Nova Recruiter Privacy Policy

At Nova we take data privacy very seriously. We always treat personal data in accordance with the General Data Protection Regulation (GDPR) as well as any national legislation, regulations, etc. applicable to its processing. Contact us if you have any doubts about how your data is being treated.

1. Basic Understanding

a. About This Policy

This Privacy Policy explains how, when, and why your personal data is processed by Nova in connection with the use of the Nova Recruiter platform and related services (the “Service”).

For the purpose of this Policy, any reference to “Nova” shall mean any applicable company within NGlobal Holding AB, company registration no. 559240-0864, with registered address at C/O Talent Venture Group AB, Postbox 3053, 10361 Stockholm, Sweden, including its subsidiaries:

  • Nova Talent AB, company registration no. 559152-1603, with address at C/O Talent Venture Group AB, Postbox 3053, 10361 Stockholm, Sweden;
  • Nova Global Italy SRL, registration no. MI - 2609948, with address at Bastioni di Porta Nuova 21, Milano (MI) 20121, Italy; and
  • Nova Global Spain S.L., CIF B-87600391, with address at Calle de Gustavo Fernández Balbuena 11, piso 1, 28011 Madrid, Spain.

b. Scope

This Policy applies to all processing of personal data carried out by Nova in relation to Nova Recruiter, including data collected directly from client users (recruiters, hiring managers, or companies) and data obtained from third-party or publicly available sources integrated into the Service (such as ContactOut).

c. Our Principles

Your privacy and data integrity are essential to us. Nova handles personal data responsibly and strives to limit processing to what is strictly necessary to deliver the Service, maintain quality, and comply with legal obligations.

d. Compliance

Nova acts as both Data Controller and Data Processor, depending on context:

  • As Controller for candidate information appearing in Nova Recruiter and for client account data
  • As Processor when handling candidate information uploaded or provided by a Nova Recruiter client.

This Policy is established in accordance with the EU General Data Protection Regulation (2016/679) (“GDPR”), the UK GDPR, and, where applicable, Spain’s Organic Law 3/2018 (LOPDGDD) and other relevant privacy laws.

e. Joint Controllership

For certain processing operations, such as candidate profile visibility and recruiter search activity, Nova and its verified client users may act as independent or joint controllers within the meaning of Article 26 GDPR.

In such cases, Nova ensures that appropriate arrangements define the respective roles and responsibilities of each party, particularly regarding the handling of data-subject rights and transparency obligations.

2. Data Controller and Contact

a. Data Controller

NGlobal Holding AB (“Nova”). Reg. No. 559240-0864. C/O Talent Venture Group AB, Postbox 3053, 10361 Stockholm, Sweden

b. Data Protection Officer (DPO)

Nova has appointed a Data Protection Officer in accordance with Articles 37–39 GDPR. The DPO is responsible for monitoring compliance with data-protection laws, advising Nova on privacy obligations, and acting as the contact point for supervisory authorities and data subjects.

Email: dpo@novatalent.com

Postal: Attn: Data Protection Officer, NGlobal Holding AB, Postbox 3053, 10361 Stockholm, Sweden

You may contact the DPO for any questions or concerns about how Nova processes personal data or to exercise your data-protection rights.

3. Personal Data

A. Candidate Data (from public and licensed sources)

Nova Recruiter contains professional information about individuals (“candidates”) gathered from:

  1. Publicly available sources — e.g. publicly accessible corporate websites, and other professional directories lawfully accessible online without login.
  2. Licensed data providers, notably ContactOut Limited, which compiles professional contact details from public business sources in compliance with GDPR, UK GDPR, and CCPA.

ContactOut acts as an independent Data Controller and warrants lawful collection. Nova acts as a subsequent Controller when it integrates that data into Nova Recruiter to enable legitimate recruitment use by authorized clients.

Data typically includes:

  • name, current position, employer, and industry
  • email and LinkedIn URL
  • education and career history
  • professional skills and location (city/country).

No sensitive data (e.g. health, religion, political views) is collected.

