RECKIAPP PRIVACY AND COOKIES POLICY
Version (Effective): 5th January 2025
Last reviewed: 5th January 2025
This Privacy and Cookies Policy (“Policy”) describes how RECKIAPP LTD (“Reckiapp”, “we”, “us”, “our”) collects, uses, shares, and otherwise processes personal data. It also explains the rights and choices available to individuals in relation to their personal data.
This Policy applies to personal data processed by Reckiapp in connection with (i) our websites and online services, (ii) our Salesforce-native applications and related service platforms (including where deployed into a customer’s Salesforce environment), (iii) our sales, marketing, contracting, billing, implementation and support activities, and (iv) any other interactions you may have with us (collectively, the “Services”). References to “you” depend on context and may include website visitors, customer users, customer administrators, business contacts, prospects, partners, and individuals whose personal data is processed by our customers using the Services (such as candidates, contacts, and employees).
This Policy is intended to align with applicable data protection laws and regulations including the UK GDPR, the Data Protection Act 2018, the EU GDPR (where applicable), the Privacy and Electronic Communications Regulations 2003 (“PECR”) and relevant international privacy laws where our Services are used globally. Where local law requires additional disclosures (for example, certain US states), additional information is set out in Section 14.
1. Company Details and Contact Information
RECKIAPP LTD
Company number: 16906783
Registered office address: 9 Bourne Road, Bexley, England, DA5 1LW
For privacy-related enquiries, you can contact us at: privacy@reckiapp.com.
Where we are required to appoint a Data Protection Officer, or where we appoint a privacy lead voluntarily for governance purposes, the relevant contact details will be provided upon request or in our customer contracting documentation.
2. Our Role Under Data Protection Law (Controller vs Processor)
Because Reckiapp provides Salesforce-native applications that operate within a customer’s own Salesforce instance, our role under data protection law depends on the processing activity in question.
Customer Data (Processor role). In most cases, Reckiapp processes personal data on behalf of our business customers. In those circumstances, the customer is the Data Controller (or a Processor acting for its own controller) and Reckiapp is a Data Processor. This means the customer determines the purposes for which personal data is used and how it is processed, including what data is entered into Salesforce, which fields are enabled, how long data is kept, and who has access. Reckiapp processes that data only in order to provide the Services and in accordance with the customer’s documented instructions and applicable law. This “Customer Data” may include personal data relating to the customer’s own employees and users, as well as data subjects such as candidates, applicants, contacts, clients, suppliers and other individuals.
Reckiapp Business Data (Controller role). Reckiapp is a Data Controller in relation to personal data we collect and process for our own business purposes, for example when you visit our website, request a demo, enter into a contract with us, administer an account, communicate with support, attend an event, or subscribe to marketing communications. This “Business Data” is used for operating and growing our business, providing customer service, managing our relationships and meeting our legal obligations.
Important note for candidates and other end individuals. Where your personal data is processed within a customer’s Salesforce instance using Reckiapp applications, the customer controls that data. In that scenario, Reckiapp typically has no direct relationship with you. If you have questions about why your data is being used, how long it will be stored, or you wish to exercise rights such as deletion, you should contact the relevant customer organisation first. We support our customers in fulfilling these requests in accordance with our contractual arrangements and applicable law.
3. Personal Data We Collect and Process
The categories of personal data processed will depend on whether you are interacting with Reckiapp directly (Business Data) or whether your data is processed by a customer using our Salesforce-native applications (Customer Data). We may process some or all of the categories below.
3.1 Categories of Customer Data (processed as Processor)
Reckiapp applications are designed for recruitment and relationship-led workflows and may process personal data that customers choose to store in Salesforce, including the following categories. Where a customer configures their environment to process particular categories (including sensitive categories), the customer is responsible for ensuring a lawful basis and appropriate notices and controls.
Identifiers and contact details. This may include names, business contact information, personal contact information (where customers choose to store it), usernames, profile identifiers, email addresses, postal addresses, and similar identifiers, including identifiers issued by public bodies if the customer stores them (for example, NI numbers, passport identifiers, or other national identifiers, depending on the customer’s lawful basis and requirements).
Professional and education data. This may include CV/resume information, education history, qualifications, accreditations, training, skills, certifications, licensing status and professional membership information.
Employment and recruitment data. This may include work history, job applications, interview notes, placement details, role suitability notes, availability data, compensation expectations, work preferences, compliance or onboarding progress information, and performance/assignment-related records where the customer stores those in Salesforce.
