ReferPool

ReferPool Global Privacy Policy

Effective Date: 16 February 2026

ReferPool is operated by:

The Apply Group Ltd.
Company No. 12938105
ICO Registration No. ZB327179
Address: 124 City Road, London EC1V 2NX United Kingdom
Contact: privacy@theapplygroup.com

The Apply Group Ltd is the data controller for personal data processed through ReferPool.

1. About ReferPool

ReferPool is a pre-vacancy referral and screening platform that enables:

  • Job seekers to complete structured PeerScreens
  • Verified employees to assess candidates
  • Talent Pools to be built prior to public job advertisements

ReferPool operates an anonymous-by-default model and uses AI-assisted tools to enhance signal quality.

2. Categories of Personal Data Collected

2.1 Account Information

  • Name
  • Email address
  • Persona type
  • Login credentials (securely hashed)

2.2 Professional Information

  • CV / résumé
  • Work history
  • Education
  • Skills
  • Target roles and locations
  • Right-to-work status (if provided)

2.3 PeerScreen Information

  • Written responses
  • Submission timestamps
  • AI-generated signal scores
  • AI summaries
  • Referral decisions
  • Talent Pool status

2.4 Verification Information

  • Work email address
  • University email address
  • Verification timestamps
  • Status confirmations

2.5 Payment Information

  • Transaction ID
  • Amount
  • Status

Payments are processed by Stripe. We do not store card numbers.

2.6 Technical & Usage Information

  • IP address
  • Device data
  • Browser data
  • Activity logs
  • Usage metrics

3. How Anonymity Works

ReferPool operates an anonymous-by-default structure:

Identity is hidden during initial PeerScreen review.

Identity is revealed only if:

  • You are added to a Talent Pool
  • You are referred
  • You consent

Once identity is shared with an employer, ReferPool does not control further internal distribution.

4. Purposes of Processing

We process personal data to:

  • Provide and operate the platform
  • Enable PeerScreens and Talent Pools
  • Facilitate referrals
  • Verify employment or student status
  • Process payments
  • Maintain platform security
  • Improve AI scoring systems
  • Comply with legal obligations

5. Legal Bases (UK & EEA Users)

Under GDPR, we rely on:

  • Contractual necessity
  • Legitimate interests
  • Legal obligations
  • Consent (where applicable)

Legitimate interests include fraud prevention, trust-building, AI signal quality and platform integrity.

6. AI & Automated Processing

We use AI tools to:

  • Generate structured signal scores
  • Provide evaluation summaries
  • Assist employee review

Important:

  • AI does not make final hiring decisions.
  • No fully automated employment decisions are made.
  • Users may request human review.

This addresses UK GDPR Article 22, EU GDPR profiling safeguards, and emerging U.S. AI transparency standards.

7. Data Sharing

We may share data with:

  • Verified employees (when triggered by user engagement)
  • Payment processors (Stripe)
  • Hosting and cloud providers
  • Security and analytics providers
  • Legal or regulatory authorities where required

We do not sell personal data.

8. International Data Transfers

Data may be processed outside your country.

Where required, we use:

  • Standard Contractual Clauses
  • Adequacy decisions
  • Contractual safeguards
  • Technical security protections

9. Data Retention

CategoryRetention Period
Active accountsWhile active
Closed accounts90 days
PeerScreensUp to 24 months unless active in Talent Pool or dispute
Talent Pool recordsWhile active + periodic review
Financial records7 years
Marketing dataUntil withdrawn or 24 months inactivity
Security logs12 months

10. Your Rights

Depending on your location, you may have the right to:

  • Access your data
  • Correct inaccurate data
  • Delete data
  • Restrict processing
  • Object to profiling
  • Data portability
  • Withdraw consent
  • Request human review of AI outputs

Contact: privacy@theapplygroup.com

We respond within legally required timeframes.

11. U.S. Privacy Rights (Including California)

For U.S. residents, you may request:

  • Categories of data collected
  • Specific data held
  • Deletion
  • Correction
  • Opt-out of sale (Note: we do not sell data)
  • Opt-out of targeted advertising (if applicable)

We do not knowingly sell data of individuals under 16.

We will not discriminate against you for exercising privacy rights.

12. Canadian Privacy Rights

Under PIPEDA, you may request:

  • Access to your personal information
  • Correction of inaccurate information
  • Withdrawal of consent

13. Security

We implement:

  • Encryption
  • Role-based access controls
  • Secure authentication
  • Ongoing monitoring

No system is entirely secure, but we take reasonable technical and organisational measures.

14. Complaints

  • UK users may complain to the Information Commissioner's Office (ICO).
  • EU users may contact their local Data Protection Authority.
  • U.S. users may contact their state Attorney General.
  • Canadian users may contact the Office of the Privacy Commissioner of Canada.

15. Updates

We may update this policy. Continued use constitutes acceptance.