Hiya Applicant Privacy

1. This Privacy Policy

This Applicant Privacy Policy provides information to applicants intending to work for Hiya, Inc., Hiya Communications UK Ltd., Hiya Canada, Inc., or Hiya Hungary Kft. When reading this Policy, the phrase “Hiya” may either refer to Hiya, Inc. or any of its subsidiaries, depending on which company you are applying to. With this Privacy Policy, we aim to inform applicants (also referred to as ‘you’, ‘your’) of the processing of their personal data carried out by Hiya. We urge you to read this policy and familiarize yourself with its content.

The Privacy Policy contains information on questions relating to how applicants’ data will be processed, especially on what types of data will be processed, for what purposes, on what legal basis, for what storage period, who has access to this data, the rules relating to the transmission of this data, questions concerning data security, and the applicants’ rights and possible legal remedies.

This Privacy Policy concerns issues specific to the processing of your data as an applicant to Hiya. For more general information on Hiya’s data processing practices, please see our general Privacy Policy.  

First of all, please note that your data is accessible by all Hiya entities. We manage data related to human resources jointly to establish unified human resources policies across the company group and ensure a uniformly high level of service to our applicants. Hiya entities act as joint data controllers of your personal data. This means that we determine the purposes and means of the processing of your data together. Our respective responsibilities in this regard, especially concerning the duties of enabling you to exercise your rights, are outlined in this Privacy Policy.

You can find the contact details of the respective data controllers in Section 13 of the Privacy Policy. Of course, you are always free to contact the data controller according to your place of residence or the location of the job you have applied for to ensure your inquiries are handled efficiently and promptly.

2. Who does this Privacy Policy concern?

This Privacy Policy applies to individuals who apply for a position at Hiya. Hiya collects and processes personal data related to applicants as part of the recruitment process.

3. What categories of data does Hiya collect and process?

We may collect and process the following categories of data:

• Personal information, including name, date of birth, place of birth, sex and/or gender, contact information, including address, zip code, place of residence, telephone number and email address.
• Curriculum vitae and cover letter details, such as data regarding your education, courses and internships, data regarding the nature and content of your current position, as well as regarding the ending thereof, data regarding the nature, time period and content of your previous employments, as well as regarding the ending thereof; your references and educational certificates; as well as any additional personal data voluntarily shared in your curriculum vitae and cover letter, particularly including, optionally, your photograph, motivation, and other personal interests.
• Additional data provided based on your responses in the electronic application form, including, in particular, the URL of your LinkedIn profile or personal website, as well as your answers (yes/no) to questions regarding your legal eligibility to work in Hungary, visa sponsorship needs, willingness to work in a hybrid model and accuracy of the provided information.
• Notes recorded during the recruitment process, including during your interview(s), which may include observations and evaluations relevant to the hiring decision.
• Information you publicly shared on social media platforms, including, but not limited to, LinkedIn and other social media profiles or personal websites that you explicitly include in your application or provide in the electronic application form. We only process such information where it is attached to or otherwise included within your application (for example, if you submit a job application through a LinkedIn posting, or if you provide your LinkedIn profile or website in the electronic application form, we may review these as part of your application).
• Any other personal data voluntarily shared during the application process or interviews, including but not limited to information disclosed in conversations, follow-up communications, or additional documents submitted at your discretion.

Please note that we do not request or intend to process special categories of personal data during the recruitment process (e.g. ethnicity, religious or philosophical beliefs, sexual orientation, information on union membership). We explicitly ask you not to provide us with such data. If you nevertheless choose to disclose such information to us, we will do our best to ensure that data related to this information is deleted as soon as possible.

4. How is the data collected?

We collect personal data provided directly by you during the application process. You are responsible for ensuring that the information you provide during the recruitment process is complete and accurate.

If any of your personal data changes or needs to be updated, you may contact us at recruiting@hiya.com to request a correction at any time.

