Legal

Privacy Policy

Last updated [Date — TBC] · [Placeholder — legal review pending]

This is structured placeholder copy for review. Final wording, the legal entity, retention periods and the DPO contact are inputs pending legal review.

Who we are

Zepa is operated by [Legal entity — TBC] ("we", "us"). Where Zepa is used by a recruitment agency to manage its candidates, that agency is the data controller for its candidates' data and Zepa acts as its processor. For staff accounts and the operation of the platform itself, we are the controller.

Data we process

Depending on how the platform is used, we process:

  • Candidate data — name and contact details, CV and work history, right-to-work documents, DBS / background-check information, and recorded video introductions.
  • Application activity — the stage a candidate has reached, messages, interview and onboarding records.
  • Staff accounts — name, work email, role and permissions, and activity within the console.
  • Technical data — log and device information needed to run and secure the service.

Why we process it & lawful basis

We process data to operate the recruitment and onboarding service: to manage applications, run right-to-work and background checks, communicate with candidates, and provide the console to agency staff. Our lawful bases include performance of a contract, our legitimate interests in operating the service, compliance with legal obligations (such as right-to-work checks), and consent where required (for example, certain background checks and marketing). [Specific bases to be confirmed in legal review.]

How long we keep it

We keep personal data only as long as needed for the purposes above or as required by law, after which it is deleted or anonymised. Retention periods for each data category are [to be confirmed — legal review pending]. Candidates and users can request deletion at any time (see Data Deletion).

Who we share data with

We share data only as needed to provide the service, with:

  • The recruiting agency using Zepa, and the end-client an applicant is being recruited for.
  • Messaging providers — Meta / WhatsApp Business API and email/SMS delivery — to communicate with candidates.
  • Authentication providers — Google OAuth and our authentication platform — for sign-in.
  • Right-to-work and background-check providers (for example, Experian and DBS-check partners).
  • Infrastructure and hosting providers that run the platform on our behalf under data-processing terms.

Your rights

Subject to applicable law you have the right to access, correct, delete, restrict or object to the processing of your data, and to data portability. To exercise any of these, use the Data Deletion / Request page or contact us below. You also have the right to complain to your data-protection regulator.

Contact & DPO

Data-protection enquiries: [privacy@ — TBC]. Data Protection Officer / representative: [DPO contact — TBC].