Personal Data Protection Policy

Effective Date: July 11, 2025

This Personal Data Protection Policy (hereinafter referred to as the "Policy") defines the legal bases, purposes, and rules for the collection, processing, use, storage, and protection of personal data of users by HRThoth LLC (hereinafter referred to as the "Company").

The Policy has been developed in accordance with the requirements of the Georgian Law on Personal Data Protection and is based on international standards for personal data protection, including the fundamental principles of the European Union General Data Protection Regulation (GDPR) (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, security, and accountability).

1. Terms

  • Data Controller (Company) – HRThoth LLC, which determines the purposes and means of personal data processing and carries out processing directly or through an authorized person.
  • Data Subject / User – any natural person about whom the Company processes personal data (employee, job seeker, employer representative).
  • Personal Data – any information relating to an identified or identifiable natural person.
  • Data Processor – a natural or legal person who processes personal data on behalf of or for the Company.
  • Profiling – automated processing of data aimed at evaluating a user's professional characteristics, skills, experience, or suitability.
  • Direct Marketing – providing information, messages, advertisements, offers, or service-related information to users through telephone, email, or other communication means, for the purpose of forming, maintaining, or realizing user interest.

2. What Information We Collect

The Company collects and processes personal data only to the extent necessary for the functioning of the platform, providing services to users, and fulfilling legal obligations.

Personal data is collected both through direct provision by the data subject and automatically during the use of the platform.

Personal data processed by the Company may include the following categories:

  • Identification and Contact Data – name, surname, residential address, date of birth, phone number, email address, organization name, IP address, and session duration.
  • Professional and Socio-Demographic Data – information about education, work experience, professional skills and qualifications, workplace, career history, evaluations, and professional profile created within the platform.
  • Contract and Service-Related Data – information related to the use of services offered by the Company, account status, used functionality, and scope of services.
  • Behavioral and Technical Data – information about user interaction with the platform, including navigation history, features used, session times, necessary for proper platform operation and security.
  • Documentary Data – documents uploaded by users to the platform, including CV (resume), diplomas, certificates, and other qualification documents.

The Company does not collect personal data from third parties. All data is obtained directly from the data subject or with their consent through automated technologies.

    3. Data Sources

    Personal data is collected:

    • Directly provided by the user (registration, application submission, document upload);
    • During communication with the Company;
    • Automatically through the use of the website and services.

    4. Cookies and Similar Technologies

    The Company uses cookies and similar technologies to improve user experience, personalize content, analyze traffic, and increase platform efficiency.

    Cookie management is available through browser settings.

    5. Marketing Communication (Direct Marketing)

    The Company has the right, in compliance with applicable legislation, to use user personal data to provide news, updates, and recommendations related to the platform and services, taking into account user interests.

    Marketing communication is carried out only on a lawful basis and does not serve unlawful use of data. All messages are aimed at improving user experience and promoting effective use of the platform.

    Users have the right to opt out of data processing for direct marketing purposes at any time without additional explanation. Opt-out requests are processed within 7 (seven) business days, and each marketing message provides a simple and clear mechanism for opting out.

    6. Data Processing Purposes and Legal Bases

    Personal data is processed for the following purposes:

    • To ensure the functioning of the platform;
    • To connect and facilitate communication between candidates and employers;
    • To create profiling and recommendations;
    • To improve service quality;
    • For communication with users and receiving feedback;
    • To fulfill legal obligations.

    Legal bases for processing are: data subject consent, legitimate interest of the Company, and legal obligation.

    7. Data Transfer to Third Parties

    Personal data is not transferred to third parties, except in cases provided by law or to service providers with whom an appropriate confidentiality agreement has been concluded.

    8. Data Retention Period

    Personal data is retained for as long as necessary for legal or operational purposes. After the expiration of the period, data is deleted or anonymized.

    9. Data Security

    The Company uses reasonable technical and organizational measures to ensure data protection, including encryption (AES-256), role-based access control, security audits, and employee training.

    10. Data Subject Rights

    Data subjects have all rights defined by the Georgian Law on Personal Data Protection. The Company ensures the realization of these rights in compliance with legally established rules and deadlines.

    10.1

    Data subjects have the right to request information from the Company about the processing of their data. In such cases, the institution shall provide the following information within 10 (ten) calendar days from receipt of the notification about the request:

    • 10.1.1 Which category of data is being processed about them;
    • 10.1.2 For what purpose the data is being processed;
    • 10.1.3 On what legal basis the data is being processed;
    • 10.1.4 How the personal data was collected;
    • 10.1.5 Whether their data has been disclosed to a third party, to whom it was disclosed – the basis and purpose of disclosure.

    10.2

    Data subjects have the right to access personal data held about them by the data controller and receive copies of such data free of charge, except in cases where access to data and/or issuance of data copies requires:

    • a) A fee provided for by Georgian legislation;
    • b) A reasonable fee established by the data controller for resources spent on issuing data in a form different from the storage form and/or due to the frequency of requests.

    Data subjects have the right to access the data provided for in the first paragraph of this article and/or receive their copies within 10 business days from the request, unless a different deadline is established by Georgian legislation.

    In exceptional cases with proper justification, the deadline may be extended by no more than 10 business days, of which the data subject must be notified immediately.

