Referral Privacy.

Version v1 · Last Updated 19 May 2026

This notice explains how DeFinitive Talent Ltd ("DeFinitive", "we") handles personal data within the peer-to-peer referral programme. It applies to both referrers and the candidates they refer. It sits alongside the main site privacy policy and the referrer terms.

1. Who is the data controller

DeFinitive Talent Ltd, registered in England and Wales, is the data controller for personal data processed through the referral programme. Contact us at info@definitivetalent.xyz.

2. What we collect about referrers

Identity: name, email, country, profile photo (from Google or LinkedIn).
Professional: LinkedIn URL, optional Telegram handle.
Payment: USDC wallet address (collected when a payout is pending).
Activity: links generated, click counts, applications attributed to your links, hires, payouts.
Acceptance: timestamp and hashed IP address when you accept these terms, used as legal evidence of consent.

3. What we collect about referred candidates

Candidates who arrive via a referrer's link see an acknowledgement screen at /refer/welcome, where they confirm or decline the referral. We record:

The acknowledgement action (confirmed or declined) and timestamp.
A hashed IP address and the browser's user agent string, for fraud detection.
If the candidate submits an application: standard application data (name, email, CV, etc.) plus the consent ticks given on the apply form.

4. What the referrer sees about "their" candidate

To make the programme work, the referrer's dashboard shows them progress milestones when one of their links leads to action. Specifically, the referrer is told that:

Someone clicked their link, and how many times.
Someone started an application via their link.
Someone submitted an application.
An application was screened or progressed to interview.
A hire was made.
A payout has been triggered.

The referrer does not see the candidate's name, email, CV, cover message, or any other answers from the application. The above events are surfaced as counts and milestones, not identified records.

Candidates are told this at the point of giving consent on the apply form and on the welcome screen. If we ever change what the referrer sees, we update this notice and the consent text, and any candidate who applies after that change is consenting to the new arrangement.

5. Why we process this data (legal basis)

Consent (UK GDPR Art. 6(1)(a)) — for the candidate's consent to be referred and for their data to be processed for this specific application.
Contract (UK GDPR Art. 6(1)(b)) — to run the referral programme contract with you (the referrer) and to release payouts under it.
Legal obligation (UK GDPR Art. 6(1)(c)) — for sanctions screening prior to payout (UK Sanctions and Anti-Money Laundering Act 2018, OFSI guidance).
Legitimate interests (UK GDPR Art. 6(1)(f)) — for fraud detection, audit logging, dispute resolution, and product analytics. We have balanced these against your rights and consider the processing to be proportionate.

6. Who we share data with

The referrer — the referrer of a candidate sees the milestone events listed in section 4 above. They do not see candidate identity or application content.
The hiring client — if a candidate proceeds to interview, their application details are shared with the client for that role, in the same way as a non-referred application.
Service providers — Supabase (database hosting, EU/UK regions), Vercel (web hosting, EU/UK regions), Telegram (where you opt to provide a Telegram handle for notifications), and at payout time a sanctions-screening process performed in-house against public OFSI and OFAC lists.
Where required by law — to comply with UK statutory obligations or a court order.

We do not sell personal data, and we do not share it with advertisers or data brokers.

7. How long we keep it

Active referrer accounts: for as long as the account is open.
Closed referrer accounts: identity fields are anonymised within 30 days of closure; an audit record (referral activity, payouts) is kept for 6 years for accounting and dispute purposes.
Acknowledgement records (/refer/welcome confirm/decline): 24 months, then deleted. We use them only to evidence consent or decline in the event of a dispute.
Candidate applications: retained per the main site privacy policy.
Audit log of admin actions: 6 years.

8. Your rights

Under UK GDPR you have the right to: access your data, correct inaccurate data, request deletion, restrict processing, object to processing, and request data portability. Most of this you can do directly from your dashboard (close account, update profile). For anything else, contact info@definitivetalent.xyz and we will respond within 30 days.

You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have not handled your data properly. We'd ask you to contact us first so we have a chance to fix it.