Financial and transaction data. Depending on customer use cases, records may include pay rates, salary information, billing rates, timesheet-related information, invoice references, payment status data, and other finance-related data necessary for staffing and recruitment operations.
IT and usage information. This may include audit logs, access and activity data within Salesforce, IP addresses (where logged by the platform or connected services), device information, and technical identifiers, subject to the customer’s platform configuration and our own security logging.
Communications content. Customer environments may contain communications content, such as email metadata, messages, notes, tasks, call logs or activity history, depending on how the customer operates their Salesforce instance and integrates third-party tools.
Special category data (where configured by customer). Some customers may choose to store or process special category data (for example health data or diversity data) or criminal record-related information. Reckiapp does not require customers to provide such data for the core functioning of the Services and we do not encourage its processing unless necessary and lawfully permitted. Where a customer chooses to store such data in Salesforce and use it with our applications, the customer must ensure it has a valid lawful basis (and a valid Article 9 condition for special category data, and any required additional safeguards). Reckiapp will process that data only on customer instruction and subject to appropriate contractual safeguards.
3.2 Categories of Business Data (processed as Controller)
When you interact with Reckiapp directly, we may process the following:
Business contact details. This includes your name, work email, telephone number, job title, company name and related professional contact information.
Account and subscription administration data. Where you are a customer administrator or named contact, we may process login identifiers, user provisioning records, customer configuration communications, renewal information, and similar account-management data.
Billing and financial administration data. This may include invoicing contacts, billing addresses, VAT information, purchase order details, and records of payments and subscription status. Payment card details, where used, are typically processed by payment providers rather than stored by Reckiapp (subject to the payment method chosen).
Support and communications. If you contact us, we will process the content of your messages, emails, and support tickets, including any attachments you provide. We may also keep records of calls or meetings where necessary for training, quality assurance, dispute resolution, or evidencing support outcomes, subject to lawful basis and appropriate notice.
Website and cookie data. We collect certain information automatically when you use our websites, such as IP address, browser type, pages visited, referral URLs, approximate location (derived from IP address), device identifiers and similar analytics data through cookies and similar technologies, as described in Section 9.
4. How We Use Personal Data and Why (Purposes)
Reckiapp processes personal data for specific, limited purposes. The relevant purposes depend on whether we are acting as Processor (Customer Data) or Controller (Business Data).
4.1 Purposes for Customer Data (Processor)
Where Reckiapp processes Customer Data as a Processor, we do so to: (i) provide and maintain the Services, (ii) operate the functionality requested by the customer, (iii) provide support and professional services where requested, (iv) ensure security and operational integrity, and (v) comply with legal obligations. This includes processing necessary to enable features such as automation, workflow triggers, UI rendering, reporting outputs, and Salesforce-native data interactions as configured by the customer.
We may access Customer Data only in limited circumstances and only where necessary, for example to troubleshoot an issue, respond to a support request, implement customer instructions, investigate suspected misuse or a security incident, or comply with law. Access is restricted, logged where feasible, and subject to confidentiality obligations.
4.2 Purposes for Business Data (Controller)
Where Reckiapp acts as Controller, we process personal data to: operate our business, provide and market the Services, manage customer relationships, administer subscriptions, provide customer support, ensure security, comply with legal obligations, and protect our legal rights. This may include communicating with you about product updates, service notices, security notices, invoices, renewal discussions, service improvements, webinars, events, and relevant marketing content, subject to your choices and applicable law.
5. Legal Bases for Processing
Where Reckiapp acts as a Controller (Business Data), we rely on the following lawful bases, as applicable:
Contractual necessity. We process personal data where necessary to perform a contract with you or your organisation, or to take steps at your request before entering into a contract. This includes implementing Services, administering subscriptions, providing support, and managing service communications.
Legitimate interests. We process personal data where necessary for our legitimate interests (or those of a third party), provided those interests are not overridden by your rights and freedoms. Legitimate interests may include operating and improving the Services, ensuring security and preventing fraud, marketing to business contacts in a proportionate manner, maintaining records, quality assurance, and defending legal claims.
Legal obligation. We process personal data where required to comply with legal obligations, such as tax, accounting, regulatory compliance, or responding to lawful requests by authorities.
Consent. We use consent where required by law (for example under PECR for certain cookies, or for marketing to individuals where consent is required). Where we rely on consent, you may withdraw it at any time.
