Kaplunk Privacy Notice (United Kingdom)

Who we are

Ka Plunk Ltd operates a recruitment platform enabling applicants to apply directly to employers. Unless stated otherwise, Kaplunk is the data controller of the personal information described in this notice.

Registered address: Ka Plunk Ltd, 66 Paul St, London EC2A 4NA
Contact for privacy queries / rights requests: info@kaplunk.co.uk
Website: www.kaplunk.co.uk
 
If you are not satisfied with our response, you can raise a concern with the UK Information Commissioner’s Office (ICO): ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; Tel: 0303 123 1113; ico.org.uk

1) Scope & audience

This notice applies to:
 
  • Applicants who create a Kaplunk account and/or apply to roles through Kaplunk.
  • Website users browsing or contacting us.
  • Paying customers who purchase services on the platform.
It covers what we collect, how we use and share it, our lawful bases, international transfers, retention, security, your legal rights, and how to contact us.

ICO guidance encourages transparent, concise and intelligible privacy information tailored to its audience. Where this notice refers to time limits, marketing rules, lawful bases and transfer tools, we follow ICO guidance and the UK GDPR/PECR.

2) Roles: controller vs. processor

  • Kaplunk as controller. We are the controller for account management, platform operation, security, customer support, and any communications we send. 
  • Employers as independent controllers. When you apply to a job, your CV/application is provided directly to the employer for their recruitment purposes; they act as an independent controller of the copy they receive and process it under their privacy notice.
  • Payment providers as independent controllers. If you pay for a Kaplunk service, your card/wallet data is handled by your chosen provider (Stripe/Link, Google Pay, Apple Pay, American Express, PayPal) under their privacy notices and controller responsibilities. [stripe.com], [payments.google.com], [apple.com], [americanexpress.com], [paypal.com]

3) Categories of personal information we collect

Identity & contact — name, email, phone, postal address.
Account — username, password, authentication data, contact preferences.
Profile/CV — work history, education, skills, job titles, role and location preferences, and any information you include in your CV/application. Please do not include special category data (e.g., racial or ethnic origin; political opinions; religious or philosophical beliefs; trade‑union membership; genetic or biometric data; health; sex life or sexual orientation).
Application data — jobs you apply to, application timestamps, employer feedback/status (where provided via the platform).
Transactional — billing address and payment metadata (card numbers are processed by payment providers; Kaplunk does not store full card details).
Technical & security — basic log data and security signals for fraud prevention and account integrity.
 
Sources:
  • Directly from you (registration, CV upload, applications, messages).
  • From your use of the platform (logs for security and troubleshooting).
  • From employers you apply to (application status updates via the platform, if applicable).

4) How your CV and applications are handled

  • Your CV/profile is not placed into any public or searchable Kaplunk candidate database.
  • When you apply for a specific vacancy on Kaplunk, your CV and application are made available to the relevant employer to assess your suitability for that role. They process it as an independent controller under their privacy notice.
  • We will only share your CV/application with courts, police or regulators when we are legally required to do so.
  • For occasional trial client postings, if you apply, we will access and share your CV with that client for the purpose of handling your application.

5) Lawful bases & purposes of processing

We only process personal information where we have a lawful basis under the UK GDPR. The table below maps our key purposes to lawful bases and typical data used.

The ICO requires controllers to identify a lawful basis before processing and to state it in their privacy information; depending on the purpose, most of our activities rely on Contract, Legitimate interests, Consent or Legal obligation. A Legitimate Interests Assessment (LIA) is recommended when relying on legitimate interests (three‑part test: purpose, necessity, balancing).

A. Core processing (platform operation)

| Purpose | Examples | Lawful basis |
|---|---|---|
| Account creation & management | Register you; maintain your profile; keep your account secure; respond to support queries | Contract (to provide the service); Legitimate interests (secure, reliable platform) |
| Application handling | Submit your CV and application to the employer for a specific vacancy; communicate application status | Contract (to perform your instruction) |
| Safety & security | Fraud prevention, abuse detection, account protection, incident response | Legitimate interests (prevent misuse; safeguard users) |
| Legal compliance | Respond to legal requests; maintain tax/audit records | Legal obligation |

B. Communications

| Purpose | Examples | Lawful basis |
|---|---|---|
| Service messages | Password resets, security alerts, application updates | Contract / Legitimate interests |
| Job alerts & relevant course information | Targeted alerts based on your profile; course information that may assist employability | Consent (where required) or Legitimate interests with a clear opt‑out; when sent by email/SMS, we also comply with PECR (consent or soft opt‑in, plus unsubscribe) |

C. Payments

| Purpose | Examples | Lawful basis |
|---|---|---|
| Payment processing & invoicing | Collect billing data; initiate the charge with your chosen provider | Contract; Legal obligation (tax/audit) |

Special category data

We do not request special category data from applicants. If you accidentally include it in your CV/application, we will delete or redact it unless we have a legal obligation to retain it (data minimisation). 
 
