iCIMS, Inc. and its subsidiaries, iCIMS International, LLC, TextRecruit, Inc., Opening HR Limited, EasyRecrue S.A.S., Candidate ID Ltd, and SkillSurvey, Inc. (collectively, “iCIMS,” “we,” or “us”), respects the privacy of its job applicants and individuals interested in potential employment opportunities with iCIMS (“you”), and we are committed to protecting their personal data. To that end, we have put together this Talent Acquisition Privacy Notice (“Privacy Notice”) to give you a better understanding of who we are and our practices with respect to the collection, use, disclosure, and retention of personal data obtained in connection with applying for a job at iCIMS and iCIMS’ recruitment process.

For purposes of this Privacy Notice:

• The term “personal data” means any information which relates to an identified or identifiable, living individual that directly or indirectly references one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity. Personal data excludes anonymous data.

Please take the time to read this Privacy Notice and the related statements in their entirety to ensure you are fully informed. If you have any questions or concerns about our processing of your personal data, please contact us by using the contact details under the “Contact Information” heading below.

This Privacy Notice is a general guide on how iCIMS processes your personal data. As such, you should be aware that data protection and privacy laws can vary in different jurisdictions where iCIMS operates. iCIMS’ policy is to comply with applicable laws, including requirements in certain countries that iCIMS notify individuals in that country of its personal data practices, and in some cases, obtain consent to those practices.

Where applicable laws are stricter than the practices described in this Privacy Notice, iCIMS has adopted specific privacy practices in those locations to satisfy those stricter requirements.

As further described below, we collect personal data from you in connection with your job application with iCIMS and iCIMS’ recruitment and onboarding processes, which includes the following:

• Name, address, telephone number, e-mail address, and other contact information;
• Username and password;
• Work authorization status;
• CV, résumé, cover letter, previous work experience, and education information;
• Knowledge, skills, abilities, and preferences, including learning agility, aptitude, and working style and preferences;
• Professional and other work-related licenses, permits, and certifications held;
• Referral names and contact information for referrals;
• Information relating to character and employment references;
• Identification data, such as your gender, date of birth, languages, driver’s license, national ID, passport, immigration status and documentation, visas, social security numbers (for US only) and national insurance numbers;
• Information related to your browsing and email actions, which may include Internet protocol (“IP”) addresses, browser type, referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics), operating system, date/time stamp, and/or clickstream data;
• Communication data, such as digital text and audio information collected in email, chat, video and telephone, including interactions with chatbots; and
• Any other information you elect to provide to us (e.g., employment preferences, willingness to relocate, current salary, desired salary, awards, or professional memberships).

iCIMS may collect this information in a variety of ways, including from application forms, CVs or résumés, identity documents, third parties (such as for references or background checks, or from recruiters), or through interviews or other forms of assessment.

If we ask you to provide any other personal data not described above, then the personal data we will ask you to provide, and the reasons why we ask you to provide it, will be made clear to you at the point we collect it. If we ask you to provide personal data that we consider to be mandatory for us to administer your relationship with us, we will inform you of such at the time of collection. In addition, we will also inform you of the consequences for not providing us with the mandatory personal data.

iCIMS uses your personal data for the purposes of carrying out its job application, recruitment, and onboarding processes. Such uses include:

• Assessing your skills, qualifications, and interests against our career opportunities and determining your suitability for employment;
• Deciding whether to offer you a job;
• Verifying your information and carrying out reference checks and/or conducting background checks (where applicable) if you are offered a job;
• Communications with you about the recruitment process and/or your job application(s), including, in appropriate cases, informing you of other potential career opportunities at iCIMS;
• Recommending potential career opportunities based on your skills, qualifications, and interests;
• Tracking your browsing and email actions, such as the pages you visited on our website over time and the job postings you viewed, for analytics and job recommendation purposes, and to evaluate your interest in iCIMS and engage with candidates based on their level of interest in iCIMS;
• Creating and/or submitting reports as required under any applicable laws or regulations;
• Where requested by you, assisting you with obtaining an immigration visa or work permit where required;
• Making improvements to iCIMS’ job application, recruitment, and/or onboarding processes, including improving diversity, equity, and inclusion in our recruitment practices;
• Implementing and administering IT security, including authentication and authorization to access iCIMS’ IT systems and networks;
• Fulfilling the purpose for which you provide it;
• Complying with applicable laws, regulations, legal processes, or enforceable governmental requests; and/or
• Proactively conducting research about your educational and professional background and skills and contacting you if we think you would be suitable for a role with iCIMS.

