Privacy policy

1. Who We Are

Spine is the trading name of WithSpine Ltd, a private limited company incorporated in England and Wales (company number 17213475), with its registered office at 124 City Road, London EC1V 2NX, United Kingdom. WithSpine Ltd is the data controller in respect of the processing described in this Privacy Policy, except where otherwise stated. All privacy enquiries should be directed to lucas@withspine.co. WithSpine Ltd is registered with the UK Information Commissioner's Office under registration number.

2. What Spine Does

Spine provides hiring intelligence services to hiring organisations ("Clients"). Where a Client engages Spine in connection with a hiring process, Spine receives information about candidates being considered for the role and produces a structured pre-hire memo, scorecard, and post-hire validation assessing the candidate's fit against the Client's success criteria. Spine does not make hiring decisions. The Client retains sole authority over hire and no-hire decisions, and every Spine recommendation is reviewed by a human Client representative before any action is taken.

3. How We Receive Your Data

Spine receives candidate personal data through one or more of the following routes: from a hiring Client in connection with a role for which the Client has engaged Spine; from an affiliate recruiter who has introduced the candidate to a Spine Client (in which case the recruiter is responsible for having obtained the candidate's prior consent to share data with Spine); directly from the candidate, where the candidate provides information to Spine in the course of the assessment process; or from publicly available professional sources such as LinkedIn or comparable professional listings.

4. What Information We Process

Depending on the engagement, Spine may process the candidate's name and contact details, CV, employment history, education, qualifications, salary expectations, interview notes, interview transcripts (where the candidate has consented to recording), reference feedback from previous managers or colleagues, Spine scorecard outputs and pre-hire memo content, and, where the candidate is subsequently hired, performance data against pre-agreed Day 60 and Day 90 success criteria provided by the Client. Spine does not process special-category personal data within the meaning of Article 9 GDPR as part of its standard assessment process; where any such information is volunteered, it is redacted from Spine's records and excluded from the assessment.

5. Why We Process Your Data

Spine processes candidate data on two distinct lawful bases. When assessing a candidate for a specific role on behalf of a Client, Spine acts as the Client's processor, and the Client is responsible for its own lawful basis under Article 6 of the GDPR (typically legitimate interests under Article 6(1)(f) or contract under Article 6(1)(b)). Where Spine retains a candidate's professional profile after the relevant hiring process has concluded, to inform the candidate of future opportunities at organisations other than the original Client, Spine acts as an independent data controller on the basis of its legitimate interests under Article 6(1)(f). A documented Legitimate Interests Assessment is available on written request. Anonymised and aggregated data used for methodology calibration is outside the scope of the GDPR.

6. Sub-processors

Spine engages sub-processors to assist in delivering its services. The current categories of sub-processor include large language model and artificial intelligence services, cloud document management and productivity platforms, call recording and transcription services, contact data and sales-engagement platforms, and payment processing. Each sub-processor is bound by data protection obligations no less protective than those set out in this Privacy Policy. A current list of named sub-processors is available on written request to lucas@withspine.co. Spine notifies its Clients in writing of any addition or change of sub-processor with no less than fourteen calendar days' prior notice.

7. International Data Transfers

Some of Spine's sub-processors operate outside the United Kingdom or the European Economic Area. Where personal data is transferred internationally, Spine relies on the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs), as applicable, supplemented by technical safeguards including TLS 1.2 (or higher) encryption in transit and AES-256 (or equivalent) encryption at rest at each sub-processor.

8. How Long We Keep Your Data

Identifiable personal data processed by Spine on a Client's instructions for a specific hiring process is deleted from Spine's identifiable records within ninety calendar days following the conclusion of that hiring process, or, where applicable, the Day 90 verdict in respect of the resulting hire, unless the Client instructs Spine in writing to retain it for a longer period. Anonymised data and patterns derived from engagements, with no candidate-identifying information, are retained indefinitely for methodology calibration, accuracy benchmarking, and aggregated research outputs. Identifiable professional profiles retained by Spine on its legitimate-interests basis as part of its talent network are retained until the candidate objects under Article 21 GDPR (in which case the relevant data is deleted within thirty days of a valid objection), or until twenty-four months elapse without any contact with the candidate, whichever is sooner.

9. Your Rights

Under the UK GDPR and the EU GDPR, candidates have the right to request access to the personal data Spine holds about them, to have inaccurate or incomplete data rectified, to request erasure of personal data, to request restriction of processing, to object to processing carried out on the basis of legitimate interests, to receive personal data in a structured machine-readable format, and to withdraw consent where consent has been given. Requests should be sent to lucas@withspine.co, and Spine will respond within thirty calendar days. Candidates also have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk or with the data protection authority in their country of residence.

10. Automated Decision-Making

Spine produces structured candidate assessments and recommendations that inform the Client's hiring decision. Spine does not make hiring decisions itself. Every Spine recommendation is reviewed by a human representative of the Client, who retains sole authority over the hire and no-hire decision. Spine's processing does not constitute solely-automated decision-making within the meaning of Article 22 GDPR.

11. Security

Spine implements appropriate technical and organisational measures to protect personal data, including full-disk encryption on all devices that access candidate data, AES-256 or equivalent encryption at rest at all sub-processors, TLS 1.2 or higher encryption in transit for all data exchanges, multi-factor authentication on all sub-processor accounts, and personal authenticated logins with no shared credentials on all systems. In the event of a personal data breach affecting candidate data, Spine notifies the relevant Client and supervisory authority without undue delay, and in any event within seventy-two hours of becoming aware of the breach, in accordance with Articles 33 and 34 GDPR.

12. Changes to This Privacy Policy

Spine may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated version number and effective date. Where Spine has an active relationship with a candidate, material changes will be brought to the candidate's attention directly. Candidates are encouraged to review this Privacy Policy periodically.

13. Contact Us

Any questions or requests in connection with this Privacy Policy or Spine's data practices should be directed to lucas@withspine.co. Postal correspondence should be addressed to WithSpine Ltd, 124 City Road, London EC1V 2NX, United Kingdom. Candidates also have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk, or with the data protection authority in their country of residence.