Privacy Policy

 

Last updated: 18/06/2026

  1. Who we are and what we do
  2. Purpose of this Privacy Notice
  3. Who this Privacy Notice applies to
  4. What Personal Data is
  5. Personal Data we collect
  6. Cookies and similar technologies
  7. Purposes, lawful bases and retention periods
  8. Artificial intelligence
  9. Sharing your Personal Information
  10. International data transfers
  11. Your data protection rights

 

Who we are

We are Caraffi Limited (“Caraffi”, “us”, “we”, “our”). We are a limited company registered in England and Wales under registration number 11798006 and we have our registered office at Chancery House, 30 St John’s Road, Woking, Surrey, GU21 7SA. We are registered with the UK supervisory authority, Information Commissioner’s Office (“ICO”), in relation to our processing of Personal Data under registration number ZA496297.

What we do

We are in the business of talent advisory and consulting services. We are committed to protecting the privacy and security of the Personal Data we process about you in line with the data protection principles set out in the UK General Data Protection Regulation 2016 (“UK GDPR”) and the Data Protection Act (“DPA 2018”).

Controller

Unless we notify you otherwise, we are the Controller of the Personal Data we process about you. This means that we decide what Personal Data to collect and how to process it.

 

The purpose of this Privacy Notice is to explain what Personal Data we collect about you and how we process it. This privacy notice also explains your rights, so please read it carefully. If you have any questions, or wish to make a complaint, you can contact us using the information provided below under the ‘Contact Us’ section.

As an information-led business, we place great importance on ensuring the quality, confidentiality, integrity, and availability of the data we hold and in meeting our data protection obligations when processing personal data. Caraffi are committed to protecting the security of your personal data. We use a variety of technical and organisational measures to help protect your personal data from unauthorised access, use or disclosure.

We update this privacy notice from time to time in response to changes in applicable laws and regulations, to our processing practices and to the products and services we offer. When changes are made, we will update the date at the top of this document. Please review this privacy notice periodically to check for updates.

 

This privacy notice applies to you if:

  • You visit our website
  • You purchase goods or services from us
  • You enquire about our products and/or services
  • You are an associate or job candidate
  • You apply for a position, create an account to apply for a position or otherwise engage with us in connection with recruitment, talent advisory or related client services
  • You are an employee, contractor, representative or contact of one of our clients, prospective clients, suppliers or business partners whose Personal Data is processed in connection with the services we provide
  • You sign up to receive newsletters and/or other promotional communications from us

‘Personal Data’ means any information from which someone can be identified either directly or indirectly. For example, you can be identified by your name or an online identifier.

‘Special Category Personal Data’ is more sensitive Personal Data and includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying someone, data concerning physical or mental health or data concerning someone’s sex life or sexual orientation.

The type of Personal Data we collect about you will depend on our relationship with you.

We may collect personal data about you in variety of ways, such as through our site and social media channels; at our events; through phone and fax; through job applications; in connection with in-person recruitment; or in connection with our interactions with clients and vendors. We may collect a selection of personal data dependant on the nature of the relationship, including, but not limited to (as permitted under local law):

  • Contact information (such as name, postal address, email address and telephone number);
  • Username and password when you register on our sites;
  • Information you provide about friends or other people you would like us to contact. (The Controller assumes that the other person previously gave an authorisation for such communication); and
  • Other information you may provide to us, such as in surveys or through the "Contact Us" feature on our site

In addition, if you are an associate or job candidate, you apply for a position or create an account to apply for a position, we may collect the following types of personal data (as permitted under local law):

  • Employment and education history;
  • Language proficiencies and other work-related skills;
  • Social security number, national identifier or other government-issued identification number;
  • Date of birth;
  • Gender;
  • Bank account information;
  • Citizenship and work authorisation status;
  • Benefits information;
  • Tax-related information;
  • Information provided by references;
  • Information contained in your resume or C.V., information you provide regarding your career interests, and other information about your qualifications for employment; and
  • Information generated through our use of artificial intelligence, automation or analytics tools, such as summaries, insights, classifications, trends, recommendations or workflow outputs derived from the Personal Data we process.

