GDPR / Platform Data Policy

This policy explains how we collect, use, and safeguard your information — and how we uphold the values of transparency, trust, and ethical collaboration across our recruiter community.

At RecXchange, we believe data protection isn’t a checkbox — it’s a foundation of trust.
Our platform is built to meet and exceed the requirements of the UK GDPR, EU GDPR, and the Data Protection Act 2018, ensuring every user’s personal data is handled lawfully, transparently, and with purpose-driven integrity.

RecXchange Global Data Protection Policy

Purpose and Scope

This Global Data Protection Policy (“Policy”) outlines how RecXchange Portal LLC (“RecXchange”, “we” or “us”) protects personal data in compliance with applicable data protection laws worldwide. RecXchange is a recruiter-to-recruiter collaboration platform headquartered in the United Arab Emirates (Dubai) and operating under the laws of England and Wales. While our services are governed by English law for consistency, we adhere to international data protection standards to ensure all personal data is handled lawfully, fairly, and securely across all jurisdictions in which we or our users operate.

Applicable Laws: This Policy is designed to meet or exceed the requirements of major data protection regulations globally, including (but not limited to):

  • UK GDPR and EU GDPR: The United Kingdom General Data Protection Regulation and the European Union General Data Protection Regulation, as well as the UK Data Protection Act 2018 and relevant EU member state laws.

  • United States Laws: U.S. federal and state privacy laws, including the California Consumer Privacy Act (CCPA) (as amended by the CPRA) and analogous state laws (e.g. in Virginia, Colorado, etc.), to the extent they apply to our operations or the personal data we handle.

  • Canada’s PIPEDA: The Personal Information Protection and Electronic Documents Act governing private-sector privacy in Canada.

  • Brazil’s LGPD: The Lei Geral de Proteção de Dados, which regulates personal data processing in Brazil.

  • Australia’s Privacy Act 1988 (Cth): Including the Australian Privacy Principles (APPs) which set standards for personal information handling in Australia.

  • South Africa’s POPIA: The Protection of Personal Information Act, which protects personal information in South Africa.

  • Singapore’s PDPA: The Personal Data Protection Act, governing collection, use, and disclosure of personal data in Singapore.

  • UAE Federal Decree-Law No. 45 of 2021 (PDPL): The United Arab Emirates’ Personal Data Protection Law, which came into effect in 2022, and any regulations or decisions under it.

By adhering to this Policy, RecXchange commits to fulfilling the highest data protection requirements across all these jurisdictions. In case local laws mandate additional obligations beyond this Policy, we will comply with those stricter requirements. This Policy applies to all processing of personal data by RecXchange globally, including data of our platform Members, their candidates/clients shared via the platform, our employees or contractors, and any other identifiable individuals whose data we handle in the course of business. It also outlines the expectations and obligations placed on Members (users of the RecXchange platform) when they handle personal data through RecXchange, ensuring a cooperative approach to data protection.

Finally, this Policy complements our Privacy Policy and Terms & Conditions. It provides a comprehensive compliance framework expanding on those documents. All Members and staff must familiarize themselves with and abide by this Policy. Failure to do so may result in disciplinary action, account suspension, or other enforcement steps as described herein and in our Terms.

Definitions

For purposes of this Policy:

  • Personal Data (also “Personal Information”): Any information relating to an identified or identifiable natural person (“Data Subject”). This includes obvious identifiers such as names, contact details, identification numbers, as well as any data that can indirectly identify a person when combined (e.g. job title and company, IP address, etc.), consistent with definitions in GDPR and analogous laws. It covers personal data of Members, candidates, client contacts, or any individual.

  • Processing: Any operation performed on personal data, whether by automated means or not. This includes collection, recording, organizing, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission or dissemination, aligning or combining, restricting, erasing, or destroying data. If we handle personal data in any way, we are “processing” it under this definition.

  • Data Subject: The individual to whom personal data relates. Data subjects may include our Members (who are individual recruiters or contacts at recruitment agencies), candidates seeking job placements, client representatives, or any person whose data is shared on the platform.

  • Data Controller: The entity that determines the purposes and means of processing personal data. RecXchange Portal LLC is the primary Data Controller for personal data processed in connection with operating the RecXchange platform and services. For example, RecXchange is a controller of Member account data and platform usage data. In certain contexts, Members themselves may act as independent controllers of personal data they upload (e.g. a recruiter is a controller of their candidate’s data).

  • Data Processor: An entity that processes personal data on behalf of a controller, according to the controller’s instructions. RecXchange may act as a Data Processor in some scenarios – for instance, when hosting or transmitting candidate data that one Member shares with another, RecXchange is processing that candidate data on behalf of the Member(s) involved in the transaction. We also engage third-party processors (service providers) to assist us in processing data (see Third-Party Processors below). In all cases, processors are required to handle data only as instructed and to maintain strict protections.

  • Member: An approved user of the RecXchange platform, typically an independent recruitment professional or agency. Members collaborate by sharing job vacancies, candidate information, and entering into split-fee arrangements. (See our Terms & Conditions for detailed definitions of Member, Candidate, Client, etc.)

  • Special Category (Sensitive) Data: Certain laws define special categories of personal data that are afforded extra protection (e.g. data about racial or ethnic origin, health, biometric identifiers, criminal background). RecXchange’s policy is to avoid collecting or processing sensitive personal data unless absolutely necessary and done in compliance with the strict requirements of applicable law (for example, obtaining explicit consent where required). Our platform is not intended to handle sensitive data in the ordinary course of recruitment; Members should refrain from uploading such data about candidates or others unless legally required and with proper consent.

All other capitalized terms in this Policy have the meanings given in relevant data protection laws or in RecXchange’s Terms & Conditions and Privacy Policy.

Data Protection Principles

RecXchange upholds the core data protection principles found in the GDPR, UK GDPR, and mirrored in laws like LGPD, POPIA, PDPA, and others. These principles guide all our personal data handling practices:

  • Lawfulness, Fairness, and Transparency: We process personal data lawfully (with a valid legal basis – see next section), fairly (in ways expected by and not unduly detrimental to the data subject), and transparently (being open about our data practices). We provide clear notices about how we use personal data (e.g. via our Privacy Policy and any just-in-time notices) to fulfill the duty to keep Data Subjects informed.

  • Purpose Limitation: We collect personal data for specified, explicit and legitimate purposes, and do not further process it in a manner incompatible with those purposes. In practice, this means we use data only for the purposes communicated to the Data Subject (such as operating the platform, facilitating recruitment collaborations, processing payments, etc.) and not for any new, unrelated purpose without obtaining additional consent or having a lawful basis.

  • Data Minimization: We strive to collect and retain only the minimum amount of personal data necessary for our purposes. Members are asked to only share data that is relevant and required for recruitment collaborations. Unnecessary or excessive data should not be collected. By limiting data to what is pertinent (e.g. a candidate’s professional qualifications but not irrelevant personal details), we reduce risk and respect privacy.

  • Accuracy: We take reasonable steps to ensure personal data is accurate and up-to-date. Users are encouraged to keep their account information current, and we promptly rectify or update data when notified of inaccuracies. For example, if a Member informs us that their contact number or a candidate’s CV has changed, we will update our records. Members, likewise, should verify candidate information is correct before sharing it.

  • Storage Limitation: We do not keep personal data for longer than necessary. Personal data is retained only for the duration and purposes for which it was collected, and as required for legal or business obligations (see Data Retention below). After the relevant retention period, data is securely deleted or anonymized.

  • Integrity and Confidentiality: We ensure appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by using technical and organizational measures (see Data Security below). Personal data must be handled in a manner that guards its integrity and confidentiality – only authorized individuals with a legitimate need should have access.

  • Accountability: RecXchange accepts responsibility for complying with these principles and can demonstrate our compliance. This involves maintaining documentation of our data processing activities, training our staff in data protection, conducting risk assessments and Data Protection Impact Assessments (DPIAs) where appropriate, and continuously monitoring and improving our privacy practices. We designate appropriate personnel to oversee compliance and provide guidance (e.g. a data protection officer or privacy team, if required).

All RecXchange employees, contractors, and Members are expected to adhere to these principles. We also contractually bind our data processors to these standards.