    Data subjects have the right to access the data provided for in the first paragraph of this article and/or receive their copies in the form in which they are stored with the data controller and/or the data processor. Data subjects also have the right to request delivery of copies of their data in a different form, in exchange for a reasonable fee established by the data controller, if this is technically feasible.

    10.3

    Data subjects have the right to request correction, updating, and/or completion of incorrect, inaccurate, and/or incomplete data about them from the data controller. The institution must correct, update, and/or complete the data within 10 business days (unless a different deadline is established by Georgian legislation), or the data subject must be notified of the grounds for refusal and the procedure for appealing the refusal must be explained.

    11. Minor's Data

    The platform is not intended for persons under 16 years of age. If such data is discovered, it will be immediately deleted.

    Consent Confirmation

    I confirm that by marking this field, I have fully read and agree to HRThoth LLC's:

    • Personal Data Protection Policy;
    • Processing of my personal data for the purposes specified in the Policy;
    • Automated processing of my data, including through profiling;
    • Use of my contact data for direct marketing purposes.

    I acknowledge that this marking represents my voluntary, informed, and unambiguous expression of will and is legally equivalent to written consent.

    Contact Us

    For questions or to exercise your data rights, contact us at: info@hrthoth.com

    If the data controller independently discovers that the data in its possession is incorrect, inaccurate, and/or incomplete, it must correct, update, and/or complete the data within a reasonable time and notify the data subject within 10 business days from the correction.

    The data controller has no obligation to notify the data subject if the correction, updating, and/or completion of data is related to the correction/elimination of a technical error.

    10.4

    Data subjects have the right to request the cessation of processing (including profiling), deletion, or destruction of their data from the data controller. Within 10 business days from the data subject's request (unless otherwise established by Georgian legislation), data processing must be ceased and/or data must be deleted or destroyed, or the data subject must be notified of the grounds for refusal and the procedure for appealing the refusal must be explained.

    Data subjects have the right to receive information about the cessation of processing, deletion, or destruction of data immediately upon completion of the relevant action, but no later than 10 business days.

    In case of processing data about them in a publicly accessible form, data subjects additionally have the right to request from the data controller the restriction of data accessibility and/or deletion of data copies or any internet link connecting to the data.

    10.5

    Data subjects have the right to request blocking of their data from the data controller if one of the following circumstances exists:

    • a) The data subject disputes the authenticity or accuracy of the data;
    • b) Data processing is unlawful, but the data subject objects to their deletion and requests blocking of the data;
    • c) The data is no longer necessary for the purpose of processing, but the data subject needs it for filing a complaint/claim;
    • d) The data subject requests cessation, deletion, or destruction of data processing and this request is under review;
    • e) There is a necessity to retain the data for use as evidence.

    The data controller is obligated to block the data at the request of the data subject if one of the circumstances provided for in the first paragraph of this article exists, except when blocking the data may pose a threat to:

    • a) The fulfillment of obligations imposed on the data controller by law and/or subordinate normative act issued on the basis of law;
    • b) The performance of tasks attributed to the sphere of public interest in accordance with the law or the exercise of authority granted to the data controller by Georgian legislation;
    • c) The legitimate interests of the data controller or a third party, except when there is a prevailing interest in protecting the rights of the data subject, especially a minor;
    • d) The Personal Data Protection Service is authorized to make a decision on blocking data before the completion of reviewing the data subject's application. Despite blocking the data, processing of such data may continue if it is necessary to protect the vital interests of the data subject or a third party, as well as for state security and defense purposes.

    Data must be blocked for the duration of the reason for blocking, and during this period, if technically feasible, the decision on data blocking must accompany the relevant data.

    Data subjects have the right to receive information about the decision made regarding data blocking or the grounds for refusing to block data immediately upon the decision, but no later than 3 business days from the request.

    10.6

    In case of automated data processing, if technically feasible, data subjects have the right to receive data provided by them in a structured, commonly used, and machine-readable format from the data controller, or to request transfer of such data to another data controller.

    10.7

    Apart from the data subject's name, surname, address, phone number, and email address, processing of other data for direct marketing purposes requires the written consent of the data subject. Data subjects have the right to withdraw consent for data processing for direct marketing purposes, in which case data processing must cease within a reasonable period from receipt of the request, no later than 7 business days.

    10.8

    Data subjects have the right to withdraw consent given to the institution at any time, without any explanation or justification. In this case, in accordance with the data subject's request, data processing must cease and/or processed data must be deleted or destroyed within 10 business days from the request, unless there is another legal basis for data processing.

    Data subjects have the right to withdraw consent in the same form in which consent was given.

    Before withdrawing consent, data subjects have the right to request and receive information from the data controller about the possible consequences of withdrawing consent.

    10.9

    Data subjects have the right to appeal to the Personal Data Protection Service, court, and/or higher administrative body in accordance with the law in case of violation of rights and established rules provided for by this law.

    Data subjects have the right to request the Personal Data Protection Service to make a decision on blocking data before the decision on completion of reviewing the application is made.

    Data subjects have the right to appeal the decision of the Personal Data Protection Service in court in compliance with the conditions and deadlines provided for by Georgian legislation.