Personal Data Protection Policy
HRThoth LLC
Effective date: 14/01/2026
This Personal Data Protection Policy (hereinafter – the “Policy”) defines the legal grounds, purposes and rules for the collection, processing, use, storage and protection of users’ personal data by HRThoth LLC (hereinafter – the “Company”).
The Policy has been developed in accordance with the requirements of the Georgian Law “On Personal Data Protection” and is based on international personal data protection standards, including the core principles of the EU General Data Protection Regulation (GDPR) (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, security and accountability).
1. Terms
Data Controller (the Company) – HRThoth LLC, which determines the purposes and means of processing personal data and carries out such processing directly or through an authorised person.
Data Subject / User – any natural person whose personal data is processed by the Company (employee, job seeker, employer representative).
Personal Data – any information relating to an identified or identifiable natural person.
Authorised Person for Processing – a natural or legal person that processes personal data on behalf of the Company or for the Company.
Profiling – automated processing of data whose purpose is to assess the user’s professional characteristics, skills, experience or suitability.
Direct Marketing – use of telephone, electronic mail or other means of communication to deliver to the user information, notifications, advertisements, offers or service-related information for the purpose of forming, maintaining or realising the user’s interest.
2. What information we collect
The Company collects and processes personal data only to the extent necessary for the functioning of the platform, provision of services to users and fulfilment of obligations prescribed by law.
Collection of personal data is carried out both through direct provision by the data subject and automatically during the use of the platform.
The personal data processed by the Company may include the following categories:
Identification and contact data – first name and surname, residential address, date of birth, telephone number, email address, organisation name, IP address and session duration.
Professional and socio-demographic data – information about education, work experience, professional skills and qualifications, place of work, career history, evaluations and the professional profile created within the platform.
Contract and service-related data – information related to the use of services offered by the Company, account status, functions used and scope of services.
Behavioural and technical data – information about the user’s interaction with the platform, including navigation history, functions used, session times – necessary for ensuring the proper functioning and security of the platform.
Documentary data – documents uploaded by the user to the platform, including résumé (CV), diplomas, certificates and other documents confirming qualifications.
The Company does not collect personal data from third parties. All data is received directly from the data subject or with their consent through automated technologies.
3. Sources of data
Personal data is collected through:
direct provision by the user (registration, submission of application, uploading documents);
the process of communication with the Company;
automatically during the use of the website and services.
4. Cookies and similar technologies
The Company uses cookies and similar technologies to improve user experience, personalise content, analyse traffic and increase the efficiency of the platform.
Management of cookies is possible through the settings of the user’s browser.
5. Marketing communication (direct marketing)
The Company has the right, in compliance with applicable legislation, to use the user’s personal data to deliver content related to news, updates and recommendations concerning the platform and services, taking into account the user’s interests.
Marketing communication is carried out only on a lawful basis and is not intended for unlawful use of data. All messages are aimed at improving user experience and promoting effective use of the platform.
The user has the right at any time, without any additional explanation, to opt out of processing of data for direct marketing purposes.
An opt-out request is processed within 7 (seven) business days. Every marketing message contains a simple and clear opt-out mechanism.
6. Purposes and legal bases of data processing
Personal data is processed for the following purposes:
ensuring the functioning of the platform;
connecting candidates and employers with each other and facilitating communication;
creating profiles and recommendations;
improving the quality of services;
communication with the user and receiving feedback;
fulfilment of obligations prescribed by law.
The legal bases for processing are: consent of the data subject, legitimate interests of the Company, and legal obligation imposed by law.
7. Transfer of data to third parties
Personal data is not transferred to third parties except in cases provided by law or to service providers with whom appropriate confidentiality agreements have been concluded.
Personal data processed by the Company is stored and processed on servers located in EU member states.
Under Georgian law and international data protection standards, EU member states are considered safe countries for the processing of personal data, in which a high level of data protection is ensured.
Processing of personal data on servers located in the territory of the European Union complies with:
the principles of the Georgian Law “On Personal Data Protection”;
the requirements of the EU General Data Protection Regulation (GDPR).
The Company ensures that the processing of personal data on servers is carried out using appropriate technical and organisational security measures and that no transfer of data occurs to countries or third parties where an adequate level of personal data protection is not ensured, except in cases directly provided by law.
8. Data categories, retention periods and retention rules
HRThoth retains personal data only during the period when the account is active and the data is necessary for the provision of platform services.