Lawful Bases for Data Processing

RecXchange will only process personal data where we have a valid legal basis to do so, as required by the GDPR, UK GDPR and analogous laws. We identify and document the legal basis for each processing activity. The primary lawful bases we rely on include:

  • Consent: In situations where we do not have another legal justification, we will seek the Data Subject’s clear and affirmative consent. For example, we obtain consent to send marketing communications (newsletters, updates) to Members or prospective users. Likewise, Members must obtain a candidate’s consent before uploading or sharing that candidate’s personal details on RecXchange. Consent will be specific and informed, and Data Subjects have the right to withdraw consent at any time. We do not assume consent nor use pre-ticked boxes – consent must be actively given.

  • Contractual Necessity: We process personal data as necessary to perform our contract with Members, or to take steps at a user’s request prior to entering a contract. This covers most of the core platform activities – e.g. using a Member’s contact and professional details to set up their account and profile, facilitating communications and data sharing between Members (since the platform’s purpose is connecting recruiters), and processing payments or fees related to subscriptions or split placements. If a Member enters a transaction on the platform (such as using our escrow service for a split fee), processing the involved personal data is done under this basis as well.

  • Legal Obligation: Where law imposes a duty on RecXchange to process or retain data, we will do so. This includes complying with court orders, regulatory requirements, or other legal processes. For instance, we may retain invoicing and transaction records to satisfy tax law and accounting rules. If law enforcement or a regulatory authority lawfully requires information (e.g. a court subpoena or a data protection regulator’s request), we will process and disclose data as needed under our legal obligations.

  • Legitimate Interests: In some cases, RecXchange will process personal data for purposes that are within our legitimate interests (or those of a third party), provided such processing is not overridden by the individual’s rights and interests. We have a legitimate interest in ensuring the security and integrity of our platform, preventing fraud and unauthorized use, improving our services, and supporting our community of recruiters. For example, we may monitor usage and communications on the platform to detect potential breaches of our Terms (like circumvention or spam) and to protect our network. We may also keep limited records of interactions to resolve future disputes (e.g. retaining confirmation of a split-fee agreement or messages leading to a placement, under legitimate interest in defending legal claims or mediating disputes). When relying on legitimate interests, we carefully assess the impact on individuals to ensure our interests are not outweighed by any risk to their privacy. Individuals generally have the right to object to processing based on our legitimate interests (see Data Subject Rights below).

  • Other Bases: In rare cases, other legal bases might apply. For example, to protect a Data Subject’s vital interests (life or health) in an emergency, or to perform a task in the public interest (unlikely in RecXchange’s context, but included for completeness). If we ever process personal data under these bases, we will ensure it is permitted by law and only for necessary and limited purposes.

RecXchange does not use personal data for automated decision-making that produces legal or similarly significant effects without human involvement. If that policy changes, we will ensure we have a lawful basis (such as explicit consent, or necessity for a contract authorized by law) and we will inform Data Subjects of their rights relating to such processing.

Where RecXchange processes special category data (sensitive data) or personal data of children (which we generally do not target, since our platform is for professional adult use), we will obtain any necessary explicit consents or meet other legal conditions required by applicable laws for such data (e.g. substantial public interest conditions, parental consent requirements, etc.).

For Members who are themselves subject to certain laws (for instance, a Member in the EU under GDPR, or in Brazil under LGPD), it is important to note that you too must have a lawful basis for any personal data you handle through RecXchange. Typically, for candidate data, this will be the candidate’s consent or another permitted basis – see Member Obligations below.

Data Subject Rights

We respect and uphold the rights of individuals (Data Subjects) regarding their personal data. Various laws (UK/EU GDPR, PIPEDA, LGPD, POPIA, PDPA, CCPA, etc.) provide individuals with certain key data subject rights. RecXchange’s policy is to honor these rights for all users wherever feasible, regardless of where the individual is located, so as to maintain a high standard of privacy protection globally. The following are the core rights and how we accommodate them:

  • Right to Be Informed: Individuals have the right to clear and transparent information about how their data is collected and used. We fulfill this through notices like this Policy and our Privacy Policy, which detail our data practices in plain language. We also provide context-specific notices when appropriate (for example, explaining why we request certain data on a form).

  • Right of Access: Data Subjects can request confirmation of whether we are processing their personal data, and if so, obtain a copy of that data along with supplementary information (such as the purposes of processing, categories of data, and parties with whom it’s shared). Upon a verified access request, RecXchange will provide the individual with their personal data that we hold, in accordance with legal requirements (typically within one month under GDPR timelines).

  • Right to Rectification: If any personal data we hold is inaccurate or incomplete, individuals have the right to have it corrected or completed. RecXchange allows Members to update basic profile information directly, and for any other corrections, our support team will promptly update records upon request. We may ask for documentation where appropriate (e.g. proof of correct information) before making certain changes.

  • Right to Erasure (Right to be Forgotten): Individuals may request deletion of their personal data in certain circumstances. We will honor valid deletion requests – for example, when the data is no longer necessary for the purpose collected, or the individual withdraws consent and there is no other legal ground to continue processing. If a Member closes their account, they can request complete deletion of personal data associated with it. We will erase data except where retention is required by law or compelling legitimate interests (we will inform the requester of any such necessity, e.g. “we must retain transaction records for tax compliance until X date”). Important: If a Member has shared a candidate’s data with another Member, that candidate’s data may also reside with the other Member (outside of RecXchange’s direct control); in such cases, RecXchange will delete data on our systems, but Members should also honor candidate requests to delete data they received.

  • Right to Restrict Processing: Individuals have the right to request that we limit the processing of their data (without deleting it) in certain scenarios – for example, if they contest the data’s accuracy or have objected to processing and we are evaluating the request. When processing is restricted, we will mark the data as limited-use and refrain from processing it (beyond storing it securely) unless the individual consents or the processing is necessary for legal claims or other exemptions. We will inform the individual before lifting any restriction.

  • Right to Data Portability: Individuals have the right to receive certain personal data they have provided to us, in a structured, commonly used, machine-readable format, and to transmit that data to another controller where technically feasible. This applies to personal data processed by automated means based on consent or contract. Upon request, RecXchange will export the user’s provided data (for example, their profile information, account details, etc.) in a CSV or similar format. Where feasible, and if requested, we will transfer the data directly to a new provider the individual designates.

  • Right to Object: Individuals can object to certain processing of their personal data. In particular, they have an absolute right to opt-out of direct marketing at any time – RecXchange will always honor such an objection and cease any marketing use of the person’s data. Individuals may also object to processing based on legitimate interests or public interest tasks; in such cases, we will review the objection and cease processing unless we have compelling legitimate grounds that override the individual’s rights or the processing is needed for legal claims. If, for instance, a user objects to us retaining data for dispute protection, we would weigh the request seriously and might decide to delete the data unless we truly need it for a potential legal defense that outweighs their privacy concerns.

  • Rights regarding Automated Decisions: Where laws like GDPR or PDPL grant rights not to be subject to purely automated decisions that have legal or similarly significant effects, RecXchange will comply. As noted, RecXchange does not currently engage in such profiling or automated decision-making without human involvement. If we ever introduce automated decision systems (e.g. an algorithm to automatically match candidates to jobs), we will ensure individuals can request human review or opt-out as required.

  • Right to Withdraw Consent: If we are processing personal data based on consent, the Data Subject has the right to withdraw that consent at any time. For example, a Member who initially consented to receive newsletters can unsubscribe via the provided link in emails or contact us to revoke consent. Withdrawal of consent will not affect the lawfulness of processing already carried out but will mean we stop the specific processing going forward.

  • Right to Non-Discrimination: (Specific to certain jurisdictions like California) – If an individual exercises any of the above rights, we will not deny them services, charge different prices, or provide a lower quality of service as a result. RecXchange does not penalize users for exercising privacy rights. We treat all Members fairly and any data subject rights requests are handled independently of commercial considerations.

  • Other Local Rights: We also acknowledge other rights provided by local laws. For example, under South Africa’s POPIA, individuals have a right to complain to the Information Regulator and institute civil action; under Brazil’s LGPD, there are rights to anonymization or blocking of unnecessary data; under Singapore’s PDPA, a right to request we cease retention and make corrections; and under UAE’s PDPL, rights similar to GDPR (access, correction, erasure, restriction, etc., as well as the right to stop processing in some cases). RecXchange will accommodate these rights to the extent applicable and within required timeframes.

