Privacy Policy

1 . Privacy Policy

1.1 . Vitay Inc., together with other members of its group (“Vitay”, “we”, us”, “our”) in carrying out its business, gathers personal information about individuals from individual clients, employer clients or directly from candidates. Vitay is committed to excellence in protecting the privacy of personal information and continually reviews and updates its procedures to protect the privacy of individuals.


1.2 Accountability
Vitay is responsible for personal information under its control and has designated a Privacy Officer responsible for Vitay’s compliance with the federal, provincial and local privacy rules and regulations. Vitay requires all clients to enter into Privacy and Terms of Service Agreements, which identify the importance of Vitay’s strict privacy and accountability standards. Vitay continuously updates and trains its staff with regard to the importance of protecting personal information. Vitay has agreements with third party organizations who may process information during the course of Vitay’s work. Vitay monitors all third parties’ compliance with Vitay’s requirements and privacy principles.

1.3 . This Privacy Policy  aims to provide users of our services (“Users”, “you”, “your”, “members”) with a clear summary of how we use information that is provided to us and how Vitay complies with applicable data protection laws.

2 . Types of Users

2.1 . We have 4 types of users we cover in this document:

(a) . Employers or Recruiters (i.e. orginisations or representatives of organisations who engage Vitay to assist them with the hiring of Candidates);

(b) . Candidates (i.e. persons we help co-ordinate application information and references for potential new jobs with Employers); and

(c) . Referees or References (i.e. persons we contact at the request of a Recruiter or Candidate in connection with the obtaining of a reference about the Candidate for an Employer).

(d) . Members (i.e. any users that opt into joining Vitay’s membership services)

3 . Purposes of Collection and Disclosure

3.1 . In this section, we set out the personal information we collect relating to all Users which we are the data controller in respect of and also the information we collect as a data processor on behalf of the Employer who is the data controller of that information:

Please note that this does not describe the Employer’s use of personal information which the Employer is responsible for providing its own privacy notice or policy in respect of. We do not control how employers who obtain and use your information in Vitay use your data or personal information outside of our platform.

3.2 . Under European Data Protection Law, we are required to identify the “legal grounds” on which we rely to process the information and these are set out next to each purpose for which we are a data controller. More information on legal grounds can be found at Appendix A

3.3 . Information we collect from all Users 

(a)   Personal information we collect

Contact Information: including your name, email address and other contact details

Our correspondence: if you contact us, we will typically keep a record of that correspondence
Website and communication usage: details of your visits to the websites and information collected through cookies and other tracking technologies including, but not limited to, your IP address and domain name, your browser version and operating system, traffic data, location data, web logs and other communication data, and the resources that you access    

(b)   How we collect personal information

We collect this personal information from you directly. Unless you have consented and provided this information to an employer or recruiter to then provide to us.

(c)   Purpose of use and disclosure

We process your personal information as a data controller for the following purposes:

To provide our services: to carry out our obligations arising from any agreements between you or the Employer and us, to respond to your queries and otherwise communicate with you.

Legal bases: contract performance, legitimate interests (to enable us to perform our obligations and provide our services to you)

To improve our services: to make our services more valuable or useful (e.g. when you have provided us with feedback), including to make our websites function correctly and undertake analytics (please see section 4 below).

Legal bases: consent, legitimate interest (to enable us to provide better services and to provide anonymised aggregated insight to our clients)

To inform you of changes: to notify you about changes to our services.

Legal bases: legitimate interests (to notify you about changes to our services)

To reorganise or make changes to our business: in the event that we (i) are subject to negotiations for the sale of our business or part thereof to a third party; (ii) are sold to a third party; or (iii) undergo a re-organisation, we may need to transfer some or all of your personal information to the relevant third party (or its advisors) as part of any due diligence process for the purpose of analysing any proposed sale or re-organisation. We may also need to transfer your personal information to that re-organised entity or third party after the sale or reorganisation for them to use for the same purposes as set out in this policy.

Legal bases: legitimate interests (in order to allow us to change our business)

To comply with legal or regulatory obligations: We may process your personal information to comply with our legal and regulatory requirements, which may include disclosing your personal information to third parties, the court service and/or regulators or law enforcement agencies  in  connection  with  enquiries, proceedings or investigations by such parties anywhere in the world or where compelled to do so.  Where permitted, we will direct any such request to you or notify you before responding unless to do so would prejudice the prevention or detection of a crime.

