Recruiting Privacy Notice
Recruitment Privacy Notice for Candidates located in Europe
This Privacy Notice explains how Fotografen Online Service GmbH (“we,” “our,” or “us”) processes personal data collected during the recruitment process.
1. Contact Information
Data Controller:
Fotografen Online Service GmbH
Hausvogteiplatz 12
10117 Berlin
talentacquisition@fotograf.de
Data Protection Officer:
ISiCO Datenschutz GmbH
Am Hamburger Bhf 4, 10557 Berlin
datenschutz@fotograf.de
2. Purpose and Legal Basis for Data Processing
2.1. Online Applications
We process applicant data to evaluate candidates for potential employment. When applying through our online application form, we collect the following data directly from the applicant:
- Identifiers (e.g. full name, email address, phone number, mailing address)
- Location (country or state of residence to assess visa, work permit and/or relocation requirements)
- Employment-related information (e.g. resume, cover letter, work history, educational background, professional certifications)
- Demographic information (e.g. race, ethnicity, gender, voluntarily provided in compliance with EEO laws)
- Sensitive personal information (e.g. Social Security Number – only if required for background checks, voluntarily disclosed disability or veteran status)
- References and recommendations (e.g. contact details of references, letters of recommendation – only if specifically requested)
We use this information to assess applications, schedule interviews, and communicate with candidates. Subject to section 4. “Data Recipients”, applicant data is not shared with third parties unless required by law. If hired, we retain this data as necessary for employment. If rejected, the data is stored for six months unless the applicant consents to a longer retention period in our talent pool.
2.2 Candidate Sourcing
We may collect publicly available information via third-party sourcing tools, if the applicant’s profile matches one of our job openings. The collected data includes:
- Name
- Contact information
- Location
- Job title
- Work experience
- Educational background
- Skills
- Qualifications
- Inferred characteristics based on publicly available information
This information is stored for 6 months unless the applicant is hired.
2.3 Talent Pool
If the applicant consents, we will retain the application data for up to 12 months in our talent pool to inform the applicant of relevant job opportunities. The applicant may withdraw consent at any time by emailing talentacquisition@fotograf.de.
2.4 Communication and Scheduling
For interview scheduling and communication, we process:
- Name
- Email address
- Photo (if provided)
This data is stored only as long as necessary to complete the hiring process. If the application is successful, we retain this data as necessary for employment.
2.5 Interview
We use an AI notetaker to ensure the quality of our interviews. The automated documentation of the interview allows us to concentrate on the communication with the applicant and is used for internal training purposes. The AI notetaker processes the following information:
- Name
- Job title
- Job title applied for
- Stage of the interview process
- Written notes, recordings, transcripts and outcomes of the interview
This data is stored only as long as necessary to complete the hiring process. If the application is successful, we retain this data as necessary for employment.
2.6 Candidate Online Assessment Test
As part of our recruitment and selection process, we may invite you to complete one or more online assessments through our assessment platform provider, TestGorilla B.V. These assessments are designed to help evaluate your skills, aptitudes, or personality traits in a fair and consistent way across all candidates.
We process your personal data in connection with the use of TestGorilla for the purpose of evaluating your suitability for the role to which you have applied. If you are selected to participate in an assessment, you will be asked to complete the test directly on TestGorilla’s platform. You will also be asked to provide consent to TestGorilla for processing your personal data and sharing the results with us.
The types of personal data that may be processed during the assessment include:
- Name
- Email address
- IP address and browser metadata
- Answers to test questions (open and multiple choice)
- Assessment scores and evaluation results
- Video or webcam recordings (if enabled)
- Optional demographic information (where applicable)
Please note that TestGorilla is responsible for collecting your consent for processing your data on its platform and for sharing the results with us.
We retain assessment data only as long as necessary for the recruitment process and in accordance with our internal retention policy (typically no longer than 6 months unless you are hired or consent to a longer retention period, in which case different rules apply).
TestGorilla may retain certain data in accordance with their own retention policy, which includes storing your test scores for benchmarking and psychometric analysis in anonymized form.
2.7 Website Interaction Tracking
We use tracking tools to analyze job post interactions and improve user experience. We collect:
- IP address
- Operating system and browser details
- Device type, make, model and resolution
- Screen size
- Country, city location (not precise)
- Referrer URL (previously visited page)
- Pages accessed (date, time, URL, title, length of visit)
- Downloaded files
- Clicked links to other websites
- Conversions (achievement of certain goals)
- Preferred language
The data is processed based on the applicant’s consent (Art. 6 para. 1 lit. a GDPR) collected via the consent management tool Cookiebot and retained for 14 months.
