Last updated: 20th April, 2025
1. Introduction: Our Commitment to Your Privacy
1.1. Welcome: Welcome to Qamla. Qamla Ltd ("Qamla", "we", "us", "our"), a company registered in England and Wales, places the highest importance on protecting the privacy and security of the Personal Data entrusted to us by all users of our services.
1.2. Scope of this Policy: This Privacy Policy provides a comprehensive explanation of our practices regarding the collection, use, processing, storage, sharing, protection, and handling of your Personal Data when you interact with our online hiring platform. This encompasses our websites (primarily qamla.co.uk and its subdomains), any associated mobile applications, Application Programming Interfaces (APIs), and all related recruitment tools, features, and services offered by Qamla (collectively referred to herein as the "Services").
1.3. Your Rights and Applicable Law: This Policy details your rights concerning your Personal Data under applicable Data Protection Law. This includes, where applicable, the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR 2016/679), the UK Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and other relevant national and international privacy and data security legislation. This Policy also explains how you can exercise these important rights.
1.4. Understanding Our Practices: We strongly encourage you to read this Privacy Policy carefully and in its entirety, in conjunction with our Master Terms of Service and Cookie Policy. Doing so will help you understand how we manage your Personal Data. By accessing, registering for, or using any part of our Services, you acknowledge that you have read, understood, and accept the data handling practices described within this Privacy Policy. If you do not agree with any part of this Policy, you should refrain from using our Services.
2. About Us and Data Controller Responsibilities
2.1. Who We Are: Qamla Ltd operates the Qamla online hiring platform. [Company Registration Number optional].
2.2. Qamla as Data Controller: For the vast majority of Personal Data processing activities described in this Policy that occur directly through the provision and operation of the Services, Qamla Ltd acts as the data controller under Data Protection Law. In this capacity, we are responsible for determining the purposes for which and the manner in which your Personal Data is processed.
2.3. Our Contact Details: Our registered office address serves as our primary point of contact for data protection matters. You can reach us regarding privacy at:
Qamla Ltd
Attn: Data Privacy / Legal Department
Unit B15
129 Mile End Road
London, E1 4BG
United Kingdom
Email for privacy inquiries: legal@qamla.co.uk
2.4. Employer as Data Controller: It is important to understand the distinct roles on our Platform. When an Employer uses our Services to post Job Opportunities, receive applications, and manage their recruitment process, that Employer typically acts as an independent data controller for the Personal Data contained within the applications they receive from Job Seekers. Qamla's role in facilitating this process (e.g., transmitting the application from the Job Seeker to the Employer) is generally that of a data processor, acting on the Employer's behalf and instructions. This processor relationship is governed by our Data Processing Addendum (DPA) where applicable (see Section 9.5). Job Seekers should also consult the privacy policies of Employers they apply to.
2.5. Data Protection Officer (DPO): [Optional: Insert if applicable] We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our compliance with Data Protection Law. If you wish to contact the DPO directly regarding data protection matters, please use the contact information provided in Section 14, specifying your query is for the DPO.
3. The Personal Data We Collect and How We Collect It
We collect various categories of Personal Data to provide and improve our Services. The specific data collected depends on your role (Job Seeker, Employer representative, general visitor) and how you choose to interact with our Platform.
3.1. Information You Directly Provide to Us:
(a) Account Registration and Identity Verification: When you create an Account, we require essential contact and identity information, such as your full name, email address, telephone number, postal address (verified using services like getaddress.io), and chosen login credentials (username, password which is securely hashed using bcrypt). Employers will also provide company identification details (legal name, registration number) and business contact information. We reserve the right to request additional information to verify identity if necessary for security or compliance reasons.