Exercising Your Rights: Data Subjects (including our Members, or even candidates whose data is stored with us) can exercise their rights by contacting us at the contact information provided at the end of this Policy (e.g. via email at privacy@recxchange.com or legal@recxchange.io). We may need to verify the identity of the requestor to ensure we do not disclose or change data to an unauthorized person. We will respond to rights requests promptly and in any event within the timeframes required by law – typically within one month for GDPR-covered requests, or within whatever different period another law prescribes (for example, the CCPA regulations require acknowledgment of a request within 10 business days and a substantive response within 45 days). If a request is complex or numerous, we may extend the response deadline as permitted (and will inform the requester of the extension and reasons). In general, we do not charge a fee for handling rights requests, unless the law allows a reasonable fee for repetitive, manifestly unfounded or excessive requests, in which case we will explain the justification.

If a Data Subject believes we have not adequately addressed their concerns or honored their rights, they have the right to lodge a complaint with the relevant supervisory authority or regulator. For example, our lead authority for GDPR purposes is the UK Information Commissioner’s Office (ICO), and individuals in the EU can contact their local Data Protection Authority. In other jurisdictions, this might be a Privacy Commissioner or Data Protection Office (e.g. the UAE Data Office for PDPL, the PDPC in Singapore, etc.). We will cooperate fully with regulators in investigating and resolving any complaints. We do encourage individuals to contact us first to allow us the opportunity to address any issue directly – we are committed to resolving complaints amicably and swiftly.

RecXchange as Data Controller and Accountability

RecXchange Portal LLC (Dubai, UAE) is the principal Data Controller for personal data processed through the RecXchange platform and business. As a controller, RecXchange is responsible for determining how and why personal data (such as Member account information, platform activity data, etc.) is processed, and for complying with applicable data protection obligations. We operate under the oversight of the UK ICO as our chosen lead supervisory authority for cross-border matters, reflecting our strong ties to the UK/EU regulatory regime, and we also abide by the requirements of the UAE Data Office under the PDPL and any other authorities in jurisdictions where we do business.

RecXchange acts as the central point of contact for supervisory authorities in respect of cross-border data processing. We coordinate regulatory responses on behalf of the platform and facilitate resolution of any third-party complaints involving Member actions on the platform.

Our accountability measures include:

  • Policies and Governance: We maintain internal privacy and security policies consistent with this public Policy. We ensure that privacy considerations are integrated into our business processes (Data Protection by Design and Default). For any new or changed processing activities that may present high risks to individual rights (for instance, launching a new feature involving personal data use), we carry out Data Protection Impact Assessments (DPIAs) in line with GDPR and PDPL requirements to identify and mitigate privacy risks before launch.

  • Record-Keeping: We keep records of our data processing activities as required by law (GDPR Art. 30 records, etc.), including details of the categories of personal data processed, purposes, data subjects, recipients, transfers, retention, and security measures. These records are available to regulators upon request, demonstrating our compliance posture.

  • Training and Awareness: All RecXchange employees and any contractors who handle personal data are trained in data protection principles and best practices. We conduct regular training sessions and require adherence to confidentiality and privacy obligations. Staff must sign confidentiality agreements and understand that violating data protection requirements may result in disciplinary action, including termination. We foster a culture of privacy where employees are encouraged to flag any potential issues or improvements.

  • Data Protection Officer: If required by law or as a matter of good practice, we will appoint a Data Protection Officer (DPO) or equivalent privacy officer to oversee compliance. (We assess the need for a formal DPO under criteria in GDPR/PDPL – e.g. large scale processing of sensitive data – and currently our processing does not mandate one by law, but we have designated a privacy lead who performs similar functions.) The privacy lead/DPO (if appointed) reports to senior management and has the autonomy to advise on compliance and address concerns without conflict of interest.

  • Audits and Monitoring: We periodically audit our data protection compliance and information security controls. This may include third-party assessments or certifications as appropriate (for example, evaluating whether our technical measures meet industry standards like ISO 27001). We also monitor regulatory developments in privacy law and update our practices and this Policy accordingly.

  • Vendor Management: When we engage any service providers (processors) that handle personal data on our behalf, we conduct due diligence to ensure they have appropriate data protection measures (more details in Third-Party Processors section). We maintain a list of current processors and key sub-processors which can be made available to users or regulators on request.

  • Incident Response: We maintain a breach/incident response plan (see Data Breach Response below) and an internal team responsible for investigating and managing any security or privacy incidents. All employees are trained on how to report potential incidents internally so we can address them promptly.

  • Continuous Improvement: Data protection is not a one-time effort; we are committed to continuously improving our privacy program. This Policy and our practices are reviewed at least annually and whenever there is a significant change in our business or applicable law. Changes to this Policy will be communicated to Members through appropriate channels (e.g. email notice or platform notification) and, where required, we will seek consent for changes that materially affect how we handle data.

By accepting our Terms and using the platform, Members acknowledge RecXchange’s role as a data controller for the platform’s operations. We in turn pledge to handle that responsibility with utmost care and in compliance with all legal and ethical standards.

Note on Joint Responsibility: In the context of candidate data and recruitment activities, RecXchange and its Members might be considered independent (or joint) controllers of personal data at different stages. For example, if a Member (Recruiter A) shares a candidate’s CV with another Member (Recruiter B) via RecXchange, Recruiter A is the original controller of that candidate’s data (having collected it from the candidate), and Recruiter B becomes a controller once they receive it (determining whether to present that candidate to a client, etc.). RecXchange, as the platform provider, facilitates the transfer and storage of that data – in doing so, RecXchange acts in accordance with this Policy and our contractual duties, effectively as a processor for that transaction (we will not use that candidate data for our own purposes unrelated to the service). However, RecXchange may also be deemed a controller in the sense that we set rules for how data is handled on our platform and we store it on our systems. We approach these situations by ensuring appropriate safeguards and contracts are in place (including offering a Data Processing Addendum when needed), and by requiring Members to handle all personal data ethically and lawfully (see next section). Regardless of the exact legal characterization, RecXchange is fully committed to protecting all personal data on the platform and ensuring its use is limited to the intended recruitment purposes.

Obligations of Members (Users) in Handling Personal Data

All RecXchange Members (recruiters and agencies using our platform) must uphold the same high standards of data protection when handling personal data (such as candidate or client information) through RecXchange. By using the platform, you agree to the following specific obligations, which reflect both legal requirements and RecXchange’s community values:

  • Compliance with Laws: You must comply with all applicable data protection laws in your jurisdiction and in the jurisdiction of any Data Subject whose data you handle. This includes familiarizing yourself with and adhering to regulations such as GDPR (if you handle EU/UK personal data), POPIA (for South African data), PDPA (Singapore), CCPA (if dealing with California residents), etc. You should treat personal data received via RecXchange with the same care and legal diligence as data you collect in your own recruiting business. If local law requires certain safeguards for handling or sharing data (for instance, having a privacy policy for candidates, registering with a regulator, or honoring opt-out requests), you must fulfill those obligations independently of RecXchange. Nothing in our platform relieves you of your direct legal responsibilities as a data controller for the data you contribute.

  • Obtain Consent Before Sharing Candidate Data: Do not upload or share any candidate’s personal data on RecXchange without that individual’s prior knowledge and explicit consent. Before you forward a candidate’s CV, contact details, or any identifiable information to another recruiter via our platform, you must inform the candidate about RecXchange and obtain their permission. They should understand which information will be shared, with whom (e.g. “another recruitment partner in the RecXchange network for the purposes of exploring Job Opportunity X”), and for what purpose. This is a fundamental ethical and legal requirement: for example, GDPR demands a lawful basis (consent or otherwise) for processing and sharing personal data, and many professional codes of conduct require candidate consent for referrals. Document the consent (even if just noting the date and method by which the candidate agreed). If a candidate does not consent, you must not share their data on the platform. RecXchange enforces this requirement by prompting Members to confirm consent via a mandatory checkbox when uploading candidate data. This affirmation is logged and timestamped for audit purposes. Members must not bypass this confirmation mechanism or submit candidate data without lawful consent.

