RECRUITMENT & EMPLOYMENT PRIVACY NOTICE

 

Last updated: 1 June 2026 | Version 2.0 | Effective Date: 1 June 2026

Supersedes Recruitment Privacy Policy v1.0 (last updated 1 March 2025)

 

Entities covered by this Notice (each a “Company”, “we”, “us”, or “our”):

SPD TECHNOLOGY RO S.R.L. — Bucharest, District 4, 41 George Bacovia Street, Romania (VAT RO51276524)

SOFTWARE PRODUCT DEVELOPMENT GLOBAL LTD — 20 Birchin Court, Birchin Lane, London, EC3V 9DJ, United Kingdom (Co. No. 11015150)

LLC “SOFTWARE PRODUCT DEVELOPMENT” — 18002, Cherkasy region, Cherkasy, Shevchenko bldg. 266, office 213, Ukraine (Reg. 39000453)

LLC “SPD-GROUP UKRAINE” — 18005, Cherkasy region, Cherkasy city, Kryvalivska str. 7, Ukraine (Reg. 38843066)

LLC “VALLEY-SOFTWARE” — 18005, Cherkaska oblast, Cherkasy, Kryvalivska str. 7, office 6, Ukraine (Reg. 38668362)

The SPD Technology Companies privacy contact: [email protected]

1. Introduction

The SPD Technology Companies listed above (each a “Company”, “we”, “us”, or “our”) are committed to protecting and respecting your privacy.

This Notice (the “Privacy Notice”) explains how we collect, use, share, and safeguard your personal data in the context of recruitment and employment relationships, including:

  • Job applicants and candidates worldwide for positions at any SPD Technology Company;
  • Employees of the EU/UK Companies (Romania, United Kingdom) hired under employment contracts or contractors engaged under service agreements;
  • Employees of the Ukrainian Companies hired under employment contracts or contractors engaged under service agreements.

Applicable legal framework:

  • EU General Data Protection Regulation (Regulation (EU) 2016/679, “EU GDPR”); Romanian Law No. 190/2018 — for processing by SPD TECHNOLOGY RO S.R.L.;
  • UK GDPR (as defined in section 3 of the Data Protection Act 2018); UK Data Protection Act 2018 — for processing by SOFTWARE PRODUCT DEVELOPMENT GLOBAL LTD;
  • Law of Ukraine No. 2297-VI “On Personal Data Protection” — for processing by LLC “SOFTWARE PRODUCT DEVELOPMENT”, LLC “SPD-GROUP UKRAINE”, and LLC “VALLEY-SOFTWARE”.

SPD Technology aims to apply privacy standards broadly aligned with the principles of the EU GDPR and UK GDPR across its operations, taking into account the nature of the processing and applicable local law.

Language: This Notice is provided in English. Romanian-language and Ukrainian-language versions are available on request from [email protected] and on our website where applicable. In case of material inconsistency, the version required by applicable mandatory law shall prevail.

2. Definitions

Personal Data — any information relating to an identified or identifiable natural person (the “data subject”); an identifiable person is one who can be identified, directly or indirectly, by reference to identifiers such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Processing — any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Controller — the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. In this Notice, each of the SPD Companies is a separate Controller for the processing it undertakes (see Section 3).

Processor / Sub-processor — a natural or legal person which processes Personal Data on behalf of the Controller. Depending on the nature of the services provided, our service providers (e.g., cloud hosting, payroll, recruitment SaaS) may act as processors, independent controllers, or, in limited cases, joint controllers.

Other capitalised terms used in this Notice have the meanings given to them in the EU GDPR, UK GDPR, and the Law of Ukraine “On Personal Data Protection”.

