Privacy Policy

How KalosHR collects, uses, shares, and protects your data across our website, app, employer careers pages, and marketing.

Effective 1 January 2026 · Last updated 1 June 2026

This policy explains what data KalosHR ("KalosHR", "we", "us") collects, why we collect it, who we share it with, and the choices you have. It covers the kaloshr.com website, the KalosHR application, employer careers pages hosted at kaloshr.com/{company}, and our marketing activity.

By using our website or services you acknowledge the practices described here.

1. Who we are

KalosHR is a hiring and applicant tracking platform operated by Kalos Technologies Ltd, registered in the United Kingdom, with its registered address at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. For data protection matters, contact us at privacy@kaloshr.com.

2. Our two roles

We handle data in two distinct capacities, and your rights run to different parties depending on which applies to you:

  • As a data controller — for website visitors, people who sign up for or use KalosHR (recruiters, employers, team members), leads, and marketing audiences. We decide how and why this data is processed, and this policy governs it.
  • As a data processor — for candidate data submitted through an employer's job posts, careers page, or pipeline. The employer is the controller of that data; we process it on their instructions. Candidates should direct requests about their application data to the employer they applied to, though we will assist as described in Section 12.

3. Data we collect

Data you give us

  • Account data: name, email address, phone number, company name, role, password (hashed), and one-time verification codes.
  • Billing data: subscription plan, transaction history, and payment details processed by our payment provider (we never store full card numbers).
  • Content you create: job posts, application form questions, pipeline notes, careers page content, and messages sent through the platform.
  • Communications: messages you send us by email, contact forms, chat, or support channels.
  • Candidate data (processed for employers): name, contact details, CV and cover letter, answers to screening questions, LinkedIn or portfolio links, expected salary, referral source, and any other information a candidate submits.

Data we collect automatically

  • Usage and device data: pages visited, actions taken, browser type, operating system, screen size, IP address, and approximate location derived from IP.
  • Identifiers and advertising signals: cookie identifiers, our own session identifiers, Google Analytics client ID, and advertising click identifiers, including the Google Click ID (GCLID) attached to your visit when you arrive from an ad. We capture and store these identifiers when you land on our site and when you submit a form, and we associate them with your account or lead record so we can measure which marketing brought you to us.
  • Inferred data: engagement scores, plan interest, and estimated deal value used for sales and marketing prioritisation.

Data from third parties

  • Advertising and analytics platforms (Google) reporting on campaign interactions.
  • Publicly available professional information used to qualify business leads.
  • Referral sources, where a candidate or customer was referred by someone else.

4. How we use data

  • Provide, maintain, and improve the KalosHR platform.
  • Create and manage accounts, verify identity (OTP), and process payments.
  • Operate employer careers pages and deliver candidate applications to the right employer.
  • Measure and improve marketing: attribute signups and subscriptions to the campaigns, keywords, and ads that produced them, including by joining click identifiers to account outcomes.
  • Advertise our services, including retargeting and building advertising audiences (Section 6).
  • Communicate with you: service messages, onboarding, product updates, and, where permitted, marketing messages you can opt out of at any time.
  • Secure the platform, prevent fraud and abuse, enforce our terms, and comply with law.

5. Legal bases

Where the GDPR (and equivalent data protection laws) apply, we rely on:

  • Contract — to deliver the services you signed up for.
  • Legitimate interests — to secure the platform, measure and improve marketing performance, conduct B2B outreach, and grow our business in ways you would reasonably expect. Where we rely on legitimate interests, you may object (Section 11).
  • Consent — where required for certain cookies, advertising storage, and marketing communications. You can withdraw consent at any time without affecting prior processing.
  • Legal obligation — for tax, accounting, and lawful requests.

6. Cookies, tracking, and advertising

We use cookies and similar technologies from the moment you load the site. Our cookie banner lets you accept or decline; here is precisely what each choice does:

  • Accept: all analytics and advertising storage operates normally.
  • Decline: we signal Google to downgrade its storage consent (Consent Mode), which disables ad and analytics cookies for Google services and switches Google measurement to aggregated, cookieless signals. Declining does not stop all data collection: we still process technical data needed to run the site, our own first-party measurement, and click identifiers such as the GCLID that arrive in the page URL, which we may store and use for attribution as described in this policy.