(b) Job Seeker Profile, CV, and Application Data: As a Job Seeker, you may provide comprehensive professional and personal details when building your online profile, uploading an existing CV/resume, using our CV building tools, writing cover letters, or submitting applications for Job Opportunities. This data category can be extensive and may include: detailed employment history (past roles, responsibilities, dates), educational background (institutions, degrees, dates), specific skills (technical, soft skills, languages), professional qualifications and certifications, language proficiency levels, details of professional references (you must ensure you have explicit consent from your references before providing their contact details to us or potential Employers), salary expectations or historical salary information (optional), work authorization status (e.g., right to work in a specific country), professional affiliations or memberships, links to external online portfolios (e.g., GitHub, Behance) or professional network profiles (e.g., LinkedIn), and optionally, photographs or introductory videos if you utilize features allowing their upload. Important Note on Sensitive Data: We strongly advise Job Seekers against including sensitive Personal Data (also known as 'special category data' under GDPR, such as information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, data concerning health, or data concerning a natural person's sex life or sexual orientation) in their general profile or CV unless it is strictly necessary for a specific Job Opportunity being applied for, explicitly requested by the Employer for legitimate and legally permissible reasons (e.g., diversity monitoring where allowed by law), and provided with your explicit consent where required.
(c) Employer Job Opportunity and Company Data: As an Employer, when you post Job Opportunities, you provide detailed information including job titles, comprehensive job descriptions outlining responsibilities and requirements, necessary skills, qualifications, and experience levels, job locations (physical or remote), salary ranges or compensation packages, information about your company culture, mission, and values, specific application instructions, and contact points for candidate inquiries.
(d) Communications: We collect and store information contained within your communications with Qamla's customer support team (whether via email to support@qamla.co.uk, through platform-based messaging systems, or other channels), feedback you provide on our Services, responses to surveys or questionnaires we may send, and potentially communications exchanged between Users (e.g., Employer to Job Seeker) facilitated through integrated messaging tools on the Platform. Note that such user-to-user communications may be subject to monitoring for security, fraud prevention, and compliance purposes, as outlined in our Master Terms of Service.
(e) Marketing Preferences: We keep a record of your preferences regarding receiving marketing communications from Qamla, including opt-in and opt-out choices.
3.2. Information Collected Automatically Through Your Use of the Services:
(a) Technical and Device Information: When you interact with our Platform, our servers automatically log technical details about your device and connection. This includes your Internet Protocol (IP) address, unique device identifiers (e.g., MAC address, advertising ID where applicable), browser type (e.g., Chrome, Firefox) and version, details of browser plug-ins, operating system (e.g., Windows, macOS, iOS, Android) and platform, screen resolution, language preferences, time zone setting, and potentially general geographic location inferred from your IP address.
(b) Usage and Interaction Data: We automatically collect data about how you navigate, interact with, and use our Services. This encompasses the specific pages you visit, the features you utilize (e.g., search filters applied, interactions with the CV builder, buttons clicked, application submission steps), the time spent on different pages or features, the sequence of your navigation path, links you click on, the source that referred you to our site (e.g., a search engine or another website), diagnostic data such as crash reports, and other performance, interaction, and usage statistics. We maintain activity logs primarily for purposes of security monitoring, fraud detection, service optimization, and ensuring platform stability.
(c) Session Management Data: To maintain your logged-in state and provide a seamless user experience during a single visit, we use necessary mechanisms, such as secure tokens stored temporarily in your browser's local storage or session storage.
3.3. Information Received from Third-Party Sources:
(a) Social Login / Authentication Providers (OAuth): If you opt to register or log in to your Account using third-party authentication services like Google or LinkedIn, we will receive certain profile information from that service as permitted by your authorization and privacy settings on their platform. This typically includes your name, email address, and profile picture.
(b) Payment Processors (Stripe): When you subscribe to paid Services or make other purchases, our designated secure third-party payment processor, Stripe, handles the financial transaction. Stripe provides us with confirmation of payment success, subscription details, and limited transaction identifiers necessary for record-keeping and service provision. Qamla does not receive, store, process, or have access to your full credit card number or other sensitive payment card details.