3. Data Controller

The Controller of your Personal Data depends on the SPD Company that engages you (or to which you have applied for a position):

SPD Company: SPD TECHNOLOGY RO S.R.L.
Address & Registration: Bucharest, District 4, 41 George Bacovia Street, Romania; VAT RO51276524
Applicable Law: EU GDPR; Romanian Law 190/2018
Supervisory Authority: ANSPDCP

SPD Company: SOFTWARE PRODUCT DEVELOPMENT GLOBAL LTD
Address & Registration: 20 Birchin Court, Birchin Lane, London, EC3V 9DJ, UK; Co. No. 11015150
Applicable Law: UK GDPR; Data Protection Act 2018
Supervisory Authority: Information Commissioner’s Office (ICO)

SPD Company: LLC “SOFTWARE PRODUCT DEVELOPMENT”
Address & Registration: 18002, Cherkasy region, Cherkasy, Shevchenko bldg. 266, office 213, Ukraine; Reg. 39000453
Applicable Law: Law of Ukraine 2297-VI
Supervisory Authority: Ukrainian Parliament Commissioner for Human Rights

SPD Company: LLC “SPD-GROUP UKRAINE”
Address & Registration: 18005, Cherkasy region, Cherkasy city, Kryvalivska str. 7, Ukraine; Reg. 38843066
Applicable Law: Law of Ukraine 2297-VI
Supervisory Authority: Ukrainian Parliament Commissioner for Human Rights

SPD Company: LLC “VALLEY-SOFTWARE”
Address & Registration: 18005, Cherkaska oblast, Cherkasy, Kryvalivska str. 7, office 6, Ukraine; Reg. 38668362
Applicable Law: Law of Ukraine 2297-VI
Supervisory Authority: Ukrainian Parliament Commissioner for Human Rights

Data Protection Coordinator: Head of Legal of SPD Technology, reachable at [email protected].

4. What Personal Data We Collect

We collect and process Personal Data in connection with:

(i) recruitment activities;

(ii) employment relationships; and

(iii) engagements with independent contractors and other service providers.

4.1 Recruitment stage

During recruitment (from initial application until hiring or rejection), we may collect and process the following categories of Personal Data:

(a) Identification and contact data:

  • full name (and, where relevant, Latin transliteration or name in the official language of the country of residence);
  • email address;
  • telephone number(s);
  • country of residence and address information where relevant for the position or relocation process.

(b) Recruitment and professional data:

  • CV / resume;
  • cover letter and application materials;
  • employment history and professional experience;
  • educational background, qualifications, certifications, and professional licences;
  • language skills and technical competencies;
  • references and recommendation letters, where provided or where consent to contact referees has been obtained;
  • interview notes, technical assessment results, and recruitment feedback records;
  • portfolio materials, test assignments, coding samples, or other recruitment-related submissions voluntarily provided by the candidate.

(c) Compliance and eligibility data:

  • work permit, visa, immigration, or temporary protection status information where relevant for the position;
  • background-check and verification information, where permitted by applicable law and supported by an appropriate lawful basis.

(d) Voluntarily provided information:

  • professional photographs, videos, or profile information voluntarily submitted during the recruitment process;
  • information voluntarily disclosed in connection with relocation, interview scheduling, accessibility accommodations, or similar recruitment-related matters.

4.2 Employment Relationships

Where you are employed by the Company, we may additionally collect and process the following categories of Personal Data:

(a) Identification and employment administration data:

  • passport or national ID details;
  • date of birth;
  • nationality and residence status where required for employment, tax, immigration, or compliance purposes;
  • tax identification number and social-security-related identifiers (e.g., CNP, NI Number, РНОКПП, equivalent identifiers);
  • employment agreement details, position, department, reporting line, work location, and employment status;
  • records relating to onboarding, probation, promotions, transfers, leave, and termination of employment.

(b) Contact and emergency data:

  • residential address and correspondence address;
  • personal and business email address(es);
  • telephone number(s);
  • emergency contact details where voluntarily provided.

(c) Payroll, financial, and benefits data:

  • payroll and compensation information;
  • bank account and payment details (including IBAN, bank name, SWIFT/BIC where applicable);
  • tax, pension, insurance, social security, and benefits-related information where required under applicable law or employment arrangements;
  • reimbursement and expense-related records.

(d) Professional and HR administration data:

  • qualifications, certifications, training records, and professional development information;
  • performance and appraisal records;
  • records relating to compliance with internal policies, disciplinary procedures, or grievance processes where applicable;
  • business travel and mobility-related information where relevant to the role.