Nova processes this data only to:

  • provide recruiter search and contact capabilities;
  • maintain data accuracy and deduplication;
  • generate aggregated, anonymized usage statistics.

Nova never resells or redistributes ContactOut data as a standalone dataset. Access is restricted to authenticated Nova Recruiter users for professional recruiting purposes only.

Nova processes candidate data obtained from public and licensed sources on the basis of legitimate interest (Article 6(1)(f) GDPR).

The specific interest pursued is to operate and improve a professional-use recruitment and talent-matching platform that enables verified employer clients to identify and contact qualified professionals for genuine job opportunities.

This processing is subject to a written Legitimate Interest Assessment (LIA) confirming that it is necessary, proportionate, and limited to business-context data, with appropriate safeguards such as restricted access, opt-out rights, and exclusion of sensitive information.

Nova has performed a three-part Legitimate Interest Assessment (purpose, necessity and balancing tests) confirming that:

  • the processing is necessary to deliver a professional sourcing service to recruiters and candidates;
  • the data used concerns individuals in their business and professional capacity only;
  • the processing has minimal impact on individuals’ privacy, as access is restricted to authenticated clients, sensitive data is excluded, and all individuals can object or request erasure at any time.

A summary of this Legitimate Interest Assessment can be made available upon request by contacting privacy@novatalent.com.

Nova Recruiter incorporates algorithmic and AI-based functionalities — such as candidate scoring, ranking, matching and automated outreach suggestions or messages — to assist recruiter users in identifying and engaging with relevant professionals.

These operations may involve automated processing of professional data to generate recommendations or trigger limited communications on behalf of a verified client, but they do not produce legal or similarly significant effects on individuals within the meaning of Article 22 GDPR. Candidates are never automatically contacted or evaluated without a human-in-the-loop decision by a recruiter, and Nova maintains audit trails to evidence such human oversight.

All final hiring and selection decisions are taken by human recruiters or client representatives, who retain full control over whether to contact, shortlist or hire a candidate. Nova continuously reviews its AI systems to ensure appropriate human oversight, fairness, and transparency in line with GDPR principles and the forthcoming EU AI Act.

Nova does not monitor or track candidates’ online behavior or activity. Processing is limited to static professional data made publicly available or lawfully licensed from verified providers.

In accordance with Article 14 GDPR, you can read more about the categories of data, sources, lawful basis, and your rights in Nova’s dedicated Transparency Notice.

B. Client and Recruiter Account Data

For registered recruiters and client users we process:

  • name, company, work email, role;
  • authentication credentials;
  • account activity logs and usage metrics;
  • billing and payment information.

Lawful basis: performance of contract (Art. 6(1)(b)).

C. Email Integrations (Google / Microsoft)

Nova Recruiter offers optional integrations with Google Workspace (Gmail) and Microsoft 365 (Outlook) to enable recruiters to manage communications with candidates directly within the platform.

When you connect your email account, Nova will request your explicit consent to access specific data strictly necessary to support these features.

Data accessed and processed

  • Metadata of messages (IDs, timestamps, sender/recipient, status) related to recruitment communications initiated through Nova Recruiter;
  • Subject line and message body only for emails that are (i) sent from Nova Recruiter or (ii) replies received to those emails;
  • No access is made to unrelated inbox content, attachments, calendars, or contacts.

Nova does not use connected-email data for advertising, analytics unrelated to recruitment, or any form of AI model training. Processing is fully automated within the recruiter’s account environment and is not visible to other clients.

Storage and retention

  • Message data is stored in encrypted form and retained only while the integration is active.
  • Cached copies are deleted or de-linked automatically within 30 days after the integration is disconnected or inactive.
  • Nova employees cannot view message content unless you request explicit troubleshooting support.

Lawful basis and consent management

The lawful basis for this processing is explicit consent under Article 6(1)(a) GDPR, obtained when you authorize Nova Recruiter to connect with your Google or Microsoft account.

You may withdraw consent at any time by:

  • Revoking Nova Recruiter’s access in your Google Account Security Settings or Microsoft 365 Account Permissions, or
  • Disconnecting the integration from within the Nova Recruiter application settings.

