I'm a Participant
      Back to home
      1. Knowledge Base
      2. I'm a Participant

      Privacy Policy (Extended)

      Last updated: 3rd January 2026

      Shortlister Solutions Limited (SSL) provides software platforms that support assessment and selection activities and employability preparation, including admissions and recruitment processes. Our platforms operate under the brands Shortlister and Shortlist.Me. We are committed to protecting the personal data of all candidates who use our services.

      This Privacy Notice explains what personal data we collect, how we use it, and how we keep it secure, in accordance with UK data protection laws and the EU General Data Protection Regulation (GDPR).

      1. Our Role as Data Processor

      Data Processor

      Shortlister Solutions Limited (SSL) acts as a data processor on behalf of a third party (the Data Controller). The Data Controller may be an organisation, employer, recruiter, educational institution, or other entity using our platform to assess, select, train, or prepare candidates.

      The Data Controller determines the purposes and means of processing your personal data. SSL processes your personal data only under the Data Controller’s instructions.

      Contact

      If you have questions about how your personal data is handled, you can contact our data protection contact at: privacy@shortlister.com

      2. Children and Young People

      Our platform is not intended for use by individuals under the age of 13.

      Where an organisation invites individuals aged 13 or over to participate in assessment, selection, preparation, or training activities, the organisation is responsible for ensuring the platform is used appropriately and for providing any required information to participants.

      If you are under 18 and have questions about how your personal data is used, you can contact the organisation that invited you to use the platform or email privacy@shortlister.com.

      3. Personal Data We Collect

      The personal data we process will depend on what the Data Controller has enabled and what is required for the activity you are taking part in. Not all data types will be collected in every scenario.

      Data We Receive from the Data Controller

      SSL may receive:

      • Contact details (such as your name, email address, and where provided, mobile number)

      • Candidate identifier (such as an applicant reference number), where provided

      • Application details (such as the role, course, programme, or opportunity), where provided

      • Application documents (such as your CV and supporting documents), where provided

      Data We Collect Directly from You

      Depending on the activity enabled, SSL may collect:

      • Video or audio responses

      • Written responses

      • Assessment responses and results (for example aptitude, situational judgement, or other assessment responses)

      • Files or evidence you upload (for example documents, portfolios, presentations, screenshots, or other attachments)

      • Practice or preparation content (for example practice recordings or draft answers), where enabled

      Technical Information

      We may also collect:

      • IP address

      • Device and browser information (where necessary for troubleshooting and service optimisation)

      • Usage data (such as pages visited within the platform and feature interactions)

      Identity Verification

      Where identity verification (IDV) is enabled, SSL may process identity verification information and verification results provided via our IDV partner.

      4. Special Category Data

      Please do not include special category personal data (such as information about your health, disability, race or ethnicity, religious beliefs, political opinions, trade union membership, genetic data, biometric data, or sexual orientation) in your responses, recordings, uploads or written answers unless the organisation has specifically requested it and provided guidance on why it is needed.

      If you provide special category personal data, SSL will only process it on the instructions of the Data Controller and in accordance with their legal basis and safeguards.

      5. Lawful Basis for Processing

      The Data Controller is responsible for determining the lawful basis for processing your personal data under UK GDPR.

      SSL processes your personal data on behalf of the Data Controller and in accordance with our contractual obligations with them. Without your personal data, we may not be able to provide or facilitate your participation in the relevant assessment, selection, preparation, or training activity.

      6. How We Use Your Data

      SSL only uses your personal data to provide and support the services the Data Controller has asked us to deliver. This includes:

      Facilitate Assessment, Selection and Preparation

      • Provide access to the platform and administer your participation in assessment, selection, preparation and training activities

      • Collect, record and present your submitted responses and results to the Data Controller

      • Enable identity verification, where enabled

      Provide Communications and Support

      • Send invitations, reminders, verification links and completion confirmations

      • Provide technical support and respond to queries

      Maintain Security and Improve the Platform

      • Maintain platform security and prevent misuse

      • Monitor and improve platform reliability, performance, and user experience

      • Where appropriate, convert data into anonymised or aggregated form to analyse usage trends and improve services

      AI-Assisted Features

      Some platform features may use artificial intelligence (AI) to support the creation of summaries, suggested feedback and insights, for example by analysing transcripts, candidate responses, or extracted document content (such as parsed CV data), where enabled. AI is used to support human review and improve efficiency.

