Legal

Privacy Policy

Last updated: May 2026

1. Who we are

REFRUIT TNOS Ltd (“REFRUIT TNOS”, “we”, “us”, or “our”) is a company incorporated in the Republic of Ireland. We operate an AI-powered recruitment agency operating system that assists Irish recruitment agencies in managing candidate records, client engagements, compliance documentation, shift fulfilment, timesheets, and payroll preparation.

Our registered office is in Ireland. We can be contacted at dpo@refruit.work.

2. What data we collect

We collect and process the following categories of personal data depending on your relationship with us:

Candidate data

  • Identity data: full name, date of birth, nationality, gender
  • Contact data: address, email address, phone number
  • Right-to-work documentation: passport, visa, work permit, PPSN
  • Work history: employment records, qualifications, certifications, references
  • Biometric data (where applicable): facial photographs for kiosk attendance
  • Financial data: bank account details for payroll preparation, tax records
  • Compliance records: Garda vetting outcomes, health declarations, training certificates
  • Usage data: platform login events, timesheet submissions, document uploads

Client data

  • Business contact data: name, email, job title, phone number of authorised users
  • Billing data: company registration number, VAT number, invoice address
  • Usage data: login events, shift approvals, timesheet confirmations

Technical data

  • IP addresses, browser type, and device identifiers collected via server logs
  • Session tokens and authentication data
  • Error and performance monitoring data via Sentry

3. Legal basis for processing

We process personal data under the following legal bases as set out in Article 6 of the GDPR (as given effect in Irish law by the Data Protection Acts 1988–2018 and the Data Protection Act 2018):

  • Contract (Art. 6(1)(b)): processing necessary to perform our agreement with the agency tenant or, where a candidate is a direct service recipient, with the candidate.
  • Legal obligation (Art. 6(1)(c)): processing required by the Employment Agencies Act 1971, Agency Workers Act 2012, National Minimum Wage Act 2000, and related Irish employment and tax legislation.
  • Legitimate interests (Art. 6(1)(f)): platform security, fraud prevention, product improvement, and audit logging, where our interests do not override your rights.
  • Consent (Art. 6(1)(a)): marketing communications and optional data enrichment, where we have obtained your prior consent. You may withdraw consent at any time.
  • Special category data (Art. 9(2)(b) and (h)): biometric data and health declarations processed under explicit consent or where necessary for employment law obligations.

4. Retention periods

We retain personal data only for as long as necessary for the purposes described above or as required by applicable law:

  • Candidate data: retained for 7 years from the date of last engagement or placement, in line with Irish employment law and Revenue record-keeping requirements.
  • Client data: retained for 6 years from termination of the client relationship, consistent with the Statute of Limitations 1957 as amended.
  • Audit logs: retained for 7 years to support compliance inquiries, legal proceedings, and regulatory requests.
  • Marketing consent records: retained for 3 years from the date consent was last confirmed or until withdrawn.

5. Your rights

Under the GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

  • Access: obtain a copy of your personal data (Data Subject Access Request).
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion where there is no lawful basis for continued processing.
  • Portability: receive your data in a structured, machine-readable format.
  • Restriction: limit processing while a dispute is resolved.
  • Objection: object to processing based on legitimate interests or for direct marketing.
  • Automated decisions: not be subject to solely automated decisions that significantly affect you.

To exercise any of these rights, contact our Data Protection Officer at dpo@refruit.work. We will respond within one month as required by Article 12 GDPR.

6. International transfers

Personal data is stored in Supabase infrastructure hosted in the European Union (EU West 1, Ireland region). We do not transfer personal data to third countries outside the EEA without appropriate safeguards under Chapter V GDPR. Where any sub-processor operates outside the EEA, we rely on Standard Contractual Clauses approved by the European Commission.

7. Data Protection Officer

Our Data Protection Officer can be contacted at dpo@refruit.work. The DPO is responsible for overseeing compliance with this policy and with applicable data protection law.

8. Supervisory authority

The supervisory authority in Ireland is the Data Protection Commission (DPC). You have the right to lodge a complaint with the DPC at any time:

Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, D02 RD28
Ireland
www.dataprotection.ie

9. Updates to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be notified to registered users by email at least 30 days before taking effect. The current version is always available at this URL. Continued use of the platform after the effective date constitutes acceptance of the updated policy.