9. International transfers

Our infrastructure is hosted in the UK and EU. Where a service provider transfers personal data outside the UK or EU (for example, Vercel's edge network), we rely on UK and EU adequacy decisions or standard contractual clauses to protect the transfer.

10. Changes to this notice

We may update this notice. The current version and last-updated date are shown at the top of this page. Material changes (such as changes to who sees what data) will be highlighted to active referrers in their dashboard and added to the consent text for new candidates.

Referral Privacy.

Version v1 · Last Updated 19 May 2026

1. Who is the data controller

DeFinitive Talent Ltd, registered in England and Wales, is the data controller for personal data processed through the referral programme. Contact us at info@definitivetalent.xyz.

2. What we collect about referrers

Identity: name, email, country, profile photo (from Google or LinkedIn).
Professional: LinkedIn URL, optional Telegram handle.
Payment: USDC wallet address (collected when a payout is pending).
Activity: links generated, click counts, applications attributed to your links, hires, payouts.
Acceptance: timestamp and hashed IP address when you accept these terms, used as legal evidence of consent.

3. What we collect about referred candidates

Candidates who arrive via a referrer's link see an acknowledgement screen at /refer/welcome, where they confirm or decline the referral. We record:

The acknowledgement action (confirmed or declined) and timestamp.
A hashed IP address and the browser's user agent string, for fraud detection.
If the candidate submits an application: standard application data (name, email, CV, etc.) plus the consent ticks given on the apply form.

4. What the referrer sees about "their" candidate

To make the programme work, the referrer's dashboard shows them progress milestones when one of their links leads to action. Specifically, the referrer is told that:

Someone clicked their link, and how many times.
Someone started an application via their link.
Someone submitted an application.
An application was screened or progressed to interview.
A hire was made.
A payout has been triggered.

5. Why we process this data (legal basis)

Consent (UK GDPR Art. 6(1)(a)) — for the candidate's consent to be referred and for their data to be processed for this specific application.
Contract (UK GDPR Art. 6(1)(b)) — to run the referral programme contract with you (the referrer) and to release payouts under it.
Legal obligation (UK GDPR Art. 6(1)(c)) — for sanctions screening prior to payout (UK Sanctions and Anti-Money Laundering Act 2018, OFSI guidance).
Legitimate interests (UK GDPR Art. 6(1)(f)) — for fraud detection, audit logging, dispute resolution, and product analytics. We have balanced these against your rights and consider the processing to be proportionate.

6. Who we share data with

The referrer — the referrer of a candidate sees the milestone events listed in section 4 above. They do not see candidate identity or application content.
The hiring client — if a candidate proceeds to interview, their application details are shared with the client for that role, in the same way as a non-referred application.
Service providers — Supabase (database hosting, EU/UK regions), Vercel (web hosting, EU/UK regions), Telegram (where you opt to provide a Telegram handle for notifications), and at payout time a sanctions-screening process performed in-house against public OFSI and OFAC lists.
Where required by law — to comply with UK statutory obligations or a court order.

We do not sell personal data, and we do not share it with advertisers or data brokers.

7. How long we keep it

Active referrer accounts: for as long as the account is open.
Closed referrer accounts: identity fields are anonymised within 30 days of closure; an audit record (referral activity, payouts) is kept for 6 years for accounting and dispute purposes.
Acknowledgement records (/refer/welcome confirm/decline): 24 months, then deleted. We use them only to evidence consent or decline in the event of a dispute.
Candidate applications: retained per the main site privacy policy.
Audit log of admin actions: 6 years.

Referral Privacy.Referral Privacy.

1. Who is the data controller

2. What we collect about referrers

3. What we collect about referred candidates

4. What the referrer sees about "their" candidate

5. Why we process this data (legal basis)

6. Who we share data with

7. How long we keep it

8. Your rights

9. International transfers

10. Changes to this notice

Referral Privacy.Referral Privacy.

1. Who is the data controller

2. What we collect about referrers

3. What we collect about referred candidates

4. What the referrer sees about "their" candidate

5. Why we process this data (legal basis)

6. Who we share data with

7. How long we keep it

8. Your rights

9. International transfers

10. Changes to this notice

Referral Privacy.

Referral Privacy.