2.8 Applicant Tracking System
We use Ashby, Inc. to manage applications. The system processes:
- Name
- Contact details
- Education and work history
- Interview feedback
- Communication records
- Any additional information voluntarily provided
Data is retained for up to 6 months after a rejection unless the applicant consents to an extended storage period in our talent pool. If hired, we retain the applicant’s data as necessary to manage the employment relationship.
3. Legal Basis for Processing
- Recruiting: Section 26 para. 1 BDSG, Art. 88 para. 1 GDPR (employment related decision making)
- Processing for employment-related decisions: Section 26 para. 2 BDSG, Art. 6 para. 1 lit. a GDPR (consent)
- Special category data (e.g., health information): Section 26 para. 3 BDSG, Art. 9 para. 2 lit. b GDPR (employment related rights or obligations)
- Communication and scheduling: Art. 6 para. 1 lit. b GDPR (pre-contractual steps to a contract)
- Enhancing and tracking interview quality: Art. 6 para. 1 lit. a GDPR (consent)
- Behavioral tracking: Art. 6 para. 1 lit. a GDPR (consent)
- Candidate sourcing: Art. 6 para. 1 lit. f GDPR (legitimate interest)
- Candidate online assessment test: Art. 6 para. 1 lit. b GDPR (pre-contractual processing at candidates’ request), Art. 6 para. 1 lit. f GDPR (legitimate interest)
4. Data Recipients
We use third-party service providers for data processing, namely:
- Personio GmbH (Applicant data management)
- Google LLC & Slack Technologies LLC (Communication and interview scheduling)
- Metaview Global Limited (AI notetaker)
- Coderpad, Inc. (Technical assessment platform for IT applicants)
- Usercentric A/S (Cookiebot – Consent Management Tool)
- Google LLC & PostHog, Inc. (Analytics)
- Ashby, Inc. (Recruitment process and analytics)
- TestGorilla B.V. (Online Assessment Test)
All of the third-party providers listed above are bound by data processing agreements. They have been carefully selected, must follow our instructions when processing personal data and have implemented suitable technical and organizational measures to ensure data security as well as the protection of data subject rights.
For further information on these third-party service providers, the applicant may refer to the privacy notice published on our country-specific marketing websites.
We may disclose personal data in response to inquiries from the authorities, court orders or legal proceedings when legally required.
5. Data Providers
We use third-party service providers for data sourcing, including:
- Juicebox App, Inc.
This third-party data sourcing tool primarily sources publicly available professional data. The use of data is aligned with industry norms in recruitment and safeguards have been put in place by the third party to respect privacy rights.
6. Data Transfers
Where data is transferred to third countries without an adequacy decision by the EU Commission, we implement Standard Contractual Clauses as appropriate safeguards to ensure data protection.
7. Applicant’s Rights
Under GDPR, applicants have the right to:
- Access applicant’s personal data
- Correct inaccurate data
- Request deletion (unless legal obligations require retention)
- Restrict processing in specific circumstances
- Data portability (receive a digital copy)
- Withdraw consent at any time by emailing talentacquisition@fotograf.de
- Lodge a complaint with the relevant data protection authority
To assert any of the applicant’s rights, the applicant may contact us by emailing talentacquisition@fotograf.de.
The competent data protection authority for Berlin:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin
Updated: June 2025
Recruitment Privacy Notice for Candidates located in the United States
GotPhoto, Inc. – Recruitment Privacy Notice
1. Introduction
GotPhoto, Inc. (“GotPhoto”, “we”, “us” or “our”) is committed to protecting the privacy of individuals who apply for jobs with us. This Recruitment Privacy Notice explains how we collect, use, disclose, and protect personal information of job applicants in compliance with applicable U.S. federal and state privacy laws.
2. Scope
This Privacy Notice applies to personal information collected from job applicants who apply for a position at GotPhoto, Inc., whether through our career website, third-party recruitment platforms, or direct communication.
It does not apply to GotPhoto employees, independent contractors or GotPhoto customers, whose personal information is governed by separate privacy notices.
3. Personal Information We Collect
We may collect the following types of personal information:
3.1 Information Applicant Provides Directly
- Identifiers (e.g. full name, email address, phone number, mailing address)
- Location (country or state of residence to assess visa, work permit and/or relocation requirements)
- Employment-related information (e.g. resume, cover letter, work history, educational background, professional certifications)
- Demographic information (e.g. race, ethnicity, gender, voluntarily provided in compliance with EEO laws)
- Sensitive personal information (e.g. Social Security Number – only if required for background checks, voluntarily disclosed disability or veteran status)
- References and recommendations (e.g. contact details of references, letters of recommendation – only if specifically requested)
- Answers to test questions, assessment scores, evaluation results
- Video or webcam recordings (if enabled)
3.2 Information Collected Automatically
We may collect technical data when applicant interacts with our job postings and career site, including:
- Device information (e.g. IP address, browser type, operating system)
- Website usage (e.g. pages visited, time spent on pages, interactions with job postings)
We use cookies and similar tracking technologies to collect this data. Applicant can manage cookie preferences via our data consent management tool Cookiebot.