(e) Communications and business activity data:

  • business communications exchanged through corporate systems and approved collaboration tools;
  • project, task-management, ticketing, and collaboration records;
  • work-product, documentation, and materials created or processed in the course of employment;
  • meeting recordings where recording is enabled in accordance with applicable law and appropriate notice has been provided.

(f) IT, access, and security-related data:

  • corporate account identifiers and authentication credentials;
  • IP addresses, device identifiers, access timestamps, and access logs;
  • audit trails, cybersecurity events, and security-related system activity records;
  • endpoint and cybersecurity telemetry relating to Company-managed devices, systems, accounts, and infrastructure, where necessary and proportionate for security purposes.

What we do not monitor is the content of personal communications. Where business communications on corporate systems are accessed for security investigation or legal purposes, this is done only on a case-by-case basis with appropriate authorisation, and only to the extent necessary for the specific purpose.

(g) Health and compliance-related data:

  • medical certificates and occupational-health-related information only where required by applicable law or necessary for employment-related obligations;
  • workplace health and safety records where required under applicable law.

(h) Voluntarily provided information:

  • professional photographs or profile information used for internal directories or, subject to separate consent where required, external communications and marketing;
  • information voluntarily provided in connection with corporate events, training, conferences, relocation, or similar employment-related activities;
  • non-sensitive preferences voluntarily disclosed for organisational purposes (for example, dietary preferences for corporate events).

4.3 Engagements with independent contractors and other service providers

We process the following categories of personal data about contractors engaged under service agreements:

(a) Identification data:

  • full name (and, where relevant, name in the official language of your country of residence);
  • date and place of birth (where required for compliance, e.g., AML, sanctions checks);
  • national identification number / personal identification code (e.g., CNP in Romania, National Insurance Number in the UK);
  • VAT registration number / tax number;
  • passport / national ID details (only where strictly required for compliance verification);
  • nationality and residence status (where required for tax or compliance purposes);
  • registration details as PFA / sole trader / freelancer (registration date, ONRC certificate, equivalent).

(b) Contact details:

  • registered address (legal address of your self-employed activity);
  • correspondence / mailing address;
  • email address(es);
  • telephone number(s);
  • emergency contact (where you provide one).

(c) Professional and contract data:

  • CV / professional history (provided during contract administration);
  • qualifications, certifications, and professional licences;
  • service category / role within the engagement;
  • Technical Specifications, Services Acceptance Acts / Records of services, service quality assessments.

(d) Financial data:

  • IBAN and bank account details;
  • invoice records (issued by you to the Customer);
  • payment records and timing;
  • tax-related amounts (where the Customer withholds taxes under applicable law) and reporting records;
  • self-employment tax status and category.

(e) Communications and work-product data:

  • business correspondence (email, messaging platforms such as Slack, Google Workspace);
  • ticket, task and project records (Jira, Confluence, GitHub/GitLab);
  • Deliverables submitted under the Service Agreement (including any personal data within them);
  • meeting recordings (only where recording is enabled with notice and lawful basis).

(f) IT and security data:

  • login credentials and account identifiers in our corporate systems;
  • IP addresses and device identifiers;
  • access logs, security events, and audit trails.

(g) Other data you provide voluntarily:

  • for visa support, business-trip arrangements, training enrolment, conference participation, or similar voluntary activities;
  • non-confidential personal preferences relevant to the engagement (e.g., dietary preferences for events).

Special categories of Personal Data: We do NOT routinely process special categories of Personal Data under Article 9 EU GDPR / UK GDPR (e.g., health data, biometric data, trade union membership, political opinions, racial or ethnic origin). Where exceptionally required (e.g., a medical certificate for occupational health, or a security clearance check), we will rely on a specific Article 9(2) / 10 legal basis and inform you in advance. Such processing is carried out only where authorised by applicable law and subject to appropriate safeguards.

