Privacy

Privacy Notice

Last updated: 14 May 2026.

This notice explains how Candidate Kit handles personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies to the marketing site at candidatekit.uk and the application at app.candidatekit.uk. If anything here is unclear, email ck-hello@candidatekit.uk.

Who we are

Candidate Kit is operated by Elastic Mint Ltd, a company registered in England and Wales (company number 11288579). Elastic Mint Ltd is the data controller for the purposes of UK GDPR.

You can contact us at ck-hello@candidatekit.uk.

What we collect, why, and on what lawful basis

We only collect what we need to operate the service.

• Email address (when you request an invite). Used to send a confirmation link and, once confirmed, to email you when a beta place opens. Lawful basis: consent. You can withdraw consent at any time by emailing us; we'll delete the record.
• Account data (when you accept an invite). Email address, password hash, and the records you create inside the app (saved searches, scoring criteria, application history). Lawful basis: contract — we cannot provide the service without this data.
• Submission metadata. When you submit the interest form, we record the timestamp, your IP address, and a truncated User-Agent string. We use this to detect abuse (spam submissions). Lawful basis: legitimate interests — operating the service securely.
• Payment information (post-launch). Card details are handled by Stripe; we never see or store them. We retain only the Stripe customer ID and the subscription state. Lawful basis: contract.

We do not collect special-category data, and we do not profile or make automated decisions about you.

Who we share data with

We share the minimum data needed with these processors:

• Microsoft Azure (UK South region). Hosts the application database and storage. Your data stays in the UK.
• Azure Communication Services. Sends transactional email (confirmation, password reset, beta-invite). Email content and recipient address only.
• Cloudflare. Provides Turnstile (bot protection) on anonymous forms and privacy-respecting Web Analytics on the marketing site. Cloudflare receives only what's needed to operate these features — no cookies, no cross-site tracking.
• Stripe (post-launch). Handles subscription billing. We share only your email and a customer reference; Stripe holds the payment-method details under its own privacy notice.

We do not sell personal data, and we do not share it for advertising.

How long we keep it

• Interest registrations that you never confirm are deleted after 7 days.
• Confirmed interest registrations are deleted 12 months after confirmation, or sooner if you ask us to. If you've been invited or signed up, the record is kept as part of the invite audit trail and governed by the account data policy above.
• Account data is kept while your account is active. If you delete your account, data is soft-deleted (recoverable for 90 days) and then permanently purged.
• Billing records are retained for 6 years after the last transaction, as required by UK tax law.
• Submission metadata in application logs is retained for 30 days.

Your rights

You have the right to:

• Access the personal data we hold about you.
• Have inaccurate data rectified.
• Have your data erased ("right to be forgotten").
• Restrict or object to our processing.
• Receive your data in a portable format.
• Withdraw consent (where the lawful basis is consent).

Email ck-hello@candidatekit.uk to exercise any of these rights. We'll respond within 30 days as required by UK GDPR. There is no charge for a reasonable request.

Cookies and similar technologies

The marketing site uses no cookies. Cloudflare Web Analytics is cookieless and does not track you across sites. The application uses essential cookies only — the authentication cookie that keeps you signed in, and an anti-forgery token that protects you against CSRF. We do not set advertising or analytics cookies.

International transfers

All primary processing happens in Microsoft Azure UK South. Cloudflare and Stripe are US-headquartered processors but operate UK/EU data-residency offerings; where a transfer outside the UK does occur, it is covered by the UK International Data Transfer Addendum.

Security

We use TLS 1.2 or higher in transit and AES-256 at rest (via Azure's Transparent Data Encryption for the database and server-side encryption for storage), passwords hashed using PBKDF2-HMAC-SHA256 with 600,000 iterations (per current OWASP guidance), and least-privilege access to production systems.

Complaints

If you are unhappy with how we handle your data, please email us first so we can try to put it right. You can also complain to the Information Commissioner's Office (the UK's data-protection authority) at ico.org.uk/make-a-complaint.

Changes to this notice

If we make material changes we'll email registered users and update the "last updated" date at the top of this page.