      Decisions relating to admissions, recruitment, assessment, or selection are made by the organisation (or its representatives), not by SSL.

      7. Data Sharing with Third Parties (Sub-Processors)

      To deliver our services, SSL may share your personal data with third-party providers (sub-processors), including those listed below. Some suppliers are only used where specific features are enabled by the Data Controller (for example transcription, document parsing, identity verification or AI-assisted insights).

      Company

      Information shared

      Purpose

      Data location

      Heroku

      Contact details and service usage data (where applicable)

      Application hosting and data processing

      EU

      Amazon Web Services

      Uploaded documents, video/audio responses, assessment files

      Data and media storage

      EU

      Mailgun

      Name and email address

      Email delivery

      EU

      Better Stack

      IP address and technical logs

      Logging, monitoring and technical diagnostics

      EU

      Rev.com

      Audio recordings (where enabled)

      Transcription and/or audio processing

      EU

      Textkernel (Bullhorn)

      CVs and uploaded documents (where provided)

      Document parsing and extraction of structured data

      EU

      OpenAI

      Transcripts and extracted document content (such as parsed CV data), where AI features are enabled

      AI-assisted summaries, suggested feedback and insights

      EU

      Yoti

      Identity verification information and verification results (where enabled)

      Identity verification (IDV)

      UK/EU

      *targetconnect

      Name, email and feedback URL (where enabled)

      Aggregation of data

      EU

      * Enablement subject to Data Controller authorisation.

      8. International Data Transfers

      Where it is necessary to transfer your personal data outside of the UK or European Economic Area (EEA), we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Agreement (IDTA) (or UK Addendum), and implement additional safeguards as appropriate. This ensures your personal data receives an adequate level of protection.

      9. Security Measures

      We take information security seriously. Our safeguards include:

      • Encryption in transit and at rest

      • Strict access controls and strong password policies

      • Regular security reviews and updates

      • Access limited to authorised personnel only

      These measures help protect your data against unauthorised access, alteration, disclosure, or destruction.

      10. Retention of Personal Data

      Unless the Data Controller instructs otherwise, SSL will typically retain your personal data for 12 months from the date you complete the relevant activity (for example an assessment, selection activity, or preparation/training activity), after which it will be deleted or anonymised.

      The Data Controller may instruct SSL to delete personal data sooner or retain it for longer in accordance with their retention policy, legal obligations, or regulatory requirements.

      SSL retains technical and security logs for limited periods to maintain platform security, diagnose faults and provide support, using appropriate retention periods based on the type of log data collected.

      11. Your Rights

      Under data protection laws, you have the right to:

      • Withdraw consent (where processing is based on your consent)

      • Access your data (request a copy of the personal data held about you)

      • Rectify inaccuracies (request correction of inaccurate or incomplete data)

      • Delete your data (request deletion where applicable)

      • Restrict processing (for example, while a complaint is being investigated)

      • Object to processing (for example, where processing is based on legitimate interests)

      • Data portability (where applicable)

      As SSL acts as a data processor, you should direct rights requests to the Data Controller. If you contact us, we will forward your request to them.

      12. How to Make a Complaint

      If you are dissatisfied with how your personal data has been handled or believe your rights have not been upheld, you may lodge a complaint with the Information Commissioner’s Office (ICO) in the UK.

      Website: ico.org.uk

      Telephone: 0303 123 1113

      Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

      13. Cookies and Tracking Technologies

      We may use strictly necessary cookies or similar technologies to:

      • Maintain session details (for example, keeping you logged in)

      • Enable video streaming and other interactive features

      These cookies do not collect personal data beyond what is necessary to provide the service. We do not use cookies for profiling or targeted advertising.

      14. Updates to This Notice

      We may update this Privacy Notice to reflect changes in our practices or legal requirements. Any updates will be posted with a clear effective date. We encourage you to review this Notice periodically.

      15. Contact Us

      If you have any questions about this Privacy Notice or wish to know more about how we handle your personal data, please email us at: privacy@shortlister.com