  • Use Data Only for Intended Purpose: Personal data obtained via RecXchange must be used solely for the specific recruitment purpose for which it was shared. If another Member shares a candidate or client contact with you for a particular job opportunity or split-fee deal, you are authorized to use that data only for that collaboration. It is prohibited to repurpose the data for any other role, client, or business outside the scope of what was agreed, unless you obtain fresh consent from the Data Subject and, where applicable, permission from the original sharing Member. For instance, you must not add a candidate’s details received through RecXchange into your general candidate database for future unrelated vacancies (unless the candidate separately agrees to that after the initial process). This purpose limitation is essential to maintain trust and comply with laws that forbid using personal data in new ways incompatible with the original purpose.

  • Confidentiality and Security: You are expected to treat any personal data accessed through RecXchange as confidential. Do not disclose it to anyone except as needed for the intended recruitment process (e.g. presenting a candidate to a specific client, if that was part of the collaboration agreement). Ensure that you have adequate security measures on your own devices and networks to protect data downloaded or copied from RecXchange. For example, if you download a CV from the platform, keep it secure, do not leave it exposed on shared drives, and delete it when it is no longer required. If you print or share it with a client, do so securely and instruct the client to also handle it carefully. Under our Terms and this Policy, data scraping, mass downloading, or any unauthorized harvesting of personal data from the platform is strictly forbidden. Any suspected data breach or unauthorized access involving data you obtained via RecXchange must be reported to us immediately so we can take appropriate action.

  • No Circumvention or Misuse: In line with RecXchange’s non-circumvention rules, you must not use personal data obtained via the platform to “go around” or bypass another Member who provided it. In practical terms, if a recruiter (Member A) shares a candidate or client with you (Member B) through RecXchange, you cannot later exploit that information to approach the candidate or client for a separate deal directly, without Member A’s consent. RecXchange imposes a standard non-circumvention period (e.g. 24 months) during which such conduct is forbidden. This means no poaching candidates or clients out of turn. Such misuse of data violates both this Policy and our Terms and could also breach data protection law (e.g. using someone’s data for a purpose they did not consent to). Always respect the source and purpose of the data.

  • Cross-Border Data Sharing: If you share personal data across national borders via RecXchange, ensure the transfer is lawful under relevant data export rules. RecXchange’s platform is global, so, for example, a recruiter in the EU might share a candidate’s details with a recruiter in the UAE or USA. As the initiator of that transfer, you should have the candidate’s consent for an international transfer if required, or otherwise meet transfer requirements. RecXchange facilitates international data transfers by providing a secure platform and including necessary contractual safeguards (see International Data Transfers below). However, Members should also be mindful of their own compliance: e.g., European Members should generally inform candidates that their data could be accessed by partners outside the EEA, and possibly incorporate standard contractual clauses or rely on RecXchange’s provided safeguards. Similarly, if you are in a jurisdiction like Singapore or South Africa that requires certain steps before sending data abroad (such as ensuring the recipient will protect the data at a comparable level), you must take those steps. In summary, do not send personal data to another country unless you have a legitimate basis to do so – usually, this will be covered by the candidate’s informed consent and RecXchange’s secure framework, but always double-check your local obligations.

  • Honour Data Subject Rights and Preferences: If a candidate or other individual whose data you obtained through RecXchange contacts you to exercise their data protection rights (for example, they ask you to delete their information or stop contacting them), you are obligated to comply just as RecXchange would. You should inform RecXchange as well if such a request relates to data on our platform, so we can assist and ensure complete removal on our side. Do not retain or process personal data in defiance of a data subject’s valid request or withdrawal of consent. Additionally, follow any agreed instructions from the data source: for instance, if the Member who shared a candidate tells you that the candidate has withdrawn consent or found a job elsewhere, you should cease processing that candidate’s data immediately.

  • Consequences of Non-Compliance: Misuse of personal data or violation of these obligations will have serious repercussions. RecXchange reserves the right to suspend or terminate the accounts of Members who breach data protection rules or endanger individuals’ privacy. We may remove you from the platform if we find that you shared data without consent, used it for unauthorized purposes, or engaged in poaching/circumvention. Additionally, you could face legal liability: data protection regulators can issue fines or penalties for unlawful processing, and other Members or data subjects might pursue legal action against you for privacy infringements or breach of contract. RecXchange will cooperate with lawful investigations of any Member’s conduct. In line with our Terms, if you cause RecXchange to suffer any loss due to your violation (for example, a fine or claim), you may be held responsible for indemnifying us. Both ethically and financially, it is in your best interest to treat data properly.

  • Indemnification: If a Member’s breach of this Policy or applicable law results in RecXchange incurring liability, fines, or investigation costs, that Member shall indemnify RecXchange in full, including legal fees and third-party settlements. This includes situations where RecXchange is held liable due to a Member uploading or sharing data without valid consent.

  • Member Cooperation: Members should cooperate with RecXchange’s compliance efforts. This includes, for example, signing a Data Processing Addendum if we provide one for mutual records, responding to information requests if we’re conducting a privacy audit or investigating a complaint, and generally assisting us in meeting any regulatory obligations (such as responding to data access requests where you might have relevant information).

All RecXchange Members are automatically bound by our standard Data Processing Addendum (DPA), which is incorporated by reference into our Terms & Conditions and this Policy. The DPA governs Member-to-Member data exchanges and reinforces shared accountability for cross-border compliance. A copy is available upon request.

By following these rules, Members contribute to a trustworthy network. Remember: your professional reputation is also at stake – recruiters who respect candidate privacy and data security are far more likely to succeed in the long term. RecXchange is here to support you (you can reach out to us with any questions about data protection compliance), but each Member carries their own duties for the data they handle.

Data Sharing and Disclosures

In providing our services, RecXchange may need to share personal data with certain third parties. We do so in a controlled and secure manner, and only as necessary for the purposes outlined. We do not sell or rent personal data to third parties for their own marketing or profit. The key categories of recipients of personal data from RecXchange include:

  • Other RecXchange Members: Given the nature of our platform, some data sharing happens between users. For example, if you as a Member post a job opportunity, your name and contact details might be visible to other Members interested in collaborating. If you share a candidate’s profile with another Member, that Member will see whatever personal data you provided (CV, contact info, etc.) about the candidate. This sharing is always initiated by a Member’s actions and is part of the core functionality of RecXchange (connecting recruiters for split placements). We expect all Members to handle any personal data they receive from others with confidentiality and in line with this Policy and our Terms (as detailed above in Member Obligations). RecXchange’s role is to facilitate these exchanges securely; we also log and monitor such data exchanges on the platform to prevent abuse and to have records in case of disputes or regulatory needs.

  • Service Providers (Processors): We use trusted third-party companies to help us operate RecXchange and deliver our services to you. These third parties act under our instructions and are bound by data processing agreements to protect your information. Key service providers include:

    • Cloud Hosting and IT Infrastructure: We host our platform and data on reputable cloud servers (for example, AWS or similar), potentially located in the UK, EEA, UAE, or other jurisdictions as needed for performance. These providers store and process data on our behalf. We ensure any cloud service used is compliant with modern security standards and, if outside the UK/EU, subject to appropriate transfer safeguards (see International Data Transfers).

    • Payment and Financial Services: When handling subscription payments, escrow transactions, or other financial operations, we may use payment processors such as Stripe, PayPal, or banking partners. These entities process members’ payment information securely in compliance with PCI-DSS and applicable financial data regulations. If we implement an escrow service for split fees, a licensed escrow or payment intermediary will receive relevant data (names, payment account details) to hold and release funds. Such parties will only use the data to facilitate the transaction and not for anything else.

    • Analytics and Communication Tools: We utilize analytics services (e.g. Google Analytics) to understand platform usage, and communication tools or marketing email services (e.g. Force24 or Mailchimp) to send out newsletters or alerts. These providers might process data like your email or cookies on our behalf. They are not allowed to use your data for their own purposes, and any data shared is limited (for instance, we might share an email address and name with an email service solely to send our emails).

    • Customer Support Software: If we use CRM or support ticketing platforms (for example, Zendesk or HubSpot) to manage support inquiries, those platforms will process any personal data you provide in a support request (like your email or issue details) just to help us track and respond to your query.

    • Other Contractors: At times, we may engage IT consultants, auditors, or legal advisors who require access to systems or data for their work (for example, a cybersecurity firm conducting a security test, or attorneys reviewing our compliance). We will ensure any such professional is under a strict confidentiality and data protection obligation before access is given.