Providing personal data during the job application process is voluntary; however, certain data is necessary for us to process your application. If you choose not to provide the required information, we will be unable to evaluate your candidacy or proceed with the recruitment process.

5. Lawful bases of processing

We process your personal data in accordance with the General Data Protection Regulation (GDPR), ensuring that all processing activities have a lawful basis. The legal bases applicable to our processing activities in the context of your job application include the following:

a. Contractual Necessity (GDPR Art. 6(1)(b))

We process your personal data to take steps at your request prior to entering into an employment or other work-related contract. This includes assessing your suitability for the position you applied for (or, where appropriate, other relevant vacancies within Hiya) and managing the recruitment process up to the decision on establishing an employment or other work-related contractual relationship.

b. Consent (GDPR Art. 6(1)(a))

If you explicitly consented during your application, we may retain your data after an unsuccessful application for future job opportunities and contact you with potential job offers at a later stage. The processing of personal data in this case is based on your voluntary consent, which you may withdraw at any time by contacting us at recruiting@hiya.com.

Please note that withdrawing your consent does not affect the lawfulness of processing conducted before the withdrawal. Additionally, providing consent for future job opportunities is entirely optional, and your application will still be considered for the applied position regardless of your choice.

c. Legitimate Interests (GDPR Art. 6(1)(f))

We may process certain personal data based on our legitimate interest in ensuring an effective, fair, and transparent recruitment process. This includes improving our hiring procedures, protecting against fraudulent applications, and maintaining security throughout the application process. Where we rely on legitimate interests, we ensure that such interests do not override your rights and freedoms.

Once the job application process has concluded, if data is required to establish, exercise, or defend a legal claim, we may continue processing it based on legitimate interest under Art. 6(1)(f) GDPR. The legitimate interest of the relevant Hiya entity lies in the assertion or defence of legal claims. For example, if a candidate initiates a discrimination claim related to a recruitment process, we may retain and process personal data to protect our rights in such proceedings.

d. Legal Obligation (GDPR Art. 6(1)(c))

In some cases, we are required to process your personal data to comply with legal obligations, such as employment laws or equal opportunity regulations related to the recruitment process.

6. The purposes of the processing

Hiya processes the personal data you provide in your application (along with any other information referenced in this Privacy Policy) for the following purposes:

• Managing and evaluating your candidacy as part of the recruitment process, including verifying the information provided in your application, assessing your suitability for the position you applied for (or, where appropriate, other relevant vacancies within Hiya), and deciding whether to offer you employment.
• Communicating with you throughout the recruitment process via voice, email and text.
• Conducting pre-employment background checks, where permitted by applicable law and where necessary for the role you have applied for. You will be informed in advance if such a background check is required and provided with further details on the process and legal basis for such processing.
• Maintaining recruitment records in accordance with legal requirements, equal opportunity policies, and Hiya’s internal recruitment policies.
• Protecting our legal rights, such as retaining necessary data to establish, exercise, or defend against legal claims related to the recruitment process (e.g., in case of a discrimination claim).

Processing for the above purposes is carried out under the appropriate lawful bases as described in Section 5: Lawful Bases of Processing, including contractual necessity, legitimate interest, and legal obligation.
Where applicable, and only if you have explicitly provided consent, we may retain your application data after an unsuccessful application to consider you for future job opportunities. You have the right to withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.

7. Data recipients and data transfers

a. Who Has Access to Your Data?

We will only disclose your personal data to third parties in the following cases:

1. Service providers: We use third-party service providers to process your personal data on our behalf for the purposes outlined in Section 6. These service providers are contractually obligated to process your data securely and in compliance with GDPR.
   1. In particular, we use AshbyHQ, Inc. (Ashby), which provides the job application platform we use for managing recruitment processes. Ashby acts as our data processor, and its processing of personal data is governed by its own Privacy Policy, available at: Ashby Privacy Policy.
   2. We use Zendesk, Inc. (Zendesk) to handle applicant inquiries and manage communications related to the recruitment process. Zendesk processes personal data on our behalf as a data processor, and its data processing practices are governed by its Privacy Policy, available at: Zendesk Privacy Policy.
2. Legal obligations: We may disclose your data to government authorities, regulators, or law enforcement agencies if required by applicable law or to comply with a legal obligation.
3. Since Hiya entities act as joint data controllers (as outlined in the Introduction of this Privacy Policy), your data may be accessible across Hiya entities where necessary to establish unified human resources policies and ensure a high level of service to applicants.