5. Legal bases for processing

We process Personal Data on the following legal bases. The applicable basis depends on the purpose of the processing:

Legal basis: Article 6(1)(b) EU/UK GDPR; Article 11 Law of Ukraine on Personal Data Protection — performance of a contract / pre-contractual steps
Examples of purpose: Pre-contractual assessment of candidates; entering into and performing employment contracts; communicating about positions and engagement terms

Legal basis: Article 6(1)(c) EU/UK GDPR; Article 11 Law of Ukraine — compliance with a legal obligation
Examples of purpose: Compliance with labour, tax, social security, immigration, anti-money-laundering, and statutory record-keeping obligations of each Company

Legal basis: Article 6(1)(f) EU/UK GDPR; Article 11 Law of Ukraine — legitimate interests of the Controller
Examples of purpose: Evaluating candidates; maintaining recruitment and personnel records; IT and physical security; protection of confidentiality and trade secrets; defence of legal claims; internal audit; intra-group coordination

Legal basis: Article 6(1)(a) EU/UK GDPR; Article 11(1)(1) Law of Ukraine — your consent
Examples of purpose: Talent-pool retention beyond 12 months; external marketing use of your professional image; voluntary disclosure of professional achievements; participation in optional programmes of the Company

Where we rely on legitimate interests (Article 6(1)(f)), we have carried out a balancing test that weighs our interests against your rights and freedoms. Information about that balancing test is available on request from [email protected].

Where we rely on your consent (Article 6(1)(a)), you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

6. Processing activities and purposes

We process your Personal Data for the following purposes:

  • managing job applications, interviews, technical assessments, and recruitment decisions;
  • evaluating candidates for potential employment (current and future opportunities, where consent is given for talent-pool retention);
  • entering into, performing, and managing employment agreements, service agreements, consultancy agreements, and other engagement arrangements, including collecting and processing Personal Data necessary for the conclusion of agreements with independent contractors and other service providers, and for the use of such Personal Data for lawful business, contractual, compliance, administrative, operational, and security purposes throughout the duration of the relevant engagement or service relationship;
  • communicating with you about positions, the recruitment process, onboarding, and during employment;
  • entering into and managing employment contracts;
  • operating the employment relationship: payroll, performance evaluation, training, internal communication, leave management, corporate IT access;
  • compliance with labour, tax, social security, immigration, anti-money-laundering, sanctions, and other statutory requirements applicable to each Company;
  • protecting SPD Technology property, IT systems, confidential information, and trade secrets, including by IT security monitoring;
  • internal audit, governance, and risk management;
  • intra-group administration and coordination under the Master Intra-Group DPA;
  • establishment, exercise, or defence of legal claims;
  • professional marketing relating to SPD Technology’s expertise and projects (case studies, blog posts, professional social media profiles), where you have given your separate consent to the use of your professional image and contributions for external purposes;
  • storing recruitment data for future job openings (talent pool) — only where you have given specific consent for retention beyond 12 months.

7. Recipients of your personal data

We share your Personal Data with the following categories of recipients, in each case only as necessary for the purposes set out in Section 6 and in accordance with applicable law:

(a) Other SPD Companies:

All Companies listed in Section 3 may receive your Personal Data on a need-to-know basis for the purposes of intra-group coordination (e.g., where you are interviewed by a multi-country panel). Intra-group transfers are governed by the Master Intra-Group DPA (Version 2.0).

(b) Sub-processors (third-party service providers acting on our behalf under Article 28 GDPR / UK GDPR):

These providers act as Processors of your Personal Data, NOT as independent Controllers. They are contractually bound by data protection obligations no less protective than this Notice. Categories include:

  • Cloud infrastructure: Amazon Web Services, Google Cloud Platform;
  • Productivity and collaboration: Slack, Atlassian (Jira, Confluence);
  • Source control and DevOps: GitHub, GitLab;
  • HR / payroll / recruitment SaaS: applicant tracking system, HRIS, payroll-processing platforms (specific providers vary by Company — full list available on request from [email protected]);
  • IT security and observability: CrowdStrike, Cloudflare;
  • Accounting and payroll service providers in Romania, the UK, and Ukraine, engaged by the relevant Company (these providers may also act as separate Controllers for their own statutory obligations — see paragraph (c));
  • Background-check providers, where applicable and with appropriate lawful basis.

