CANDIDATE PRIVACY POLICY

Effective date: 05 June 2026



1. Introduction

This Candidate Privacy Notice explains how XYZ Reality Limited (“we”, “us”, “our”) collects, uses, and protects personal data relating to job applicants and candidates. We are committed to protecting your privacy and handling your personal data lawfully, transparently, and securely.

2. Data Controller

XYZ Reality Limited is the data controller in respect of your personal data. Please direct all queries to privacy@xyzreality.com or to 338–346 Goswell Road, London EC1V 7LQ.

3. What Personal Data We Collect

In connection with your application for work with us, we may collect, store, and process the following categories of personal data:

  • Information on your CV and covering letter, including education, qualifications, and employment history;
  • Identification and contact data such as your sex, pronouns, name, date of birth, address, email, national insurance number, phone number, passport, and visa/immigration documents;
  • Interview notes and assessment results, and interview and offer letters;
  • Information from third parties such as references and referee contact details;
  • Information about your health, including any medical condition and health and sickness records, which we may use to provide appropriate adjustments during the recruitment process (this is special category personal data, processed on the basis of Article 9(2)(b) UK GDPR);
  • Background checks such as right-to-work checks, criminal record checks, and regulatory or professional checks (criminal record data is processed under Article 10 UK GDPR and paragraph 29 or 36 of Schedule 1 to the Data Protection Act 2018, as applicable); and
  • Equality and diversity monitoring data (such as age, race, gender, disability), processed on the basis of substantial public interest (Article 9(2)(g) UK GDPR) as permitted by paragraph 8 of Schedule 1 to the Data Protection Act 2018.

4. How We Collect Your Data

We collect personal data through job applications submitted directly by you; recruitment agencies, background check providers, or third-party platforms; interviews, assessments, and communications; references provided by third parties; and publicly available professional information (e.g. LinkedIn).

5. How We Use Your Personal Data

We process your personal data to manage and assess your skills, qualifications, suitability for the role, and application; determine your suitability for employment; communicate with you throughout the recruitment process; comply with legal and regulatory obligations; carry out right-to-work, background, reference, and suitability checks; and maintain records of recruitment decisions.

6. Legal Bases for Processing

We rely on the following lawful bases under UK GDPR Article 6:

  • Legitimate interests (Article 6(1)(f)): assessing your skills and suitability, evaluating interview and assessment results, reviewing publicly available professional information, and maintaining records of recruitment decisions. Where we rely on legitimate interests we have carried out a Legitimate Interests Assessment (LIA); you may request a summary by contacting privacy@xyzreality.com;
  • Legal obligation (Article 6(1)(c)): right-to-work checks, criminal record checks where legally required, health and safety obligations, and applicable regulatory requirements;
  • Pre-contractual necessity (Article 6(1)(b)): communicating with you, making and communicating recruitment decisions, and processing steps required prior to entering a contract of employment or engagement; and
  • Consent (Article 6(1)(a)): used only for specific, optional processing such as retaining your details on a talent pool for future opportunities. Consent is sought explicitly and separately, withholding it has no bearing on your application, and you may withdraw it at any time.

If you fail to provide information when requested, we may not be able to process your application successfully.

7. Who We Share Your Data With

We may share your data with HR personnel and hiring managers; recruitment agencies; assessment providers; background screening providers; IT and HR system providers; and regulators or authorities where legally required. All third parties are required to maintain appropriate confidentiality and security standards and may only process your data for specified purposes in accordance with our instructions. We may disclose personal data where required by law, government, or regulatory authorities; to establish, exercise, or defend legal rights; and for purposes of preventing crime and fraud.

8. International Transfers

Where personal data is transferred outside the UK and EEA, appropriate contractual safeguards are used (e.g. UK adequacy regulations, International Data Transfer Agreements (IDTAs), or UK Addenda to EU Standard Contractual Clauses). Data is protected in accordance with UK GDPR requirements. For further information, contact privacy@xyzreality.com.

9. How Long We Retain Data

We retain candidate data as follows: for successful candidates, as part of the employee personnel file and up to six years post-termination; and for unsuccessful candidates, criminal records, and equality and diversity monitoring data, typically up to two years after the recruitment process ends. Longer retention may apply where legal claims are anticipated, regulatory requirements apply, or you ask to be informed of future opportunities.

10. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, alteration, or disclosure. Access is limited to those with a business need to know, who are subject to a duty of confidentiality. We will notify you of any suspected data security breach where legally required to do so.

11. Your Data Protection Rights

You have the right to access your personal data and receive a copy; request rectification of inaccurate or incomplete data; request erasure (subject to legal exceptions); object to processing where we rely on legitimate interests; request restriction of processing; data portability (where applicable); and withdraw consent at any time where consent is the legal basis, without affecting the progress or outcome of your current application. To exercise any of these rights, contact privacy@xyzreality.com.

12. Automated Decision-Making

You will not be subject to decisions that have a significant impact on you based solely on automated decision-making. Automated tools may form a proportionate part of our recruitment process (for example, to screen candidates against minimum requirements or assess test results). If you believe a decision affecting your application has been made solely by automated means, you have the right to request human review, express your point of view, and contest the outcome — contact privacy@xyzreality.com.

13. Complaints

You have the right to lodge a complaint at any time with the Information Commissioner’s Office (ICO) — website: ico.org.uk; phone: 0303 123 1113; address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. We would appreciate the opportunity to address your concerns first; please contact us at privacy@xyzreality.com in the first instance.

14. Changes to This Notice

We may update this notice from time to time. The most recent version will be available on our website or provided during the recruitment process.