b. International Data Transfers

Your personal data may be transferred to and stored in countries outside the European Economic Area (EEA), which may not be subject to the same data protection laws as those within the EEA. This includes transfers to the United States, where Hiya, Inc. is headquartered.

• Data transfers to the United Kingdom (UK): The European Commission has issued an adequacy decision for the UK, meaning that personal data can be freely transferred from the EEA to the UK without additional safeguards under GDPR (Art. 45).
• Data transfers to other non-EEA countries (e.g., the United States): Where personal data is transferred outside the EEA or the UK to countries that do not benefit from an adequacy decision, we implement appropriate safeguards to ensure that your data remains protected and is processed securely in accordance with GDPR (Art. 44-49). These safeguards include:
  • Standard Contractual Clauses (SCCs): We rely on the European Commission-approved Standard Contractual Clauses (SCCs) to govern international data transfers where applicable. In accordance with the European Commission Implementing Decision (EU) 2021/914, we have reviewed our SCCs and implemented additional measures to ensure compliance with the latest international data transfer requirements following the Schrems II ruling.
  • Transfer Impact Assessments (TIAs): Where required, we conduct Transfer Impact Assessments to evaluate the level of data protection in the recipient country and implement supplementary safeguards where necessary.

c. Data Privacy Framework (DPF) and Our Current Status

On July 17, 2023, the European Commission issued an adequacy decision for the EU-U.S. Data Privacy Framework (DPF), which allows certified U.S. companies to receive personal data from the EU under GDPR-compliant conditions. At this time, Hiya, Inc. is not certified under the Data Privacy Framework (DPF). Therefore, our data transfers to the U.S. continue to rely on SCCs and additional safeguards as outlined above.

8. Automated decisions

Hiya uses automated decision-making in the following two limited cases to verify whether applicants meet objective legal requirements for employment:

• If an applicant answers "No" to the question "Are you legally eligible to work in Hungary?", their application will be automatically rejected, as Hiya would not be legally able to employ them.
• Similarly, if an applicant answers "Yes" to the question "Will you now or in the future require visa sponsorship for employment at Hiya?", their application will be automatically rejected, as Hungarian labor law requires all employees to have valid work authorization. EU/EEA/Swiss citizens can work in Hungary without restriction, while non-EU nationals generally require a work visa and residence permit. Since Hiya does not provide visa sponsorship, we can only consider candidates who already have the legal right to work in Hungary.

Our system applies a simple, rule-based approach: if an applicant indicates on the job application platform that they do not have legal work eligibility or require visa sponsorship, their application will not proceed further. This automated decision-making is based on Article 6(1)(b) GDPR ("contractual necessity"), as these are fundamental conditions for entering into an employment contract.

If your application is rejected due to an automated decision, you have the right to request human review. You may also provide additional information or challenge the decision if you believe it was made in error (e.g., if you already hold a valid Hungarian work permit). To exercise these rights, please contact us at recruiting@hiya.com, and a member of our team will review your request.

Beyond these limited cases, Hiya does not use automated decision-making in its recruitment process. All other hiring actions and decisions involve human review.