Legitimate interests details

When we rely on legitimate interests (e.g., platform security; certain direct communications compatible with your reasonable expectations), we carry out an LIA (purpose, necessity, balancing test) and keep a record under our accountability obligations. 

6) Marketing, job alerts and PECR

  • We do not share your contact details with third parties for their direct marketing.
  • For Kaplunk job alerts and course information sent by email/SMS, we rely on consent or, where permitted, the soft opt‑in for our own similar services and always provide a clear unsubscribe in every message; we do not conceal our identity and provide a valid contact address. These are PECR requirements.
  • You can opt out anytime using the link in the message or via account settings.

7) Who we share information with

  • Employers you apply to — receive your CV/application and process it under their own privacy notice as independent controllers.
  • Service providers (processors) — e.g., secure hosting, email delivery, customer support tools; they act on our instructions under contract with appropriate safeguards.
  • Payment providers — if you buy a service, payment is handled by your selected provider, acting as an independent controller for your payment data (and sometimes device/anti‑fraud data). Review their privacy notices (the providers we use are listed in section 2).
  • Authorities and regulators — where required by law (e.g., responding to lawful requests).
  • Professional advisers — auditors, lawyers; bound by confidentiality.

We do not sell your personal information.

8) International data transfers

Some providers (e.g., payment processors, cloud services) may process personal information outside the UK. Where this occurs, we ensure a lawful transfer mechanism is in place:
  1. UK adequacy regulations (also called data bridges), including the UK Extension to the EU–US Data Privacy Framework (UK‑US Data Bridge) for US recipients self‑certified to the scheme. We verify the recipient’s active certification and scope (HR/non‑HR) on the DPF list.
  2. Appropriate safeguards under Article 46 UK GDPR, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, typically supported by a Transfer Risk Assessment (TRA).
Example: Stripe participates in the UK Extension/DPF (check the DPF participant list for current status). If a US recipient is not certified, we would use the IDTA/Addendum plus a TRA (UK‑specific) before transferring. 

9) Retention (how long we keep data)

We keep personal information only for as long as necessary for the purposes described in this notice (storage limitation) and as required by law (e.g., tax/audit). You can delete your account at any time in settings.
  • Inactive accounts: If you do not log in or engage with our services for five (5) years, we will delete your profile and CV from Kaplunk.
  • Applications: Employers keep copies of applications they received under their retention schedules.
  • Payments: Transactional records may be retained for statutory periods (e.g., tax/audit).
  • Security logs: Retained for a period necessary for security and fraud prevention.

ICO guidance requires controllers to choose and document retention periods aligned to their purposes and legal obligations, and to explain in their privacy notice either those periods or the criteria used to set them.

A detailed schedule appears in Appendix B.

10) Security

We implement appropriate technical and organisational measures (TOMs) to protect personal information, including access controls, encryption in transit, least‑privilege access, protective monitoring, and vendor due diligence. You should use a strong, unique password and keep your login confidential. (For card/wallet data, see your payment provider’s security and privacy documentation.) [stripe.com]

11) Your data protection rights (UK)

You have the following rights under UK data protection law (subject to limits/exemptions):
 
  • Access: receive a copy of your personal data and supplementary information (SAR).
  • Rectification: correct inaccurate/incomplete personal data. [ico.org.uk]
  • Erasure: request deletion in certain circumstances (“right to be forgotten”).
  • Restriction: limit processing in certain circumstances. [ico.org.uk]
  • Portability: receive certain data in a structured, commonly used, machine‑readable format and/or transmit it to another controller.
  • Object: to processing based on legitimate interests and to direct marketing at any time.
  • Withdraw consent: where we rely on consent; this does not affect prior processing.
How to exercise: Email info@kaplunk.co.uk or use in‑product tools. We will respond within one calendar month of receipt; we may extend by up to two further months if the request is complex or multiple requests are made, and we will let you know within the first month if we need more time. We may ask for ID to verify your identity. Fees apply only where requests are manifestly unfounded or excessive. 

Complaints: You may contact the ICO using the details above. 

12) Payments

If you purchase a service, Kaplunk collects the billing address and the information necessary to identify your transaction. All card/wallet data is processed by your chosen provider and stored under their policies (see section 2 for the providers we use and their privacy notices).

Refunds: Kaplunk does not offer refunds (please see our Terms of Service for the contractual details).

13) Children

Our services are not intended for children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided data to us, contact us and we will take appropriate action.

