Last updated · 12 May 2026

Terms of Service & Privacy

Plain-English rules for using Shortlisted, plus how we handle your personal data under the EU/UK GDPR and Singapore's PDPA.

1. Who we are

Shortlisted is a two-sided job matching platform operated for candidates and hiring companies. For the purposes of GDPR, Shortlisted is the data controller for the accounts, profiles, and matching data we collect directly from you. When we process candidate data on behalf of a hiring company that has shortlisted you, we act as a data processor for that company.

2. Using Shortlisted

  • You must be 18 or older and legally permitted to work.
  • Information you submit (CV, headline, preferences) must be accurate and yours to share.
  • No scraping, reverse engineering, or automated harvesting of candidate or job data.
  • Recruiters may only contact candidates about genuine roles and must respect withdrawal requests.

3. What data we collect

  • Account data — email, authentication tokens.
  • Profile data — CV, current title, skills, experience, salary preferences, location preferences.
  • Matching data — derived scores, canonical skill IDs, parse reasons.
  • Usage data — minimal logs needed to operate the service securely.

We do not sell your data, do not run third-party advertising trackers, and do not use your CV to train public AI models.

4. Lawful basis (GDPR Art. 6)

  • Contract — to operate your account and run matches you asked for.
  • Consent — to share your full profile with a specific hiring company when you accept a match.
  • Legitimate interests — to keep the service secure, prevent abuse, and improve matching quality, balanced against your rights.

5. Your GDPR rights

If you are in the EU, EEA, or UK you have the right to:

  • Access a copy of your personal data.
  • Rectify inaccurate data (editable in your profile).
  • Erase your data ("right to be forgotten") — deletes your account, CV, and match history.
  • Restrict or object to processing.
  • Port your data to another service in a machine-readable format.
  • Withdraw consent at any time without affecting prior lawful processing.
  • Lodge a complaint with your local supervisory authority (e.g. ICO in the UK, your national DPA in the EU).

To exercise any right, email privacy@shortlisted.sg. We respond within 30 days.

6. Data retention

Active profiles are retained while your account is open. If your account is inactive for 24 months we notify you and then delete the profile. Deleted accounts are purged from primary systems within 30 days and from encrypted backups within 90 days. Match audit logs needed for fraud and dispute handling are kept for up to 12 months.

7. International transfers

Our infrastructure may process data in the EU, UK, and Singapore. Transfers outside the EEA/UK rely on Standard Contractual Clauses (SCCs) and the UK IDTA where applicable.

8. Security

Data is encrypted in transit (TLS) and at rest. Access to production data is least-privilege and audited. Row-level security isolates each candidate's data from other users.

9. Subprocessors

We use a small set of vetted infrastructure providers (authentication, database, edge hosting, transactional email). A current list is available on request to privacy@shortlisted.sg.

10. Cookies

We use strictly necessary cookies for authentication and session security only. No advertising or cross-site tracking cookies are set.

11. Singapore (PDPA)

Shortlisted is headquartered in Singapore and complies with the Personal Data Protection Act 2012 (PDPA), including the September 2024 amendments and the Advisory Guidelines on Key Concepts in the PDPA.

You can submit and track an access, correction, portability, erasure, or consent-withdrawal request directly from your in-app privacy requests page.

  • Consent Obligation — we collect, use, and disclose your personal data only for purposes you have consented to (creating an account, running matches, sharing your profile with a company you accept). You can withdraw consent at any time from your account settings.
  • Purpose Limitation & Notification — your CV and profile data are used only for job matching and account operation. We will notify you before using your data for any materially new purpose.
  • Access & Correction — you can view and edit your profile in-app, or request a full data access report by emailing privacy@shortlisted.sg. We respond within 30 days as required by the PDPA.
  • Data Portability — you can request an export of your profile and match history in a structured, machine-readable format.
  • Protection Obligation — TLS in transit, encryption at rest, row-level security, and least-privilege access controls protect your data.
  • Retention Limitation — we delete personal data when it is no longer needed for the purpose it was collected (see section 6).
  • Transfer Limitation — overseas transfers are only made to jurisdictions with comparable protection, or under contractual safeguards equivalent to PDPA standards.
  • Data Breach Notification — we will notify the PDPC and affected users without undue delay (and within 3 calendar days) of any notifiable data breach, in line with the PDPA's mandatory breach notification regime.
  • Do Not Call — we do not send marketing SMS or telemarketing calls. Recruiter contact only happens after you accept a match.

Our Data Protection Officer (DPO) can be reached at dpo@shortlisted.sg. If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore at pdpc.gov.sg.

12. Changes

We may update these terms. Material changes will be notified by email or in-app at least 14 days before they take effect.

13. Contact

Questions, complaints, or data requests: privacy@shortlisted.sg.