Withdrawal of consent immediately stops all access and triggers deletion of associated cached data.

Third-party API compliance

Nova complies with the Google API Services User Data Policy, including the “Limited Use” requirements, and with Microsoft’s API and Graph Data Protection terms.

Email data is used solely to deliver user-requested functionality within Nova Recruiter and is never transferred to any external system other than the recruiter’s own workspace.

D. Usage and Technical Data

Collected automatically for security and analytics: IP address, device and browser type, login events, cookies, and telemetry.

Lawful basis: legitimate interest (ensuring security and service reliability).

4. Purposes and Lawful Bases Overview

Purpose | Lawful Basis under GDPR | Example Processing Activities

Operate and maintain the Nova Recruiter platform | Performance of a contract (Art. 6(1)(b)) | Account creation, authentication, user management

Provide candidate search and matching capabilities | Legitimate interest (Art. 6(1)(f)) | Indexing and display of professional profiles

Integrate licensed data from ContactOut and public sources | Legitimate interest (Art. 6(1)(f)) | Importing and updating professional datasets

Manage email integrations (Google / Microsoft) | Consent (Art. 6(1)(a)) | User-authorized access to email metadata and replies

Provide billing, customer support and contract administration | Performance of a contract (Art. 6(1)(b)) | Invoicing, account support, user roles

Ensure security and fraud prevention | Legitimate interest (Art. 6(1)(f)) | Monitoring logins, detecting abuse or misuse

Comply with legal and regulatory obligations | Legal obligation (Art. 6(1)(c)) | Record keeping, responding to lawful requests

5. Data Sharing and Disclosures

Nova only shares personal data where necessary to deliver the Service, comply with legal obligations, or ensure the secure operation of our systems.

We never sell or disclose personal data for advertising or unrelated commercial purposes.

a. Clients (Recruiters and Companies)

Candidate profiles are made visible only to verified Nova Recruiter clients who have entered into a contractual agreement with Nova. These clients act as independent Data Controllers for their own recruitment activities and must use the information solely for legitimate hiring purposes in accordance with the GDPR and their own privacy obligations.

Where a client exports candidate data into its own ATS or HRIS, the client becomes an independent controller for that processing and must provide its own privacy information to the candidate.

b. Service Providers (Processors)

We use carefully selected third-party providers to host and operate our infrastructure, analytics, and communications. They process personal data only under Nova’s instructions and subject to strict data-processing agreements.

Current categories include:

  • Cloud infrastructure: Amazon Web Services (EU)
  • Communications & support: Intercom (EU/US)
  • Productivity & storage: Notion (US), Google (EU/US)
  • Forms & analytics: Typeform (Spain)
  • Messaging integration: Unipile (France)

Each provider is contractually bound to implement appropriate security measures and may not use the data for its own purposes.

c. Licensed Data Providers

Nova obtains professional data from ContactOut Limited (Hong Kong) and similar licensed providers that act as independent Controllers and warrant GDPR-compliant collection of information from public business sources. Nova acts as a subsequent Controller when integrating such datasets into Nova Recruiter. All controller-to-controller transfers occur under adequate safeguards and encryption, in line with Articles 44–46 GDPR.

Where Nova receives updated datasets from licensed providers, Nova applies its internal suppression lists (opt-outs and objections) to prevent re-appearance of data subjects who have exercised their rights with Nova.

Nova verifies each provider’s data-collection notices and removal mechanisms before onboarding and conducts annual due-diligence reviews.

d. Cross-Border Transfers

Personal data is primarily stored within the European Economic Area (EEA). When data must be transferred outside the EEA—such as to the United States or Hong Kong—Nova ensures an equivalent level of protection through:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Adequacy decisions where applicable; and
  • Additional technical and organisational safeguards, including encryption and access controls.

Copies of relevant transfer mechanisms can be requested at privacy@novatalent.com.

e. Legal Requirements and Corporate Events

Nova may disclose limited information where required by law, court order, or governmental request, or in connection with a merger, acquisition, or reorganisation of Nova’s business, always under confidentiality and data-protection safeguards.

