Recruitment Privacy Policy
Equilibrium Engineering Oy
Version: 1.0
Effective date: April 15, 2026
Last updated: April 15, 2026
At a Glance
We collect your name, contact details, CV, and information generated during the recruitment process (interview notes, assessments).
We use it to evaluate your application and, if you're not selected, to consider you for future roles.
We delete your CV and application documents after 3 months. If you say yes, we keep your application materials for up to 24 months so we can reach out about future opportunities.
You can withdraw your consent at any time by emailing privacy@equilibrium.co.
You have rights under GDPR — including access, correction, deletion, and objection. Details in Section 8.
1. Who We Are
Equilibrium Engineering Oy ("Equilibrium", "we", "us", "our") is the data controller responsible for your personal data in the context of recruitment.
Business ID: 3274646-4
Registered address: Meritullinkatu 1 B, 00170 Helsinki.
Privacy contact: privacy@equilibrium.co
Equilibrium is not required to appoint a Data Protection Officer under GDPR Art. 37. Privacy-related questions are handled by the privacy contact above.
2. Scope
This privacy policy applies to all personal data we collect and process in connection with:
Job applications submitted through our recruitment platform — directly by you, via a recruitment agency acting on your behalf, by email, or via referrals
Recruitment activities including interviews, assessments, and related communications
Talent pool retention of contact details for future opportunities
This policy covers both successful and unsuccessful candidates, including roles that may result in employment, contractor engagements, or service agreements with a company you represent.
3. What Personal Data We Collect
We are committed to collecting only the personal data that is necessary for assessing your suitability for a role. We do not ask for or process data beyond what is described below. Where you represent a company, we may process your professional contact details in your capacity as a business representative.
Data we collect
Category | Examples | Required? |
|---|---|---|
Identification & contact | Name, email address, phone number | Some required, some optional — see the application form |
Location | Country (required); city (optional) | Country required |
Application materials | CV / resume, cover letter | Required |
Application questions | Your answers to questions about your strengths, motivation, and similar | "What are you good at" required; others optional |
Online profiles | LinkedIn, personal website, GitHub — only if you choose to share them | Optional |
Compensation | Your compensation expectations, if you choose to share them | Optional |
Source attribution | How you heard about the position | Optional |
In addition, we generate or collect automatically:
Category | Examples |
|---|---|
Application metadata | Date of application, position applied for |
Assessment data | Interview notes, technical assessment results |
Communication records | Emails and messages exchanged during the recruitment process |
The application form itself shows which fields are mandatory and which are optional at the time of application.
Data we do NOT routinely collect
Date of birth or national ID numbers — only requested at the offer stage if legally required
Photographs — not requested; if embedded in a CV, not retained separately
Social media data — we do not screen your personal social media; we only consider professional profiles you voluntarily provide
Special category data (race, ethnic origin, political opinions, religious beliefs, health data, sexual orientation) — we do not collect or process this data
Where your data comes from
Most data we hold about you comes directly from your application. Where a recruitment agency submits your application on your behalf, we also receive the application from them. In that case we will also send you this privacy notice by email so that you know how your data is handled with us.
4. Why We Process Your Data and Our Legal Bases
Where applicable, processing may relate to entering into a contract with you or with an organization you represent.
Purpose | Legal Basis (GDPR Article) |
|---|---|
Evaluating your application for the specific role you applied for | Necessary for pre-contractual measures taken at your request (6(1)(b)) |
Conducting interviews and technical assessments | Necessary for pre-contractual measures taken at your request (6(1)(b)) |
Communicating with you about your application status | Necessary for pre-contractual measures taken at your request (6(1)(b)) |
Verifying right-to-work, education, or professional credentials at the offer stage | Our legitimate interest in ensuring the suitability of candidates (6(1)(f)) |
Defending against potential legal claims related to recruitment decisions | Our legitimate interest in legal protection (6(1)(f)) |
Retaining your application data in our talent pool for future opportunities | Your consent (6(1)(a)) |
5. How Long We Keep Your Data
We apply a two-tier retention approach to minimize the personal data we hold while maintaining a useful talent pool.
Tier 1 — Standard retention (all applicants)
Data | Retention period | Trigger |
|---|---|---|
Full application (CV, cover letter, portfolio) | 3 months | From the date the position is filled or your application is declined, whichever is later |
Interview notes and assessment results | 3 months | Same as above |
Communication records | 3 months | Same as above |
After 3 months, this data is permanently deleted from our systems and our recruitment platform.
Tier 2 — Talent pool (with your consent)
If you are not selected for the role you applied for, we may ask whether you'd like us to keep your application materials so we can reach out about future roles that match your skills.
