Who we are

Connect Intelligent Technologies Ltd (company number 16339197) trades as HirePass and provides AI-powered employment screening services. We are committed to protecting your privacy and handling your personal data in accordance with UK data protection law.

What this policy covers

If you have any questions about this privacy policy or how we handle your personal data, our Data Protection Officer can be contacted at dpo@hirepass.com

Our contact details

If you have any questions about this privacy policy or how we handle your personal data, our Data Protection Officer can be contacted at dpo@hirepass.com

Changes to this policy

We may update this privacy policy from time to time to reflect changes in our services or legal requirements. When we make significant changes, we will notify you by email if you have an account with us, or by posting a notice on our website. The current version will always be available on our website with the date of last update clearly shown.

Website visitors

When you visit our website, we automatically collect certain technical information including your IP address, browser type and version, operating system, referring website, pages visited, and time spent on our site. We also use cookies and similar technologies as described in our Cookie Notice.

Account holders (employers and clients)

When you create an account to use our services, we collect your name, email address, company name, job title, telephone number, and billing address. We may also collect additional business information needed to verify your identity and provide our services effectively.

Screening subjects (job applicants and employees)

When screening checks are conducted, we collect various categories of personal data depending on the types of checks requested. This may include identity information such as full name, date of birth, address history, and identification documents; employment history including previous employers, job titles, employment dates, and reasons for leaving; educational background including qualifications, institutions attended, and dates of study; financial information such as credit history and bankruptcy records where relevant; criminal records including convictions and cautions where legally permitted; and professional references from previous employers or colleagues. For certain types of checks, we may also process special category data including criminal conviction information under UK GDPR Article 10, and biometric data for identity verification purposes where necessary and with appropriate legal basis.

Third-party contacts

During the screening process, we may contact and collect limited personal data from third parties such as previous employers, educational institutions, and professional references. This typically includes their name, job title, contact details, and the information they provide about the screening subject.

Direct collection

We collect most personal data directly from you when you create an account, request screening services, provide information during the screening process, contact our customer support, or subscribe to our communications.

Third-party sources

For screening purposes, we obtain information from authorised third-party sources including government databases such as HM Revenue and Customs, Disclosure and Barring Service, and Home Office systems; credit reference agencies and financial databases; previous employers and educational institutions; professional and character references; and publicly available sources such as company registers and sanctions lists.

Automated collection

Our website and platform automatically collect certain technical data through cookies, web beacons, and similar technologies. This includes information about how you use our website and platform, which helps us improve our services and user experience.

Our lawful bases for processing

We process personal data under several lawful bases depending on the purpose. For service delivery and account management, we rely on contract necessity under UK GDPR Article 6(1)(b) where processing is necessary to provide our services or take steps before entering into a contract. For business operations, compliance, and security, we use legitimate interests under Article 6(1)(f) where we have compelling reasons for processing that are balanced against your privacy rights. For marketing communications and certain website features, we rely on your consent under Article 6(1)(a) which you can withdraw at any time. For certain regulatory requirements, we use legal obligation under Article 6(1)(c) where we must process data to comply with legal duties.

Specific purposes

We use your personal data to provide employment screening services including identity verification, background checks, and generating screening reports; manage your account and provide customer support; process payments and maintain billing records; improve our services through analysis and research; communicate with you about our services, including service updates and support messages; comply with legal obligations including data protection, financial, and employment law requirements; protect our business and users from fraud, security threats, and legal risks; and with your consent, send you marketing communications about our services and industry insights.

Special category data

Where we process special category data such as criminal conviction information, we do so under UK GDPR Article 10 for employment purposes and in accordance with UK law. Biometric data for identity verification is processed under Article 9(2)(f) for establishing, exercising, or defending legal claims, or Article 9(2)(a) with explicit consent where required.

Service delivery partners

To provide our screening services effectively, we share personal data with authorised third-party providers including identity verification services such as Persona Identities Inc and credit reference agencies like CreditSafe Business Solutions Limited; government bodies including Disclosure and Barring Service, HM Revenue and Customs, and Home Office systems for official checks; former employers, educational institutions, and references as necessary for verification purposes; and international screening providers where checks are required in other countries.

Technology and infrastructure providers

We work with trusted technology partners to deliver our services including cloud hosting providers such as Akamai Technologies Ltd and Microsoft Inc (using UK data centres); email service providers like SendGrid Inc for system communications; payment processors including Stripe Inc for handling transactions; and AI service providers such as OpenAI LP (in private enterprise environments where data is not used for training).

Legal and regulatory sharing

We may share personal data where required by law including with regulatory authorities such as the Information Commissioner's Office; law enforcement agencies where legally required; courts and legal advisors in connection with legal proceedings; and other parties where necessary to comply with legal obligations or protect our legitimate interests.

Business transfers

If we sell, merge, or transfer our business or assets, personal data may be transferred to the new owner, though we will ensure they provide equivalent protection for your personal data.