Nova does not sell personal data.

6. International Transfers

a. Storage and Primary Hosting

Personal data processed through Nova Recruiter is primarily stored and managed on secure servers located within the European Union / European Economic Area (EU/EEA).

Nova’s main hosting provider is Amazon Web Services (AWS), with data hosted in the EU (Ireland) region under ISO 27001 and SOC 2 certifications.

b. Transfers Outside the EU/EEA

Some of Nova’s trusted technology and infrastructure partners may store or access personal data from outside the EEA, for example, from the United States or Hong Kong, in order to provide technical support, maintenance, or integration services.

Whenever such transfers occur, Nova ensures that an adequate level of protection is maintained in accordance with Chapter V of the GDPR.

Depending on the provider and destination, Nova relies on one or more of the following mechanisms:

  • Adequacy Decisions issued by the European Commission (e.g., the EU–U.S. Data Privacy Framework for certified U.S. entities);
  • Standard Contractual Clauses (SCCs) adopted by the European Commission, combined with appropriate technical and organisational safeguards (encryption, pseudonymisation, restricted access); and
  • Intra-group transfer agreements incorporating SCCs between Nova entities in Sweden, Spain, and Italy.

c. Key Providers and Transfer Mechanisms

Provider | Function | Data Storage Location | Transfer Mechanism (if outside EU)

Amazon Web Services (AWS) | Cloud hosting and infrastructure | EU (Ireland)

Google (Workspace, Cloud, OAuth) | Authentication, productivity and analytics | Primarily EU (Ireland / Netherlands); limited U.S. access for support | EU–U.S. Data Privacy Framework and SCCs

Intercom | Customer support and in-app communications | EU (Ireland) | Limited U.S. access under EU–U.S. Data Privacy Framework and SCCs

Notion Labs, Inc. | Internal collaboration and documentation | United States | EU–U.S. Data Privacy Framework and SCCs

Typeform S.L. | Form and survey management | Spain (EU)

Unipile SAS | Secure messaging integration (Gmail/Outlook connectors) | France (EU)

ContactOut Limited | Licensed professional data provider | Hong Kong | SCCs with supplemental safeguards and encryption

Each provider operates under a Data Processing Agreement (DPA) compliant with Article 28 GDPR, ensuring that:

  • data is processed only on Nova’s documented instructions,
  • security and confidentiality are maintained, and
  • the provider assists Nova with data-subject rights and breach notifications.

d. Safeguards

Nova applies layered protection for international transfers, including:

  • encryption in transit and at rest
  • strict role-based access control
  • continuous monitoring and auditing
  • vendor due-diligence and re-certification checks.

These measures ensure that your personal data remains secure, even when processed outside the EEA.

e. Copies and Further Information

You may request further details about Nova’s international data transfers or obtain a copy of the applicable Standard Contractual Clauses (SCCs) by contacting privacy@novatalent.com.

7. Data Retention

Nova retains personal data only for as long as it is necessary to fulfil the purposes described in this Privacy Policy or to comply with legal, contractual, or security obligations.

We regularly review the data we hold and apply minimisation, suppression, or anonymisation measures when information is no longer needed.

a. Retention by Data Category

Category of Data | Typical Retention Period | Purpose of Retention

Client (Account) Data | While the client’s Nova Recruiter subscription is active + up to 3 years after termination | Contract administration, billing, legal defence, and audit trail

Recruiter Activity Logs | Up to 24 months | Service security, misuse detection, troubleshooting

Candidate Profiles (Professional Data) | As long as the data remains relevant and accurate for legitimate recruitment purposes, or until we receive an objection or deletion request | Operation of candidate search and matching features

Licensed Data from ContactOut and other providers | In line with the provider’s licensing agreement and Nova’s own data-review cycles (typically 12–24 months), or earlier if a candidate requests removal | Ensuring dataset accuracy, deduplication, and lawful use

Email-Integration Data (Gmail / Outlook) | Cached only while the integration is active; deleted or de-linked immediately upon disconnection or after 30 days of inactivity | Delivery and reply-tracking functionality