  • Affiliates and Corporate Transactions: Currently, RecXchange Portal LLC is a single business entity. If in the future we have affiliate companies or subsidiaries (e.g., if we expand globally or have a UK/EU branch to better handle GDPR compliance), we may share data within our corporate group on a need-to-know basis, under binding corporate policies that protect the data. Additionally, if RecXchange undergoes a business transaction like a merger, acquisition by another company, or sale of assets, personal data may be transferred as part of that deal, but it will remain protected by this Policy (the receiving entity will be required to uphold the same standards or inform users of any changes).

  • Legal and Regulatory Disclosure: We may disclose personal data to third parties when required by law or necessary to protect rights. For example:

    • In response to a legal request: If we receive a court order, subpoena, or lawful investigative demand, we may be compelled to provide relevant personal data to law enforcement, courts, or regulators.

    • To enforce our agreements or protect our rights: If a Member engages in misconduct, we might share information with legal counsel or debt collection agencies as part of addressing the issue. If necessary to prevent imminent harm, illegal activities, or defend against legal claims, we may disclose data to appropriate authorities or parties (for instance, providing fraud evidence to police).

    • Data Subject requests: If we get a request from an individual to transfer their data to another provider (portability) or a copy of their interactions, that might involve transmitting data to a third party (at the individual’s direction). We will only do so after verifying the request.

Whenever RecXchange shares personal data externally, we follow these practices:

  • Least Privilege: We share the minimum amount of information necessary for the purpose. For example, a payment processor gets billing info but not unrelated data; a recruiter receiving a candidate sees the candidate’s professional details but not hidden data.

  • Contractual Safeguards: We impose contractual obligations on all our service providers to keep personal data confidential and secure, and to use it only as instructed. Our contracts with processors include standard data protection clauses as required by GDPR Article 28 and other laws. This means the processor must implement adequate security measures, assist us in fulfilling individual rights requests, notify us of any data breaches immediately, and delete or return data upon our instruction. They also commit to being audited or to providing evidence of compliance. We remain liable for our processors’ actions in accordance with law, so we choose reputable partners and monitor their performance.

  • No Unauthorized Third-Party Access: We do not allow our processors to sub-contract further or engage sub-processors without our consent. If they do use sub-processors (for instance, a cloud provider’s data center operator), they must flow down the same data protection obligations. We maintain transparency about significant sub-processors (we can provide a list of sub-processors on request).

  • International Transfers: If we share data with a recipient in another country, we ensure compliance with transfer laws as described in the next section. For example, when using a U.S.-based service provider for data about EU users, we will have them sign the EU Standard Contractual Clauses or rely on another approved transfer mechanism.

  • User Consent for Certain Disclosures: If none of the above conditions applied and we ever needed to share personal data in a new way, we would seek user consent. For instance, if we were approached by a third-party business offering a partnership that involves accessing our user data, we would not hand over data unless users actively opted in (and such an arrangement would be communicated clearly or governed by an update to our policies).

In summary, RecXchange’s data sharing is limited to supporting the purposes of the platform and complying with the law. There is no selling of personal information for profit, and no unauthorized exploitation of data. We maintain a principle of transparency – if you have questions about who has access to your data, we will gladly provide information.

International Data Transfers

RecXchange is a global platform – by its very nature, personal data may flow across international borders in the course of our operations. We are headquartered in the UAE and have infrastructure in multiple regions (e.g. servers or support teams in the UK, EEA, etc.). Many of our Members are likewise spread across the world, meaning that a recruiter in one country might be sharing data with a recruiter in another. All international data transfers are handled in compliance with applicable laws to ensure an adequate level of protection for personal data, no matter where it is located.

Key considerations and measures for cross-border data transfers include:

  • United Kingdom & European Economic Area (EEA) Transfers: The UK GDPR and EU GDPR impose restrictions on transferring personal data to countries outside the UK/EEA that are not deemed to have “adequate” data protection. RecXchange ensures that any transfer of personal data from the UK or EU to a third country is protected by approved safeguards:

    • We utilize the latest Standard Contractual Clauses (SCCs) issued by the European Commission and the UK’s International Data Transfer Addendum, as appropriate. These are template contractual commitments that bind the data importer to EU/UK privacy standards. For example, if we host data on a server in the United States or grant access to data to our UAE headquarters from the EU, we will have SCCs in place covering that transfer. Likewise, if a Member in the EEA shares data with a Member in a non-EU country via our platform, RecXchange’s terms of use incorporate SCC-like obligations to ensure that, legally, the transfer is covered (Members essentially agree to protect data they receive to the standard required).

    • Where available, we also consider Adequacy Decisions: If data is being transferred to a country that has been officially recognized by the EU or UK as providing adequate protection (for instance, the UK is “adequate” for the EU currently, and countries like Canada (commercial organizations under PIPEDA), Switzerland, Japan, etc. have adequacy decisions), we rely on those decisions. Adequacy means personal data can flow as if within the EU/UK without further safeguards. If RecXchange stores EU personal data in an adequate country or works with a service provider in one, we note that as a compliant transfer.

    • Binding Corporate Rules (BCRs) and Other Mechanisms: Should it become necessary (for example, if we establish a group of companies and need internal rules, or if we engage in more complex processing across entities), we may develop Binding Corporate Rules or rely on certifications or codes of conduct once they are approved for international transfers. At present, SCCs and adequacy cover most of our needs. We also implement technical measures like encryption to supplement legal safeguards – this mitigates risks identified in the wake of cases like Schrems II (concerning government access to data).

    • We conduct Transfer Impact Assessments when needed to evaluate the legal environment of data importing countries and ensure that SCCs can be complied with in practice. If we ever determine that an overseas recipient cannot uphold the required privacy protections, we will suspend the transfer or put in additional safeguards.

  • UAE and Other Countries’ Transfer Rules: The UAE’s PDPL also regulates transfers of personal data outside the UAE. We will abide by any future regulations or guidelines issued by the UAE Data Office regarding approved jurisdictions or required contractual clauses for exports of data. Until official decisions are in place, we will treat transfers from the UAE similarly to EU transfers – i.e., ensure the recipient country has an adequate law or use SCCs or consent. Likewise, for other jurisdictions: for example, under Singapore’s PDPA we must ensure overseas recipients protect the data to PDPA standards (which SCCs or similar contractual terms can satisfy); under POPIA, transfers out of South Africa require the data subject’s consent, a legal requirement, or comparable protections; under Brazil’s LGPD, transfers need specific safeguards (adequacy, SCCs, etc.). RecXchange commits to complying with each applicable regime’s cross-border rules, using contractual safeguards, user consent, or other mechanisms as necessary.

  • Member-to-Member Transfers: When Members share candidate or client data across borders via RecXchange, we consider that an extension of our international data transfer framework. Our platform terms incorporate clauses to ensure that the recipient Member (data importer) will treat the personal data with a high level of protection (essentially, by agreeing to our Terms & Conditions and this Policy, each Member outside a strict jurisdiction agrees to handle data to GDPR/PDPL standards). Additionally, because such transfers often rely on the consent of the data subject (candidate), that consent should include acknowledgment of the international aspect. We encourage Members to explicitly mention to candidates if their data will be reviewed by a recruiting partner in another country.

  • Transparency: We inform users that their data may be processed in various locations. Our Privacy Policy discloses the countries or regions where we may process data (UAE, UK, EEA, etc.). If we introduce a new processing location that is materially different (say, adding a data center in a country not previously mentioned), we will update our notices and, if required, obtain consent. Users can request details on where their particular data is stored or accessed from, and we will provide such information.

  • Data Localization: If any law requires that personal data remain within a certain country or region (data localization requirements), we will take steps to comply – for instance, by using local data centers or restricting remote access. Currently, RecXchange is not subject to strict localization mandates, but we monitor legal developments (e.g. some countries require certain personal data to be stored domestically or impose conditions on cloud services).

  • Encrypted Transfers: All data in transit is protected by strong encryption (HTTPS/TLS). This means that when personal data is being transferred across borders over the internet (between a user’s browser and our servers, or between our internal systems), it’s encrypted and cannot be read if intercepted. We also encrypt data at rest on servers located abroad to add another layer of security. These technical measures ensure that even while data is physically in another country, it remains confidential.

