Last Updated: January 2026

Privacy Notice (Website & Recruitment)

1. Introduction

1.1 Mustard HR is a registered Data Controller with the Information Commissioner's Office (ICO).

1.2 This Privacy Notice sets out how we collect, store and use personal information in accordance with the UK General Data Protection Regulations (UK GDPR) and Data Protection Act of 2018.

1.3 It applies to all users of the Mustard HR website and individuals who apply for vacancies with us, whether through our online careers portal or by any other means.

1.4 We reserve the right to amend this Privacy Notice at any time. It does not form part of any contract with us.

1.5 By using our website, you agree to the collection and use of information in accordance with this policy.

2. Data Controller Information

Company: Mustard HR Ltd
Contact Person: Lucy Feavearyear (Data Protection Officer)
Address: Norwich, Norfolk
Email: lucy@mustardhr.co.uk
Phone: 07809 227222

3. The information we store

3.1 We collect, store and use the following categories of personal information:

a) Basic contact information, such as names, titles, pronoun preferences, addresses, email, phone and other details.

b) Business Information such as company details, employee count, industry sector.

c) Payment details, financial and transaction data; usage and technical data – including website, products and services.

d) Marketing preferences, profile information, IP addresses, website and app user journey information.

e) Communication Data such as records of our correspondence, enquiry details, feedback.

f) Employment information and work records, including employment dates and location, employment and education history, details of criminal convictions or other security or vetting information and right to work documentation such as ID and proof of address, next of kin information.

4. How we collect this information

4.1 When you submit a website enquiry or sign up to our newsletter, the data that you have provided will be stored in our website database and emailed to us directly.

4.2 When you apply for a vacancy through our careers portal, your data will be collected and stored within our Applicant Tracking System (ATS), which is provided by Hireful Ltd. This system may also collect technical information such as your IP address and device information when you interact with the application portal. We remain the data controller for all recruitment data and Hireful acts as our data processor. You can view Hireful's privacy policy at www.hireful.com/privacy-policy.

4.3 We may also collect personal information from third parties such as recruitment agencies, online job boards, professional networking sites (such as LinkedIn), former employers, referees and background check agencies where relevant to the role.

5. Information Automatically Collected

5.1 When you visit our website, we may automatically collect:

5.2 Technical Data such as IP address, browser type, operating system, device information.

5.3 Usage Data such as pages visited, time spent on pages, links clicked, referring website.

5.4 Our website may contain links to other websites of interest. However, once a user has left our site we have no control over their privacy and therefore cannot be responsible for their data. Such sites are not governed by this privacy statement. This does not apply to the careers portal.

5.5 Our careers portal is provided by Hireful Ltd, a third-party Applicant Tracking System provider. When you access this portal via our website, you will be directed to their platform where your application data will be collected on our behalf. We remain the data controller for this information. Hireful acts as our data processor and is contractually required to handle your data in accordance with data protection legislation.

6. How we use personal information

6.1 We only use personal information when the law allows us to. Most commonly, in the following circumstances:

a) In limited circumstances, with explicit written consent. For example, when you subscribe to our newsletter or request to receive marketing communications.

b) When we need to perform a contract we have entered into, or because we have been asked to take specific steps before entering into a contract.

c) When we need to comply with a legal obligation.

d) When it is necessary for legitimate interests pursued by us or a third party and the individual's interests and fundamental rights do not override those interests. For example, when you submit an enquiry form or contact us requesting information about our services, as this constitutes a request for us to take steps before entering into a contract or falls under our legitimate interests in responding to business enquiries.

e) Vital Interests, such as processing necessary to protect someone's life (rare in our context).

6.2 Some of the above grounds will overlap, and there may be several grounds which justify our use of personal information.

6.3 We use the information we collect for the following purposes:

a) Delivering HR consultancy and support services;

b) as part of our internal recruitment, administration and management processes;

c) in order to make business decisions;

d) for the operation of client accounts;

e) managing client relationships and contracts;

f) to provide and improve products and services;

g) for information updates and marketing purposes;

h) for dealing with queries, complaints or claims;

i) responding to enquiries and consultations;

j) sending service updates and important notices;

k) understanding how our website is used;

l) analysing service effectiveness;

m) developing new services and features;

n) ensuring website security and preventing fraud;

o) meeting regulatory requirements;

p) responding to legal requests;

q) protecting our legal rights and interests;

r) processing enquiry forms and initial consultations;

s) responding to requests for information about our services;

t) managing newsletter subscriptions and sending HR updates, insights and industry news (with your consent).

6.4 Situations in which we will process particularly sensitive personal information include to:

a) Manage recruitment processes.

b) Monitor and report for equal opportunities purposes.

c) Comply with employment and other laws, such as for equal opportunities reporting.

d) Exercise rights in connection with employment.

7. Change of purpose

7.1 We only use personal information for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that the reason identified is compatible with the original purpose.

8. Consent and withdrawing consent

8.1 In limited circumstances, when we will not rely on the grounds for collecting, processing and transfer set out in this Privacy Notice, we may approach individuals directly for written consent to allow us to process certain particularly sensitive data. Individuals do not have to agree to any request for consent from us.

8.2 Individuals who have provided written consent to the collection, processing and transfer of personal information for a specific purpose have the right to withdraw consent for that specific processing at any time.

9. Information about criminal convictions

9.1 We will only collect, store or use information about criminal convictions if it is appropriate given the nature of the role and when we are legally able to do so, primarily in order to manage employment vetting processes.

10. Sharing data with third parties

10.1 We may share appropriate information with appointed Data Processors, such as technical or administration support engaged by Mustard HR, with whom we have the appropriate agreements in place.

