- Introduction
- This Privacy Policy explains in detail the types of personal data that STEPROLE LIMITED, incorporated in Cyprus with registration number HE466241 and registered address at Agiou Symeon 11, Dali, 2548, Nicosia, Cyprus (“we”, “our”, “us”), may collect about you when you interact with us. It also explains how we store, handle, and keep your data safe, when and why we share personal data with third parties, and the rights and choices you have regarding your personal data.
- This policy (together with our Terms and Conditions https://stg.steprole.com/terms-and-conditions/ ) applies if you use our Website and Platform. It also applies if you contact us or we contact you regarding any of our services accessible through our Website and Platform. By using our Website and Platform, you agree to the processing of your personal data in accordance with this Privacy Policy.
- Capitalized terms not defined in this Privacy Policy shall have the meaning ascribed to them in the Terms and Conditions.
- We are committed to ensuring that all personal data is processed in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and relevant data protection laws in Cyprus.
- Important Information and Who We Are
- We act as a Data Controller when we determine the purposes and means of processing personal data directly collected from Users of our platform. This includes:
- When Users register on the platform.
- When Candidates upload CVs or provide information directly on the Platform.
- When Users interact with our platform and services.
- As a Data Controller, we are responsible for:
- Ensuring all processing activities comply with GDPR and other relevant laws.
- Providing transparency to Users about how their data is collected, used, and processed.
- Safeguarding the integrity, confidentiality, and availability of personal data through appropriate security measures.
- Supporting and enabling the exercise of data subject rights under GDPR, which include:
- Right of Access: Allowing Users to access their personal data.
- Right to Rectification: Ensuring Users can request corrections to inaccurate or incomplete data.
- Right to Erasure: Allowing Users to request deletion of their data where lawful.
- Right to Restriction of Processing: Allowing Users to limit the processing of their personal data in specific circumstances.
- Right to Data Portability: Enabling Users to receive their data in a structured, machine-readable format.
- Right to Object: Allowing Users to object to processing based on legitimate interests.
- We act as a Data Processor when processing personal data on behalf of Employers who use our platform for recruitment purposes. In this role, we:
- Process personal data strictly in accordance with the instructions of the Employer.
- Implement appropriate technical and organizational measures to ensure the security and lawful processing of personal data.
- Assist Employers in fulfilling their obligations under GDPR, including facilitating data subject rights requests.
- Ensure that any sub-processors we engage comply with GDPR obligations.
- Notify the Employer without undue delay in the event of a personal data breach.
- As both a Data Controller and a Data Processor, we are committed to:
- Upholding the rights of all data subjects whose data is processed on our Platform.
- Maintaining compliance with GDPR and other applicable data protection laws.
- Providing clear communication to Users about their rights and how to exercise them.
- Contact Information: If you have any questions about this Privacy Policy, including any complaints or requests to exercise your legal rights, please contact us at:
- STEPROLE LIMITED
- Email: [email protected]
- Address: Agiou Symeon 11, Dali, 2548, Nicosia, Cyprus
- You have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection (Commissioner), the Cyprus supervisory authority for data protection issues (www.dataprotection.gov.cy).
- Changes to This Privacy Policy: We keep our Privacy Policy under regular review. Any updates will be posted on our Website and Platform with a revised “Last Updated” date. Continued use of the Website and Platform after updates constitutes acceptance of the revised Privacy Policy.
- Third-Party Links: Our Website or Platform may contain links to third-party websites or services with their own privacy policies. We do not accept responsibility for these policies or any personal data collected by these websites or services. Please review their privacy policies before providing any personal data.
- Data We Collect
- We may collect, use, store, and transfer different types of personal data, including:
- Identity Data: First name, last name, password, and social media identifiers.
- Contact Data: Address, email, phone number, and communication history.
- CV and Professional Data: Full CV content, employment history, education history, professional qualifications, skills, references, and certifications.
- Recruitment Data: Job application details, employer interactions, interview records, and employment status.
- Transaction Data: Details of transactions, products/services purchased, and payment details.
- Financial Data: Bank account and payment card information.
- Device Data: IP addresses, browser type, and device details.
- Usage Data: Information on website interactions, preferences, and browsing behavior.
- Marketing and Communications Data: Preferences for receiving marketing communications, engagement history, and opt-in preferences.
- Aggregated Data: Statistical or demographic data derived from personal data but anonymized for analytical purposes.
- We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.
- We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
- Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a service you have with us but we will notify you if this is the case at the time.
- How is your personal data collected?
- We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
- apply for our services;
- create an account on our Platform;
- subscribe to our Service or publications;
- request marketing material to be sent to you;
- enter a competition, promotion or survey; or
- give us feedback or contact us.
- Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies.