(c) Address Verification Services (getaddress.io): To enhance data accuracy, particularly for Employer billing or User location details where relevant, we may utilize services like getaddress.io to help validate or auto-complete postal addresses provided by you.
(d) AI Service Providers (Gemini): For specific AI-driven features, such as resume analysis/parsing or assistance with enhancing job descriptions, relevant User Content (like the text of a CV or job description) is processed by our designated third-party AI provider, Gemini. This processing occurs based on our strict instructions and subject to robust contractual agreements that require confidentiality, security, and compliance with Data Protection Law. The processing is typically transient and focused on generating the specific requested output (e.g., a skills summary, suggested improvements).
(e) Publicly Available Professional Sources: In limited circumstances, where lawful and relevant to enhancing the Services (e.g., verifying company details), we may gather professional information from publicly accessible sources such as official company registries, corporate websites, or professional networking platforms like LinkedIn company pages.
(f) Employers and Recruitment Agencies: We may receive Personal Data about Candidates when Employers or authorized recruitment agencies utilize specific features of our Services to manage their candidate pool or recruitment workflows through the Platform.
3.4. Aggregated and Anonymized Data: We may collect, process, use, and share Aggregated Data for various legitimate business purposes, such as analyzing platform usage trends, understanding market demographics, improving our Services, developing new features, generating industry insights, and for marketing. Aggregated Data is statistical or demographic information derived from Personal Data but processed in a way that it can no longer be used to identify any specific individual (it is anonymized). As such, it is not considered Personal Data under Data Protection Law. However, if we combine Aggregated Data with your Personal Data such that you can be identified, we will treat the combined dataset as Personal Data and handle it strictly in accordance with this Privacy Policy.
4. Purposes and Legal Bases for Using Your Personal Data
4.1. We collect and process your Personal Data only for specified, explicit, and legitimate purposes. We ensure that we have a valid legal basis under Data Protection Law for each processing activity. The primary purposes and legal bases are:
Purpose of Processing | Examples of Relevant Data Types | Primary Legal Basis (under UK/EU GDPR) |
To Register and Manage Your Account | Identity, Contact, Technical | Performance of a contract (to fulfil our agreement to provide you with an account). |
To Provide, Operate, and Maintain the Services | Identity, Contact, Profile/Professional, Job Opportunity, Technical, Usage | Performance of a contract (to deliver the core platform functionality you request); Legitimate interests (to operate, maintain, and improve our online hiring platform efficiently). |
To Facilitate Job Applications and Connections Between Users | Identity, Contact, Profile/Professional, Job Opportunity, Communication | Performance of a contract (acting as the platform facilitating these interactions); Legitimate interests (enabling the core recruitment purpose of the platform). |
To Process Payments for Paid Services (via Stripe) | Identity, Contact, Transaction Data | Performance of a contract (to process payment for subscribed services); Legitimate interests (to obtain payment for services rendered). |
To Manage Our Relationship with You (Support, Notifications, etc.) | Identity, Contact, Communication, Technical, Usage | Performance of a contract; Legitimate interests (providing customer support, keeping records updated, improving engagement); Legal obligation (for certain essential service notices). |
To Improve and Develop the Platform and Services | Technical, Usage, Aggregated Data, Feedback | Legitimate interests (understanding user needs, enhancing usability, developing new features, ensuring network and information security). |
To Operate AI Features (e.g., matching, summaries via Gemini) | Profile/Professional, Job Opportunity, Usage | Legitimate interests (providing value-added features to enhance service efficiency and user experience). We aim to implement appropriate safeguards, including human oversight where legally required for decisions with significant effects. |
To Ensure Platform Security, Prevent Fraud, and Enforce Terms | Identity, Contact, Technical, Usage, Activity Logs | Legitimate interests (protecting Qamla, our platform, users, and business integrity); Legal obligation (e.g., investigating illegal activities). |
To Comply with Legal and Regulatory Obligations | Various data types as required by the specific obligation | Legal obligation (e.g., responding to legal requests, tax compliance). |
To Send Direct Marketing Communications (where permitted) | Identity, Contact, Marketing Preferences | Consent (where required by law, e.g., for email/SMS marketing to individuals); Legitimate interests (marketing to existing business contacts about similar services, where permitted). Consent can be withdrawn at any time. |
To Conduct Data Analytics and Business Intelligence | Technical, Usage, Aggregated Data | Legitimate interests (understanding service usage trends, defining customer segments, informing business and marketing strategy). |
4.2. Reliance on Legitimate Interests: Where we rely on legitimate interests, we have performed balancing tests to ensure they are not overridden by your rights. You may have the right to object (see Section 9).
