Collection and Other Processing of Personal Data
For the purposes of this Privacy Notice, “personal data” means any information about an identifiable individual. Personal data excludes anonymous or de-identified data that cannot be associated with a particular individual. To carry out our recruitment activities and meet our legal obligations, we collect, store, or otherwise process the following categories of personal data, in order to consider you for a role:
- Personal contact details such as legal name, preferred name, title, addresses, telephone numbers, personal email addresses, IP addresses, browser UserAgent, and online identifiers.
- Work history.
- Educational history.
- Confirmation of right to work.
- Compensation history (only where relevant and lawful).
- Licenses held if applicable.
- Professional memberships.
- References.
- Languages where relevant (comprehension, speaking and written).
- Where lawful and relevant to the position applied for: credit history and/or records of unspent criminal convictions.
- Other personal information revealed as part of a background check.
- Information about potential conflicts of interest.
- Other personal details included in a CV, resume, application form or cover letter or that you otherwise voluntarily provide to us.
- Interview recordings, including video, audio, and any AI-generated transcripts or notes derived from such recordings.
- Assessment information (such as your responses, scores, and reports generated as part of skills or behavioural assessments).
- Any other personal information that you voluntarily provide to us, including sensitive or ‘special category’ personal data.
How We Collect Your Personal information
We will collect the majority of the personal data that we process directly from you. In limited circumstances, third parties may provide your personal data to us, such as former employers or principals, official bodies (such as regulators or criminal record bureaus), medical professionals, or agencies used to carry out background checks. In addition, if you participate in a video interview, we may record the session (including audio and video) and use automated transcription tools to generate written records of the interview.
If we ask you to take a cognitive, skills or role-related assessment, you may be directed to a third-party assessment platform. That platform collects your assessment responses and related information and returns assessment results and/or reports to Kraken to support our evaluation of your application.
Any information flagged by these tools is reviewed in context and is not used as the sole basis for hiring decisions.
Assessment Integrity and AI-Assisted Proctoring
To help ensure the integrity and fairness of certain assessments, the assessment platform may use automated tools, including AI-assisted monitoring, to identify potential issues such as unusual activity or behaviour during an evaluation.
These tools are designed to support assessment integrity and do not involve biometric identification (such as facial recognition) or the creation of biometric templates. Kraken does not receive biometric data as part of the assessment process.
Purposes for Collecting Personal Data
We only process your personal data where reasonably necessary and as applicable law permits or requires it. This includes where the processing is necessary for the proper consideration of you for a role, where the processing is necessary to comply with a legal obligation that applies to us (such as licensing or other restrictions), for our legitimate interests, or with your consent if applicable law requires consent.
We process candidate personal data for the following legitimate business purposes and for the purposes of administering our relationship with you:
- Business management and planning.
- Conducting interviews and determining performance requirements.
- Assessing qualifications for a particular job or task.
- To accurately document interviews, enhance fairness and consistency in hiring decisions, enable training and calibration of interviewers, and generate transcripts for evaluation and administrative purposes.
- Accounting and auditing.
- Complying with health and safety obligations.
We also process personal data where required under law or company policy, or you have consented to our use for a particular purpose.
We will only process your personal data for the purposes we collected it for or for compatible purposes. If we need to process your personal data for an incompatible purpose, we will provide notice to you and where necessary the lawful basis for processing, including by seeking your consent if required by law.
We also reserve the right to process your personal data for our own legitimate interests, including, but not limited to, for the following purposes:
- Where necessary to establish, exercise or defend legal rights or for the purpose of legal proceedings.
- To prevent unlawful conduct including fraud.
- To ensure network and information security, including preventing unauthorized access to our computer and electronic communications systems and preventing malicious software distribution.
- For monitoring use of IT and other equipment and property, including our confidential information and intellectual property, to protect the company against any potential legal claims, or to protect staff, employees, consultants and contractors.
- To support internal administration with our affiliated entities.
- To conduct data analysis into our candidate pipeline, including the performance of recruitment campaigns, candidate interview performance, etc.
- To conduct Politically Exposed Person (PEP) screening and related due diligence as required under applicable anti–money laundering (AML) or counter–terrorist financing (CTF) laws, or where necessary to assess potential conflicts of interest, corruption risk, or compliance restrictions. Such processing may involve checking your details against regulatory or public databases of individuals who hold or have held prominent public functions, or their close associates or family members.
We may use tools that help us organise, summarise, or evaluate recruitment information (for example, generating interview transcripts/notes or scoring certain assessments). We do not make final hiring decisions based solely on automated processing.
We will not sell your personal data, including any sensitive personal data, that we collect about candidates or share it with third parties for cross-context behavioral advertising.
