Job Candidate Privacy Notice

Last revised: 12/27/2025

This Job Candidate Privacy Notice (“Notice”) describes what personal data we, The Empathy Project, Inc. and our affiliates (“Empathy”, “we”, “our” or “us”) - collect and process on our job candidates and applicants (“Candidates”, “you” or “your”) as part of our application and recruitment process, why we collect it and how we use it. It also describes how candidates may exercise their rights to such data held with us.

We strongly urge you to read this Notice and make sure that you fully understand and agree to it. If you do not agree to this Notice, please avoid providing us with your personal data.

You are not legally required to provide us with any personal data, and may do so (or avoid doing so) at your own free will. However, without it we may not be able to process your application.

We will not use or disclose personal data covered by this Privacy Notice in a manner materially different from what is disclosed in this Privacy Notice. To the extent we process personal data which is considered sensitive personal data under applicable data protection laws, we will not use or disclose such sensitive personal data for a purpose other than the purpose for which it was originally collected or subsequently authorized by you unless we have received your affirmative and explicit consent.

1. What data do we collect and how do we collect it?

Throughout the application and recruitment process, you may provide us (or we may otherwise have access to) personal data about you, such as your identifying data, contact details, resume/CV, work-related data, recommendations, social media activity, etc. We may collect this data directly from you, as you provide it voluntarily through your application and candidacy review process, or from other sources such as recruitment agencies, background check services (as applicable and subject to applicable law), or your references. We refer to such data as "personal data" or "personal information".

In some regions, we may also require you to submit sensitive data such as ethnicity, gender, and whether you have a disability or veteran status, to ensure our compliance with our legal obligations under applicable law or otherwise to better analyze and improve our hiring practices. We may also collect sensitive data about your prior criminal convictions and offenses as part of our background checks for specific roles if permitted or required by law. To the extent legally required, we will obtain your explicit consent prior to any such collection and use.

For the purposes of the California Consumer Privacy Act (“CCPA”), in the last 12 months, we have collected the above-mentioned types of personal information about Candidates, which pertain to the following categories: identifiers; customer record information; protected characteristics; professional or employment-related Information; geolocation data; audio, electronic, visual or similar Information; education information; and inferences from personal information collected. We may also require you to submit sensitive personal information (as that term is defined in the CCPA), as outlined above.

2. For what purposes do we use your data?

We use and process your personal data as part of the employment application process at Empathy for the following business purposes (and in reliance on the legal bases for processing noted next to them, as appropriate):

  • To assess your skills and qualifications, and overall to verify, consider and process your application and candidacy for any of our positions, and to communicate with you regarding such processes (contractual necessity; legitimate interests; consent (where applicable));

  • To contact you about other suitable roles within Empathy in the future (legitimate interests; consent (where applicable));

  • To maintain our internal records of recruitment and employment applications (legal obligations; contractual necessity; legitimate interests);

  • To create your employee personnel file, if hired (legal obligations; contractual necessity; legitimate interests);

  • To comply with applicable legislation and industry codes (legal obligations; contractual necessity; legitimate interests);

  • To manage risk and enhance our security and anti-fraud measures (legitimate interests);

  • To create aggregated statistical or inferred data regarding our Candidates (legitimate interests);

  • To further develop and improve our recruitment, and hiring process (legitimate interests);

  • To protect the rights and interests of Empathy and its affiliates (legitimate interests).

If you reside in a territory governed by privacy laws under which “consent” is the only or most appropriate legal basis for the processing of personal data as described herein, then your application will be deemed as your consent to the processing of your personal data for all purposes detailed in this Notice. If you wish to revoke such consent, please contact us at [email protected].

3. Where do we store your data?

Your personal data will be maintained, processed and stored by Empathy and our Service Providers (as defined in Section 6 below) in relevant Empathy offices worldwide including, without limitation, Israel, the United Kingdom (UK) and the United States, in the applied position’s location(s), and other jurisdictions, as necessary for the proper processing of your candidacy. 