If the account becomes inactive for a certain period, a limited retention period begins, after the expiry of which the data is deleted or anonymised.
Definition of an active account
An account is considered active if the user:
logs in to the platform
updates the profile
sends or receives messages
submits an application for a job
publishes a job advertisement
In the case of an active account, data is retained because its processing is necessary for the functioning of the service.
Definition of an inactive account
An account is considered inactive if the user performs no action for twelve months.
After inactivity is recorded, an additional retention period of twelve months begins.
Candidate’s personal data
Data types:
name
email
phone
profile information
CV / résumé
Purposes of use:
authorisation
profile display
job applications
communication with companies
Retention rule:
Data is retained during the period of account activity and for a maximum of twelve months after inactivity.
Candidate’s application history
Data:
job identifier
status
dates
Purposes of use:
dispute resolution
ensuring system reliability
statistical analysis
Retention rule:
Fully retained on active accounts; anonymised after inactivity.
Company profile data
Data:
company name
industry
description
logo
Purposes of use:
company identification
publishing jobs
Retention rule:
Retained during the period of company account activity and for a limited period after inactivity.
Company employees and roles
Data:
user identifier
role
Purpose of use:
access management
Retention rule:
Retained during the period of cooperation and deleted thereafter.
Job postings (Jobs)
Purposes of use:
display to candidates
historical records
Retention rule:
Retained during active status; anonymised thereafter.
Analytical data
Purposes of use:
product improvement
statistical analysis
Retention rule:
Retained only in anonymised form and without time limit.
General logic of retention periods
Active account – data is retained
Inactive account – final retention period begins
After expiry of the period – data is anonymised or deleted
Anonymisation approach
During the anonymisation process:
email is deleted
phone is deleted
name is replaced with the text “Deleted User”
CV files are deleted
Only data that can no longer be linked to a specific individual remains.
Anonymised data is no longer considered personal data within the meaning of GDPR.
User deletion request
If the user requests deletion of the account:
the account is immediately deactivated
a twelve-month retention period begins
after expiry of the period, anonymisation or deletion occurs
Technical enforcement mechanism
The system stores for each account:
date of last activity
inactivity status
anonymisation status
Daily automated process:
checks the date of last activity
assigns the corresponding status to inactive accounts
initiates anonymisation or deletion after expiry of the period
All actions are logged.
Backups
Personal data may temporarily exist in encrypted backup copies that are automatically overwritten in accordance with the above periods and are not used for active processing.
8. Data Protection Officer (DPO)
Sopio Gogoladze, Personal Data Protection Officer
Email: sopioo.gogoladze@gmail.com
9. Data security
The Company uses reasonable technical and organisational measures to ensure data protection, including encryption (AES-256), role-based access control, security audits and employee training.
10. Rights of the data subject
The data subject has all rights defined in the Georgian Law “On Personal Data Protection”. The Company ensures the exercise of these rights in accordance with the procedure and time limits established by law.
10.1
The data subject has the right to request from the Company information regarding the processing of data concerning him/her. In such case, the Company, no later than 10 (ten) calendar days from receipt of the request, provides the following information:
10.1.1 which categories of data are being processed concerning him/her;
10.1.2 for what purpose the data is being processed;
10.1.3 on what legal basis the data is being processed;
10.1.4 in what manner the personal data was collected;
10.1.5 whether his/her data has been disclosed to a third party, to whom it was disclosed – the basis and purpose of disclosure.
10.2
The data subject has the right to access personal data concerning him/her held by the controller and to receive copies of such data free of charge, except in cases where:
a) a fee is prescribed by Georgian legislation for access to and/or provision of copies of data;
b) the controller has established a reasonable fee for providing the data in a form different from the form of storage, due to the resources expended and/or the frequency of requests.
The data subject has the right to access the data referred to in the first paragraph of this article and/or receive copies thereof no later than 10 business days from the request, unless another period is established by Georgian legislation.
The period may be extended by no more than 10 business days in exceptional cases and with proper justification, of which the data subject must be immediately informed.
The data subject has the right to access the data and/or receive copies thereof in the form in which it is protected by the controller and/or the authorised processor. The data subject also has the right to request delivery of copies of the data concerning him/her in a different form, against a reasonable fee established by the controller, if technically feasible.
10.3
The data subject has the right to request the controller to rectify, update and/or complete inaccurate, incorrect and/or incomplete data concerning him/her.