  • Ongoing Compliance: We stay updated on changes to international data transfer regimes. For example, if a new EU-US Data Privacy Framework is implemented or if the UK issues new model clauses, we will adapt accordingly. We also track geopolitical developments that could affect our ability to protect data (like surveillance laws) and will be transparent with regulators and users if any transfer is deemed untenable under privacy standards.

By using RecXchange, Members and users acknowledge that personal data may be transferred internationally as needed for the service, but always in accordance with this Policy and applicable laws. We understand that international transfers can be a complex area of compliance, and we welcome questions or requests for more information about how we handle global data flows. If you need a copy of our standard contractual clauses or have concerns about a particular transfer, please contact us – we are happy to provide additional assurances and information.

Data Retention and Deletion

RecXchange retains personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law or legitimate business interests. We have established retention periods for different categories of data, and we securely dispose of data once retention periods expire. Our approach to data retention is as follows:

  • Member Account Data: If you are an active Member, we retain your account information, profile data, and transaction history for the duration of your membership on the platform. This allows us to provide continuous service to you. All such data is kept until you deactivate your account or otherwise end your membership, subject to certain grace periods.

  • Former Members: When a Member account is closed (either at your request or due to termination under our Terms), we will archive and eventually delete your personal data. Generally, we aim to retain core records of your membership for up to 7 years from the end of the membership. This period is based on several considerations: (a) statutory limitation periods for contract or tort claims (often up to 6 years in many jurisdictions, so 7 years provides a buffer), (b) financial record-keeping laws (tax or accounting regulations may require retention of transaction records for 5-7 years), and (c) our need to have historical data in case of later disputes or to maintain platform integrity (for example, if a dispute arises or if a banned user attempts to re-register, historical data can be important). After 7 years post-termination, personal data associated with that Member will be deleted or anonymized, unless a longer retention is legally required. We will not use former member data for any new purposes after account closure (except possibly to contact you regarding any residual issues like unpaid fees or legal matters).

  • Prospective Members and Inquiry Data: If you provided us personal data but did not become a full Member – e.g., you started an application, joined a waitlist, or contacted us with questions – we typically retain that data for up to 12 months. If you don’t engage further within that period, we will delete or anonymize your data. This retention allows us to follow up on your inquiry or offer you membership later, but ensures we don’t keep data indefinitely if there’s no ongoing relationship.

  • Candidate and Client Data (Shared via Platform): When Members share candidate CVs, candidate contact details, or client contacts through RecXchange as part of a collaboration, RecXchange may store that information as part of the deal record. We consider candidate and client data a part of the business record of the transaction (the split placement or attempted placement). We retain such data in line with the retention for the deal or associated Members. For example, if a placement is made, details of that placement (including the candidate’s name, the client, date of placement, fee, etc.) might be kept for 7 years as part of our financial records or dispute evidence. The candidate’s full CV or personal details beyond what is needed for record purposes will not be kept longer than necessary – we may, for instance, only retain identifying info and placement info after a period, and securely dispose of attachments like CV files once a deal is long concluded. We encourage Members to also observe data minimization with candidate data: if you received a candidate’s information via RecXchange, do not keep it longer than you are entitled to. If the candidate was not placed and the process is over, you should delete their data unless you have another lawful basis to keep it (e.g. the candidate agreed to be in your talent pool). Our platform may provide features to auto-expunge shared candidate data after a certain time unless the recruiters indicate an ongoing need.

  • Communication Records: We log communications through the platform (messages between Members, notifications, etc.) and support correspondence. These logs are retained as long as the Member account is active and for a time after (aligned with the 7-year former member rule) to serve as evidence in case of disputes, to improve our services, or to comply with legal obligations. For instance, if two Members have a disagreement two years after a placement, we can refer to the communication logs to help resolve it (hence we keep them for a reasonable period).

  • Web Analytics and Cookies: Data from cookies and similar trackers has varying retention depending on its purpose. Essential session cookies may last only for the session duration, while analytics cookies might persist for a few months (Google Analytics data, for example, might be retained in aggregate form for 14 months, but this does not include personal identifiers). We abide by industry standards and any regulatory guidance on analytics data retention. Users can also clear cookies to remove those trackers. (See our separate Cookies policy for the specific lifespans of cookies.)

  • Legal Hold and Exceptions: If we are aware of a legal dispute, investigation, or request that requires us to preserve certain data beyond the normal retention period, we will do so. For example, if a Member is suspended for misconduct, we might retain their data longer if needed for potential litigation. Or if we receive a preservation order from law enforcement, we will keep the data specified until cleared to delete. During such a hold, the data will be isolated and protected, and only used for the purpose of complying with the law or resolving the issue.

  • Destruction and Anonymization: Once data is no longer required and the retention period has elapsed, we will permanently and securely delete or anonymize the personal data. Deletion involves removing data from our active databases and backups in such a manner that it cannot feasibly be recovered or reconstructed. Anonymization is an alternative we may use for certain data that could be useful in aggregate form (e.g. we might keep anonymized statistics about platform usage or placement success rates). Anonymization means stripping all personal identifiers (names, emails, IDs, etc.) such that the data can no longer be linked to any individual. For example, after 7 years we might convert a record of a placement into a purely statistical entry (like “placement in industry X, fee Y”) with no personal data attached.

  • Member Deletion Requests: We also respect a Member’s right to request deletion (as noted in Data Subject Rights). If you request erasure of your data, we will do our best to remove your personal data from our systems and inform any processors to do the same, provided we have no overriding need or legal obligation to keep it. We will also notify other Members who received your data (if you were a candidate, for instance) if we have the means to, urging them to delete the data as well. Some information, such as posts you made in a forum or messages sent to other users, may not be completely deletable without affecting others’ data – in those cases, we anonymize it (e.g. replace your name with “Deleted User”). We maintain logs of deletion operations as proof of compliance.

Our retention policy aims to balance privacy (not keeping data indefinitely) with practical needs (keeping important records for a sufficient period). We believe the above periods achieve that balance, but we continually review them. We will update our retention schedules if, for instance, laws change or if shorter retention is feasible without impacting our service. Users will be notified of any significant changes to how long we keep data.

Data Security Measures

RecXchange is committed to maintaining the security of personal data. We implement a robust information security program with technical and organizational measures to prevent data breaches, unauthorized access, or any compromise of personal data confidentiality, integrity, or availability. Key aspects of our data security framework include:

  • Encryption: All sensitive data handled by RecXchange is protected by encryption in transit and at rest. Our website and platform use HTTPS (SSL/TLS) for all communications, ensuring that data (like login credentials, personal details, messages, etc.) is encrypted when sent between your device and our servers. Additionally, we encrypt personal data stored in our databases and backups using strong encryption algorithms. This means that even if data were to be intercepted or accessed without authorization, it would be unreadable without the encryption keys. We manage and safeguard those cryptographic keys with best practices (secure storage, regular rotation where feasible, limited access).

  • Secure Infrastructure: We host RecXchange on secure, modern cloud infrastructure. Our servers are located in secure data centers with 24/7 physical security, access control, surveillance, and redundancy for power and networking. We ensure operating systems and software are kept up-to-date with security patches. Firewalls and intrusion detection systems are in place to guard against external attacks. We isolate our application environment and segment networks such that an issue in one component does not easily compromise another. Regular data backups are performed and stored in encrypted form, so that in the event of data loss or ransomware, we can restore functionality with minimal data loss. Our backup storage is protected and geographically distributed for resilience.

  • Access Controls: Access to personal data within RecXchange is strictly limited based on role and necessity (principle of least privilege). Only authorized personnel who require access to perform their duties can view or manipulate user personal data. For example, customer support staff can see profile information needed to assist a user, but they may not have access to sensitive financial data which only the billing team can access. Administrative access to databases or servers is restricted to a small team of engineers and is secured with strong authentication measures (complex passwords, multi-factor authentication, SSH keys, etc.). We keep logs of who accesses what data and periodically review those logs to detect any unusual access patterns. User accounts on the platform are protected by password credentials (which are stored hashed), and we encourage users to choose strong passwords. Where possible, we may introduce additional security features for user accounts, such as two-factor authentication.