- Processing of User Personal Data
- It is acknowledged and agreed that in the event of processing of personal data by virtue of our online services, the Employer, Assignee, or entity will be acting as a Data Controller, and we will be processing personal data on their behalf as a Data Processor.
- This section ensures compliance with applicable data protection laws of the Republic of Cyprus, including but not limited to the EU General Data Protection Regulation 2016/679 (GDPR), and any national laws supplementing the GDPR (collectively referred to as “Data Protection Regulation”).
- The subject matter of the processing will be the provision of recruitment, scheduling, and other services provided by us. The duration of the processing will be for as long as we have a contractual relationship. The nature and purpose of processing will be the provision of online services. The personal data we process on behalf of Employers include general identification and contact information such as name, address, telephone number, email, profile photograph, and financial information.
- The data controller hereby instructs and authorizes us to process personal data for the purposes of providing our online services and grants us a general authorization to appoint third-party processors as described in Section 6 “Data Sharing and Third-Party Processors.”
- We will:
- Implement appropriate technical and organizational measures to ensure compliance with Data Protection Regulation.
- Process personal data only for the provision of our online services.
- Ensure persons authorized to process personal data commit to confidentiality.
- Take appropriate security measures to prevent unauthorized access or data breaches.
- Ensure that any third-party processor appointed by us will have the same obligations as imposed under this section.
- Notify the data controller without undue delay in the event of a data breach.
- Assist the data controller in responding to data subject requests under GDPR.
- Delete or return all personal data at the end of service provision unless required by law to retain such data.
- We want to give you the best possible customer experience. One way to achieve that is to get the richest picture we can of who you are by combining the data we have about you.
- We then use this to offer you promotions, products and services that are most likely to interest you. In the case of loyalty scheme members, we’ll also offer you relevant rewards.
- The data privacy law allows this as part of our legitimate interest in understanding our customers and providing the highest levels of service.
- Remember, if you choose not to share your personal data with us, or refuse certain contact permissions, we might not be able to provide services.
- Data Sharing and Third-Party Processors
- We recognize the importance of protecting personal data and ensure that any sharing of personal data is conducted with the highest level of security, in compliance with GDPR and applicable data protection laws. We do not sell, rent, or otherwise commercially distribute personal data to third parties. However, in order to provide our services efficiently, we may share data under the following circumstances:
- Third-Party Service Providers: We may engage third-party service providers who act as data processors on our behalf to provide essential functions such as cloud hosting, IT infrastructure, payment processing, analytics, software as a service (SaaS), platform as a service (PaaS), and customer support. These processors are contractually obligated to handle personal data securely and only in accordance with our instructions, ensuring compliance with GDPR requirements.
- Employers as Independent Data Controllers: When Candidates submit their CVs and personal data via our platform, Employers who access this information are considered independent data controllers under GDPR. Employers are solely responsible for ensuring their compliance with applicable data protection laws when processing Candidate information. We do not control or assume responsibility for how Employers use or store personal data obtained through the platform.
- Legal and Regulatory Compliance: We may share personal data when legally required to do so, such as in response to legal requests, court orders, law enforcement investigations, regulatory requirements, or to comply with financial or fraud-prevention obligations. Any such disclosure will be made strictly in accordance with applicable laws and only to the extent necessary.
- Business Transfers: In the event of a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of the business transaction. Any such transfer will be conducted in compliance with GDPR, and we will take all reasonable steps to notify Users and protect their rights regarding their personal data.
- Aggregated and Anonymized Data: We may share aggregated, non-personally identifiable data with partners, industry bodies, or for research purposes to improve our services, conduct statistical analysis, and support business intelligence. This data will not contain any information that can be linked to an individual user.
- Use of AI for Data Processing
- Automated Data Processing via AI: To enhance our recruitment services, we utilize Artificial Intelligence (AI), including automated data extraction and analysis tools:
- For Candidates:
- For structuring information, identifying relevant skills and qualifications, and generating summaries to improve data accessibility for Employers.
- To process CVs and personal data submitted by Candidates.
- Parse CVs and extract information related to personal information, education, experience, certificates, skills, and languages.
- Evaluate the candidate profile against a job opening. The outcome would be a scoring of the Candidate along with a summary of the pros and cons.
- Prepare Candidates for an upcoming interview.
- For Employers:
- Assist with preparing a job listing.
- Assist with improving a job description.
- AI Processing Transparency: AI-driven processing is used solely to assist in the recruitment and job-matching process. It does not make final hiring decisions, and all Candidate data remains subject to human oversight. Employers remain fully responsible for assessing and evaluating Candidates based on their own criteria.
- Accuracy and Limitations of AI: While we strive to ensure the accuracy and reliability of AI-generated summaries and insights, Users acknowledge that AI-based analysis may not always be error-free. Candidates are encouraged to review their AI-processed data and request corrections if necessary.