9. Storage periods

We retain personal data only for as long as necessary to fulfill the purposes for which it was originally collected. Once those purposes have been achieved, personal data will be deleted or anonymized, unless further retention is required in accordance with the following:

• For unsuccessful applicants: If your application is unsuccessful, we will delete your personal data immediately after the conclusion of the hiring process for the specific position unless another lawful basis applies (e.g., legal compliance or explicit consent for future job opportunities).
• For legal compliance: Where required by applicable employment, tax, or other regulations, we may retain certain personal data for the legally prescribed period.
• For legal claims (legitimate interest): If necessary to establish, exercise, or defend legal claims (e.g., in case of a discrimination complaint related to recruitment), we may retain personal data based on our legitimate interest under Article 6(1)(f) GDPR. In such cases, data will be retained for the duration of the legal proceedings and any applicable statutory limitation period.
• For future job opportunities (explicit consent): If you explicitly consent to be considered for future job openings, we will retain your personal data for up to one additional year after the recruitment process. You may withdraw your consent at any time, and upon withdrawal, your data will be deleted unless another lawful basis applies.

After the applicable retention periods expire, we will delete personal data, unless further retention is required by law.

10. Your rights

As an applicant, you have the following rights regarding the processing of your personal data. Although Hiya entities act as joint controllers, the primary responsibility for handling requests related to your rights lies with the entity to which you applied.

1. Right of access – You have the right to request access to the personal data we process about you.
2. Right to rectification – You have the right to request the correction or completion of inaccurate or incomplete personal data.
3. Right to erasure (‘right to be forgotten’) – You have the right to request the deletion of your personal data where the legal basis for processing has ceased or the data is no longer necessary for the purposes for which it was collected.
4. Right to restriction of processing – In certain circumstances, you may request that we restrict the processing of your personal data.
5. Right to data portability – If the processing is based on your consent or a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and transmit it to another controller.
6. Right to object – Under certain circumstances, you may object to the processing of your personal data, particularly where processing is based on legitimate interest.
7. Right to withdraw consent – Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of data processing carried out before the withdrawal.
8. Right to lodge a complaint – If you believe your rights have been infringed, you have the right to file a complaint with a supervisory authority, particularly in the EU Member State of your habitual residence, workplace, or the location of the alleged infringement. A list of competent supervisory authorities is available on the European Data Protection Board (EDPB) website.

Additionally, under the Hungarian Act No. CXII of 2011 on Informational Self-Determination and Freedom of Information, Hungarian applicants are also entitled to initiate court proceedings in case of a data protection violation, which may be brought before the court of their habitual residence.

If you are located in the EEA and wish to exercise any of the above rights, please complete a request here or contact our data protection officer at dpo@hiya.com.

11. Your Rights under the CCPA

If you are a California resident, the California Consumer Privacy Act (CCPA) may provide you with additional rights regarding our use of your personal data. To learn more about your California privacy rights, see below.  Unless otherwise stated, terms in this Privacy Policy that are not addressed in, and/or do not conflict with, the terms in this Section 11 will continue to apply to your personal data.Some of the personal information that we receive from you in connection with your (actual or potential) employment may qualify as “Sensitive Personal Information” under the CCPA. The types of Sensitive Personal Information that we have collected, processed, and disclosed to third parties in the last twelve months are identified in the table below, along with our business purposes for disclosing such Sensitive Personal Information.

Category of Sensitive Personal Information

• Your social security, driver’s license, state identification card, or passport number.
• Your precise geolocation.
• Your immigration status.

Third Parties who Receive Sensitive Personal Information

• Service providers who perform services for the Hiya such as payroll, benefits, training, medical benefits, IT, and other services;
• Professional advisors, such as accountants, auditors, bankers, and lawyers.

Purposes for Disclosing Sensitive Personal Information

• Collecting and processing employment applications, including confirming eligibility for employment, background and related checks, and onboarding;
• Maintaining personnel records;
• Investigating any allegations, complaints, or grievances regarding violations of Hiya’s policies;
• Complying with applicable federal, state, and local laws, rules, and regulations relating to labor and employment (which may include, as applicable, tax, benefits, workers’ compensation, disability, equal employment opportunity, unemployment claim information requests, workplace safety, and related laws, and specifically laws relating to Equal Employment Opportunity).