While privacy laws may vary between jurisdictions, Empathy, its affiliates and Service Providers processing personal data on our behalf, are each committed to protecting personal data in accordance with this Notice, customary industry standards, and such appropriate lawful mechanisms and contractual terms requiring adequate data protection, regardless of any lesser legal requirements that may apply in the jurisdiction to which such data is transferred.

To the extent we transfer Candidates’ personal data originating in the European Economic Area (EEA) or UK to countries that have not been recognized as offering an adequate level of data protection by the relevant competent authority, we rely on appropriate contractual undertakings and data transfer mechanisms as established under applicable law, such as the standard contractual clauses adopted in the EU (available here), the UK (available here). For data transfers to countries that have been recognized to be providing an adequate level of data protection, we rely on such adequacy findings regarding the level of data protection offered by the recipient country.

The Empathy Project, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce, and will be further liable in cases of onward transfers of your personal data to third parties (including our Service Providers).

The Empathy Project, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF, and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. 

If there is any conflict between the terms in this notice and the EU-U.S. DPF Principles, the Principles shall govern for personal data transferred under the DPF. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

4. How long may we keep your data for?

We may retain Candidates’ data even after the applied position has been filled or closed. This is done so we can reconsider Candidates for other positions and opportunities at Empathy (subject to their specific consent, where required by law); so we may use their personal data as reference for future applications submitted by them; in case the Candidate is hired, for additional employment and business purposes related to their work; and as reasonably necessary to comply with our legal obligations, to resolve disputes, prevent fraud and abuse, perform or enforce our agreements or otherwise to protect our legitimate interests.

5. How do we secure your data?

Empathy has implemented physical, procedural and electronic security measures designed to protect the personal data of our Candidates consistent with applicable privacy and data security laws and regulations, including requiring service providers to use appropriate measures to protect the confidentiality and security of personal data. Please be aware that regardless of the measures we take and the efforts we make, we cannot and do not guarantee the absolute protection and security of any personal data stored with us.

6. Who will have access to your data?

Service Providers: Empathy will disclose your personal data to several selected third-party service providers, whose services and solutions complement, facilitate and enhance the processing of your application and our recruitment process. These include any recruitment firms or individuals that have referred you to us (or vice versa), candidate evaluation centers, applicant tracking systems, recruitment software providers, background checks providers, data storage and cybersecurity services, web analytics, and our business, legal, compliance and financial advisors (collectively, "Service Providers"). Such Service Providers may receive or otherwise have limited access to our Candidates’ personal data, depending on each of their particular roles and purposes in facilitating and enhancing our recruitment process, and may only use it for such purposes.

Public and Governmental Authorities: We may disclose or otherwise allow access to any Candidates’ personal data pursuant to a legal request, such as a subpoena, search warrant or court order, or in compliance with applicable laws, with or without notice to you, if we have a good faith belief that we are legally required to do so, or that disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud or other wrongdoing. We may also disclose your personal data to others, with or without notice to you, if we believe in good faith that this will help protect the rights, property or personal safety of Empathy, any of our customers or employees, or any member of the general public, including yourself or other applicants.

Empathy Affiliated Companies: We may disclose personal data internally within our family of companies, for the purposes described above. Finally, should Empathy undergo any change in control, including by means of merger, acquisition or purchase of all or part of its assets, your personal data may be disclosed to the parties involved in such event.

For the purposes of the CCPA, in the past 12 months, we may have disclosed to the above-mentioned parties, the following categories of personal information relating to our Candidates: identifiers; customer record information; characteristics of protected classifications; professional or employment-related information; geolocation data; audio, electronic, visual or similar information; education information; inferences from personal information collected; and sensitive personal information. We do so for the purposes described in Section 2 above.

We do not sell or share your personal information for the intents and purposes of the CCPA. We do not use or disclose sensitive personal information outside of the purposes allowed by the CCPA.