Our processing of Personal Data for the purposes described in this Talent Acquisition Privacy Notice also includes the use of automated methods of processing, including machine learning, artificial intelligence, and generative intelligence capabilities. to analyze your Personal Data, determine trends, or create AI-generated responses or other content. When you interact with the chatbot in our hiring software, we may also store the transcript for the purposes described in this Talent Acquisition Privacy Notice.

If you are offered and accept employment with iCIMS, the personal data collected during the job application, recruitment, and onboarding processes may become part of your employment record.

If we need to process your personal data for an incompatible purpose not discussed in this Privacy Notice, we will provide notice to you and, if required by law, seek your consent. We may process your personal data without your knowledge or consent only where required by applicable law.

iCIMS takes care to allow your personal data to be accessed only by those who need such access to perform their tasks and duties, and to third parties who have a legitimate purpose for processing or accessing it. As such, we may share your personal data as described in this Privacy Notice to the following categories of recipients:

• To our subsidiaries, affiliates, or their or our successors or assigns.
• To our private equity investor, Vista Equity Partners, and its affiliates, including Vista Consulting Group (collectively, “Vista”), for administration, research, database development, workforce analytics and business operation purposes, in line with the terms of this Privacy Notice. Vista processes and shares your personal data with its affiliates, including other Vista portfolio companies, on the basis of its legitimate interests in managing, administering and improving its business and overseeing the recruitment process and, if applicable, your employment relationship with iCIMS. If you have consented to us doing so, we also share your personal data with other Vista portfolio companies for the purpose of being considered for other job opportunities in the pooling system, both inside and outside the European Economic Area (“EEA”) and United Kingdom (“UK”). Please find a full list of all Vista portfolio companies at: https://www.vistaequitypartners.com/companies/ and Vista’s privacy policy at https://www.vistaequitypartners.com/privacy/.
• Upon request, to an iCIMS employee who referred you to inform them about the limited, general status of the referral.
• To our contractors, business partners, service providers, and other third parties who require the data to carry out work relating to the job applicant and/or recruitment process on our behalf, provided such parties provide at least the same level of privacy protection as is required of iCIMS. These companies are authorized to use your personal data only as necessary to provide these services to us.
• To a potential buyer (and its agents and advisors) in connection with any proposed merger, acquisition, or any form of sale or transfer of some or all of our assets (including in the event of a reorganization, dissolution or liquidation), in which case, personal data held by us about you will be among the assets transferred to the buyer or acquirer.
• To a third party under the following circumstances where we, in good faith,: (i) believe we are compelled by applicable law or regulation, judicial request from a court of competent jurisdiction, or another legal process or government authority; (ii) find it necessary to exercise, establish or defend our legal rights; (iii) seek to enforce or apply our Website Terms of Use or terms of any other agreement; (iv) seek to protect iCIMS’ rights or property; (v) seek to protect iCIMS, our Subscribers, or the public from harm or illegal activities; (vi) seek to respond to an emergency which we believe, in good faith requires us to disclose data to prevent harm; or (vii) rely on your consent.

Please note that we do not sell (as defined in applicable data protection and privacy laws) your personal data (and will not sell it without providing any required notices and/or opt-in/opt-out rights). 

