How does Circular manage developers' privacy?
Written by Circular
Updated over a week ago

Since May 25, 2018, the General Data Protection Regulation (GDPR) governs how personal data is acquired, stored, and distributed between online service providers.

As a product with referral dynamics at its core, Circular takes data privacy and GDPR very seriously. We also believe it is a great opportunity for brands that are built on trust, like ours. That's why we worked with privacy experts at PwC to design a solid and GDPR-compliant product experience.

SHORT VERSION ON HOW WE COMPLY WITH GDPR

We are like any other referral program and, in a nutshell, this is how we comply with GDPR:

  • When you refer developers to Circular (either via email or by sharing your referral link), they have to give consent and sign up in order to join Circular and start receiving interview invitations (i.e. Circular is 100% opt-in for developers you refer).

  • If you refer them via email and they decide not to sign up, we do not contact them ever again. We wouldn't be able to contact them even if we wanted to, because we don't store these email addresses beyond 24 hours.

  • If you shared your referral link (outside of our platform) with a developer and they decide not to sign up, we obviously don't have any information about the developer.

THE FULL EXPLANATION

The GDPR (see full details on their website) has more items than we could cover in this article, so we will only focus on the two areas that affect Circular the most: User Consent and Right To Be Forgotten.

1. User Consent

Circular helps recruiters refer developers to the platform so they can be sourced in other interview processes. But it is impossible to gain the referred developer's explicit consent for their data to be used. After all, it's not the data owner (developer) but someone else (recruiter) who uses their email address to send an invitation.

When designing Circular, we faced two main challenges around consent:

  • Storing a referred developer's data before they accept the referral (or if they don't)

  • Acquiring permission once the developer accepts the referral

Let's see how we solved those challenges depending on how the developer is referred, via email or sharing their referral link:

Referring developers via email (inside the platform)

When referring developers via email, we use a third-party email source (hiring team) to refer the data owner (developer) to Circular.

We send the developer one email on your behalf, with a randomly generated invitation link. We do not store the developer's email address after 24 hours, so we will never send any other emails to them.

If they decide to sign up, they'll accept the privacy policy and terms and conditions, giving us their consent to be part of the Circular community.

Your referral link leads to a signup form for developers that is uniquely linked to you. When a developer signs up through it, we send you an email so you can write a small text highlighting their best qualities.

If you share the referral link with the developer outside the platform (for instance in your rejection email), we obviously don't have any of their information, since we don't have any visibility into who you shared the link with (until they eventually sign up). If they decide to sign up, they'll accept the privacy policy and terms and conditions, giving us their consent to be part of the Circular community.

2. Data & account modification

We give developers extended control over their data: they can remove referrals from their profile, switch to "not available" status to stop receiving interview offers, unsubscribe from any communication, decide the channels through which they want to be contacted, etc.

More importantly, developers (and recruiters) can delete their accounts from the platform at any time. That option completely removes all their data from our database along with the activity they've generated in Circular.

Note: this article doesn't intend to have any contractual value. For detailed information on the privacy policy and platform, please refer to the Privacy Policy and Terms and Conditions.

Privacy & Security

Privacy

Why does Circular process personal data in connection with this tool?

Circular processes data in two different ways: (i) to provide a service to its clients as a data processor and (ii) to anonymise it and consequently use said anonymised and aggregated data to train its algorithm as a data controller, as better explained in the privacy policy.

Is it possible to conclude a contract for the processing of customer personal data with Circular?

Whenever Circular processes personal data to provide a service to its clients, Circular and the respective clients always enter into a data processing agreement as required by Article 28 of the GDPR.

Is personal data shared with other parties?

Personal data may be shared with public authorities, to comply with the requirements of such authorities and the applicable regulations, if any. In addition to said communications, we have the collaboration of some third-party service providers who have access to your personal data and who process said data in our name and on our behalf, only during the provision of the service we have contracted, as better detailed in our privacy policy.

When is personal data deleted or anonymised?

In relation to the personal data processed on behalf of its clients, after the provision of the corresponding services is concluded, Circular will anonymise and aggregate said personal data prior to using it for the improvement of the products and services of CIRCULAR and development of new products and services, which most notably include the training and developing of its machine learning algorithms.

Security

How does Circular deal with data breaches?

Circular has protocols in place to ensure that all data breaches are duly dealt with and solved in line with the rules of the GDPR and the guidelines of the Spanish Data Protection Agency.

Who at Circular and its partners can access personal data?

At Circular we have a very strict least-privilege policy by which only specific employees have time-controlled, audited access to personal data. No partners have access to any personal data whatsoever besides our infrastructure hosting providers.

Does Circular take measures to identify vulnerabilities in the security of personal data?

We use the facilities and services provided by our hosting partner, Amazon Web Services, to continuously scan and assess security threats. Moreover, we keep all critical software dependencies automatically updated and, when possible, use managed services instead of self-hosted ones.