7. Which cookies and tracking technologies do we use?

If you apply to one of our positions via our website (or that of a Service Provider) please note the use of certain monitoring and tracking technologies, such as “cookies” or similar technologies. These technologies are used to maintain, provide and improve our processes and operations on an ongoing basis, and in order to provide a better experience to our website visitors and Candidates. For example, these technologies enable us to better secure our website and services and detect abnormal behaviors, to identify technical issues, and to monitor and improve the overall performance of our services and processes. To learn more about our cookies practices, please visit our website Cookie Policy.

8. How can you exercise your rights?

If you wish to exercise your privacy rights under applicable law, (including, but not limited to, the EU or UK General Data Protection Regulation (GDPR), Israeli Privacy Protection Laws, or the California Consumer Privacy Act (CCPA)), you may do so by contacting us via [email protected].

Such rights may include – each to the extent available to you under the laws that apply to you – the right to know/request access (to specific pieces of personal data collected, categories of data collected, and sources from whom it was collected, as well as the purposes of collecting it and categories of third parties to whom we have disclosed it);  the right to request rectification or erasure of your personal data held with us; to port it or to restrict its processing; to object to any processing of your data; (including limiting use and disclosure of personal data); to withdraw your consent to any processing of your data; or the right to equal treatment (e.g., freedom against discrimination if you exercise these rights). If you are a GDPR-protected individual, you also have the right to lodge a complaint with the relevant supervisory authority in the EEA or UK, as applicable.

You may designate an authorized agent, in writing or through a power of attorney, to request to exercise your privacy rights on your behalf. The authorized agent may submit a request to exercise these rights by emailing us. In such cases, we may request further information to verify such power of attorney and authorization.

Please note that such rights are not absolute. There are instances where applicable law or regulatory requirements allow or require us to refuse to provide some or all of the personal data that we hold about you. In the event that we cannot accommodate your request, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

Please note that we may require additional information, including certain personal data, in order to authenticate and process your request. Such additional information may be then retained by us for legal purposes (e.g., as proof of the identity of the person submitting the request), in accordance with Section 4 above.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, The Empathy Project, Inc. commits to resolve complaints about our collection or use of your personal data. EEA and UK individuals with inquiries or complaints regarding our Data Privacy Framework compliance should submit inquiries to [email protected]. If you do not receive timely acknowledgment of your EU-U.S. DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, we further commit to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs) and UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and UK Extension to the EU-U.S. DPF in the context of an employment relationship.

Please note, for complaints regarding DPF compliance not resolved by the other DPF mechanisms, you have the possibility, under certain conditions (as described under the DPF Principles that The Empathy Project, Inc. adheres to), to invoke binding arbitration. Further information can be found on the official DPF website. Please also note that The Empathy Project, Inc. is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

9. Who is responsible for your data?

Certain data protection laws and regulations, such as the EU and UK GDPR, the CCPA and other US state privacy laws, typically distinguish between two main roles for parties processing personal data: the “Data Controller” (or under the CCPA, “business”), who determines the purposes and means for processing; and the “Data Processor” (or under the CCPA, “service provider”), who processes the data on behalf of the Data Controller. 

Empathy’s local affiliate relevant to the role for which you apply is typically the Data Controller of your personal data, and with respect to which, assumes the responsibilities of a Data Controller – solely to the extent applicable under the law and as set forth in this Notice. In such instances, our Service Providers processing such data will assume the role of Data Processors. For the purposes of Israel’s Protection of Privacy Law, The Empathy Project Ltd. serves as the “Database Controller” responsible for personal data processed in its recruitment processes and can be contacted at [email protected].

10. Will this Notice be updated?

We may update this Notice to reflect changes in our privacy practices. If we make any changes that we deem as "material", we will update this page prior to the change becoming effective.

11. What if you have any questions?

If you have any comments or questions regarding this Notice, if you have any concerns regarding your privacy, or if you wish to make a complaint about how your personal data is being processed by Empathy, you can contact us at [email protected]