The technologies we use include:

  • Google Analytics 4 — site usage measurement.
  • Google Ads conversion tracking and Conversion Linker — records when an ad click leads to a signup or subscription.
  • Enhanced conversions — when you sign up or convert, we may share a hashed (SHA-256) version of your email address with Google to improve conversion measurement. Google cannot read the raw address from the hash.
  • Offline conversion uploads — when a lead or customer reaches a business milestone in our systems (for example, becoming a subscriber), we may upload that outcome, its timestamp, its value, and the associated click identifier back to Google Ads so Google can measure and optimise our campaigns.
  • Remarketing and audiences — we build advertising audiences from site visitors, video viewers, and customer lists (customer match, using hashed identifiers), and Google may use these to show our ads on Google Search, YouTube, and partner sites, including to audiences similar to our customers.
  • Live chat and session tools — if enabled, chat providers process the messages you send through them.

You can additionally control advertising through your Google settings at adssettings.google.com, install the Google Analytics opt-out browser add-on, and block or delete cookies in your browser. Blocking essential cookies may break parts of the site.

7. Automated processing and match scores

The platform calculates an ATS match score comparing a candidate's application against a job's requirements. This score assists employer decision-making; KalosHR does not make automated hiring decisions. Employers remain responsible for their hiring choices and for telling candidates how they evaluate applications.

8. Who we share data with

We do not sell personal data. We share it with:

  • Service providers (processors) — hosting and infrastructure, payment processing (e.g., Stripe), email and OTP delivery, analytics and advertising (Google), CRM and automation tools (e.g., HubSpot, Zapier), and customer support tools. Each is bound by contract to process data only on our instructions.
  • Employers — candidate data goes to the employer whose job the candidate applied to.
  • Advertising platforms — hashed identifiers, click identifiers, and conversion outcomes, as described in Section 6.
  • Professional advisers and authorities — where required by law or to protect our rights.
  • A buyer or successor — if we are involved in a merger, acquisition, or asset sale, with notice to you.

9. International transfers

Our providers (including Google, Stripe, and cloud hosting) may process data outside your country, including in the United States and the European Economic Area. Where required, we use lawful transfer mechanisms such as standard contractual clauses or transfers to jurisdictions with adequate protection, per GDPR requirements.

10. Retention

  • Account and billing data: for the life of the account plus up to 6 years for legal and accounting purposes.
  • Candidate data: for as long as the controlling employer instructs, or until the employer or candidate (via the employer) requests deletion.
  • Marketing identifiers and attribution data (including click IDs): up to 26 months, or shorter where platform limits apply.
  • We delete or anonymise data when it is no longer needed.

11. Your rights

Subject to applicable law (including the GDPR), you may:

  • Access a copy of your personal data.
  • Correct inaccurate data.
  • Delete data, subject to legal retention requirements.
  • Object to or restrict processing, including processing based on legitimate interests and direct marketing.
  • Withdraw consent at any time.
  • Port your data to another provider in a structured format.
  • Complain to a supervisory authority — in the EEA/UK, your local data protection authority.

To exercise any right, email privacy@kaloshr.com. We respond within the time required by law and may verify your identity first.

12. Candidates

If you applied for a job through KalosHR, the employer controls your application data. Send access, correction, or deletion requests to that employer; we will support them in fulfilling your request, and where we are legally required to act directly, we will. Your application data is visible to the employer's authorised team members and is scored as described in Section 7.

13. Marketing communications

Where we send marketing emails or messages, every message includes an unsubscribe option. Opting out of marketing does not affect service messages such as billing notices or security alerts.

14. Security

We protect data with encryption in transit, hashed passwords, access controls, and least-privilege staff access. No system is perfectly secure; if a breach affects your data and creates a risk to you, we will notify you and the relevant authority as required by law, including within the GDPR's 72-hour notification window.

15. Children

KalosHR is a business tool for people aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe a minor has provided us data, contact privacy@kaloshr.com and we will delete it.

16. Changes to this policy

We may update this policy as the product and law evolve. Material changes will be announced on the site or by email, and the "Last updated" date will change. Continued use after changes take effect constitutes acceptance.

17. Contact

KalosHR — Privacy
Kalos Technologies Ltd
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
privacy@kaloshr.com

If you do not agree with this policy, please do not use kaloshr.com or the KalosHR services.