If you say yes, we retain the data you submitted as part of your application — your name, contact details, country, professional profile URLs and compensation expectations (if you provided them), area of interest, your CV and cover letter, your free-text application answers, and the interview notes and assessment results we generated during the process.
Retention period: Up to 24 months from the date you give us your consent.
12-month re-confirmation: At 12 months, we will contact you to ask whether you'd like to remain in the talent pool. If you don't respond, your data is deleted.
Withdraw consent: You can withdraw your consent at any time by emailing privacy@equilibrium.co. Withdrawal stops processing going forward; it does not affect the lawfulness of processing carried out before withdrawal. We will delete your data within 30 days of your withdrawal.
No talent-pool retention without consent: If you don't give consent, your application data is deleted under the standard 3-month timeline (see Tier 1 above) — there is no detriment to declining.
Legal basis: Your consent (Art. 6(1)(a)). You have the right to withdraw consent at any time under Art. 7(3) — see Section 8.
Successful candidates
If you engage with Equilibrium as an employee, contractor, or through a company you represent, your application data may be transferred to the relevant commercial, contractor, or personnel records. From that point, processing is governed by the privacy notice that applies to your engagement, which we will provide to you at onboarding.
6. Who Has Access to Your Data
Within Equilibrium
Your data is accessible only to Equilibrium team members directly involved in evaluating your application, on a need-to-know basis.
Recruitment agencies
If your application was submitted by a recruitment agency, that agency retains visibility of your application's progress with us while we are considering you. Agencies do not see interview notes, scorecards, or internal discussion about your application. The agency is an independent controller for its own records of you; its handling of your data outside our process is governed by its own privacy policy.
Service providers (data processors)
We use the following categories of service providers, each operating under a Data Processing Agreement (DPA):
Provider category | Purpose |
|---|---|
Recruitment platform | Hosting job listings, receiving and managing applications |
Email and cloud productivity | Storing and transmitting application data, document collaboration |
Team communication | Internal hiring discussions that may reference applicants |
Video conferencing | Conducting remote interviews |
We never sell your data
Your personal data is never sold, rented, or shared for marketing purposes.
7. International Data Transfers
Equilibrium operates as a fully remote, global team. Your personal data may be accessed by team members or processed by service providers located outside the European Economic Area (EEA).
Where personal data is transferred to a country that does not benefit from an EU adequacy decision, we ensure appropriate safeguards are in place, including:
EU-US Data Privacy Framework (DPF) — for certified US-based providers
Standard Contractual Clauses (SCCs) — approved by the European Commission
Adequacy decisions — where the European Commission has determined that a country provides adequate protection
Our US-based service providers (recruitment platform, email and cloud productivity, team communication, video conferencing) rely primarily on EU-US Data Privacy Framework certification for transfers of personal data from the EEA. DPF certifications can be verified at dataprivacyframework.gov. Where a provider is not DPF-certified for a particular transfer, we rely on Standard Contractual Clauses under the relevant Data Processing Agreement.
You may request a copy of the safeguards we rely on by contacting privacy@equilibrium.co.
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
Right | What it means |
|---|---|
Access (Art. 15) | You can request a copy of the personal data we hold about you |
Rectification (Art. 16) | You can ask us to correct inaccurate or incomplete data |
Erasure (Art. 17) | You can ask us to delete your personal data, subject to any legal retention obligations |
Restriction (Art. 18) | You can ask us to limit how we process your data in certain circumstances |
Data portability (Art. 20) | You can request your data in a structured, machine-readable format |
Withdraw consent (Art. 7(3)) | For processing based on your consent (talent-pool retention), you can withdraw at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal |
Object (Art. 21) | You can object to processing based on our legitimate interest. We will stop processing unless we can demonstrate compelling legitimate grounds |
How to exercise your rights
Contact us at privacy@equilibrium.co.
We will respond to your request within 30 days. If we need more time due to the complexity of the request, we will inform you of the extension within the initial 30-day period.
We may ask you to verify your identity before processing your request.
9. Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with a supervisory authority.
Lead supervisory authority:
Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
Website: tietosuoja.fi
You also have the right to lodge a complaint with the supervisory authority in the EU member state where you reside or work.
10. Automated Decision-Making
Final hiring decisions are made by people. We do not use automated decision-making or profiling that produces legal or similarly significant effects on you within the meaning of GDPR Art. 22. Where our recruitment platform offers AI-assisted features such as keyword matching or candidate ranking, any such tools are used only to support human reviewers — they do not make decisions about your application.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated to active applicants. The current version is always available at https://equilibrium.co/careers/privacy-policy.
Contact: privacy@equilibrium.co