Where Reckiapp acts as a Processor (Customer Data), the customer is responsible for determining the lawful basis for processing and for providing any required notices to data subjects.
6. Aggregated / Anonymised Data and Product Analytics
We may create aggregated and/or anonymised datasets from usage information and service telemetry for analytical purposes, capacity planning, security monitoring, and product improvement. These datasets are designed not to identify individuals. We take steps intended to prevent re-identification, and where data is truly anonymised it is no longer personal data.
Where service telemetry might contain personal data (for example, identifiers in logs), it will be handled as personal data under this Policy and our customer contracts, and retained only as necessary for security and operational purposes.
7. Sharing of Personal Data (Third Parties, Sub-processors, Onward Transfers)
Reckiapp does not sell personal data. We share personal data only as described in this Policy and in our customer agreements.
7.1 Sub-processors and service providers
We may share personal data with vetted third-party service providers who assist us in operating and delivering the Services (for example hosting, monitoring, customer support tooling, billing operations, security services, or professional advisers). Where we engage service providers that process personal data on our behalf, we put in place contractual protections designed to ensure appropriate confidentiality, security, and compliance with applicable data protection laws. Service providers are permitted to process personal data only as necessary to provide services to Reckiapp and for no other purpose.
Where we process Customer Data as Processor, our engagement of sub-processors is governed by our customer Data Processing Addendum (DPA) and relevant contractual terms. Customers may be informed of sub-processor changes as required by contract and law.
7.2 Customer-chosen integrations and marketplaces
Customers may integrate the Services with third-party products (including Salesforce AppExchange products, email providers, analytics tools, or other systems). Where a customer contracts directly with a third party, the third party’s privacy practices and terms will govern that third party’s processing. Reckiapp is not responsible for third-party processing outside our control, and customers should review third-party privacy terms and ensure appropriate compliance.
7.3 Legal disclosures and protection of rights
We may disclose personal data if we believe, acting reasonably, that disclosure is necessary to: comply with law or legal process; respond to lawful requests by public authorities; enforce our contracts; protect our rights, property or safety; investigate fraud or security incidents; or protect the rights, property or safety of our customers, users or others. Where permitted and appropriate, we will seek to notify affected customers or individuals about such disclosures.
7.4 Corporate transactions
If Reckiapp is involved in a merger, acquisition, reorganisation, sale of assets, financing, bankruptcy, insolvency or similar transaction, personal data may be disclosed as part of that transaction, subject to appropriate confidentiality safeguards and applicable law. Where required, we will provide notice of material changes to processing.
8. International Transfers
Because our customers may be worldwide, and because some of our service providers may operate globally, personal data may be transferred and processed outside the UK and/or EEA.
Where we transfer personal data from the UK and/or EEA to countries that do not provide an “adequate” level of protection, we use appropriate safeguards such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, and/or the EU Standard Contractual Clauses (SCCs) as applicable, along with additional technical and organisational measures where necessary. We also monitor legal developments relating to international transfers and update our approach where required.
9. Cookies, Similar Technologies, and PECR
Reckiapp uses cookies and similar technologies on its websites and, where applicable, in web-based components associated with the Services. Cookies are small files placed on your device that help websites function, improve performance, and provide analytics.
We use cookies for purposes including: enabling core website functionality; remembering preferences; helping keep the site secure; understanding how visitors use our website; measuring the effectiveness of campaigns; and improving content and user experience.
Where required by PECR and equivalent laws, we will obtain your consent for non-essential cookies (such as analytics and marketing cookies). You can manage cookie preferences via our cookie banner or settings tool (where implemented), and you can control cookies through your browser settings. Please note that disabling certain cookies may impact site functionality.
If we use third-party analytics or marketing cookies, those providers may process information collected through those cookies in accordance with their own privacy policies. We encourage you to review those third-party policies.
10. Marketing Communications
Where permitted by applicable law, we may send marketing communications to business contacts about Reckiapp products, features, events, webinars and services. We will provide a clear method to opt out in each marketing communication. Where consent is required (for example in certain jurisdictions or for certain categories of recipients), we will not send marketing unless you have opted in.
Operational or service communications (such as billing notices, security notices, changes to the Services, and support updates) are not considered marketing communications and you may continue to receive them while you have an active relationship with us.
11. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law.