Note that we may analyze the above Sensitive Personal Information for our internal administrative purposes, such as identifying correlations to assess employee performance and aggregating and analyzing data to improve employee retention. Unless otherwise noted in this privacy policy, we will share your personal information with the following third parties:

• Service providers that we engage to carry out specific services in connection with the business purposes that we have identified;
• Consultants, auditors, accountants and other professional advisors and service providers;
• Third parties or agents who assist in the administration, processing and management of certain activities pertaining to Personnel; and/or
• Law enforcement agencies, government agencies, regulators, investigators and other bodies as may be required by law.

You may exercise the following rights, to the extent provided by the CCPA:

You may request that we disclose to you the following information, as applicable for the twelve-month period preceding your request:

• The categories of personal data that we have collected about you;
• The categories of sources from which we collected such personal data about you;
• The business purposes for which we collected personal data about you; and
• The categories of personal data about you that we disclosed to third parties for business purposes and the categories of third parties to whom we disclosed such personal data.
• You may request that we correct inaccuracies in your personal data.
• You may request that we delete some of the personal data that we hold about you.
• You may request to receive a copy of your personal data, including a copy of the personal data you provided to us in a portable format.

If you have any questions concerning the processing of your personal data or you wish to lodge a complaint, please contact us using the information provided in Section 13.

We are not required to delete personal information if the retention of that information is necessary for our reasonable internal uses, based on our prior or existing relationship with you, or to comply with our legal obligations. We will not unlawfully discriminate or retaliate against you for exercising your legal rights under the CCPA. You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal data or an authorized representative of that person.
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

Note that we may need to request additional personal data from you to verify your identity and protect against fraudulent requests. We will only use personal data provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.

12. Data security

We have implemented measures designed to secure your Personal Information from accidental loss and from unauthorized access, use, alteration, and disclosure.

We put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data is only transferred to a third party if they agree to comply with those procedures and policies or if they put in place adequate measures to protect the personal data.

We maintain data security by protecting the confidentiality, integrity and availability of the personal data.

13. Contact details of the data controller

If you have any questions regarding the processing of your personal data, or you wish to lodge a complaint, please contact Hiya. Depending on whether you are applying for a job the contact details are listed below:

• US Office: 701 5th Ave, Suite 1200, Seattle, WA 98104
• Email: support@hiya.com
• Follow this link to contact Hiya Customer Service
• Data Protection Officer e-mail: dpo@hiya.com
• UK Office:
  The Brew Eagle House (1st Floor ),
  163 City Road, London,
  EC1V 1NR,
  Contact: Kelly Schmitt
• EU/ Hungary office:
  1066 Budapest, Mozsár utca
  16. 5th floor,
  Contact: Lilla Szabo

14. Contact details of the supervisory authority

As mentioned above, you have the right to contact the supervisory authority, addressed to which you are entitled to lodge a complaint. Depending on whether you are applying for a job at Hiya Kft. or Hiya Communications UK Ltd., the supervisory authority’s contact details are listed below:

In case you are applying to Hiya Kft.:

Name: Hungarian National Authority for Data Protection and Freedom of Information
Address: H-1055 Budapest, Falk Miksa utca 9-11
Phone: +36-1-391-1400
E-mail:  ugyfelszolgalat@naih.hu
Website: http://naih.hu

‍In case you are applying to Hiya Communications UK Ltd.:

Name: The Information Commissioner’s Office
Address: Water Lane, Wycliffe House, Wilmslow - Cheshire SK9 5AF
Phone: +44 1625 545 745
E-mail: international.team@ico.org.uk
Website: https://ico.org.uk

‍15. Changes to Our Privacy Policy

Hiya reserves the right to unilaterally modify this Privacy Policy.

It is our policy to post any changes we make to our Privacy Policy on this page. If we make material changes to how we treat Personal Information hereunder, we will post a notice on the Website. The date the Privacy Policy was last revised is identified at the top of the page. You are responsible for periodically visiting our Website and this Privacy Policy to check for any changes.