Support and Communication Records | Up to 3 years after closure of the ticket or interaction | Customer support history, dispute resolution

Aggregated / Anonymised Data | Indefinite (non-personal) | Product analytics and performance statistics

b. Deletion, Blocking and Anonymisation

When retention periods expire, Nova will:

  • Delete data securely from active systems;
  • Block or restrict access where immediate deletion would interfere with audit or legal obligations; or
  • Anonymise data so that it can no longer identify any individual

If you request deletion of your professional profile or object to our processing, we will suppress your record from search results and ensure that no recruiter can access it going forward.

c. Legal and Regulatory Retention

Certain information may be retained for longer periods where required by law (for example, taxation or accounting regulations) or where necessary to establish, exercise, or defend legal claims.

Such data is stored securely and access is strictly limited.

8. Security

Nova implements a combination of technical, organisational, and contractual safeguards to protect personal data against unauthorised access, alteration, disclosure, or destruction.

Security and privacy are integral parts of the Nova Recruiter design and operations framework.

a. Technical and Organisational Measures

We apply industry-standard measures, including:

  • Encryption of data in transit (TLS 1.2+) and at rest;
  • Access control based on least-privilege and role-based permissions;
  • Multi-factor authentication for internal and administrative access;
  • Network isolation and firewalls to protect production environments;
  • Regular vulnerability scanning and patch management;
  • Comprehensive audit logging and monitoring of system activity;
  • Employee training in data protection, confidentiality, and secure handling;
  • Vendor due-diligence procedures and binding data-processing agreements with all third-party processors.

These controls are reviewed periodically and updated in line with best practices and regulatory requirements.

b. Data Breach Response

If a personal-data breach occurs, Nova will:

  1. Assess the nature and scope of the incident
  2. Mitigate risk to affected individuals
  3. Notify the relevant supervisory authority without undue delay where required by law
  4. Communicate transparently with affected users when the breach is likely to result in a high risk to their rights and freedoms.

We maintain documented incident-response procedures to ensure timely and effective action.

c. Responsible Vulnerability Disclosure

If you believe you have discovered a security vulnerability in any Nova Recruiter system, please contact us responsibly at privacy@novatalent.com with the subject line “Security Vulnerability.”

Testing must avoid accessing other users’ data, disrupting service, or breaching confidentiality obligations.

d. Data-Hosting Location

Personal data is primarily stored in Amazon Web Services (AWS) data centres located within the European Economic Area (EEA).

When data must be accessed or processed outside the EEA (e.g. by certain sub-processors), Nova ensures that EU Standard Contractual Clauses or other approved safeguards are in place, consistent with Section 5 (d) above.

9. Your Rights

Depending on your location and the nature of the data we process, you have several rights under the General Data Protection Regulation (GDPR) and related national laws. Nova is committed to enabling these rights in a clear, fair, and timely manner.

a. What Rights You Have

You may at any time exercise the following rights with respect to your personal data processed by Nova:

  1. Right of Access
     Request confirmation of whether we hold personal data about you and obtain a copy of that data, along with details about how and why we process it.
  2. Right to Rectification
     Request correction of inaccurate or incomplete information we hold about you.
  3. Right to Erasure (“Right to Be Forgotten”)
     Request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent or successfully object to processing.
     For candidate profiles appearing in Nova Recruiter, this means we will remove your record from the searchable database and restrict further access by recruiters.
  4. Right to Object
     Object at any time to the processing of your data based on legitimate interests (for example, inclusion of your professional profile in Nova Recruiter).
     If you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  5. Right to Restrict Processing
     Request temporary restriction of processing while we verify accuracy, handle an objection, or establish legal claims.
  6. Right to Data Portability
     Receive your personal data in a structured, commonly used, machine-readable format, and request that it be transmitted to another controller where technically feasible.
  7. Right to Withdraw Consent
     Where processing is based on consent (for instance, when connecting your Gmail or Outlook account), you may withdraw that consent at any time without affecting the lawfulness of prior processing.
  8. Right to Lodge a Complaint
     If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with your local Data Protection Authority.
     Examples include:
    • Sweden: Integritetsskyddsmyndigheten (IMY)
    • Spain: Agencia Española de Protección de Datos (AEPD)
    • Italy: Garante per la Protezione dei Dati Personali

b. How to Exercise Your Rights

To exercise any of the rights above, please contact us at privacy@novatalent.com with the subject line “Data Rights Request – Nova Recruiter.” We may request limited information to verify your identity before processing your request. We will respond without undue delay and within one month, unless an extension is permitted under the GDPR due to complexity or volume.