4.3. Reliance on Consent: Consent is generally sought for non-essential activities like certain marketing. You can withdraw consent at any time without affecting prior lawful processing.
5. How and Why We Share Your Personal Data
5.1. Commitment to Privacy: We do not sell your Personal Data. Sharing occurs only when necessary, lawful, or with consent.
5.2. Sharing Between Users:
(a) Job Seeker Data: Shared with Employers applied to, or searching (if profile public).
(b) Employer Data: Job/company info visible to Job Seekers.
5.3. Third-Party Service Providers (Data Processors): Companies performing functions on our behalf under contract (e.g., Hosting: Hostinger VPS, Vercel; Payments: Stripe; Auth: Google, LinkedIn; Address Check: getaddress.io; AI: Gemini; Analytics; Support tools; Security providers). They access only necessary data for specified purposes and are bound by data protection obligations.
5.4. Qamla Affiliates: Within our corporate group for internal administrative or operational purposes.
5.5. Legal Requirements & Business Transfers: If required by law/legal process, or during a merger/acquisition/sale (under confidentiality, with notice).
5.6. With Your Explicit Consent: When you agree to share with other specific third parties.
6. International Data Transfers
6.1. Cross-Border Processing: Your Personal Data may be transferred to/processed outside the UK/EEA (e.g., USA) where providers (Hostinger, Vercel, Stripe, Google, Gemini, etc.) operate. Data protection laws may differ.
6.2. Safeguards: We ensure transfers comply with Data Protection Law using appropriate safeguards like Adequacy Decisions or Standard Contractual Clauses (SCCs) (with UK Addendum where needed). We ensure these or equivalent protections are contractually in place with relevant providers.
6.3. Further Information: By using our Services, you acknowledge potential international transfers. Contact us (Section 14) for details on specific safeguards used.
7. Data Security
7.1. Our Security Measures: We implement appropriate technical and organizational measures designed to protect Personal Data. Technical measures include TLS encryption (in transit), bcrypt password hashing (at rest), secure server configurations (e.g., on Hostinger VPS/Vercel). Organizational measures include Role-Based Access Control (RBAC), access logging, security monitoring, staff training, and incident response plans.
7.2. Access Control: Access limited to authorized personnel/providers with a need-to-know, under confidentiality duties.
7.3. Breach Procedures: We have procedures for suspected breaches and will notify you and regulators (e.g., UK ICO) if legally required, aiming for within 72 hours for notifiable breaches.
7.4. Limitations: No system is 100% secure. User vigilance (strong passwords, device security) is crucial.
8. Data Retention
8.1. Storage Limitation Principle: We retain Personal Data only as long as reasonably necessary for the purposes collected, plus legal/regulatory/accounting/reporting/dispute resolution needs.
8.2. Retention Period Factors: Determined by data volume, nature, sensitivity; potential risks; processing purposes; legal/business requirements.
8.3. General Retention Approach:
(a) Account Information: Retained while Account active, plus a limited, defined period post-closure for operational/legal reasons, then deleted/anonymized.
(b) User Content (Profiles, CVs, Job Posts, Applications): Generally retained while relevant (Account active, job post live). Permanently removed from active systems upon verified user/admin deletion request, subject to backups and legal holds. Qamla also maintains internal policies aiming to proactively review and remove unnecessary inactive data to comply with storage limitation.