A full Sub-processor Register is maintained by SPD Technology (Annex 7 to the Master Intra-Group DPA).

(c) Independent Controllers (recipients who act on their own behalf, not under our instructions):

  • Tax and government authorities: National tax authorities (e.g., ANAF in Romania, UK HMRC, Ukrainian State Tax Service), labour offices, social security authorities, immigration authorities, statistical authorities, and other regulatory bodies, as required by applicable law. When we transfer data to these authorities, they become independent Controllers in respect of that data.
  • Banks and payment service providers: in respect of payments made to your bank account.
  • Auditors and professional advisors (lawyers, tax advisors): where engaged in their professional capacity and bound by professional confidentiality.
  • Insurance providers: in respect of employee benefits and insurance arrangements (where applicable).

(d) Social media platforms and external marketing channels:

Only where you have given your separate consent to the publication of your professional image, name, or contributions for external marketing purposes. Such consent can be withdrawn at any time, after which we will remove the relevant content from current publications (although content already published in archived or third-party indexed locations may remain).

(e) Legal proceedings, supervisory authorities, courts:

Where reasonably necessary for the establishment, exercise, or defence of legal claims, or where required by a binding order of a court, supervisory authority, or law-enforcement agency.

(f) Potential corporate successors:

In the event of a merger, acquisition, sale, or restructuring of part of SPD’s business, your Personal Data may be disclosed to a potential or actual acquirer, subject to confidentiality undertakings.

We do NOT sell, rent, or otherwise commercialise your Personal Data, and we do NOT share your Personal Data with third parties for their own marketing purposes.

8. International transfers

Because SPD Technology operates across Romania, the United Kingdom, and Ukraine, and because we engage sub-processors in the EU/EEA, the UK, the United States, and other locations, your Personal Data may be transferred internationally.

8.1 Where Your Personal Data May Be Transferred

  • Within the EU/EEA: where SPD entities or sub-processors operate.
  • Between the EU/EEA and the United Kingdom: transfers are covered by the European Commission’s adequacy decision for the UK (Commission Implementing Decision (EU) 2021/1772 of 28 June 2021, as renewed in June 2025 and valid until 27 December 2031).
  • To Ukraine: where the data is processed by a Ukrainian Company (e.g., recruitment by a Ukrainian team, employment of personnel in Ukraine, intra-group IT services). Ukraine does not benefit from an adequacy decision under the EU GDPR or UK GDPR.
  • To the United States: where we engage US-based cloud and SaaS providers (e.g., AWS, Google, Atlassian, GitHub, Slack) for cloud hosting, collaboration, or HR/recruitment tooling. Most of these providers offer EU/UK data residency, which we use where possible.
  • To other third countries: only where strictly necessary for the engagement (e.g., a candidate residing in a third country during recruitment).

8.2 Safeguards for transfers to non-adequate countries

Where Personal Data is transferred from the EU/EEA or the UK to a country that does not benefit from an adequacy decision (in particular, Ukraine), we apply one or more of the following safeguards:

  • EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 (the appropriate Module — typically Module 2 for Controller-to-Processor transfers — is selected for each flow);
  • UK International Data Transfer Addendum to the EU SCCs (Form B1.0, issued by the Information Commissioner under section 119A of the Data Protection Act 2018), for UK-originating transfers;
  • EU-US Data Privacy Framework (and the UK Extension to the DPF) for transfers to US-based sub-processors that are and remain DPF-certified;
  • Supplementary measures including end-to-end encryption (TLS 1.2+ in transit; AES-256 at rest), key management performed in EU/UK-based key management systems, multi-factor authentication, role-based access controls, centralised security monitoring, and a contractual obligation to challenge any unlawful access requests from public authorities;
  • A documented combined Transfer Impact Assessment (EU TIA) and UK Transfer Risk Assessment (UK TRA), available on request from [email protected].

Outbound transfers from Ukraine: For data transfers from Ukraine to the EU/EEA, the UK, or other jurisdictions, we comply with Article 29 of the Law of Ukraine on Personal Data Protection and ensure appropriate safeguards as required by Ukrainian law.