Preventing us from processing necessary personal data may affect our ability to progress your application.
Regulated Roles (Cyprus Investment Firm) – Fitness and Probity / Good Repute Requirements
If you apply for a position within our Cyprus investment firm regulated by the Cyprus Securities and Exchange Commission (CySEC), we are legally required under MiFID II and applicable Cyprus law to assess your honesty, integrity, good repute, and financial soundness.
To meet these obligations, we may collect and process information relating to criminal convictions and offences (including unspent and, where legally permitted, spent convictions), civil or regulatory proceedings, disciplinary actions by regulatory or professional bodies, financial soundness (including insolvency or bankruptcy), account closures by financial institutions, and any other matters relevant to assessing fitness and probity.
We process this data under GDPR Articles 6(1)(c) and 10, as such processing is necessary for compliance with legal obligations to which we are subject as a regulated investment firm and is authorised under EU and Member State law.
This information is used solely for regulatory suitability assessments and is handled confidentially, with access strictly limited to those involved in the recruitment and regulatory compliance process.
Collection and Use of Special Categories of Personal Data
Certain special categories of personal data may be considered sensitive under the laws of your jurisdiction and receive special protection. We may collect and process the following special categories of personal data when you voluntarily provide them, to carry out our obligations under employment laws, or as applicable law otherwise permits:
- Trade union membership information for the purpose of organizing to pay trade union premiums.
- Physical or mental health information or disability status to comply with health and safety obligations in the workplace, and to make appropriate workplace accommodations (for example, during the interview process).
- Race or ethnic origin, religious affiliation, philosophical beliefs, health information and sexual orientation information to ensure meaningful equal opportunity monitoring and reporting and to comply with applicable laws.
Where we have a legitimate need to process special categories of personal data for purposes not identified above, we will only do so only after providing you with notice and, if required by law, obtaining your prior, express consent. We may also process limited information about your political exposure (for example, whether you hold or have held a public office or are related to someone who has) to comply with AML/CTF laws. This information will be used only for compliance purposes, handled confidentially, and will not be used to make automated or discriminatory decisions about your application.
We will always treat special categories of personal data as confidential and we will only share such data internally where there is a specific and legitimate purpose for sharing the data. As set out below, we have implemented appropriate physical, technical, and organizational security measures designed to secure your personal data against accidental loss and unauthorized access, use, alteration, or disclosure.
We will only retain special categories of personal data for as long as necessary to fulfill the purposes we collected it for, as required to satisfy any legal, accounting, or reporting obligations, or as necessary to resolve disputes.
Please note that video and audio recordings may incidentally capture special categories of personal data (for example, racial or ethnic origin, health-related information, or religious affiliation). Such data will only be processed as strictly necessary for recruitment purposes and in accordance with applicable laws.
Data Sharing
We will only disclose your personal data to third parties where required by law or to our employees, consultants, contractors, designated agents, or third-party service providers who require such information to assist us with administering our relationship with you, including third-party service providers who provide services to us or on our behalf. We do not sell your personal data nor share it for the purposes of cross-context behavioral advertising. Third-party service providers may include, but are not limited to, payroll processors; benefits administration providers; providers of interview recording, transcription, and assessment platforms; risk management platforms; compliance service providers; and data storage or hosting providers. These third-party service providers may be located outside of your home jurisdiction.
We require all our third-party service providers, by written contract, to implement appropriate security measures to protect your personal data consistent with our policies and any data security obligations applicable to us as your employer.. We only permit them to process your personal data for specified purposes in accordance with our instructions.
We also disclose your personal data for the following additional purposes where permitted or required by applicable law:
- To other members of our group of companies (including outside of your home jurisdiction) for the purposes set out in this Privacy Notice and as necessary to consider your candidacy.
- As part of our regular reporting activities to other members of our group of companies.
- To comply with legal obligations or valid legal processes. When we disclose your personal data to comply with a legal obligation or legal process, we will take reasonable steps to ensure that we only disclose the minimum personal data necessary for the specific purpose and circumstances.
- To comply with ongoing sanctions screening as part of our obligations under NYDFS, OFAC, and other regulatory regimes.
- To protect the rights and property of Kraken and its clients (including where necessary to establish, exercise or defend legal rights or for the purpose of legal proceedings).
- During emergency situations or where necessary to protect the safety of persons.
- Where the personal data is publicly available.
- If a business transfer or change in ownership occurs and the disclosure is necessary to complete the transaction. In these circumstances, we will limit data sharing only to what is strictly necessary, and we will anonymize the data where possible.
- For additional purposes with your consent where such consent is required by law.