(c) Financial Records: Retained typically for 6-7 years (UK tax/company law).
(d) Security, Access, and Activity Logs: Retained for shorter periods necessary for security/troubleshooting, unless longer retention required for specific investigations.
8.4. Erasure Requests: Honored unless compelling legal grounds or overriding legitimate interests prevent deletion (which will be explained).
8.5. Anonymization: Anonymized data (no longer Personal Data) may be kept indefinitely for statistical/research purposes.
9. Your Data Protection Rights
Under Data Protection Law, you have specific rights regarding your Personal Data (subject to legal conditions):
9.1. Right of Access: To request a copy of the Personal Data we hold about you and details about its processing.
9.2. Right to Rectification: To request correction of inaccurate or incomplete Personal Data.
9.3. Right to Erasure ('Right to be Forgotten'): To request deletion where there is no compelling legal reason for continued processing.
9.4. Right to Restrict Processing: To request processing suspension under certain conditions.
9.5. Right to Data Portability: To receive certain Personal Data you provided in a common format and request its transfer.
9.6. Right to Object: To object to processing based on legitimate interests; absolute right to object to direct marketing.
9.7. Right to Withdraw Consent: To withdraw previously given consent anytime (affects future processing).
9.8. Rights related to Automated Decision-Making: Rights concerning significant decisions based solely on automation (if applicable).
9.9. Right to Lodge a Complaint: To complain to the UK Information Commissioner's Office (ICO) or your relevant EU supervisory authority.
9.10. Exercising Your Rights: Contact us using details in Section 14. Identity verification may be required. We aim to respond within one month. Some data may be manageable via your Account settings.
10. Cookies and Tracking Technologies
10.1. Essential Technologies: We use cookies and similar technologies necessary for website operation, security, and managing user sessions (e.g., using browser storage).
10.2. Non-Essential Trackers: Based on current technical specifications, Qamla does not currently deploy non-essential third-party cookies for analytics or advertising (e.g., Google Analytics, Facebook Pixel).
10.3. Cookie Policy: For details on essential technologies used, see our separate Cookie Policy: [Link to Cookie Policy]. We will update this policy if our usage changes.
11. Children's Privacy
11.1. The Services are not intended for individuals under 18. We do not knowingly collect Personal Data from children under 18. Contact us if you believe we have inadvertently done so.
12. Links to Other Websites
12.1. Our Services may link to third-party sites (e.g., Employer websites). This Privacy Policy does not cover those external sites. We are not responsible for their content or privacy practices. Please review their policies.
13. Changes to This Privacy Policy
13.1. We may update this Privacy Policy periodically. We reserve the right to modify this Policy at any time.
13.2. Material changes will be notified as required by Applicable Law (e.g., email, platform notice), typically with reasonable advance notice. The "Effective Date" at the top indicates the latest revision.
13.3. We encourage you to review this Policy regularly. Your continued use of the Services after the Effective Date constitutes acceptance of the revised terms.
14. Contact Information
14.1. For questions about this Privacy Policy, our data practices, or to exercise your data protection rights, please contact us:
(a) Via Email:
legal@qamla.co.uk
(Please include "Privacy Inquiry" or "Data Protection Request" in the subject line)
(b) Via Post:
Qamla Ltd
Attn: Data Privacy / Legal Department
Unit B15, 129 Mile End Road, London, E1 4BG, United Kingdom
14.2. For general customer support or technical assistance: support@qamla.co.uk.
15. Supervisory Authority
15.1. If you are in the UK, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) (www.ico.org.uk).
15.2. If you are in the EEA, you may lodge a complaint with the supervisory authority in your Member State.
15.3. We would, however, appreciate the opportunity to address your concerns directly before you approach a supervisory authority, so please contact us in the first instance using the details in Section 14.
Live chat