  • Employee Training and Policies: Every team member at RecXchange is educated about our data protection and security policies. We have a confidentiality policy and each employee or contractor with access to personal data signs a confidentiality agreement. Training covers how to handle personal data safely (e.g., not downloading data to unsecured personal devices, recognizing phishing attempts, securing one’s workstation, etc.). We emphasize the importance of reporting any suspected security issues immediately. Our internal policies align with GDPR, PDPL, and other regulations – for instance, we have rules about not using personal data for anything outside of the intended purpose, and about immediately informing the privacy team if someone makes a data subject request or if a mistake involving personal data occurs. Non-compliance with our security/privacy policies by staff can result in disciplinary measures including termination.

  • Vendor Security: Part of our security program is ensuring that any third-party services or plugins we use meet high security standards. We vet vendors for their security certifications (such as ISO 27001, SOC 2, etc. if available) and privacy practices. We include security requirements in our contracts with them and monitor their compliance. If a vendor suffers a breach that might affect RecXchange data, they are obligated to inform us immediately so we can take action (and notify users/regulators as needed).

  • Testing and Auditing: We regularly test our systems and processes to identify and address vulnerabilities. This includes:

    • Vulnerability scanning: Automated tools periodically scan our web application and servers for known vulnerabilities.

    • Penetration testing: We engage independent security experts to perform penetration tests on the RecXchange platform. These ethical hackers attempt to find weaknesses that malicious actors might exploit, allowing us to fix them proactively.

    • Code review: Our development team follows secure coding practices and peer-reviews code for security issues before deployment. We avoid using deprecated or insecure libraries.

    • Audit logs: We maintain detailed logs of system activity and access to data, which are protected from tampering. We audit these logs to ensure activities are legitimate. Any anomalies (e.g., large exports of data, repeated failed logins, etc.) trigger alerts for our security team to investigate.

  • Data Minimization (Security aspect): By minimizing what data we collect and retain (as described earlier), we inherently reduce the risk exposure. If we don’t have it, it can’t be stolen or misused. We encourage pseudonymization where feasible – e.g., in some internal analytics, we use unique IDs instead of names to analyze usage patterns.

  • Incident Response Plan: Despite all precautions, no system can be guaranteed 100% secure. RecXchange has a Data Breach Response Plan ready for prompt action in case of any security incident. The plan includes:

    • Defined roles and communication lines (who in our team leads the response, who contacts law enforcement or external experts if needed, etc.).

    • Steps for immediate containment (e.g., isolating affected systems, changing access credentials, etc.).

    • Investigation procedures to determine the scope and root cause of the incident.

    • Fix and recovery steps to remediate vulnerabilities and restore any lost functionality.

    • Notification procedures as required by law (detailed in the next section).

    • Post-incident review to improve our processes and prevent similar incidents.

  • User Responsibilities: We remind our users that security is a shared responsibility. Members should also take steps to protect their accounts and any data they handle:

    • Keep your RecXchange login credentials confidential. Do not share your password with others. Use a unique, strong password for our platform.

    • Enable any security features we offer (such as 2FA) for added protection.

    • Be vigilant about phishing – RecXchange will never ask for your password via email. Verify communications from us, especially if they ask for any personal data.

    • Log out of the platform when using public or shared computers, and maintain up-to-date anti-virus software on your devices.

    • If you suspect any unauthorized activity on your account or a potential security vulnerability, notify us immediately at support@recxchange.com. We will take swift action to secure your account and investigate the matter.

We are dedicated to keeping the platform secure and continually investing in our security capabilities. Our goal is to not only meet the legal requirements (like GDPR’s mandate for appropriate technical and organizational measures, or UAE PDPL’s security standards) but to earn our users’ trust by protecting their data as we would want ours protected. We will update our security practices as technology and threats evolve, and we will report on significant changes or certifications in updates to this Policy.

Data Breach Response and Notification

Despite robust safeguards, it is important to be prepared for the unfortunate event of a personal data breach. A data breach can be any incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. RecXchange has a defined procedure to respond to such incidents, minimize harm, and fulfill all legal notification obligations.

Our breach response includes:

  • Immediate Action: Upon discovery or notification of a potential breach, our incident response team will rapidly assess the situation. We will secure systems, patch vulnerabilities, and prevent further unauthorized access or data leakage. Time is of the essence; containment measures (such as shutting down certain functions or isolating databases) occur within hours or minutes of detection, as appropriate to the severity.

  • Investigation: We investigate the scope and impact of the breach. This involves determining what data was affected, which individuals were involved, how many records were compromised, how the breach occurred, and whether the data has been misused. We may engage forensic security experts to assist. We maintain detailed records of the incident and our response steps.

  • Internal Notification: We escalate to senior management and, if applicable, our Data Protection Officer or privacy lead immediately. If the breach involves criminal activity (like hacking), we will also contact law enforcement as appropriate.

  • Assess Risk to Individuals: We evaluate the risks posed by the breach to Data Subjects. If personal data has been exposed, we consider the likely consequences – e.g., risk of identity theft, fraud, physical harm, embarrassment, reputational damage, etc. This risk assessment guides our external notification actions.

  • Regulatory Notification: Where required by law, we will notify the relevant data protection authorities of the breach. Under GDPR/UK GDPR, for example, if a breach is likely to result in a risk to individuals’ rights and freedoms, we must notify the supervisory authority (ICO in the UK, or an EU authority if EU data subjects are affected) without undue delay and within 72 hours of becoming aware of the breach. Our aim is to notify as soon as possible, ideally well within that window, once we have basic facts. We include in the notification the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address it. If full details aren’t known within 72 hours, we send an initial notification and commit to supplementary info when available. Other laws have their own notification timelines (e.g., some U.S. state laws suggest notification to authorities within a certain number of days for large breaches; PDPA in Singapore requires notification “as soon as practicable” if harm is likely; POPIA requires notification to SA Information Regulator and data subjects in a reasonable time). We will adhere to each applicable law for incidents in their scope. We will also notify the UAE Data Office per PDPL requirements (which at the time of writing, similarly require prompt notification of material breaches once the regulatory body and process are established).

  • Notification of Affected Individuals: If a breach is likely to result in a high risk to the rights and freedoms of individuals, we will also inform those individuals without undue delay, again as required by GDPR and analogous laws. “High risk” typically means the data leaked could lead to significant harm (e.g., release of sensitive personal details, passwords, financial info). Our notice to individuals will be in clear language, describing the nature of the breach, what data is involved, and giving specific advice on steps they should take to protect themselves (such as resetting passwords, monitoring accounts, etc.). We will also provide contact information for our team for questions, and inform individuals of their rights (like the right to complain to a supervisory authority). We may use email, in-app notifications, and/or public announcements (if reaching individuals directly is impossible, e.g., if contact info was also lost).

  • Member Reporting Obligation: Members must report any suspected data breach involving personal data obtained via RecXchange within 24 hours of becoming aware of the incident. Failure to report promptly may itself constitute a breach of this Policy and expose the Member to platform sanctions and legal liability.

  • Containment and Recovery: We will take all necessary steps to mitigate the effects of the breach and prevent recurrence. This could include: deploying patches, changing access credentials, restoring data from clean backups, removing malicious code, working with third-party contractors if the breach originated there (and possibly suspending those integrations until resolved), and improving processes that failed. We’ll keep affected users updated on major developments, especially if new information emerges that impacts them.

  • Documentation: We document every data breach incident and the response thoroughly, as required by law. Even if a breach doesn’t require external notification (e.g., it was low-risk), we keep an internal record of what happened and what we did. These records include the facts about the breach, its effects, and remedial actions taken, and are useful for post-mortem analysis and potentially for demonstrating compliance to regulators later.

  • Post-Incident Review: After addressing the immediate crisis, we conduct a root-cause analysis to learn from the event. The findings are used to update our security measures and training. If the breach revealed any gap in our policies or technical controls, we will fix those promptly. We may also revisit our risk assessments and see if any similar systems need strengthening.

RecXchange’s goal is to be forthright and proactive in the event of a breach. We will never hide a significant data breach. Transparency and swift action are crucial to maintaining trust and limiting damage. Our communications around a breach will be factual and not misleading; if an ongoing investigation means some details are unknown, we will say so and avoid speculation.

For Members: if you, as a user of RecXchange, become aware of or cause a data breach (for example, you accidentally expose another Member’s or a candidate’s data), you should inform us immediately. We will work with you to manage the incident. Keep in mind that if a Member’s own systems are breached and it involves personal data originally obtained via RecXchange, that Member may have independent legal obligations to notify authorities or individuals. RecXchange will assist where possible, but Members should have their own breach response plans in line with their local laws.