9. Data retention

We retain your Personal Data only for as long as necessary for the purposes set out in Section 6, taking into account legally mandated retention periods. Specific retention periods are set out below:

Category of data: Unsuccessful job applications (CV, interview notes, assessments)
Retention period and basis: 12 months from the close of the recruitment process. Extended to up to 3 years only with your specific consent for talent-pool retention.

Category of data: Successful candidate / hired employee — employment contract and HR records
Retention period and basis: For the duration of the employment relationship plus the legally mandated period after termination:
  • Romania: 75 years for employment records (under archival rules) / minimum statutory retention
  • UK: minimum 6 years (Limitation Act 1980; HMRC requirements)
  • Ukraine: 75 years for employment records (Order of the Ministry of Justice of Ukraine on archival lists)

Category of data: Payroll and tax records
Retention period and basis:
  • Romania: 10 years (Accounting Law 82/1991 Art. 25)
  • UK: 6 years from end of accounting period; 7 years for VAT records (VAT Act 1994)
  • Ukraine: 1,095 days (Tax Code Art. 102) + statute of limitations

Category of data: Recruitment and HR-related communications
Retention period and basis: Aligned with the underlying record (12 months for unsuccessful candidates; for employees, the longer of HR record retention or 3 years after the last communication).

Category of data: IT access logs, security events, and audit trails
Retention period and basis: Typically 12 months from generation; longer only where retained for a security-incident investigation or where a longer period is required by sector-specific regulation.

Category of data: Records of legal claims (actual, threatened, or anticipated)
Retention period and basis: Until the claim is fully resolved and the applicable statute of limitations expires, plus a reasonable buffer period.

Category of data: Marketing materials featuring your professional image (with consent)
Retention period and basis: Until you withdraw consent. Following withdrawal, we will remove the relevant content from current publications, though content already published in archived posts or third-party indexed locations may remain accessible.

After the applicable retention period, your Personal Data will be securely deleted or anonymised in accordance with the Data Retention & Deletion Policy.

10. Automated decision-making and profiling

We do NOT make decisions about you (including hiring decisions) based solely on automated processing of your Personal Data (including profiling) that produce legal effects on you or similarly significantly affect you, within the meaning of Article 22 EU/UK GDPR.

Where automated tools assist our recruitment or HR processes (for example, automated CV parsing, candidate matching, or screening within the applicant tracking system), the final decision is always reviewed and made by a human recruiter or hiring manager. You retain the right at any time to obtain human intervention, to express your point of view, and to contest any decision that has been informed by automated tools.

If, in the future, we deploy AI-based or fully automated decision-making tools that would have legal or similarly significant effects on candidates or employees, we will update this Notice in advance and ensure that the conditions in Article 22(2) GDPR / UK GDPR are met (typically: explicit consent, contract necessity, or authorisation under law with suitable safeguards). The use of high-risk AI systems in recruitment and HR is additionally regulated under the EU AI Act (Regulation (EU) 2024/1689); we will comply with applicable AI Act requirements where they apply.

11. Your rights

Depending on the Company that processes your Personal Data and the applicable law, you have one or more of the following rights:

11.1 Under the EU GDPR (SPD TECHNOLOGY RO S.R.L.) and the UK GDPR (SOFTWARE PRODUCT DEVELOPMENT GLOBAL LTD)

  • Right of access (Article 15) — to obtain confirmation of whether we process your data and a copy of it.
  • Right to rectification (Article 16) — to have inaccurate or incomplete data corrected.
  • Right to erasure (Article 17, “right to be forgotten”) — to have your data deleted in certain circumstances. Does not apply where we are required to retain data by law.
  • Right to restriction of processing (Article 18) — to limit our processing in certain circumstances.
  • Right to data portability (Article 20) — to receive your data in a structured, commonly used, machine-readable format and to have it transferred to another controller where technically feasible.
  • Right to object (Article 21) — to processing based on legitimate interests, including profiling; you also have an absolute right to object to processing for direct marketing.
  • Right not to be subject to solely automated decision-making (Article 22) — see Section 10 above.
  • Right to withdraw consent (Article 7(3)) — at any time, without affecting prior lawful processing.
  • Right to lodge a complaint with a supervisory authority (Article 77) — see Section 13 below.