Legal bases: legal obligations, legal claims, legitimate interests (to cooperate with law enforcement and regulatory authorities)

To third parties under our control to assist us with service delivery: We may disclose your personal information to our service providers, contractors, agents, advisors (e.g.  legal, financial, business or other advisors) and other Vitay group companies that perform activities on our behalf always subject to suitable safeguards.

Legal bases: legitimate interests (in order to use specialist service providers and operate our business efficiently)

3.4 . Employers Representatives

(d)   Purpose of use and disclosure

We also process your personal information as a data controller for the following purposes:

For marketing purposes: to send you offers and marketing materials about Vitay and Vitay’s suppliers and partners’ products and services by email or SMS, and where required by law, we will ask for your consent before we conduct any of these types of marketing. If you wish to opt out from receipt of marketing materials sent by Vitay at any time, please use the opt out mechanism in the marketing material, or contact the Privacy Officer to let us know.

Legal bases: consent, legitimate interest (to keep you updated with news in relation to our services) 

3.5 . Candidates 

(a)   Personal information we collect

In addition to the information set out in the All Users section above we may collect the following additional information as a processor for the Employer.

Reference Information: including your work experience, job titles, qualifications, period of employment, aptitude test results, opinions about your work performance provided by Employers and/or Referees

Sensitive Information: including information to assess your work authorisation or visa requirements (if any), criminal record (or proceedings), health or disability information

(b)   How we collect personal information (including personal information of your chosen Referees)

We collect personal information from you directly when you provide information to us relating to your references, but also collect personal information about you from your potential Employer and your Referees

As a Candidate, we will assume that you have clear consent from your chosen Referees to supply their names and contact details (including email address) to us so that we can contact them on your behalf to obtain a reference about you which will be supplied to the Employer interested in potentially hiring you. If you do not have that consent, please do not provide their details to us.

(c)   Purpose of use and disclosure

Except as set out in the All Users section above, we process your personal information on behalf of your potential Employer. In providing our services to the potential Employer, we will use your information to communicate with you, organize your application information, coordinate your references, authenticate your identity and respond to your questions, queries or requests regarding our services. We will need to disclose your information to the Employer who will be a  client of Vitay and will have requested us to seek references in relation to your potential employment by them. The Employer’s processing of such personal information will be subject to the privacy notice or policy of the Employer. 

3.6 . Referees 

(a)   Personal information we collect

In addition to the information set out in the All Users section we may collect the following additional information as a processor for the Employer.

Employment Information: including your position, the name of the organisation you are or were working with and the dates covering the period of time in which you are providing a reference for the Candidate

Any opinions you give on the Candidate

(b)   How we collect personal information

We collect personal information from you directly when you provide information to us in response to a request for reference, but also collect personal information about you from Candidates who have asked you to provide a reference for them.

(c)   Purpose of use and disclosure

Except as set out in the All Users section above, we process your personal information on behalf of the (potential) Employer of the Candidate who has asked you to provide a reference for him/her. In providing our services to the Employer, we will use your information to communicate with you, coordinate the opinion you provide about the Candidate, authenticate your identity and respond to your questions, queries or requests regarding our services. We will need to disclose your information to the potential Employer who will be a client of Vitay and will have requested us to seek references from you in relation to the Candidate. The Employer’s processing of such personal information will be subject to the privacy notice or policy of the  Employer. 

4 . Analytics

4.1 . We may use Users’ information for data analytics purposes, including to create insights, reports and other analytics to provide benchmarks to our clients, improve our services and to market our services. The output of our analytics will never identify a particular User or Vitay client.

5 . Security and Storage

5.1 . We will retain your personal and sensitive information as directed by the Employer, or where we are a data controller when we no longer require it for any purpose for which it was collected. Vitay will comply with its obligations to destroy, erase, or de-identify your personal information as required by applicable law.

5.2 . Vitay protects the personal information in its custody or control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.  You should be aware that confidentiality and security are not assured when information is transmitted through e-mail or wireless communication.

5.3 . Vitay will not be responsible for any loss or damage suffered as a result of a breach of security or confidentiality when information is transmitted by e-mail or wireless communication.

6 . Export outside the EEA

6.1 . Your personal information may be accessed by Employers, Candidates, Referees and/or our service providers (as the case may be), and/or stored at, a destination outside the country in which you are located, whose data protection laws may be of a lower standard than those in your country.  We will, in all circumstances, safeguard personal information as set out in this Privacy Policy. 