- User Rights Regarding AI Processing: Candidates have the right to edit or make changes to their profile at any time after AI Processing.
- Security of AI-Processed Data: All AI-driven processing is conducted within a secure cloud-based environment, ensuring compliance with data protection laws. AI tools operate under strict security protocols to prevent unauthorized access, data breaches, or misuse of personal information.
- AI Improvements and Ethical Use: We continuously refine the use of AI models to improve accuracy and fairness. We ensure that AI algorithms are free from bias and operate in a manner that aligns with ethical data processing standards. Users will be notified if significant changes are made to AI-driven processes that may impact their data.
- By using our platform, Users acknowledge and consent to AI-driven data processing, as described in this policy.
- Obligations of Employers as Data Controllers
- Independent Data Controller Responsibilities: Employers accessing Candidate CVs and personal data via the platform act as independent data controllers under GDPR and are solely responsible for ensuring that they process Candidate data in compliance with applicable data protection laws.
- Lawful Basis for Processing: Employers must ensure that they have a lawful basis for processing Candidate personal data, such as consent, contractual necessity, or legitimate interest, as required under Article 6 of GDPR.
- Data Security Measures: Employers are required to implement appropriate technical and organizational security measures to protect Candidate data from unauthorized access, loss, misuse, or disclosure. Employers must:
- Store personal data securely and limit access to authorized personnel only;
- Encrypt or pseudonymize sensitive information where necessary;
- Ensure that any third-party tools or software used comply with GDPR standards.
- Retention and Deletion of Data: Employers must not retain Candidate personal data for longer than is necessary for recruitment purposes. Once the recruitment process is completed, Employers must:
- Securely delete Candidate data unless the Candidate has provided explicit consent for further retention;
- Ensure that Candidate data is not unlawfully shared, copied, or retained beyond its intended use.
- Compliance with Candidate Rights: Employers must uphold Candidate rights under GDPR, including:
- The right to access personal data processed about them;
- The right to rectification of inaccurate or incomplete data;
- The right to erasure (right to be forgotten) under lawful conditions;
- The right to restrict processing under specific circumstances;
- The right to object to processing based on legitimate interest.
- Third-Party Processors and Transfers: If an Employer engages third-party processors to handle Candidate data, they must ensure that:
- A Data Processing Agreement (DPA) is in place with any third-party service provider;
- Data transfers outside the EEA comply with Standard Contractual Clauses (SCCs) or other GDPR-compliant mechanisms.
- Liability Disclaimer: The Platform acts solely as a data intermediary, facilitating the exchange of Candidate data between Users. We do not monitor, control, or assume liability for how Employers process, store, or use Candidate personal data. Employers agree to indemnify and hold us harmless from any claims, damages, or legal liabilities arising from their handling of Candidate data.
- By using the platform, Employers acknowledge their obligations as independent data controllers and agree to process personal data in compliance with GDPR and applicable data protection laws. Failure to comply with these obligations may result in legal consequences and potential removal from the platform.
- Security Measures
- We implement security measures to protect personal data, including:
- Data encryption
- Secure server infrastructures
- Multi-factor authentication
- Regular security audits and penetration testing
- All personal data you provide to us is securely stored on cloud-based servers hosted by third-party service providers that power our Website and Platform. We do not store personal data locally on our own premises. Our cloud service providers are contractually required to implement adequate technical and organizational security measures in compliance with GDPR and applicable data protection laws.
- Any transactions carried out by us or our authorized third-party payment processing providers are encrypted to ensure security. If we provide you with—or you choose—a password to access specific areas of the Website or Platform, you are responsible for keeping this password confidential and must not share it with anyone. Passwords are encrypted and stored securely using industry-standard practices. We never store passwords in plain text and take strict measures to ensure their confidentiality.
- Once we receive your information, we implement strict security protocols and technical safeguards to prevent unauthorized access, loss, or misuse of personal data. We ensure that all data processors and third-party service providers maintain security standards at least equal to our own.
- In the event of a personal data breach, we have established procedures to identify, assess, and mitigate risks. Where legally required, we will notify affected individuals and the relevant Data Protection Authority within the legally mandated timeframe.
- To ensure the protection of your data, we may occasionally request proof of identity before responding to requests related to your personal information, including data access requests (subject access requests) under GDPR.
- Data Breach Notification
- If a data breach poses a risk to Users’ rights and freedoms, we will notify the relevant Data Protection Authority within 72 hours and affected individuals without undue delay.
- Updates to this Privacy Policy
- We reserve the right to modify this Privacy Policy, and updates will be posted with a revised “Last Updated” date.
- Continued use of the Website and Platform after updates constitutes acceptance of the revised Privacy Policy.
- Contact Information
- For GDPR-related inquiries, data access requests, or privacy concerns, contact us at [email protected]
Last Updated: This policy was last updated on the 24th of January 2025.