No later than 10 business days from receipt of the request (unless another period is established by Georgian legislation), the data must be rectified, updated and/or completed, or the data subject must be informed of the grounds for refusal and the procedure for appealing the refusal.
If the controller independently discovers that the data in its possession is inaccurate, incorrect and/or incomplete, it must rectify, update and/or complete the data within a reasonable time and notify the data subject within 10 business days from rectification.
The controller is not obliged to notify the data subject if the rectification, update and/or completion relates to the correction/elimination of a technical error.
10.4
The data subject has the right to request the controller to cease processing (including profiling), erase or destroy data concerning him/her.
No later than 10 business days from the request (unless otherwise provided by Georgian legislation), processing must be ceased and/or the data erased or destroyed, or the data subject must be informed of the grounds for refusal and the procedure for appealing the refusal.
The data subject has the right to receive information about the cessation of processing, erasure or destruction immediately upon performance of the action, but no later than 10 business days.
Where data concerning the data subject is processed in publicly available form, the data subject has the right to additionally request the controller to restrict access to the data and/or erase copies of the data or any internet links associated with the data.
10.5
The data subject has the right to request the controller to block data concerning him/her if one of the following circumstances exists:
a) the data subject disputes the authenticity or accuracy of the data;
b) processing of the data is unlawful, but the data subject opposes erasure and requests blocking;
c) the data is no longer necessary for the purpose of processing, but the data subject needs it for the submission of a complaint/claim;
d) the data subject requests cessation of processing, erasure or destruction of the data, and the request is under consideration;
e) there is a need to retain the data as evidence.
Upon request of the data subject, the controller is obliged to block the data if one of the circumstances listed in the first paragraph of this article exists, except where blocking may endanger:
a) performance by the controller of obligations imposed by law or by subordinate normative acts issued on the basis of law;
b) performance of tasks carried out in the public interest or exercise of official authority vested in the controller under Georgian legislation;
c) legitimate interests of the controller or a third party, unless there is a compelling interest of the data subject (especially a minor) in protecting his/her rights that overrides such interests;
d) the Personal Data Protection Service is authorised to decide on blocking before completion of examination of the data subject’s application.
Even after blocking, processing may continue if necessary to protect the vital interests of the data subject or a third party, or for purposes of national security and defence.
Data must be blocked for the duration of the reason for blocking, and where technically feasible, the blocking decision must be attached to the relevant data.
The data subject has the right to receive information about the blocking decision or the grounds for refusal to block immediately upon the decision being made, but no later than 3 business days from the request.
10.6
In case of automated processing, where technically feasible, the data subject has the right to receive from the controller the data he/she provided in a structured, commonly used and machine-readable format, or to request transmission of such data to another controller.
10.7
Except for the data subject’s first name, surname, address, telephone number and email address, processing of other data for direct marketing purposes requires the written consent of the data subject.
The data subject has the right to withdraw consent for processing for direct marketing purposes, in which case processing must cease within a reasonable period, no later than 7 business days from receipt of the request.
10.8
The data subject has the right at any time, without any explanation or justification, to withdraw consent given to the controller.
In such case, upon the data subject’s request, processing must cease and/or processed data must be erased or destroyed no later than 10 business days from the request, unless another legal basis for processing exists.
The data subject may withdraw consent in the same form in which it was given.
Before withdrawal of consent, the data subject has the right to request and receive from the controller information about the possible consequences of withdrawal of consent.
10.9
In case of violation of the rights and procedures established by this law, the data subject has the right to apply to the Personal Data Protection Service, to a court, and/or to a higher administrative body in accordance with the procedure established by law.
The data subject has the right to request that the Personal Data Protection Service adopt a decision on blocking data before completion of examination of the application.
The data subject has the right to appeal a decision of the Personal Data Protection Service to a court in accordance with the conditions and time limits established by Georgian legislation.
11. Data of minors
The platform is not intended for persons under 16 years of age.
In case of discovery of such data, it is immediately deleted.
☐ I confirm that by checking this field I have fully read and agree to the Personal Data Protection Policy of HRThoth LLC:
processing of my personal data for the purposes specified in the Policy;
automated processing of my data, including by way of profiling;
use of my contact data for the purpose of direct marketing.
I acknowledge that this checkbox constitutes my voluntary, informed and unambiguous expression of will and is legally equivalent to written consent.