6.2 . Where we transfer personal information from inside the European Economic Area (the EEA) to outside the EEA, we may be required to take specific additional measures to safeguard the relevant personal information. Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections to EEA data protection laws and therefore no additional safeguards are required to export personal information to these jurisdictions. In countries which have not had these approvals, we will establish legal grounds justifying such transfer, such as EU Commission-approved model contractual clauses, or other legal grounds permitted by applicable legal requirements. See the full list of countries that have not had these approvals here.

6.3 . Please contact us as set out in the “Contacting Us” section below if you would like to see a copy of the specific safeguards applied to the export of your personal information.

7 . Contacting Us and Your rights 

7.1 . Vitay has designated a Privacy Officer who is accountable for Vitay’s compliance with this Privacy Policy.  If you have any questions in relation to this Privacy Policy,  the  Privacy Officer can be contacted at the addresses indicated below, or by emailing hello@vitay.io

827 Cambie Street, Vancouver, British Columbia, Canada, V6B2P4

7.2 . Vitay holds the information set out at sections 3.4 and 3.5 as a data processor of the Employer. This means that if you wish to exercise your data subject rights you must address the request to the Employer and Vitay will assist the Employer to respond as directed by your Employer. In relation to the information set out at section 3.3, Vitay is the controller and in relation to that information, you may have the right to require us to:

(a)         provide you with further details on the use we make of your information;

(b)         provide you with a copy of information that you have provided to us;

(c)         update any inaccuracies in the personal information we hold;

(d)         delete any personal information we no longer have a lawful ground to use;

(e)         where processing is based on consent, to withdraw your consent so that we stop that particular processing;

(f)          to ask us to transmit the personal data you have provided to us and we still hold about you to a third party electronically;

(g)         object to any processing based on the legitimate interests ground unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights; and

(h)         restrict how we use your information whilst a complaint is being investigated.

7.3 . Your exercise of these data subject rights is subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege).  If you exercise any of these rights we will check your entitlement and respond in most cases within a month.

7.4 . If you are not satisfied with our use of your personal information or our response to any exercise of these rights, you have the right to complain to your local data protection regulator.  If you are in the European Economic Area (EEA) a list of data protection regulators and their contact details can be found here.

8. PCI Compliance

8.1 We never see (or have access to) card data at all. Our payment processor Stripe handles all of our clients card information. PCI compliance is maintained by:

8.2 Using Strip Checkout, Stripe.js and Elements and for mobile we use Stripes mobile SDK libraries to collect payment information, which is securely transmitted directly to Stripe without it passing through our servers.

8.3 We Serve our payment pages securely using Transport Layer Security (TLS) so that they make use of HTTPS.

8.4 We review and validate our account’s PCI compliance annually.

9 . Cookies Policy

Vitay’s website uses the following cookies:

sessionid: To store session data of the logged in user. This is how we identify who is logged when they request an action

csrftoken: To prevent cross site request forgery. This ensures that only forms that have originated from our Website can be used to POST data back. Please note that some of the services will not function so well if cookies are disabled. If you do not agree to the use of these cookies please disable them by following the instructions for your browser set out here. 

10 . Changes to our Privacy Policy and/or Cookies Policy

10.1 . We may change the content of our websites and how we use cookies and consequently, our Privacy Policy and our Cookie Policy may change from time to time in the future.  If we change this Privacy Policy or our Cookies Policy, we will update the date it was last changed below.  If these changes are material, we will indicate this clearly on our Website.

10.2 . This Privacy Policy was last updated on 19 April 2018

Appendix A: Legal grounds

Legal grounds to justify use of personal information

Under European Data Protection Law, we are required to identify the “legal grounds” on which we rely to process the information. Use of personal information under European Data Protection Law must be justified under one of a number of “legal grounds” and we have set out the grounds in respect of each use above. The explanations of the legal grounds that justify our use of your personal information are as follows:

Consent: where you have consented to our use of your information (you will have been presented with a consent form in relation to any such use [and may withdraw your consent by contacting us as set out in the “Contacting Us” section).

Contract performance: where your information is necessary to enter into or perform our contract with you.

Legal obligation: where we need to use your information to comply with our legal obligations.

Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.

Legal claims: where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party.