Customer Data. Customer Data primarily resides in the customer’s Salesforce environment and is retained according to the customer’s own retention settings and legal obligations. Where Reckiapp processes Customer Data outside the customer environment (for example in support tickets, diagnostic logs, or implementation files), we retain it only as long as necessary to provide support, meet contractual obligations, ensure security, resolve disputes, and enforce agreements. Where feasible, we minimise the personal data contained in logs and restrict access.
Business Data. Business contact and account-related data is typically retained for the duration of the customer relationship and as necessary thereafter for audit, accounting, tax and legal compliance. Marketing data is retained until you opt out or until it is no longer required for lawful marketing purposes.
Where deletion is not possible (for example due to technical constraints, legal hold, or backup retention), we will take steps to restrict processing and securely isolate the data until it can be deleted.
12. Security and Confidentiality
Reckiapp implements appropriate technical and organisational security measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures may include access controls, least-privilege policies, secure authentication practices, logging and monitoring, secure development lifecycle practices, staff confidentiality obligations, and incident response procedures.
No method of transmission over the internet or method of electronic storage is completely secure. Accordingly, while we take reasonable steps to protect personal data, we cannot guarantee absolute security. Customers are responsible for maintaining the confidentiality of their credentials and for securing their own Salesforce environment, including user permissions, MFA policies, and data governance, unless otherwise agreed in writing.
13. Your Rights and How to Exercise Them
Subject to applicable law, individuals may have rights to request access to personal data, rectification, deletion, restriction of processing, data portability, and to object to certain processing. Individuals may also have the right to withdraw consent where processing is based on consent.
Where Customer Data is concerned, the customer is the controller. If you are an individual whose personal data is processed by one of our customers (for example a candidate), you should direct your request to the relevant customer organisation. Where appropriate, and in accordance with our customer contracts and law, we will assist our customers to respond to requests.
Where Reckiapp is controller (Business Data), you can contact us directly. Requests should be sent to privacy@reckiapp.com. We may need to verify identity and request additional information to process your request securely. We may decline or limit a request where permitted by law (for example where it would adversely affect the rights of others, where the request is manifestly unfounded or excessive, or where we must retain data for legal obligations).
Complaints. If you are in the UK, you may lodge a complaint with the Information Commissioner’s Office (ICO). You may also have the right to lodge a complaint with your local supervisory authority if you are in the EEA.
14. Jurisdiction-Specific Disclosures (International)
Because customers and users may be worldwide, the following additional rights and disclosures may apply depending on where you live.
14.1 United States (Certain State Privacy Laws)
Residents of certain US states (including California, Colorado, Connecticut, Utah and Virginia) may have rights to request information about categories of personal information collected, the sources of that information, the business purposes for collection, categories of third parties with whom information is shared, and rights to access, correct or delete personal information, subject to exceptions. Where required, individuals may also have rights to opt out of certain forms of “targeted advertising” or “sharing” as defined by local law.
Reckiapp does not sell personal information in the conventional sense. If we engage in activities that constitute “sharing” for targeted advertising under certain state laws through cookies or similar technologies, we will provide appropriate mechanisms (such as cookie preference controls) to opt out where required.
14.2 Other Regions
Individuals may have additional rights under local laws in jurisdictions such as Canada, Australia, New Zealand, Singapore, South Africa, Brazil, and others. Where such laws impose mandatory additional disclosures, Reckiapp will provide them in contracting documentation, supplemental notices, or regional addenda as appropriate.
15. Children
Our websites and Services are not directed to children, and we do not knowingly collect personal data from children. If we become aware that personal data of a child has been collected without appropriate authorisation, we will take reasonable steps to delete it.
16. Links to Third Party Sites
Our websites and Services may contain links to third-party websites or services. We are not responsible for the privacy practices of third parties, and this Policy does not apply to third-party services. We encourage you to review the relevant third-party privacy policies.
17. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The updated version will become effective when posted, unless otherwise stated. Where changes are material, we will take reasonable steps to provide notice (for example by posting a prominent notice on our website or by notifying customers through appropriate channels).
18. How to Contact Us
If you have questions about this Policy or our processing of personal data, you may contact:
RECKIAPP LTD
9 Bourne Road, Bexley, England, DA5 1LW
privacy@reckiapp.com
19. Customer Contractual Documents (Important)
For customers, this Policy should be read alongside your contractual documents with Reckiapp, including any Master Subscription Agreement, Support Terms, and Data Processing Addendum (DPA). Where there is a conflict between this Policy and an executed DPA in respect of Customer Data, the DPA will prevail to the extent of that conflict.