If you are a resident of the “EEA” or the UK, our legal basis for collecting and using the personal data described above will depend on the personal data concerned and the context in which we collect it. However, we will normally collect and/or process your personal data pursuant to one or more of the following legal bases:

• The processing is necessary in connection with our legitimate interests in recruitment and hiring candidates and which do not override your data protection interests or fundamental rights and freedoms.
• The processing is necessary to take steps, at your request, relating to potentially entering into an employment contract with you.
• The processing is necessary to comply with our legal obligations, such as retaining records relating to the recruitment process for periods required under applicable laws or regulations.
• We may also seek your consent to process or retain your personal data in certain, limited circumstances that we clearly identify to you.
• In some limited cases, we may need the personal data to protect your vital interests or those of another person; for example, we may need to share your personal data with third parties for security reasons (when we believe in good faith that disclosure is necessary to protect our rights, protect your or others’ safety, to investigate fraud, or respond to a related government request).

If we ask you to provide personal data to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and let you know whether the provision of your personal data is mandatory or not (as well as the possible consequences if you do not provide it). Similarly, if we collect and use your personal data in reliance on our legitimate interests (or those of a third party) that are not listed above, we will make clear to you at the relevant time what those legitimate interests are. If you have questions about or need further information concerning the legal basis on which we collect and use your personal data, please contact us using the contact details provided in the “Contact Information” section below.

iCIMS or its appointed service providers or contractors may collect, use, process, store and disclose your personal data outside of your home jurisdiction, including in the U.S., and in some cases, other countries, for the purposes described in this Privacy Notice. These countries may have data protection and privacy laws that are different than the laws of your home country. iCIMS only transfers personal data to another country in accordance with applicable data protection and privacy laws, provided there are legally adequate protections in place for the personal data. A list of iCIMS’ global offices is available here.

If your personal data is processed within the EEA or UK, and for onward transfers of personal data to iCIMS’ appointed service providers or contractors, iCIMS and its appointed service providers or contractors, will protect your personal data (as defined in the European Union’s (“EU”) General Data Protection Regulation (“GDPR”)) when it is transferred outside of the EEA or UK by:

• Processing it in a territory which the European Commission (or other relevant governmental authority) has determined provides an adequate level of protection for personal data; or
• Otherwise implementing appropriate safeguards to protect your personal data, including through the use of Standard Contractual Clauses or another lawful transfer mechanism approved by the European Commission (or other relevant governmental authority).

If you require further information about our international transfers of personal data, please contact us by using the contact details under the “Contact Information” heading below.

iCIMS, Inc. and certain of its subsidiaries listed here comply with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. iCIMS has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the EEA in reliance on the EU-U.S. DPF and from the UK (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this Privacy Notice and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov .

iCIMS is responsible for the processing of personal data it receives, under the DPF and subsequently transfers to a third party acting as an agent on its behalf. iCIMS complies with the DPF Principles for all onward transfers of personal data from the EEA and UK, including the onward transfer liability provisions.

Although iCIMS also relies on Standard Contractual Clauses or other lawful transfer mechanisms approved by the European Commission (or other relevant governmental authority) to transfer personal data from the EEA and UK, iCIMS is committed to maintaining its DPF certification and will honor its obligation to comply with the DPF Principles.

The Federal Trade Commission has jurisdiction over iCIMS’ compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. In certain circumstances, iCIMS may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

EEA and UK individuals with inquiries or complaints regarding our privacy practices should first contact iCIMS as provided in the “Contact Information” section below. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, iCIMS commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (“DPAs”) and the UK Information Commissioner’s Office (“ICO”) and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) and the Gibraltar Regulatory Authority (GRA) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.

For complaints regarding DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website.

iCIMS maintains appropriate technical and organizational measures, including, but not limited to, reasonably designed administrative, physical, and technical safeguards, designed to protect the personal data obtained as discussed in this Privacy Notice from accidental or unlawful destruction, loss, alteration, unauthorized disclosure and access. iCIMS personnel, service providers, and contractors with access to personal data collected as discussed in this Privacy Notice are required to keep such personal data confidential and secure. iCIMS has a dedicated team responsible for monitoring and responding to security events, and it notifies applicable parties of security or privacy incidents and data breaches in accordance with its incident response procedures and applicable law.