If your data was obtained from a public or licensed source, you can also learn more about your rights and how to object specifically to that processing in our Transparency Notice.

If we cannot identify you in our index with the information you provide, we may ask you for additional details — such as your LinkedIn URL, current employer, or public profile link — solely to locate your record. We will not retain this information after resolving your request.

If your professional data originated from a licensed provider (for example, ContactOut Limited), we will, where contractually possible, also inform that provider of your objection or deletion request so they can update their dataset accordingly.

c. No Discrimination or Retaliation

Nova will never deny access to the Service, alter pricing, or offer different levels of service because you exercised your data-protection rights.

10. Data Protection Governance

Nova’s Data Protection Officer conducts regular reviews of Nova Recruiter’s processing operations, including Legitimate Interest Assessments (LIA) and the Data Protection Impact Assessment (DPIA), and advises on updates to maintain ongoing GDPR compliance.

a. Record of Processing Activities (RoPA)

Nova maintains a Record of Processing Activities (“RoPA”) in accordance with Article 30 GDPR, covering all relevant data flows, categories, retention schedules, legal bases, and international transfers relating to Nova Recruiter.

This record is reviewed and updated periodically to reflect changes in the Service, and may be shared with competent supervisory authorities or enterprise customers upon legitimate request for compliance verification.

b. Legitimate Interest and DPIA

Nova processes professional data from public and licensed sources based on legitimate interest (Article 6(1)(f) GDPR), supported by a written Legitimate Interest Assessment (LIA) evaluating necessity, proportionality, and data-subject impact.

Given the potentially large scale of candidate data involved, Nova has also assessed the need for a Data Protection Impact Assessment (DPIA) under Article 35 GDPR and will update that assessment as the Service expands or incorporates new data sources or automated functionalities.

The assessment concluded that residual risks for data subjects are low and effectively mitigated through restricted access, transparency measures, and suppression mechanisms.

c. Source transparency within the platform

To enhance transparency, Nova Recruiter includes source-attribution labels within candidate profiles, indicating whether the information originates from:

  • The Nova Network (i.e., profiles created by Nova members);
  • Licensed professional data providers (e.g., ContactOut Limited); or
  • Public web sources (e.g., company websites, public LinkedIn URLs).

Where technically feasible, users can also view the date of the last update or verification.

This ensures that data subjects, recruiters, and customers understand the provenance and update cycle of professional data displayed in the Service.

Enterprise clients and regulators may request additional documentation such as Nova’s Article 30 RoPA summary, LIA executive summary, or DPIA statement by contacting privacy@novatalent.com.

d. Accountability and updates

Nova continuously monitors regulatory developments and guidance from EU and national Data Protection Authorities regarding the use of publicly sourced professional data for recruitment.

We update our privacy framework, including this Privacy Policy, the LIA, and the DPIA, to maintain compliance with evolving interpretations and best practices.

11. Cookies and Tracking

We use cookies and similar technologies to ensure proper functioning of the Service and analyze usage patterns. You can control cookie preferences in your browser or via our Cookie Settings panel.

See our separate Cookie Policy for details on categories, retention and third-party ad/analytics cookies.

Nova does not use third-party tracking cookies for advertising or behavioral profiling.

12. Updates to This Policy

We may update this Policy to reflect legal, technical, or business changes. Material updates will be communicated through the Service or by email. The date at the top indicates the latest revision.

13. Contact

NGlobal Holding AB (Nova)

privacy@novatalent.com

© 2025 NGlobal Holding AB. All rights reserved.