Chrome Extension Privacy Policy
Privacy Policy — TalentRiver Chrome Extension
1. Controller Identity
TalentRiver AB
2. Introduction
This privacy policy explains how TalentRiver AB ("we", "our", "us") collects, processes, stores, and protects personal data through our Chrome browser extension and related services (together, the "Service"). It applies to all users of the Service and to all individuals whose personal data is processed through it.
We are committed to protecting your personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and applicable Swedish data protection legislation.
3. Personal Data We Collect
3.1 User Account Data
When you use the Chrome extension, we process the following data about you as a user:
Email address
Password (stored locally on your device only; not transmitted to our servers in plaintext)
Authentication tokens
3.2 Candidate Data
When you use the extension to push candidate profiles from LinkedIn Recruiter, LinkedIn Sales Navigator, or standard LinkedIn, we process the following categories of candidate personal data:
Full name
Job title and professional history
Employer information
Location
Profile URL
Any additional professional data visible on the candidate's public or semi-public LinkedIn profile that you choose to send
3.3 Usage Data
We may collect technical data related to your use of the extension, including:
Extension version
Browser type
Timestamps of actions performed
Error logs
4. Purposes and Lawful Basis for Processing
Under Article 6 GDPR, we process personal data only where we have a valid lawful basis. The table below sets out each processing activity, its purpose, and the lawful basis relied upon.
| Data Category | Purpose | Lawful Basis (Art. 6 GDPR) |
|---|---|---|
| User account data | Authenticating you and providing access to the Service | Performance of a contract (Art. 6(1)(b)) — necessary to deliver the Service you have subscribed to |
| Candidate data | Storing, ranking, and managing candidates within the TalentRiver platform on your behalf | Legitimate interest (Art. 6(1)(f)) — our legitimate interest in providing recruitment management services; balanced against candidate rights (see Section 4.1) |
| Usage data | Maintaining, securing, and improving the Service | Legitimate interest (Art. 6(1)(f)) — our legitimate interest in operating a secure and reliable service |
4.1 Legitimate Interest Assessment — Candidate Data
Where we rely on legitimate interest, we have carried out a balancing test. The processing of candidate data sourced from professional networking platforms is necessary to deliver our recruitment technology service. Candidates have a reasonable expectation that their professional profile data may be used for recruitment purposes. We mitigate the impact on candidates by processing only professional data, applying appropriate security measures, and honouring data subject rights requests. A full legitimate interest assessment is available on request.
5. Data Storage and Security
5.1 Storage Location
All candidate data and server-side account data is stored on Microsoft Azure infrastructure located in Germany (EU). Your login credentials are stored locally on your device using the browser's local storage mechanism and are not transmitted to or stored on our servers in plaintext form.
5.2 Security Measures
We implement appropriate technical and organisational measures in accordance with Article 32 GDPR, including:
Encryption of data in transit (TLS) and at rest
Access controls limiting data access to authorised personnel
Regular security assessments and vulnerability testing
Logging and monitoring of system access
Incident response procedures
6. Data Sharing and Recipients
We do not sell personal data. We may share personal data with the following categories of recipients, solely to the extent necessary for the purposes described in this policy:
| Recipient Category | Purpose | Safeguards |
|---|---|---|
| Hosting and infrastructure providers (Microsoft Azure, Germany) | Data storage and processing infrastructure | Data Processing Agreement in place; data remains within the EU/EEA |
| Your organisation | Candidate data is accessible to authorised users within your TalentRiver account | Access governed by your organisation's account settings |
If we engage additional sub-processors in the future, we will ensure that each sub-processor is bound by a data processing agreement meeting the requirements of Article 28 GDPR. An up-to-date list of sub-processors is available on request.
7. International Transfers
Your personal data is stored and processed within the EU/EEA (Germany). We do not currently transfer personal data outside the EU/EEA. If this changes, we will ensure that appropriate safeguards are in place, such as:
European Commission adequacy decisions (Article 45 GDPR)
Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR)
Other valid transfer mechanisms under Chapter V GDPR
We will update this policy and notify users before any such transfer takes place.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
| Data Category | Retention Period | Basis |
|---|---|---|
| User account data | Duration of your account plus 30 days after account deletion | Necessary for service delivery; 30-day grace period for account recovery |
| Candidate data | As long as you maintain an active account, unless you or the candidate requests earlier deletion | Necessary for ongoing service delivery |
| Usage data | 12 months from collection | Necessary for security monitoring and service improvement |
| Local storage credentials | Until you sign out or clear your browser data | Stored locally on your device; under your control |
Upon expiration of the applicable retention period, personal data will be securely deleted or anonymised.
9. Your Rights as a Data Subject
Under the GDPR, you have the following rights in relation to your personal data. These rights also apply to candidates whose data is processed through the Service.
| Right | Description |
|---|---|
| Right of access (Art. 15) | Request a copy of the personal data we hold about you |
| Right to rectification (Art. 16) | Request correction of inaccurate or incomplete personal data |
| Right to erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations |
| Right to restriction (Art. 18) | Request that we restrict the processing of your personal data in certain circumstances |
| Right to data portability (Art. 20) | Receive your personal data in a structured, commonly used, machine-readable format |
| Right to object (Art. 21) | Object to processing based on legitimate interest; we will cease processing unless we demonstrate compelling legitimate grounds |
| Right to withdraw consent (Art. 7(3)) | Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of prior processing |
| Right to lodge a complaint (Art. 77) | Lodge a complaint with a supervisory authority (see Section 9.1) |
How to exercise your rights: Contact us at support@talentriver.ai. We will respond within 30 days. If your request is complex, we may extend this period by up to 60 days, and we will inform you of any extension and the reasons for it.
We will verify your identity before processing any request. We do not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive.
9.1 Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority. For Sweden, this is:
Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm, Sweden
Website: www.imy.se
Email: imy@imy.se
If you are located in another EU/EEA member state, you may also contact your local supervisory authority.
10. Automated Decision-Making
Our Service includes automated ranking and scoring of candidates. [If applicable, include the following:]
This processing constitutes profiling within the meaning of Article 22 GDPR. However, it does not produce legal effects or similarly significantly affect the candidates, as all hiring decisions remain with the human recruiters using our platform. The automated ranking serves as a decision-support tool only.
[If the automated processing does produce significant effects, additional safeguards under Art. 22(3) must be documented here, including the right to obtain human intervention, express a point of view, and contest the decision.]
11. Cookies and Local Storage
The Chrome extension uses the browser's local storage to store your authentication credentials. We do not use cookies or tracking technologies within the extension itself.
[If you use analytics, tracking pixels, or any other tracking technology, disclose them here with opt-out mechanisms.]
12. Children's Data
The Service is not directed at individuals under the age of 16, and we do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will take steps to delete it promptly.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay, in accordance with Article 34 GDPR.
14. Changes to This Policy
We may update this privacy policy from time to time. If we make material changes, we will notify you through the extension interface or by email before the changes take effect. The "Last updated" date at the top of this policy indicates when it was most recently revised.
We encourage you to review this policy periodically.
15. Contact Us
If you have questions about this privacy policy or our data processing practices, please contact us:
TalentRiver AB
Email: support@talentriver.ai
[INSERT physical address]
[INSERT phone number, if applicable]