Cross-Border Data Transfers
Where permitted by applicable law, we may transfer the personal data we collect about you to other jurisdictions as necessary for the purposes set out in this Privacy Notice.
For transfers between Kraken companies including data transfers from the EU and UK to the United States, we rely on an intra-group data transfer agreement that sets out appropriate safeguards to protect personal data such as ‘standard contractual clauses’ and the ‘UK addendum’ issued by the UK Information Commissioner’s Office.
Data Security
Taking into account the nature of the personal data we process, the risks to individuals, and the state of the art in security practices, we have implemented appropriate physical, technical, and organizational security measures designed to secure your personal data against accidental loss and unauthorized access, use, alteration, or disclosure. In addition, we limit access to personal data to those employees, agents, consultants, contractors, and other third parties that have a legitimate business need for such access.
Data Retention
Except as otherwise permitted or required by applicable law or regulation, we will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, as required to satisfy any legal, accounting, or reporting obligations, or as necessary to resolve disputes. To determine the appropriate retention period for personal data, we consider applicable legal requirements, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes we process your personal data for, and whether we can achieve those purposes through other means.
If you are not engaged or hired, we will retain your personal data for a minimum period of three (3) years from the date of your application. Personal data for staff, employees, consultants and contractors will be transferred to personnel files and retained and processed in accordance with applicable data retention policies.
Under some circumstances we may anonymize your personal data so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent. Once you are no longer engaged or employed by the company, we will retain and securely destroy your personal data in accordance with our document retention policy and applicable laws and regulations.
Data Subject Rights
Candidates have certain rights over their personal data depending on the jurisdiction where they are located. For ease of reference, we have provided a table illustrating examples of rights across four different groups of locations. For information on rights applicable in other jurisdictions, please contact our privacy team by submitting an inquiry through our Contact Form.
Jurisdictions | ||||
Rights | Group 1 | Group 2 | Group 3 | Group 4 |
Transparency | ✔ | ✔ | ✔ | ✔ |
Access | ✔ | ✔ | ✔ | ✔ |
Rectification / Correction | ✔ | ✔ | ||
Erasure | ✔ | ✔ | ||
Restriction / Withdrawal of Consent | ✔ | ✔ | ✔ | ✔ |
Portability* | ✔ | |||
Objection | ✔ | |||
No Automated Processing | ✔ | |||
Statutory Protection From Hindrance / Retaliation | ✔ | ✔ | ✔ | |
*Where processing is based on the consent of the data subject, their explicit consent in the case of special category data, or where the processing was necessary for the performance of a contract to which the data subject was party, or in order to take steps at the request of the data subject, prior to entering into the contract.
This table is a summary; specific rights and exceptions vary by jurisdiction and by the lawful basis we rely upon.
- Group 1 jurisdictions: The United Kingdom; EU Member States.
- Group 2 jurisdictions: California.
- Group 3 jurisdictions: Canada.
- Group 4 jurisdictions: Singapore; Australia.
If you want to exercise your data subject rights or have any further questions regarding this policy, please contact our privacy team by submitting an inquiry in our Contact Form. Please note that your rights in this regard vary by jurisdiction.
We have the right to request specific information from you to help us confirm your identity and your right to access, and to provide you with the personal data that we hold about you or make your requested changes. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal data that we hold about you, or we may have destroyed, erased, or made your personal data anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your personal data, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
Data Protection Officer
We have appointed a Data Protection Officer to oversee compliance with this Privacy Notice. If you have any questions about this Privacy Notice or how we handle your personal data, or would like to request access to your personal data, please submit a request through our Contact Form. If you are unsatisfied with our response to any issues that you raise with the Data Protection Officer, you may have the right to make a complaint with the data protection authority in your jurisdiction by contacting the data protection authority.
Changes to This Privacy Notice
We reserve the right to update this Privacy Notice at any time to reflect changes in our practices, legal obligations, or operational requirements. The most current version of this Privacy Notice will be available on Kraken’s careers page, and it is your responsibility to regularly review Kraken’s careers page to ensure you are aware of the most up-to-date version. Continued engagement with Kraken following any update will be deemed acknowledgement of the revised Privacy Notice, to the extent permitted by applicable law. If we would like to use your previously collected personal data for different and unexpected purposes from those we notified you about at the time of collection, we will provide you with notice and, where required by law, seek your consent, before using your personal data for a new or unrelated purpose.
Contact Us
If you have any questions about our processing of your personal data or would like to make an access or other request, please contact us via our Contact Form. If you are unsatisfied with our response to any issues that you raise, you have the right to make a complaint with the data protection authority in your jurisdiction.
Effective Date: February 11, 2026