Back to home

GDPR Compliance

Last updated: May 13, 2026

Our commitment

Eligio is committed to compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") for all users in the European Union and European Economic Area. This page explains our obligations and your rights under GDPR.

Roles: controller vs. processor

Under GDPR, the distinction between controller and processor is important:

  • Your organisation acts as the data controller for candidate data — you determine the purposes and means of processing candidate personal data (their name, CV, interview responses).
  • Eligio acts as a data processor when processing candidate data on your behalf, and as a controller for data related to your account (your name, email, billing).

Enterprise customers may request a Data Processing Agreement (DPA) by emailing legal@eligio.ai.

Legal basis for processing

We process personal data on the following legal bases:

  • Contract performance — processing your account data to provide the Service you have subscribed to.
  • Legitimate interests — security monitoring, fraud prevention, and product improvement using aggregated analytics.
  • Legal obligation — retaining certain records as required by applicable law.
  • Consent — optional analytics cookies and marketing communications (where applicable). You may withdraw consent at any time.

International transfers

Some of our infrastructure providers are based outside the EEA. Where we transfer data internationally, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Adequacy decisions where applicable.

A list of sub-processors is available upon request.

Your rights under GDPR

As a data subject (EU/EEA), you have the following rights:

Right of access (Art. 15)

Request a copy of all personal data we hold about you.

Right to rectification (Art. 16)

Ask us to correct inaccurate or incomplete data.

Right to erasure (Art. 17)

Request deletion of your personal data where there is no overriding legal basis to retain it.

Right to restriction (Art. 18)

Ask us to restrict processing while a dispute is resolved.

Right to portability (Art. 20)

Receive your data in a machine-readable format for transfer to another controller.

Right to object (Art. 21)

Object to processing based on legitimate interests, including profiling.

Right not to be subject to automated decisions (Art. 22)

AI scores on our platform are decision-support tools; final hiring decisions always involve human review.

To exercise any of these rights, email privacy@eligio.ai. We will respond within 30 days.

Data breach notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay.

Supervisory authority

If you are not satisfied with our response to a data request, you have the right to lodge a complaint with your national data protection authority. A list of EU supervisory authorities is available at edpb.europa.eu.

Contact our DPO

For GDPR-related matters, contact our Data Protection Officer at dpo@eligio.ai.