We use the following criteria to determine the length of time for which we retain personal data subject to this Privacy Notice:

• The purposes outlined in this Privacy Notice for which the personal data is used, and the length of time for which such data is required to achieve those purposes, including for business operations, security purposes, and legal requirements;
• Whether we are required to retain the category of personal data in order to: (i) comply with legal or contractual obligations; (ii) assert or defend against potential legal claims or as necessary to investigate theft, fraud, or other activities that are potentially (a) in violation of our policies and procedures applicable to you or (b) a violation of the law; (iii) ensure a secure online environment; and/or (iv) protect your or others’ health and safety;
• The privacy impact on the individual of ongoing retention (for example, determining if our legitimate business interest is outweighed by your data protection interests or fundamental rights and freedoms); and
• The manner in which the personal data is maintained and flows through our systems and how best to manage the lifecycle of such data in light of the volume and complexity of the systems in our infrastructure and the need to maintain high integrity and availability within our systems.

When we have no legal obligation or ongoing legitimate business need to process your personal data, we will either delete or anonymize it or, if this is not possible (e.g., because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible. As such, we reserve the right to use such anonymous data for any legitimate business purpose without further notice to you or your consent. In addition, we delete personal data if an individual makes a verifiable request to delete such personal data and no exception applies.

Certain jurisdictions may provide you with privacy rights under applicable data protection or privacy law regarding your personal data. In particular, you may have the right to:

• be informed about your personal data;
• access your personal data;
• correct any personal data that is inaccurate;
• have your personal data erased;
• restrict or suppress the processing of your personal data;
• obtain and reuse your personal data;
• object to the processing of your personal data;
• object to how your personal data is used in automated decision making, if applicable;
• lodge a complaint with a supervisory authority; and
• obtain a copy of Standard Contractual Clauses (if applicable).

These rights may be limited, for example, if fulfilling your request would reveal personal data about another individual, or if you ask us to delete personal data which we are required by law to keep or which we need to defend claims against us.

If you are a California resident, please see our Privacy Notice for California Residents for additional disclosures and information about the personal data we have collected about you over the last 12 months and rights you may have regarding your personal data.

If you do not wish to receive our email marketing communication for promotional purposes, you may opt‑out by clicking on the “unsubscribe” or “opt‑out” link in the marketing e‑mails we send you.

If we process your personal data in reliance upon your consent, you can contact us at any time to withdraw your consent.

To exercise any of these rights, please contact us by using the contact details under the “Contact Information” heading below.

We will respond to such requests in accordance with the requirements of applicable data protection laws. Please note that in order to fulfil your request, we may need you to provide certain personal data to verify your identity. Depending upon applicable data protection and privacy law, individuals may also designate an authorized agent to exercise these rights on their behalf.

Various browsers (i.e., Internet Explorer, Chrome, Firefox, Edge, etc.) allow a “do not track” (DNT) setting, which sends a signal to websites visited by an individual about their browser DNT setting. At this time, there is no general agreement on how companies, like iCIMS, should interpret DNT signals. Therefore, we do not currently commit to respond to DNT signals. We will continue to monitor developments around DNT browser technology and the implementation of a standard.

This Website may link to websites that are not owned or controlled by iCIMS. As such, this Privacy Notice does not apply to personal data collected on any third‑party site or by any third‑party application that may link to or be accessible from the Website. This Privacy Notice does not apply to personal data collected by Subscribers, our business partners, and other third parties or third‑party applications or services, even if this personal data is collected using our Website or at events.

The Website is not directed to or intended to be used by anyone under the age of 18. We do not knowingly collect personal data from anyone under the age of 18. If you are under 18, please do not attempt to fill out our forms or send any personal data about yourself to us. If we learn that we have collected personal data from a child under age 18, we will delete that personal data promptly.

iCIMS reserves the right to update or change this Privacy Notice from time to time. If we make material changes to this Privacy Notice, we will post it to our Website home page prior to or at the time of the change becoming effective. We ask that you review the Privacy Notice periodically to stay informed about any updates or changes that we may have made.

You can see when this Privacy Notice was last updated by checking the “Effective Date” displayed at the top of this Privacy Notice.