We may collect the following types of personal data where required by law and explicit consent has been provided by you:

  • Disabilities and health-related information;
  • Results of drug tests, criminal and other background checks;
  • Special categories of data, such as information about ethnic origin, sexual orientation or religion or belief in order to monitor diversity in recruitment; and
  • AI-assisted notes, summaries, outputs or insights relating to your recruitment, application, associate engagement or work-related profile, where these are created to support our personnel or the services we provide to clients.
  • Your Personal Data is only processed in a country which the Secretary of State has confirmed has an adequate level of protection (an adequacy regulation), or
  • We enter into an International Data Transfer Agreement (“IDTA”) with the receiving organisation and adopt supplementary measures, where necessary. (A copy of the IDTA can be found here ), or
  • When transferring your Personal Data to America, we may rely on the UK-US Data Bridge, where appropriate.
  • Right to be informed
  • Right of access (commonly known as a “Subject Access Request”)
  • Right to rectification
  • Right to erasure (commonly known as the right to be forgotten)
  • Right to object to processing
  • Right to restrict processing
  • Right to portability
  • Automated decision-making.
  • Right to withdraw consent

As a general rule, we try not to collect or process any special categories of data about you, unless authorised by law or where necessary to comply with applicable laws.

However, in some circumstances, we may need to collect, or request on a voluntary disclosure basis, some special category information for legitimate employment-related purposes: for example, information about your racial/ethnic origin, gender and disabilities for the purposes of equal opportunities monitoring, to comply with anti-discrimination laws and for government reporting obligations; or information about your physical or mental condition to consider accommodations for the recruitment process.

In addition, we may collect information you provide to us about other individuals, such as information related to emergency contacts.

Caraffi uses both cookies and web beacons on our website and web beacons in some emails. Cookies are small text files and web beacons are small graphic images. They are downloaded to your device when you visit a website or receive certain emails, unless you have set your browser to reject them.

We use cookies to remember your preferences, display content that is more relevant to you and improve your overall experience of our site. We use web beacons to track the actions of individuals (such as email recipients) and measure the success and response rates of our marketing campaigns.

 

To learn more about cookies, web beacons and what you can do to opt out of receiving them, please view our Cookies Notice here.

Caraffi processes your personal data for a number of different lawful purposes. Data protection law only allows us to use your personal data if we have a lawful reason to do so. Where Personal Data is processed because it is necessary for the performance of a contract to which you are a party, we will be unable to provide our services without the required information.

We will retain your personal data for as long as is necessary to provide you with our products and ongoing services and for a reasonable period thereafter, to enable us to meet our contractual and legal obligations and to deal with complaints and claims. At the end of the retention period, your personal data will be securely deleted in accordance with the Caraffi Personal Data Retention and Destruction Policy and Schedule.

We may use your data for the following purposes and on the following lawful bases:

Purpose

Lawful Bases for Processing

Contacting you by telephone to discuss our services

We rely on your consent to call you to discuss our products and services.

Responding to correspondence from you

It is in our legitimate interest to respond to enquiries made via our website, by email, through our social channels or any other means

 

Managing our client and vendor relationships

 

It is our legitimate interest to manage our business relationships effectively.

Sending you information (via post) such as Caraffi news and information which may be of interest

 

It is our legitimate interest to send out mail to tell you about any offers, products or services which may be of interest to you.

Business management, forecasting and statistical purposes

It is our legitimate interest to identify areas for managing current business relationships, develop new products and services, and for managing our business

 

Improving our website and the overall website visitor and user experience

It is our legitimate interest to allow analytics and search engine providers to help improve and optimise our website

Improving our website and the overall website visitor and user experience

 

We use analytics and performance cookies on our website with your consent

Send you emails to keep you updated on our services

It is our legitimate interest to send you emails to inform you about any offers, products or services which may be of interest to you. We will only send you emails if we have an existing relationship with you. You can opt out of receiving emails by using the unsubscribe facility in the email we have sent you or by using the contact details below.

Complying with and enforcing applicable legal requirements, relevant industry standards, contractual obligations and our policies.

We are required to process your personal data for various legal and regulatory purposes.

Protecting against, identifying and seeking to prevent fraud and other unlawful activity, claims and other liabilities

It is our legitimate interest to ensure we do not engage in any unlawful activities and to prevent such activities

Using artificial intelligence, automation and analytics tools to support our internal operations, improve efficiency, assist with workflow management and develop, test, improve and deliver services to our clients

It is in our legitimate interest to manage and improve our business, develop and deliver services to clients, support recruitment and talent advisory services, and improve operational efficiency. Where processing is necessary to provide requested services, we may also rely on contract. Where required by law, we may rely on legal obligation or consent.

Analysing recruitment, candidate, associate, client contact or workforce-related data to identify trends, patterns and insights and to support human-led decision-making

It is in our legitimate interest to provide and improve our talent advisory and recruitment services, support client service delivery, and produce insights for business management and forecasting. We will apply safeguards, including data minimisation and human review, where appropriate.

 

To support our internal operations and the services we provide to business clients, we may use artificial intelligence technologies, automation and data analytics tools. We may use these tools to drive efficiencies within Caraffi, support recruitment and talent advisory services, analyse data sets and intelligence, identify trends and patterns, generate insights, assist with workflow management, and help us produce or improve outputs for our clients.

