Privacy Policy

We care about your personal data.

Last updated: 1 June 2026

1. Introduction and scope

Applyfin B.V. (hereinafter: "Applyfin", "we", "us") is a combined Recruitment Process Outsourcing (RPO) and Applicant Tracking System (ATS) provider.

We operate a multi-tenant SaaS ATS with which employers manage their recruitment and selection process, and in addition we carry out, in whole or in part, recruitment and selection activities on behalf of our clients.

Our RPO services include, among other things, job advertising and media distribution, active candidate sourcing, pre-selection and screening, candidate communication, and the management of talent pools.

This privacy statement applies to:

  • Our marketing website applyfin.com and related domains;

  • The Applyfin Platform used by our clients;

  • The career pages we host on behalf of our clients on the (sub)domains they have linked;

  • All RPO and related services we offer.

We attach great importance to careful and transparent handling of personal data and comply with the following:

  • General Data Protection Regulation (GDPR)

  • EU AI Act

  • ISO 27001 standard for information security

2. Processor vs. Controller

The role Applyfin fulfils under the GDPR depends on who determines the purpose and means of the processing.

2.1 Applyfin as processor
For personal data processed within the Applyfin Platform on behalf of our clients, including data of applicants, candidates, referees, and activities such as job advertising, candidate sourcing, pre-selection and candidate communication, we act as a processor within the meaning of Article 4(8) GDPR.

The employer-client is the controller in these situations and determines the purpose, legal bases and retention periods. Our mutual obligations are set out in a data processing agreement as referred to in Article 28 GDPR.

Responsibility upon delivery, onboarding, AI and services. Upon the delivery and onboarding of the platform, we actively support our clients in meeting the applicable requirements, including the GDPR and the EU AI Act. In doing so, we apply the principle that whoever actually carries out a processing operation, delivery or intervention bears responsibility for it. Our responsibility therefore includes, in any event:

  • the technical configuration of the platform, the default settings and the Consent Manager delivered at onboarding, as delivered and configured by us;

  • all AI applications and automated workflows that we develop, deliver and operate within the platform; we warrant their lawful operation (see also section 9);

  • all changes we make and all services we perform in the context of support and service activities.

Demarcation from the client's responsibility. The client is solely responsible for the changes and data that it itself enters or makes in the platform, for its own configuration choices, and for the lawfulness of the data it enters (see 2.3). Which actions were performed by Applyfin and which by the client is recorded in the platform's activity logs, so that this division of responsibility remains traceable at all times.

Measures and liability. In our role as processor, we take all reasonable technical and organisational measures to protect personal data; an elaboration is included in section 8. We are liable for damage resulting from an attributable failure on our part, including inadequate security measures, a data breach, unlawful processing, a failure in the onboarding, platform configuration, AI applications, workflows or support activities delivered or configured by us, or a breach of our processor obligations under Article 28 GDPR.

2.2 Applyfin as controller
For data we process for our own business operations, including data of visitors to applyfin.com, prospects, and the business contacts and users of our clients, we determine the purpose and means ourselves. For this processing we are the controller within the meaning of Article 4(7) GDPR.

2.3 Responsibility of our clients
As controllers, our clients bear their own responsibility for the lawfulness of the processing within their use of the platform. This includes, among other things, a valid legal basis when entering personal data, correctly configuring and maintaining the Consent Manager delivered by Applyfin at onboarding, safeguarding GDPR compliance for their own integrations and API connections, and granting access to personal data only to authorised persons.

2.4 Practical consequences for data subjects
Applicants and candidates who have responded to or been approached for a vacancy of a specific employer should address their questions or requests primarily to that employer; we support our clients in handling these in a timely and correct manner. For processing for which Applyfin is itself the controller, you can contact us directly via the contact details at the bottom of this statement.

2.5 Duty to inform in the event of data breaches
Both Applyfin and our clients are obliged to inform each other without delay of a (suspected) data breach or GDPR violation, so that appropriate measures can be taken in time. See also section 8.4.

3. What personal data we process

Data processed via anonymous labour-market/campaign metrics (see 4.6), or anonymised server-side tracking (see 4.8), does not qualify as personal data and falls outside the scope of this section.

We distinguish in this section between processing for which Applyfin is the controller, and processing for which our client is the controller and Applyfin acts as processor. Which role applies determines to whom you address a request (see section 2 and section 10).

A. Processing for which Applyfin is the controller

3.1 Visitors to applyfin.com and prospects
Name, email address, telephone number, organisation name, job title, correspondence and any data you provide yourself via forms; technical data such as IP address, browser type, device information and visit statistics (insofar as processed with consent).

3.2 Clients and their users
Name and contact details of contacts and users within client organisations; login credentials; usage data and audit logs; invoicing and payment data (including bank account number or SEPA mandate); contractual and commercial correspondence.

B. Processing for which our client is the controller (Applyfin as processor)

To fill vacancies, we process personal data of applicants and candidates on behalf of our clients. This data reaches the platform because the candidate applies themselves, because the candidate is found via a candidate database, or because the employer enters or uploads the data itself (see section 4, block B), and may subsequently, with consent, be included in the employer's talent pool. In all cases below, the employer-client is the controller: it determines the purpose, legal basis and retention period. Applyfin processes solely on the instructions of and at the direction of the client.

3.3 Applicants who apply themselves
When a candidate responds to a vacancy themselves — via a career page we host or via a linked job board — we process name and address details, contact details, date of birth, CV and cover letter, education and employment history, application status, correspondence between the applicant and the employer, and any additional data the employer requests.

3.4 Candidates found via a candidate database
Our clients can, whether or not they purchase RPO services, use candidate databases to proactively find suitable candidates. In doing so we process name, professional contact details, current and former positions, educational background, skills, location indication, and the source from which the data originates. The client decides on the use of this functionality and on approaching a candidate, and does so on its own legal basis as employer; we limit the processing strictly to data relevant to a possible professional match.

Our responsibility for the databases we provide. Although the client is the controller for the use of the databases and for the recruitment decision, as a supplier we bear responsibility for the lawful compilation, the security and the correct provision of the databases we make available. This includes, among other things, that data originates from legitimate sources, that a client is only granted access to the databases intended for it, and that an objection or suppression request invoked by a data subject is given effect by us. We do not process special categories of personal data, unless the employer has a legal basis for doing so and we have made an additional agreement about this.

3.5 Talent pool participants
Our clients can maintain their own, client-specific talent pool within the platform. For candidates who have consented to inclusion in an employer's talent pool, whether or not after a previous application or active approach, we process additional data such as preferences, availability and interest in specific roles or sectors. The employer is the controller for its talent pool and determines the purpose, legal basis (usually consent), retention period and the moment of reconfirmation; we process solely on its instructions.

4. How we collect personal data

We collect personal data through various channels, depending on your role and your interaction with our services. The role Applyfin fulfils per processing operation — controller or processor — follows from section 3. Anonymised streams (server-side tracking, see 4.8, and campaign metrics, see 4.6) fall outside the scope of this section.

A. Collection for processing for which Applyfin is the controller

4.1 Directly from you
When you visit our website, fill in a form, request a trial account or contact our sales or support department, we collect the data you actively provide yourself.

4.2 From our clients and their users
For the management of client organisations and their user accounts, we collect and store name and contact details of contacts and users, login credentials, usage and audit data, and invoicing and payment data. This data is stored in our centrally managed (global) database and not within the isolated tenant environment of an individual client. For this data Applyfin is the controller (see 3.2) and we bear responsibility for its lawful processing and security.

4.3 Via automated system and security logs
To safeguard the security, stability and traceability of the platform, we automatically generate logs containing, among other things, IP address, timestamp, browser signature and the action performed.

B. Collection for processing for which our client is the controller

Personal data of applicants and candidates reaches the platform because the candidate applies themselves, because the candidate is found via a candidate database, or because the employer enters or uploads the data itself (manually or via integrations). This data is stored within the isolated tenant environment of the relevant employer.

4.4 Directly from applicants
When you apply via a career page we host on behalf of an employer, or via a linked job board, we collect the data you provide yourself for the purpose of your application (see 3.3). After you have applied, the employer reserves the right to screen your candidacy. In this screening we process both the data you have provided yourself and additional data from publicly accessible and professional sources (see 4.5), insofar as relevant to assessing a possible match with the role. The employer is the controller for this and determines the purpose and legal basis; we process solely on its instructions.

4.5 From public and professional sources
For the purpose of the candidate databases we make available to our clients (see 3.4) — and for the purpose of the screening described in 4.4 — we collect data from publicly accessible and professional sources, such as professional networking sites, sector-specific platforms and CV databases for which the data subject has given consent to the provider of that database. As a supplier we are responsible for the lawful compilation, the provenance and the security of these databases; the client that uses a database to find, approach or screen a candidate is the controller for that use and applies its own legal basis as employer. On request we share the specific source from which your data originates, and you can object or request not to be approached again (see section 10).

4.6 Via job board, distribution and market-data partners
We receive application data from job boards and vacancy distribution partners (including, among others, Indeed, LinkedIn and related platforms) when a candidate applies via those channels to a vacancy distributed by or on behalf of an Applyfin client. We process this application data on behalf of our clients, within the tenant context of the relevant employer (see 3.3). In addition, we receive campaign and labour-market metrics from media partners in the context of job advertising and posting; this data is aggregated and anonymised, does not qualify as personal data and falls outside the scope of section 3.

C. Cookies and tracking (role depends on the environment)

On our corporate website (applyfin.com) Applyfin is the controller for the tracking; on the career pages we host on behalf of employers, the relevant employer is the controller and Applyfin acts as processor. In both environments we strictly separate processing involving personal data from processing based on anonymised data, in accordance with the GDPR and Article 11.7a of the Dutch Telecommunications Act.

4.7 Cookies and client-side tracking
We place cookies that are strictly necessary for the functioning of the service, such as session management, language preference, security and protection against misuse; for these the statutory exemption from the consent requirement under Article 11.7a(3) of the Dutch Telecommunications Act applies. If you give explicit consent via our cookie banner, we process additional data that does qualify as personal data, such as a full IP address, behaviour across multiple sessions, and attribution and conversion data, on the basis of your consent (Article 6(1)(a) GDPR). You can withdraw this consent at any time via the cookie settings, without consequences for your use of our services.

4.8 Server-side tracking (anonymised, without consent)
To measure general usage, optimise performance and safeguard security, we apply server-side tracking whereby data is anonymised at the server side: IP addresses are truncated immediately upon receipt, we place no identifying cookies or fingerprints, and we do not link sessions or visits to an individual visitor. Data is used solely in aggregated and statistical form. This data qualifies as anonymised within the meaning of Recital 26 GDPR, is not traceable to an individual and does not require consent. We keep this stream technically and organisationally separated from the stream for which consent has been given, so that subsequent linking is excluded; we verify this periodically.
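The truncation step described above, shown as an added illustration that is not part of this statement and not code from Applyfin's platform. The prefix widths used (/24 for IPv4, /48 for IPv6), the counter class and the sample addresses are assumptions made for the example; the statement does not name them. The example also handles IPv4-mapped IPv6 literals, which a dual-stack listener may deliver and which the IPv6 rule alone would collapse to "::":

```python
"""Server-side anonymisation of visitor IP addresses at the point of receipt.

Added illustration, not code from Applyfin's platform. The prefix widths below
(/24 for IPv4, /48 for IPv6) are assumptions; the statement does not name them.
"""
import ipaddress
from collections import Counter

IPV4_PREFIX = 24  # assumed: keep the first three octets, discard the host octet
IPV6_PREFIX = 48  # assumed: keep the routing prefix, discard subnet and interface identifier


def truncate_ip(raw: str) -> str:
    """Return the network address of the prefix that `raw` falls in.

    IPv4-mapped IPv6 literals (::ffff:a.b.c.d), as produced by dual-stack
    listeners, are unwrapped first so they are truncated like plain IPv4 rather
    than being collapsed to "::" by the IPv6 rule. Anything that is not an IP
    literal raises ValueError so a malformed header value is never stored as-is.
    """
    addr = ipaddress.ip_address(raw.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    # The "addr/prefix" string form keeps the address family unambiguous.
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


class AnonymisedHitCounter:
    """Aggregates requests per truncated prefix.

    Only the truncated prefix ever reaches the counter, so there is no field in
    which a full address, cookie or fingerprint could be kept or later re-linked.
    """

    def __init__(self) -> None:
        self._hits: Counter = Counter()

    def record(self, raw_ip: str) -> None:
        try:
            key = truncate_ip(raw_ip)
        except ValueError:
            key = "invalid"  # counted, but the offending value itself is dropped
        self._hits[key] += 1

    def report(self) -> dict:
        return dict(self._hits)


# Constructed sample of client addresses as a reverse proxy might hand them over.
SAMPLE_CLIENT_IPS = [
    "203.0.113.45",
    "203.0.113.201",
    "2001:db8:1234:5678::1",
    "::ffff:203.0.113.7",
    "not-an-ip",
]


def demo() -> dict:
    counter = AnonymisedHitCounter()
    for ip in SAMPLE_CLIENT_IPS:
        counter.record(ip)
    return counter.report()


if __name__ == "__main__":
    print(demo())
```

Truncation happens before anything is written, so the counter holds three hits for 203.0.113.0/24, one for 2001:db8:1234::/48 and one rejected value, and nothing that could be joined back to the consent-based stream.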

A detailed overview of the specific cookies and pixels deployed on our sites can be found in our cookie statement.

5. Purposes and legal bases

We process personal data solely for the purposes set out below. For the processing in block A we determine the purpose and legal basis ourselves; for the processing in block B we act on the instructions of and on the legal basis of the employer-client.

A. Processing for which Applyfin is the controller

  • Entering into and performing agreements with our clients and providing the platform and our services (Article 6(1)(b) GDPR);

  • Client management, invoicing and accounts-receivable management, on the basis of contract and legal obligation (Article 6(1)(b) and (c) GDPR);

  • Compiling, updating and offering lawfully compiled candidate databases to our clients, on the basis of our legitimate interest in providing a usable and lawful recruitment service (Article 6(1)(f) GDPR). In doing so we carry out a balancing test in which the data subject's interest in privacy and being left undisturbed is weighed against the professional nature of the data, the public provenance, and the reasonable expectation professionals may have regarding recruitment. Data subjects can object at any time and are placed on a suppression list (see 3.4 and section 10);

  • Product improvement, security and fraud prevention, including system and security logs, on the basis of legitimate interest (Article 6(1)(f) GDPR);

  • Marketing communication to existing clients and prospects who have given consent or for whom a legitimate interest exists (Article 6(1)(a) or (f) GDPR); you can unsubscribe at any time;

  • Complying with legal obligations such as tax retention obligations (Article 6(1)(c) GDPR).

B. Processing for which our client is the controller (Applyfin as processor)

For the purposes below, the employer-client determines the purpose and legal basis; we process solely on its instructions. The legal bases stated are those the employer usually applies.

  • Receiving, assessing and managing applications for the purpose of filling vacancies, usually on the basis of the performance or preparation of an employment contract or consent (Article 6(1)(b) or (a) GDPR);

  • Proactively finding, approaching and screening candidates via the candidate databases, on the basis of the employer's legitimate interest in filling its vacancies (Article 6(1)(f) GDPR). The employer weighs the data subject's interest against the limited nature of the initial approach and the relevance to a specific vacancy; we give effect to any objection invoked (see 3.4);

  • Mediation and communication between candidate and employer in the context of an ongoing procedure, on the legal basis of the employer;

  • Managing the client-specific talent pool, usually on the basis of the candidate's consent (Article 6(1)(a) GDPR).

6. Retention periods

We do not retain personal data longer than necessary. For the processing in block B, the employer-controller determines the retention period; we apply the standards below unless the employer instructs otherwise.

A. Processing for which Applyfin is the controller

  • Prospect data: up to 24 months after the last contact moment, unless you unsubscribe earlier;

  • Data of clients and their users: for the duration of the agreement and thereafter in accordance with statutory retention periods (including a tax retention obligation of 7 years for financial data);

  • Candidate databases we compile and offer: we update these periodically, remove outdated or unlawfully included data, and give effect to objection and suppression requests on an ongoing basis;

  • Logging and security logs: maximum 12 months, unless longer retention is necessary in the context of an incident or legal obligation.

B. Processing for which our client is the controller (Applyfin as processor)

  • Applicant data within the ATS: in accordance with the instructions and retention policy of the employer. By default Applyfin follows the guideline of the Dutch Data Protection Authority (4 weeks after completion of the procedure, or 1 year with consent);

  • Sourced candidates within the tenant without follow-up contact: by default a maximum of 6 months after the initial approach, unless the candidate has consented to longer retention or inclusion in the talent pool;

  • Talent pool participants: a maximum of 2 years after the last contact or the last update, with a reconfirmation moment before the end of that period. Consent can be withdrawn at any time, after which the employer has the data deleted.

7. Sharing, sub-processors and international transfers

We share personal data with third parties only when necessary for the performance of our services, at your request, or when we are legally obliged to do so. With all engaged parties we conclude agreements that comply with Article 28 GDPR.

A. Processors we engage for our own processing (Applyfin as controller)

For the processing for which we are ourselves the controller, we engage processors on the basis of a data processing agreement, including for:

  • Cloud hosting and infrastructure within the EEA (our global database and corporate website);

  • Payment and direct-debit service providers;

  • Email, communication and notification services for our own communication;

  • Analytics and monitoring tools for applyfin.com.

B. Sub-processors we engage for processing on behalf of our clients (Applyfin as processor)

For the processing we carry out on behalf of our clients, we engage sub-processors with the client's authorisation and under the terms of the data processing agreement (Article 28(2) and (4) GDPR). We inform our clients of intended changes to these sub-processors so that they can object. These include, among others:

  • Cloud hosting and infrastructure within the EEA for the isolated tenant environments;

  • Email and notification services for the purpose of candidate communication;

  • Job distribution partners (when a client chooses to publish vacancies via external channels).

A current overview of our processors and sub-processors is available to our clients on request.

International transfers (both roles). Our primary infrastructure is hosted within the European Union (Germany). When a transfer outside the European Economic Area is unavoidable, it takes place solely on the basis of appropriate safeguards such as the Standard Contractual Clauses of the European Commission, supplemented with additional organisational and technical measures where necessary.

8. Security — ISO 27001 ready

Applyfin uses the ISO 27001 framework as a guideline for the design of its Information Security Management System (ISMS). At the time of publication of this statement we are ISO 27001 ready: our platform, our processes and our policy meet the requirements of the standard, although we are not yet formally certified.

8.1 Core principles for information security
We organise our work on the basis of the three core principles of information security:

  • Confidentiality — data is accessible only to those who are authorised to access it;

  • Integrity — data is accurate, complete and not altered without authorisation;

  • Availability — data and systems are available when authorised users need them.

8.2 Multi-tenant architecture and data isolation
The Applyfin platform is built according to a multi-tenant architecture. Although the platform is offered from a single codebase, each client's data is kept strictly separated, both logically and physically:

  • Separate database per client. Each tenant has its own, isolated database. Client A's data is not visible or retrievable by client B, and vice versa.

  • Tenant-scoped access. Every logged-in user and every API call is bound at infrastructure level to one specific tenant context. Cross-tenant access is technically excluded.

  • Encrypted separation of backups. Backups are made separately per tenant and stored encrypted.

  • No marketing or analytics exchange between tenants. One client's data is never shared with, disclosed to or used for the marketing or analytics purposes of another client.

  • No cross-tenant AI training. AI models deployed within the platform are not trained on client data aggregated across tenants. Training data originates from sources for which we ourselves have a valid legal basis, or — where applicable — from data explicitly made available by a client solely for the benefit of that specific client.

This architecture guarantees that applicants of employer A never come into view at employer B via Applyfin, and that clients have no insight into each other's recruitment data, user accounts or statistics.
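The separate-database-per-tenant and tenant-scoped-access points above, shown as an added illustration that is not part of this statement and not code from Applyfin's platform. The tenant names, the session object, the schema and the audit entry format are assumptions made for the example, and in-memory SQLite databases stand in for the per-client databases. The point it makes is that the tenant is taken from the authenticated session, not from anything the caller sends, so a candidate id that exists only at another employer is simply not found:

```python
"""Tenant-scoped access over one isolated database per tenant.

Added illustration, not code from Applyfin's platform. The tenant names, the
session object, the schema and the audit entry format are assumptions made for
the example; in-memory SQLite databases stand in for the per-client databases.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Result of authentication. tenant_id comes from the verified credential,
    never from a query parameter, header or request body."""
    user_id: str
    tenant_id: str


class TenantRouter:
    """Holds one connection per tenant and hands out only the caller's own."""

    def __init__(self) -> None:
        self._databases: dict[str, sqlite3.Connection] = {}
        self.audit_log: list[tuple[str, str, str]] = []  # (tenant_id, user_id, action)

    def provision(self, tenant_id: str) -> None:
        conn = sqlite3.connect(":memory:")  # a separate database per client
        conn.execute("CREATE TABLE candidate (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
        self._databases[tenant_id] = conn

    def connection_for(self, session: Session) -> sqlite3.Connection:
        # The only way to reach a database is through the tenant bound to the
        # session; no parameter exists through which a caller could name another.
        try:
            return self._databases[session.tenant_id]
        except KeyError:
            raise PermissionError(
                f"session of {session.user_id} is bound to no provisioned tenant"
            ) from None

    def record(self, session: Session, action: str) -> None:
        self.audit_log.append((session.tenant_id, session.user_id, action))


def add_candidate(router: TenantRouter, session: Session, candidate_id: int, name: str) -> None:
    conn = router.connection_for(session)
    conn.execute("INSERT INTO candidate (id, name) VALUES (?, ?)", (candidate_id, name))
    conn.commit()
    router.record(session, f"add_candidate:{candidate_id}")


def get_candidate(router: TenantRouter, session: Session, candidate_id: int):
    """Return the candidate's name, or None. An id that exists only in another
    tenant's database is indistinguishable from an id that does not exist at all,
    so guessing or enumerating ids yields nothing across tenants."""
    conn = router.connection_for(session)
    router.record(session, f"get_candidate:{candidate_id}")
    row = conn.execute("SELECT name FROM candidate WHERE id = ?", (candidate_id,)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    router = TenantRouter()
    router.provision("employer-a")
    router.provision("employer-b")
    recruiter_a = Session("alice", "employer-a")
    recruiter_b = Session("bob", "employer-b")
    # Both tenants use candidate id 1; each recruiter only ever sees their own.
    add_candidate(router, recruiter_a, 1, "Applicant at A")
    add_candidate(router, recruiter_b, 1, "Applicant at B")
    add_candidate(router, recruiter_a, 2, "Second applicant at A")
    return {
        "a_sees_id_1": get_candidate(router, recruiter_a, 1),
        "b_sees_id_1": get_candidate(router, recruiter_b, 1),
        "b_sees_id_2": get_candidate(router, recruiter_b, 2),  # exists only at A
        "audit_entries": len(router.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

Every read and write is also appended to the audit log together with the tenant and user it was performed under, which is what makes the division of actions between platform operator and client traceable afterwards (see 2.1).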

8.3 Technical and organisational measures
In addition to the architectural separation, we take, among others, the following measures:

Technical measures. Encryption of data in transit (TLS 1.3+) and at rest; hardened infrastructure and network segmentation; automated patch management; verified and encrypted backups; central logging and monitoring with alerting on anomalous behaviour; protection against common attack vectors such as those described in the OWASP Top 10; periodic vulnerability scans and penetration tests.

Organisational measures. Access policy based on least-privilege and need-to-know; multi-factor authentication for employees with access to production; a formal risk management process and periodic risk assessments; information security policy and associated procedures; confidentiality obligations and screening of employees; security awareness training; supplier assessments before and during cooperation; defined incident response and business continuity procedures.

Continuous improvement. We periodically evaluate and update our security policy and our measures on the basis of risk analyses, audits, lessons learned from incidents and developments in the threat landscape.

8.4 Data breaches and incident management
We have an incident response procedure with which security incidents and data breaches are detected, assessed and handled in a timely manner. For processing for which we are the controller, we notify a notifiable data breach to the Dutch Data Protection Authority within 72 hours after becoming aware of it (Article 33(1) GDPR) and, where the breach is likely to result in a high risk to data subjects, inform them without undue delay (Article 34 GDPR). For a breach affecting data we process on behalf of a client, we notify that client without undue delay after becoming aware of it (Article 33(2) GDPR), so that the client, as controller, can make its own notifications within the statutory period. Both Applyfin and our clients are obliged to inform each other without delay of a (suspected) data breach or GDPR violation, so that appropriate measures can be taken in time.

9. AI Applications — EU AI Act

We recognise that AI systems deployed within recruitment and selection qualify as high-risk AI systems under the EU AI Act (Regulation (EU) 2024/1689) within the meaning of Annex III, point 4. We take a restrained and transparent approach to the deployment of AI within the Applyfin platform and the associated RPO services, and design our processes around the requirements the AI Act imposes on providers and deployers.

9.1 Where AI is deployed within the platform
AI functionality may be used within the Applyfin platform to support, among other things, matching between vacancies and candidates, pre-selection and analysis of application documents, drafting of concept messages to candidates, and summarising interactions. This functionality is enabled or disabled by our clients at their own discretion; upon activation, clients are pointed to their obligations as deployer under the AI Act.

9.2 No fully automated decision-making about candidates
We do not take decisions with legal consequences or similarly significant consequences for a candidate based solely on automated processing. AI outcomes such as scores, rankings or recommendations serve as support for the recruiter and never constitute a final decision. Every rejection, invitation or comparable decision requires human assessment and confirmation.

9.3 Human oversight (Article 14 AI Act)
Our AI functionality is designed so that recruiters can open, assess and overrule AI outcomes; that the reasoning behind a recommendation is made transparent at a high level; that recruiters must record their decision independently and not merely by confirming an AI recommendation; and that AI functionality can be disabled per client, per user or for specific role types.

9.4 Transparency towards candidates (Articles 13, 50 and 86 AI Act)
When you, as a candidate, enter a procedure in which AI support is used by the employer, you are informed of this. You have the right to:

  • Know that AI has been deployed in the assessment of your candidacy and in what manner;

  • Receive information about the main logic and the possible consequences of that processing;

  • Request a human assessment of a decision taken partly on the basis of AI support;

  • Express your point of view and contest the decision;

  • Be informed when you communicate directly with an AI system, such as a chatbot or automated assistant.

You can exercise these rights via the employer in whose procedure you are. We support our clients in handling such requests correctly and in a timely manner.

9.5 Data governance and bias mitigation (Article 10 AI Act)
We maintain a data quality policy for the data on which our AI functionality is developed, validated and tested. We actively strive to detect and mitigate possible bias — towards, among other things, gender, age, ethnicity or disability — through the selection of representative data, periodic evaluation of model outcomes, and the exclusion of protected characteristics as direct or indirect determinants in decision-making models. Training and validation data is not aggregated across tenants; see also 8.2.

9.6 Our role and that of our clients under the AI Act
We act as the provider of AI systems within the platform. Our clients are the deployer when they use this AI functionality within their recruitment process. Both roles carry their own obligations, including registration, monitoring, logging and information to data subjects. We explicitly allocate these responsibilities in our documentation and contractual arrangements with clients.

9.7 Prohibited practices (Article 5 AI Act)
We do not deploy AI for emotion recognition in the workplace or during job interviews, for social scoring, or for inferring special categories of personal data from biometric data. Clients are contractually prohibited from using the platform for such applications.

9.8 Logging and traceability (Article 12 AI Act)
The deployment of AI functionality within the platform is automatically logged, such that it is traceable afterwards when and how AI contributed to a process. These logs are available to our clients to substantiate their own AI Act accountability.

10. Your rights as a data subject

Under the GDPR you have the following rights:

  • Right of access to your personal data;

  • Right to rectification of inaccurate or incomplete data;

  • Right to erasure ("right to be forgotten");

  • Right to restriction of processing;

  • Right to data portability;

  • Right to object to processing based on a legitimate interest or for direct marketing;

  • Right to withdraw consent previously given;

  • Right to lodge a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl).

You can submit a request via the contact details at the bottom of this statement. If you are an applicant and your request concerns data stored within the ATS of a specific employer, you should address that employer; it is the controller for your application data.

If you have been proactively approached by Applyfin on the basis of public or professional sources, you have the right at all times to object to further processing and to be included on a suppression list, so that we do not approach you again. On request we also share the source from which we obtained your data.

11. Changes to this privacy statement

We may amend this privacy statement from time to time to reflect changes in our services, laws and regulations or security practices. We announce material changes in advance via the platform or by email. We recommend that you consult this page periodically.

12. Contact

Applyfin B.V.
Wittevrouwenstraat 38B
3512 CV Utrecht
info@applyfin.com
+31 85 078 6002

For privacy and security-related questions you can contact us via privacy@applyfin.com.