14) Automated decision‑making and profiling

Kaplunk does not make decisions producing legal or similarly significant effects solely by automated means. If this changes, we will update this notice and set out your rights and the logic involved.

15) Cookies and similar technologies

If Kaplunk uses cookies or SDKs (e.g., for session management, analytics, or crash reporting), we will present a cookie banner and provide a Cookies Notice explaining categories, purposes, and retention. Non‑essential cookies (e.g., analytics/advertising) require consent under PECR; you can withdraw consent at any time using cookie settings. We will also maintain records of consent choices. 

16) Changes to this notice

We may update this notice from time to time (for example, if we add features or change providers). We will post the new version here and, where appropriate, notify you by email or in‑app message.

Appendix A — Legitimate Interests Assessment (summary)

When we rely on Legitimate Interests, we complete an LIA documenting:
 
  • Purpose test: why Kaplunk (or users) benefit from the processing (e.g., platform security, service communications that users reasonably expect).
  • Necessity test: why the purpose cannot reasonably be achieved by less intrusive means.
  • Balancing test: weighing our interests against individuals’ interests/rights; safeguards to mitigate risks (e.g., opt‑outs, data minimisation, security).
  • Outcome & review cycle.
Keeping an LIA record is recommended by the ICO and supports the accountability principle.

Appendix B — Retention & deletion schedule (illustrative)


| Data set | Typical retention | Rationale / notes |
|---|---|---|
| User account profile | Active use + 5 years inactivity (then deletion) | Business rule communicated in this notice; supports storage limitation. |
| CV/profile attachments | Active use + 5 years inactivity (then deletion) | Deleted with the account or on request unless legal retention applies. |
| Application metadata | 24 months | Operational/audit trail; employers keep their copies under their own notices. |
| Customer support tickets | 24–36 months | Service quality and dispute resolution. |
| Payment records (Kaplunk side) | Statutory period (typically 6–7 years) | Accounting/tax audit obligations. [ico.org.uk] |
| Security/event logs | 6–24 months (depending on log type) | Detect, investigate and remediate fraud/security incidents (legitimate interests). [ico.org.uk] |

Documenting criteria or specific periods satisfies transparency and accountability expectations. [ico.org.uk]

Appendix C — International transfers & safeguards (detail)

  • Where we use UK adequacy regulations: We confirm the destination is covered (e.g., the UK‑US Data Bridge for eligible US businesses with active certification under the DPF, verifying the recipient’s listing and the data types covered). 
  • Where we use Article 46 safeguards: We choose the IDTA or UK Addendum to the EU SCCs as appropriate, and complete a Transfer Risk Assessment (TRA). For US transfers that are not covered by the UK‑US Data Bridge, ICO allows relying on the UK Government’s analysis to streamline the TRA. 
  • Records: We maintain copies of the executed clauses/addendum and TRA outcomes.
ICO provides detailed guidance and templates for IDTA/Addendum and TRAs.

Appendix D — Data subject requests (DSR) playbook

Intake: centralise via info@kaplunk.co.uk or an in‑product form; log request type and date.
Verify identity: request reasonable ID where necessary; pause the clock until received.
Timeline: respond within 1 calendar month of receipt; extend up to 2 more months if complex/multiple; notify within first month if extending.
Scope: clarify if request is narrow; employers are independent controllers for data they hold.
Search & compile: “reasonable search” across systems; redact third‑party data where required.
Respond securely: provide data in a commonly used, machine‑readable format where applicable.
Refusals: only if manifestly unfounded/excessive or an exemption applies; explain and advise on the ICO route. 

Appendix E — Direct marketing & PECR checklist

  • Choose consent or soft opt‑in (your own similar services) per channel.
  • Capture/record consent; provide unsubscribe in every message; do not conceal identity. 
  • Maintain a suppression list (don’t email those who opted out).
  • If using an email service provider, ensure controller/processor roles are documented, and a data processing agreement is in place.

Appendix F — Cookies & trackers

  • Strictly necessary: authentication, load balancing, security (no consent required).
  • Analytics (e.g., first‑party or third‑party): consent required under PECR; provide toggles by category; load only after consent.
  • Advertising/retargeting: consent required; provide vendor list; support withdrawal at any time.
  • Publish a Cookies Notice with purposes, providers, durations, and how to change settings. 

Appendix G — Contact, DPO & EU/UK representatives

  • Data Protection Officer (DPO): a DPO is required only where processing meets the UK GDPR DPO criteria (e.g., large‑scale monitoring or large‑scale special category processing). If Kaplunk appoints one, their details will be listed here.
  • EU representative (if applicable): required only if Kaplunk actively targets individuals in the EEA without an EU establishment; details would be listed here (not typically required for a business operating only in the UK).