3.3 Information from Third Parties
We may collect information from:
- Recruitment agencies and job boards (e.g. LinkedIn, Indeed)
- Publicly available sources (e.g. professional profiles)
- Background check providers (if applicable and with consent)
4. How We Use Applicant’s Personal Information
We collect and process applicant’s personal information for the following purposes:
4.1 Recruitment and Hiring Process
- Evaluating applicant’s qualifications for employment
- Scheduling and conducting interviews
- Communicating with applicant about their application
- Verifying references and conducting background checks (where legally permitted)
- Making hiring decisions
- Internal training
4.2 Legal Compliance and Security
- Compliance with federal and state employment laws (e.g. Equal Employment Opportunity laws)
- Detecting and preventing fraud, security threats, or illegal activities
- Responding to legal requests (e.g. subpoenas, government inquiries)
4.3 Diversity and Inclusion (Optional, Voluntary Data Submission)
If applicant voluntarily provides demographic data (e.g. gender, ethnicity, disability status), we may use it to comply with equal employment opportunity laws or internal diversity initiatives.
5. How We Share Personal Information
We do not sell or share applicant’s personal information for advertising purposes. However, we may share applicant’s information in the following circumstances:
5.1 Service Providers
We use third-party service providers to assist with recruitment and hiring processes, namely:
- Personio GmbH (Applicant data management)
- Google Inc. & Slack Technologies LLC (Communication and interview scheduling)
- Metaview Global Limited (AI notetaker)
- Coderpad, Inc. (Technical assessment platform for IT applicants)
- Usercentric A/S (Cookiebot – Consent Management Tool)
- Google LLC & PostHog, Inc. (Analytics)
- Ashby, Inc. (Recruitment process and analytics)
- TestGorilla B.V. (Candidate Online Assessment Test)
All of the third-party providers listed above are bound by data processing agreements. They have been carefully selected, must follow our instructions when processing personal data and have implemented suitable technical and organizational measures to ensure data security as well as the protection of data subject rights.
We also use third-party service providers for data sourcing, including:
- Juicebox App, Inc.
This third-party data sourcing tool primarily sources publicly available professional data. The use of data is aligned with industry norms in recruitment and safeguards have been put in place by this provider to respect privacy rights.
For further information on these third-party service providers, the applicant may refer to the privacy notice published on our country-specific marketing websites.
5.2 Legal Compliance and Business Operations
We may share data:
- To comply with legal obligations (e.g. subpoenas, law enforcement requests)
- To protect GotPhoto’s rights, security, or property
- In case of a corporate transaction (e.g. merger, acquisition)
5.3 State-Specific Sharing Requirements
For California residents, we do not sell or share applicant data as defined under CCPA / CPRA.
6. Data Retention
We retain applicant data for the following periods:
- If hired: Applicant’s information becomes part of their employee record and is stored as required by employment laws.
- If not hired: We retain applicant’s data for a maximum of six months after the rejection decision, unless applicant consents to a longer retention period.
- Talent Pool: If applicant provides consent, we may store applicant’s data for an additional 12 months to consider applicant for future job opportunities. Applicant can revoke this consent at any time.
- Candidate Sourcing Data: Retained for 6 months, after which it is deleted if the applicant is not hired.
- Website Interaction Data (PostHog / Google Analytics tracking): Retained for 14 months.
7. Applicant’s Privacy Rights
7.1 Federal Rights
Under U.S. law, applicant has the right to:
- Access applicant’s data and request details on how it is processed
- Correct inaccurate information
- Withdraw applicant’s application and request data deletion (unless retention is required by law)
7.2 State-Specific Rights
Depending on applicant’s state of residence, applicant may have additional rights:
State | Privacy Law | Applicant’s Rights |
---|---|---|
California | CCPA / CPRA | Access, correct, delete, opt-out of data sharing |
Virginia | VCDPA | Access, correct, delete, appeal denied requests |
Colorado | CPA | Access, correct, delete, opt-out of profiling |
Connecticut | CTDPA | Access, correct, delete, opt-out of data sales |
Utah | UCPA | Access, delete limited data |
7.3 How to Exercise Applicant’s Rights
To assert any of the applicant’s rights, the applicant may contact us by emailing talentacquisition@gotphoto.com.
We will respond within 45 days (or as required by applicable law). If we deny applicant’s request, applicant may have the right to appeal.
8. Updates to This Notice
We may update this Recruitment Privacy Notice periodically. Any material changes will be communicated through our website and will take effect on the updated date.
9. Contact Information
GotPhoto, Inc., 305 Broadway – Floor 7, New York, NY 10007, United States
Email: talentacquisition@gotphoto.com
Updated: June 2025