10.2 We will share your personal information with other third parties when required by law, when it is necessary to administer our working relationship with you or when we have another legitimate interest in doing so.

10.3 We will not transfer any personal data outside of the UK in order to perform a contract or otherwise, unless:

a) the transfer is to a country which provides an adequate level of protection for personal information consistent with and which respects the UK GDPR; or

b) there are appropriate safeguards or binding corporate rules in place; or

c) one of the derogations for specific situations in the applicable Data Protection Legislation applies to the transfer.

10.4 We do not sell, trade, or rent your personal information. We may share your data with:

a) IT service providers and hosting companies.

b) Professional advisors (lawyers, accountants, insurers).

c) Payment processors.

d) Marketing and analytics providers (with your consent).

e) Business Transfers.

10.5 If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

11. Data storage and retention

11.1 We store personal information securely and have in place the appropriate technical and organisational measures to protect and, when required, remove both electronic and any physical records we hold.

11.2 Our appointed Data Processors and any third parties will only process your personal information on our instructions and when they have agreed to treat the information confidentially and keep it secure.

11.3 We retain information as long as the stated purposes in this Privacy Notice still apply. We use our judgement, taking a proportionate approach to balance the needs of our organisation with the impact of retention on individual privacy.

11.4 In the event that a relationship with an individual or organisation comes to an end, or the information is no longer required, we review whether we need to retain all or some personal data and delete that which is not deemed necessary. Generally, we deem it sufficient to retain enough information to confirm that the relationship existed – such as basic contact information and details of contracts (where applicable).

11.5 In addition, we undertake an annual data audit to review our data retention and remove any unnecessary personal data.

a) We review all prospect and enquiry data and delete records where there has been no engagement for the specified period.

b) Where there is a possibility that records may be required in future - for example, to defend a possible claim - we retain the information until the situation is clarified either way, or review at the next audit, whichever is soonest.

c) We comply with applicable legal and regulatory requirements and professional guidelines relating to the retention of information for our business – for example, income and tax audit.

11.6 Upon review, we decide whether information should be erased (irretrievably deleted) or, in limited circumstances, anonymised so that it is no longer in a form which permits identification of data subjects.

11.7 The above processes mean that personal data which isn't in use or required to be retained for another stated reason is not typically retained for longer than a maximum period of 24 months.

11.8 We will dispose of your information by irretrievably deleting it from the website database, email inboxes and our electronic and any physical storage systems.

11.9 We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including:

a) Client Records: up to 6 years after the end of our business relationship (where required for legal and tax purposes).

b) Marketing Contacts: Until you unsubscribe or request deletion.

c) Website Analytics: 26 months (Google Analytics default).

d) Web enquiry forms and initial consultations: 12 months from last contact (or until you request deletion), or 6 years if you become a client.

e) Newsletter subscriptions: Until you unsubscribe or request deletion.

f) Prospective client communications: 12-24 months from last contact (unless you request deletion or become a client).

g) Unsuccessful job applications: 6 months from the date of the recruitment decision, or up to 12 months if you have consented to us retaining your details for future opportunities.

12. Data Security

12.1 We implement appropriate technical and organisational measures to protect your personal data, including:

a) Encryption of data in transit and at rest

b) Regular security assessments and updates

c) Access controls and authentication measures

d) Training and guidance on data protection

e) Incident response procedures

12.2 However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

13. Rights in relation to personal data

13.1 Under data protection law, individuals have rights, including:

a) Right of access – the right to ask us for copies of personal information.

b) Right to rectification – the right to ask us to correct or delete personal information if believed to be inaccurate or incomplete.

c) Right to erasure – the right to ask us to delete personal information in certain circumstances.

d) Right to restriction of processing – the right to ask us to restrict the processing of personal information in certain circumstances.

e) Right to object to processing – the right to object to the processing of personal information in certain circumstances.

f) Right to request transfer – the right to ask that we transfer the personal information given to us by an individual or another person in certain circumstances.

g) Right to data portability – receive your data in a structured, machine-readable format.

h) Right to withdraw consent – where processing is based on consent.

13.2 To exercise any of these rights, please contact us using the details in the Data Controller Information section.

14. Children's Privacy

14.1 Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete that information.

15. Marketing Communications

15.1 We may send you marketing communications if you have:

a) Given us your consent, or

b) Purchased services from us and not opted out of marketing.

15.2 You can unsubscribe from marketing emails at any time by:

a) Clicking the unsubscribe link in any marketing email;

b) Contacting us directly.

16. Changes to This Policy

16.1 We may update this Privacy Policy from time to time. We will notify you of any material changes by:

a) Posting the new Privacy Policy on this page.

b) Updating the "Last updated" date.

c) Sending you an email notification (for significant changes).

16.2 We encourage you to review this Privacy Policy periodically.

17. Contact

17.1 Our core activities do not require us to monitor or process personal data on a large scale and we are not a public authority or body, therefore we are not required to appoint a data protection officer (DPO).

17.2 Lucy Feavearyear, director, is responsible for data protection at Mustard HR. She may be contacted with any requests, queries or concerns regarding this Privacy Notice or any other data protection issue by emailing: lucy@mustardhr.co.uk

17.3 If you remain unhappy with how we've used your data after raising a complaint with us, you can raise your concerns with the ICO at the following address:

Information Commissioner's Office
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire
SK9 5AF

The ICO Helpline number is 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint

Questions About This Policy?

If you have any questions about this Privacy Policy or how we handle your personal information, please don't hesitate to get in touch.