11.2 Under the Law of Ukraine on Personal Data Protection (LLC “SOFTWARE PRODUCT DEVELOPMENT”, LLC “SPD-GROUP UKRAINE”, LLC “VALLEY-SOFTWARE”)

Article 8 of the Law of Ukraine grants you the following rights:

  • Right to information about the sources of collection, location of your data, the purpose of processing, and the location of the Controller/Processor;
  • Right to access — to receive a response within 30 calendar days regarding whether your data is being processed and to obtain a copy;
  • Right to object to processing of your data;
  • Right to rectification and deletion — where data is unlawfully processed or inaccurate;
  • Right to data protection from unlawful processing, loss, destruction, or unauthorised disclosure;
  • Right to lodge complaints with the Ukrainian Parliament Commissioner for Human Rights or with a court;
  • Right to legal remedies in case of violations;
  • Right to restriction of processing when providing consent;
  • Right to withdraw consent at any time;
  • Right to information about automated decision-making and protection from automated decisions with legal consequences.

Where the EU GDPR or UK GDPR grants broader rights than Ukrainian law, the broader rights apply (where reasonably and lawfully applicable).

11.3 Responding to your requests

  • We respond within one (1) month from receipt of your request, in accordance with Article 12 GDPR / Article 8 Law of Ukraine.
  • In complex cases, the period may be extended by a further two months, of which we will inform you within the first month.
  • Some rights may be subject to legal limitations (for example, we cannot delete records that are required to be retained by law).
  • Our response is free of charge. Where requests are manifestly unfounded or excessive (e.g., repetitive), we may charge a reasonable fee or refuse to act on the request, with written explanation.

12. How to exercise your rights

To exercise any of the rights in Section 11, please contact us:

  • Email: [email protected]
  • Postal address: write to the registered address of the relevant SPD Company (see Section 3), marked “FAO: Data Protection Coordinator — Privacy Request”.

We may ask you for additional information to verify your identity before responding. This is to protect your Personal Data from unauthorised disclosure.

13. Right to lodge a complaint

If you believe we have not handled your Personal Data in accordance with applicable law, you have the right to lodge a complaint with the competent supervisory authority. We encourage you to contact us first (Section 12), to give us an opportunity to address your concerns.

Competent supervisory authorities:

  • Romania: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), B-dul G-ral Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest; website: https://www.dataprotection.ro
  • United Kingdom: Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; website: https://ico.org.uk; phone: 0303 123 1113
  • Ukraine: Ukrainian Parliament Commissioner for Human Rights, Department for Monitoring Compliance with the Legislation on Personal Data Protection, 21/8 Instytutska Street, Kyiv 01008; website: https://www.ombudsman.gov.ua; email: [email protected]

You may also lodge a complaint with the supervisory authority of the EU Member State of your habitual residence or place of work.

14. Security measures

We implement appropriate technical and organisational measures to protect your Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage, in accordance with Article 32 EU/UK GDPR and Article 24 of the Law of Ukraine on Personal Data Protection.

The full set of TOMs is set out in Annex 3 (Technical and Organisational Measures, Version 2.0) to the Master Intra-Group DPA, available on request.

15. Changes to this privacy notice

We may update this Privacy Notice from time to time to reflect changes in our processing, legal requirements, or business practices. The current version is always available on our website at https://spd.tech and on request from [email protected].

Material changes will be communicated to affected candidates and employees by email or via our internal communication channels at least 30 (thirty) calendar days before they take effect, or sooner where required by law.

The version number and effective date are stated at the top of this Notice.

16. Contact us

For all data protection enquiries, exercise of your rights, or general questions about this Notice:

Email: [email protected]

SPD Data Protection Coordinator: Head of Legal of SPD Technology (reachable via the email above).

For postal correspondence — write to the registered address of the relevant SPD Company (see Section 3).

If your enquiry relates to a specific recruitment process or engagement, please mention any reference number (job reference, employment contract number, etc.) in your communication.