No other sharing

We do not sell, rent, or otherwise commercialise your personal data. We do not share your data with advertisers or for marketing purposes beyond our own communications (which you can opt out of at any time).

Our approach to international transfers

We primarily process personal data within the United Kingdom using UK-based systems and data centres. However, some of our service providers may involve international data transfers, which we handle in accordance with UK GDPR requirements.

Safeguards for international transfers

Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place including using providers in countries with UK adequacy decisions where the UK government has determined data protection standards are equivalent; implementing Standard Contractual Clauses approved by the Information Commissioner's Office; conducting transfer impact assessments to evaluate and mitigate risks; and ensuring our service providers implement appropriate technical and organisational measures to protect your data.

Specific international transfers

Current international transfers include identity verification services with Persona Identities Inc in the United States (with Standard Contractual Clauses for identity document verification and biometric processing), AI processing services with OpenAI LP in the United States (using enterprise private environments with contractual data protection guarantees), email delivery services with SendGrid Inc in the United States (with Standard Contractual Clauses), and payment processing with Stripe Inc (with appropriate safeguards for financial data). International background screening may involve transfers to relevant jurisdictions where checks are required, always with appropriate legal safeguards in place.

Retention principles

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, or protect our legitimate interests. Our retention periods are based on the nature of the data, legal requirements, and business needs.

Specific retention periods

Account information for active users is retained while your account remains active and for 3 years after account closure or last activity. Screening data including background check results and supporting documentation is retained for 6 years from completion of screening, though clients may request earlier deletion after the screening process is complete. Website analytics and technical data is retained for 2 years from collection. Marketing communications preferences and contact data is retained until you unsubscribe or request removal. Legal and compliance records including consent records, processing logs, and incident reports are retained for 6-7 years as required for regulatory compliance and legal protection.

Deletion procedures

After retention periods expire, we securely delete personal data using certified deletion methods that ensure data cannot be recovered. We also delete data from backup systems within 90 days of the main deletion. You can request early deletion of your data in many cases, subject to legal requirements and legitimate business needs.

Legal retention requirements

We may retain personal data beyond standard periods where required by law, ongoing legal proceedings, regulatory investigations, or where necessary to establish, exercise, or defend legal claims.

Your data protection rights

Under UK data protection law, you have several important rights regarding your personal data. You have the right to access your personal data and receive a copy of what we hold about you; rectify inaccurate or incomplete personal data; erase your personal data in certain circumstances; restrict processing where you have grounds to do so; object to processing based on legitimate interests; and data portability to receive your data in a machine-readable format or have it transferred to another organisation.

How to exercise your rights

To exercise any of these rights, contact us at dpo@hirepass.com with details of your request. We will respond within one month of receiving a valid request. For security purposes, we may need to verify your identity before processing your request. There is usually no charge for exercising your rights, though we may charge a reasonable fee for excessive or repetitive requests.

Right to object to marketing

You can opt out of marketing communications at any time by clicking the unsubscribe link in our emails, updating your account preferences, or contacting us directly. This will not affect service-related communications which are necessary for account management and service delivery.

Withdrawal of consent

Where we process your personal data based on consent, you can withdraw that consent at any time. This will not affect processing that took place before you withdrew consent, but will prevent future processing for that purpose.

How we use cookies

Our website uses cookies and similar technologies to provide functionality, analyse usage, and improve your experience. For detailed information about what cookies we use, why we use them, and how you can manage them, please see our separate Cookie notice.

How we protect your data

We implement robust security measures to protect your personal data from unauthorised access, disclosure, alteration, or destruction. These include technical measures such as encryption of data in transit and at rest, multi-factor authentication for system access, regular security updates and patches, secure data centres with physical access controls, and network security including firewalls and intrusion detection systems. Our organisational measures include staff training on data protection and security, background checks for personnel with access to personal data, confidentiality agreements for all staff and contractors, regular security assessments and penetration testing, incident response procedures, and adherence to data minimisation principles.

Data breach procedures

In the unlikely event of a data breach that poses a risk to your privacy rights, we will notify the Information Commissioner's Office within 72 hours where required by law. We will also notify affected individuals where the breach poses a high risk to their rights and freedoms, providing clear information about what happened and what steps we are taking to address it.

Limitations of security

While we implement strong security measures, no system is completely secure. We cannot guarantee the absolute security of your personal data, though we continuously work to maintain and improve our security practices.

Age restrictions

Our services are designed for business use and are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children under 18. If we become aware that we have collected such information, we will delete it promptly.

UK GDPR compliance

We process personal data in accordance with the UK General Data Protection Regulation and other applicable UK data protection laws. We have implemented appropriate policies, procedures, and technical measures to ensure compliance with our legal obligations.

Data Protection Officer

We have appointed a qualified Data Protection Officer who oversees our data protection compliance and can be contacted at dpo@hirepass.com for any privacy-related queries or concerns.

Regular compliance reviews

We regularly review our data processing activities, privacy practices, and security measures to ensure ongoing compliance with data protection requirements and best practices.