 

Where we use AI in relation to associates, job candidates or employees, contractors, representatives or contacts of our clients, the Personal Data processed may include the categories described in section 5, depending on the context. Some AI uses may involve combining data sets and producing statistical or analytical insights. We will seek to avoid using Special Category Personal Data in AI tools unless permitted by law and appropriate safeguards are in place.

Where we process Personal Data as a Controller through AI tools, we will use a lawful basis that is appropriate to the relevant processing.

We will implement appropriate technical and organisational measures for AI processing, including access controls, supplier due diligence, contractual controls, data minimisation, privacy and security assessments where appropriate, and controls designed to prevent Personal Data being used for purposes incompatible with this Privacy Notice.

 

We will not intentionally use your Personal Data to train third-party public AI models unless we have notified you and identified a lawful basis for doing so.

We do not disclose personal data that we collect about you, except as described in this privacy notice or in separate notices provided in connection with particular activities. We may share personal data with trusted partners or vendors who perform services on our behalf based on our instructions. We do not authorise these vendors to use or disclose the information except as necessary to perform services on our behalf or comply with legal requirements. We also may share your personal data:

  • with our subsidiaries and affiliates;
  • if you are a job candidate, with clients who may have job opportunities available or interest in placing our job candidates; and
  • (iii) with others with whom we work, such as job placement consultants and subcontractors, to find you a job.

 

In addition, we may disclose personal data about you:

  • if we are required to do so by law or legal process;
  • to law enforcement authorities or other government officials based on a lawful disclosure request; and
  • (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity.

We also reserve the right to transfer personal data we have about you in the event we sell or transfer all or a portion of our business or assets (including in the event of a reorganisation, dissolution or liquidation).

Your Personal Data may be processed outside of the UK. This is because the organisations we use to provide our service to you are based outside the UK.

We have taken appropriate steps to ensure that when your Personal Data is processed in a country outside the UK, it does not have a materially lower level of protection than that guaranteed in the UK. We do this by ensuring that:

You have certain rights in relation to the processing of your Personal Data, including the:

You have the right to know what personal data we collect about you, how we use it, for what purpose and in accordance with which lawful basis, who we share it with and how long we keep it. We use our privacy notice to explain this.

You have the right to receive a copy of the Personal Data we hold about you.

You have the right to have any incomplete or inaccurate information we hold about you corrected.

You have the right to ask us to delete your Personal Data.

You have the right to object to us processing your Personal Data. If you object to us using your Personal Data for marketing purposes, we will stop sending you marketing material. If at any time you decide that you no longer wish to be contacted for marketing purposes, you can contact us at dpo@caraffi.co.uk.

You have the right to restrict our use of your Personal Data.

You have the right to ask us to transfer your Personal Data to another party.

You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.

If you have provided your consent for us to process your Personal Data for a specific purpose, you have the right to withdraw your consent at any time. If you do withdraw your consent, we will no longer process your information for the purpose(s) you originally agreed to, unless we are permitted by law to do so.

How to exercise your rights:

You will not usually need to pay a fee to exercise any of the above rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

If you wish to exercise your rights, you may contact us using the details set out below within the section called ‘How to contact us and our Data Protection Officer’. We may need to request specific information from you to confirm your identity before we can process your request. Once in receipt of this, we will process your request without undue delay and within one month. In some cases, such as with complex requests, it may take us longer than this and, if so, we will keep you updated.

Some of these rights are not absolute and are subject to various conditions under applicable data protection and privacy legislation and the laws and regulations to which we are subject.

11. Complaints

You have the right to complain if you consider that we have not complied with the data protection law when handling your Personal Data. We will acknowledge receipt of your complaint within 30 days, investigate the matter without undue delay, and keep you informed of the progress and outcome. If you wish to complain please use the contact details given below under “How to contact us and our Data Protection Officer”. We will do our best to resolve the matter to your satisfaction.

If you are not satisfied with the outcome of your complaint, you can complain with the relevant supervisory authority. The supervisory authority in the UK is the Information Commission who can be contacted online at:

Contact us | ICO

Or by telephone on 0303 123 1113

  1. Automated Decision-making
  2. How to contact us and our Data Protection Officer

We do not make any decisions about you based solely on automated decisions.

We may use AI or automated tools to support our personnel in carrying out recruitment, associate management, client service delivery, analytics and business management activities. These tools are intended to assist human review and decision-making and not to replace it where a decision would have a legal or similarly significant effect on you.

You can contact Caraffi in relation to data protection and this Privacy Notice, or if you wish to exercise any of your data protection rights, by emailing dpo@caraffi.co.uk or writing to us at:

Caraffi Data Protection Officer (DPO)

Caraffi Limited

30 St John’s Road

Woking

Surrey

GU21 7SA

United Kingdom