Privacy Policy

When we determine the purposes and means of processing (for example, for operating izerra.com, our own recruitment, billing, security, or marketing), we act as a data controller.

When we process personal data on behalf of Tenants in their HR and recruitment processes (for example, Candidate and employee data within a Tenant's Izerra account), we act as a data processor and the Tenant is the data controller.

In the latter case, the Tenant's own privacy notice applies in addition to this Policy.

When GDPR applies, we follow its core principles: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality.

When GDPR applies, we rely on one or more of the following legal bases: performance of a contract, compliance with legal obligations, legitimate interests, and consent where required.

We may share personal data with:

• Tenants: If you are a Candidate or employee whose data is processed in a Tenant account, your data is shared with that Tenant and its Authorized Users.
• Service providers: Hosting, infrastructure, email services, analytics, customer support tools, payment providers, and other vendors that support our operations. These providers process data only on our instructions and under appropriate contractual safeguards.
• Professional advisers: Lawyers, auditors, or consultants where necessary for legal and business purposes.
• Authorities: Where required by law, regulation, or court order, or to protect our rights or the rights of others.
• Business transfers: In the context of a merger, acquisition, or other business transaction, personal data may be transferred to the relevant parties, subject to appropriate protections and, where required, information to you.

We do not sell personal data.

We use cookies and similar technologies on izerra.com and Careers Portals to:

• Enable essential site functionality (such as log‑in sessions and security).
• Remember your preferences (such as language or cookie settings).
• Collect anonymized or aggregated statistics on usage, where permitted.

Where required by law, we request your consent for non‑essential cookies via a banner or consent tool. You can manage cookies through your browser settings, but disabling some cookies may affect functionality.

We operate globally and may process personal data in countries outside your own, including outside the EU/EEA and the UK.

Where personal data is transferred from the EU/EEA or the UK to a country that does not have an adequacy decision, we implement appropriate safeguards, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission (and, where applicable, the UK addendum), and
• Additional technical and organizational measures where necessary to ensure an essentially equivalent level of protection.

You can contact us for more information about the safeguards in place and, where applicable, a copy of the relevant transfer mechanisms.

We retain personal data only for as long as necessary for the purposes described in this Policy or as required by law.

• Tenant account and billing data: kept for the duration of the contract and for a period afterwards as needed for accounting, tax, and legal purposes.
• Candidates for Izerra roles: retained for the recruitment process and for a limited period afterwards, for example to consider you for future roles or defend against legal claims, in line with local law.
• Candidates and employees in Tenant accounts: primary retention decisions are made by each Tenant. Tenants can configure retention settings and delete or anonymize data. After a Tenant's contract ends, we delete or anonymize data in accordance with our DPA, internal policies, and legal obligations.
• Technical and usage data: retained for a period necessary for security, analytics, and improvement, and then deleted or anonymized.

Your rights depend on your location and the laws that apply to you. Where GDPR applies (EU/EEA and in similar frameworks like UK GDPR), you have the following rights:

• Right of access: to obtain confirmation and a copy of personal data we hold about you.
• Right to rectification: to have inaccurate or incomplete personal data corrected.
• Right to erasure: to request deletion of your personal data in certain circumstances ("right to be forgotten").
• Right to restriction: to request that we restrict processing under certain conditions.
• Right to data portability: to receive your personal data in a structured, commonly used, and machine‑readable format and transmit it to another controller where technically feasible.
• Right to object: to object to processing based on legitimate interests, including profiling, and to direct marketing.
• Right to withdraw consent: where processing is based on your consent, you can withdraw it at any time without affecting prior processing.

If we process your data on behalf of a Tenant (for example, as a Candidate applying to that Tenant), you should usually contact the Tenant directly to exercise your rights. We will support the Tenant as required by our agreement and by law.

For data we control, you can exercise your rights by contacting us using the details in Section 11. We may ask for information to verify your identity before responding.

You also have the right to lodge a complaint with a supervisory authority, such as the Estonian Data Protection Inspectorate or the authority in your country of residence or work.

We use appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, where appropriate:

• Access controls and authentication.
• Encryption in transit and/or at rest.
• Logging and monitoring.
• Regular updates and security patches.
• Backups and disaster recovery procedures.

No system is completely secure, but we work continuously to maintain and improve our security posture.

The Service is intended for use by businesses and adult users. Careers Portals and the platform are not designed for children under the minimum working age in the relevant jurisdiction.

If you believe we have collected personal data from a child inappropriately, please contact us so we can investigate and take appropriate action.

We may update this Privacy Policy from time to time. The latest version will always be available on izerra.com with a "Last updated" date.

If we make material changes, we may provide additional notice (for example, via email or in‑app notice). Your continued use of the Service after changes become effective means you accept the updated Policy.