To summarize, while we strive to prevent any data breaches, RecXchange has a comprehensive plan to handle them and minimize impact, including timely notifications to regulators and affected parties as mandated (e.g., ICO and users within 72 hours for serious breaches, and analogous requirements globally). We consider protecting our users’ data not just a legal duty but a core responsibility of our business.

Enforcement and Compliance

This Policy is a binding commitment by RecXchange, and we enforce compliance with it through various means. Ensuring adherence to data protection requirements is critical both within our organization and among our platform community. Below is how we implement and enforce these rules:

  • Internal Enforcement (Employees and Contractors): All personnel with access to RecXchange systems or data must comply with this Policy and related internal procedures. We incorporate data protection compliance into our employee handbook and contractual agreements. Breaches of data protection obligations by staff (e.g. unauthorized access to user data, not following security protocols) are treated as serious misconduct. Depending on severity, consequences may include retraining, formal warnings, or termination of employment/contract. We maintain an audit trail of who has accessed sensitive data – if an audit or alert reveals unauthorized access, we investigate immediately. We also apply the principle of separation of duties so that no single individual has unchecked powers over personal data, reducing the risk of intentional misuse.

  • Member Compliance Monitoring: We actively monitor platform activity for compliance with our Terms and this Policy. For example, unusual patterns like bulk downloading of profiles or repeated attempts to bypass communication channels can be flagged by our system. We also rely on community reporting – Members can report suspicious behavior or potential data misuse. When a complaint or red flag arises, RecXchange will investigate. This might involve reviewing message logs, verifying whether consent records exist for a candidate share, or asking the accused Member for an explanation. We maintain the right to audit Member activity on the platform where necessary to ensure no one is violating data protection rules or other terms.

  • Member Enforcement Actions: If we determine that a Member has violated this Policy or applicable data protection laws in the context of platform use, we will take action. Actions include:

    • Warning or Training: For minor or inadvertent violations (e.g., a misunderstanding that didn’t result in actual harm), we may issue a warning and require the Member to undergo additional training or acknowledge the rules again.

    • Suspension: We can suspend a Member’s account access temporarily while investigating a potential serious breach. During suspension, the Member cannot use the platform.

    • Termination (Ban): For clear and serious violations – such as sharing data without consent, data scraping, or poaching another’s candidate – RecXchange will terminate the Member’s account. This is a permanent ban in most cases. The Member will be notified of the termination and, if applicable, the reason (unless legal advice suggests not disclosing details). As stated in our Terms, confirmed poaching or circumvention leads to a permanent ban, which aligns with data misuse consequences. We also reserve the right to report egregious unlawful conduct to the authorities (for instance, if a Member’s misuse might constitute an offense under privacy or computer misuse laws).

    • Legal Recourse: In line with our contractual terms and the law, if RecXchange or other users suffer damages due to a Member’s data protection breach, that Member may be held liable. We may pursue legal action for injunctive relief (to stop the misuse) and/or damages. As outlined in our Terms, a Member who circumvents another in breach of contract owes liquidated damages (100% of the fee) to the wronged party – this is enforceable separately from any regulatory fines the Member might face under data laws.

  • Third-Party Processor Compliance: We enforce this Policy with third-party processors through contractual clauses. If a processor fails to meet our data protection requirements or suffers a breach, we will hold them accountable according to the contract (which may involve termination of the service and possibly liability for damages). We audit critical providers by reviewing their compliance reports and can request evidence of their practices. In the event a processor is found non-compliant, we take swift corrective action – e.g., suspending data flows to them until issues are fixed, or switching to an alternative provider if needed.

  • Regulatory Cooperation: RecXchange cooperates fully with data protection authorities. If we are subject to an inquiry or inspection by a regulator (ICO, Data Office, etc.), we will provide the required information and access. We maintain an open-door policy with regulators: transparency and good faith are paramount. In case of any formal enforcement action or notice from a regulator, we will comply with directives (such as improving practices, ceasing certain processing, or paying fines). Our aim is to resolve any compliance issues amicably and promptly.

  • Periodic Compliance Reviews: We conduct regular reviews to ensure that what we say in this Policy is actually being done in practice. This includes checking that data inventories are up to date, privacy notices cover all processing, consents are properly recorded, and retention/deletion routines are functioning. We might simulate a data subject request or breach scenario internally to test our responsiveness. Results of these reviews are reported to senior management and used to refine our privacy program.

  • Updates and Version Control: We recognize that data protection law is continuously evolving. We monitor new legislation (for instance, emerging U.S. state laws, amendments to existing laws, new court decisions affecting interpretation) and update our policies and procedures accordingly. When this Policy is updated, we will notify Members in an appropriate manner (email or platform notification, and by updating the “last revised” date on the document). If changes are substantial (especially if they affect how data is processed or users’ rights), we may seek affirmative acceptance or consent as needed. Continuing to use the platform after an update implies acceptance of the Policy, but we’ll always highlight significant changes for clarity.

  • Governing Law and Jurisdiction: This Policy is governed by the laws of England and Wales (as our Terms specify). However, this choice of law does not override any mandatory data protection rights users have in their local jurisdictions. We design our compliance to meet those local requirements. In the event of a dispute regarding data protection that cannot be resolved amicably or via arbitration (as provided in our Terms for cross-border disputes), it may ultimately be brought before the courts of England and Wales, unless local law dictates otherwise. We certainly hope to never reach that stage – our preference is to work collaboratively with users and regulators to address any issues.

  • Penalties for Non-Compliance: We remind all stakeholders that violating data protection laws can carry severe penalties. GDPR and UK GDPR can impose fines up to 4% of global annual turnover or €20 million (whichever is higher) for the most serious infringements. Other laws (like PDPL, CCPA/CPRA, LGPD, POPIA, etc.) also have significant fine regimes and even criminal sanctions in some cases. Beyond formal penalties, the reputational harm from a data breach or law violation can be irreparable. RecXchange’s compliance program and this Policy are intended to prevent such outcomes. We take these laws seriously not just to avoid fines, but because protecting personal data is the right thing to do for our Members, their candidates, and our business integrity. Every Member is urged to do likewise. Non-compliance is not worth the risk – as a community, we are all better off adhering strictly to these standards.

By enforcing this Policy at every level – individual, organizational, technical, and legal – RecXchange aims to maintain a platform that is not only effective for recruitment collaboration but also exemplary in privacy compliance. We appreciate the trust that users and partners place in us, and we reaffirm that we will do everything in our power to deserve that trust through ongoing vigilance and accountability.

Limitation of Liability

Except where prohibited by law, RecXchange’s liability for any claim arising from data processing shall be limited to direct damages not exceeding the total Fees paid by the affected Member or Client in the preceding 12 months. We are not liable for actions or omissions of Members acting as independent data controllers (e.g. misuse of candidate data by another recruiter) unless caused by our own negligence or breach.

Contact Information and Further Guidance

If you have any questions, concerns, or requests regarding this Global Data Protection Policy or any aspect of how RecXchange handles personal data, please contact us. We have a dedicated team for data protection and privacy inquiries.

Contact Details:

  • Email: legal@recxchange.io

  • Postal Address: Data Protection Officer (or Privacy Team), RecXchange Portal LLC, Pinnacle Building, Sheikh Zayed Road, Dubai, United Arab Emirates.

For the fastest response, we recommend reaching out via email. We endeavour to respond to all legitimate inquiries within two business days. If you are contacting us to exercise a data subject right, please provide enough information for us to verify your identity and clearly describe your request (e.g., “I am requesting a copy of all my personal data” or “Please delete my account and all data”). This helps us address your query efficiently.

You may also refer to our published Privacy Policy for more details on specific data processing activities, and to our Terms & Conditions for contractual terms related to data use and intellectual property on the platform. This Global Data Protection Policy is intended to harmonize and expand upon those documents, giving a full picture of our compliance program. In case of any inconsistency, we will interpret and apply the documents together in the manner most protective of individual privacy.

RecXchange thanks you for reading and abiding by this Policy. We are dedicated to protecting personal data and upholding privacy as a fundamental aspect of our service. By fostering a culture of respect for data protection, we create a trustworthy environment for all recruiters, candidates, and clients involved.

Last Updated: September 2025 (to be revised as needed in line with regulatory changes or improvements in our practices).