Version 1.3 · Last updated: 11 May 2026
Mainder Privacy Policy
Mainder's Privacy Policy as Data Processor under Regulation (EU) 2016/679 (GDPR).
1. Data Processor identification
Genius for People S.L., NIF B44879849, registered office at C/ Badajoz 32, 08005 Barcelona, Spain (hereinafter, "Mainder"), acts as Data Processor of candidates' personal data on behalf of our clients (the "Data Controllers"). Mainder processes such data exclusively under the Controller's documented instructions and for the sole purpose of providing technology services to manage selection processes, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).
Data protection contact: privacy@mainder.ai.
2. Contractual framework and purposes
No other purpose, transfer or commercialisation of the data is authorised without explicit consent. Processing is governed by the contract with the Controller, which sets out the Processor's obligations and the safeguards for data subjects.
Mainder processes candidates' personal data exclusively for:
- Providing technology services for the management of selection processes to the Controller.
- Evaluating the candidate's suitability for the open positions through artificial intelligence systems (see section 5).
- Communicating the status of the application to the candidate.
- Complying with applicable legal obligations.
- Where the candidate provides explicit consent and the Mainder client offers the service, sharing the profile with other Mainder clients through Mainder Connect (see section 12).
3. Legal bases
- Management of the selection process: Art. 6.1.b GDPR (pre-contractual measures) and/or Art. 6.1.f (legitimate interest of the Controller).
- AI-assisted evaluation: Art. 6.1.f GDPR (legitimate interest of the Controller, with safeguards).
- Mainder Connect: Art. 6.1.a GDPR (explicit consent, where the client offers the service).
- Legal compliance: Art. 6.1.c GDPR.
4. Data categories
Mainder processes personal data voluntarily provided by the candidate (CV, forms, correspondence) and data obtained from public professional sources (LinkedIn and similar) where the applicable legal bases permit.
Special categories of data (Art. 9 GDPR): Mainder does not request or infer data relating to health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, sex life or sexual orientation. If such data appears incidentally in the CV provided, Mainder discards it and does not use it for any automated evaluation.
5. Use of Artificial Intelligence (GDPR Arts. 13-14, AI Act Art. 50)
Mainder uses artificial intelligence systems to assist the selection process. The candidate should be aware that:
What our systems do:
- AI Scoring: evaluates the fit between the profile and the job requirements in four objective dimensions (role, technical skills, experience and location).
- CV Parsing: structures the content of the CV into navigable fields.
- Professional enrichment: supplements, where lawful, with public professional information.
- Interview evaluation (HireVoice): when the client activates this functionality, the responses to a recorded interview are processed by a specialised sub-processor.
What our systems DO NOT do (explicit commitment):
- They do not infer or recognise emotions, mental states, personality traits or intentions.
- They do not perform biometric categorisation.
- They do not analyse facial expressions, gestures or tone of voice for affective purposes.
- They do not use special categories of data under Art. 9 GDPR.
Automated decisions (Art. 22 GDPR): the final hiring decision is always human. AI systems produce recommendations and rankings but do not make decisions with legal or similarly significant effects without human intervention. The candidate has the right to:
- Request human intervention in the evaluation.
- Express their point of view and provide additional information.
- Contest the decision and request a review.
- Request understandable information about the logic applied.
These rights can be exercised by writing to privacy@mainder.ai or to the Data Controller (the contracting company).
6. Sub-processors
Mainder uses sub-processors bound by contract under Art. 28 GDPR. The complete and updated list is available at /legal/subprocessors and is also maintained in the Sub-processor Register available to the Controller.
7. Data location and international transfers
Mainder's primary servers are located in the European Economic Area (EEA), complying with GDPR requirements. Some sub-processors (section 6) process data in the US or the UK. In those cases Mainder applies:
- Standard Contractual Clauses of the European Commission (Decision 2021/914), module 2 or 3 as applicable.
- Adequacy decisions where applicable (UK Adequacy Decision; EU-US Data Privacy Framework, where in force).
- Supplementary technical and organisational measures (encryption in transit and at rest, access control, minimisation).
A Transfer Impact Assessment (TIA) is available on request to the Controller.
8. Retention periods
- Application data within an active process: for the duration of the process.
- Application data after the process closes: 12 months, unless a legal obligation or Mainder Connect consent applies.
- Data in Mainder Connect: until consent is withdrawn.
- Audit and security logs: 24 months.
Once these periods elapse, the data is securely deleted or anonymised.
9. Security
Mainder applies appropriate technical and organisational measures to protect personal data, ensuring a level of security commensurate with the risk (Art. 32 GDPR): encryption in transit (TLS) and at rest, role-based access control, audit logging, environment segregation, backups, staff training, incident management and business continuity planning.
10. Breach notification
In the event of a personal data breach, Mainder will notify the Data Controller without undue delay and within a maximum of 48 hours of becoming aware of it, in accordance with Art. 33 GDPR and the data processing agreement.
11. Candidate's rights
Data subjects may exercise at any time the rights recognised by the GDPR (access, rectification, erasure, restriction of processing, objection and portability), as well as those provided for in Articles 15 to 22 GDPR and in the Spanish LOPDGDD, by sending their requests to the Data Controller (the contracting company) or to Mainder as Processor through privacy@mainder.ai. Full guide and request template at /legal/data-subject-rights.
They also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) if they consider it appropriate: www.aepd.es.
12. Mainder Connect
Where the candidate provides explicit consent when applying for a position, Mainder and the Mainder client to which they apply may process the candidate's personal data for three additional purposes:
- Post-process retention: retain the candidate's profile and CV after the selection process they applied to has closed, in order to consider them for future matching opportunities within the same agency or Mainder client.
- Email suggestions: send the candidate, by email, communications with openings that match their professional profile. Each communication includes an unsubscribe link allowing easy withdrawal of this consent.
- Mainder client network: share the profile with other clients in the Mainder network for the purposes of selection processes compatible with the candidate's profile. This sharing is limited to Mainder clients contractually bound under Art. 28 GDPR; data will not be transferred or commercialised to third parties outside the Mainder network without a new explicit consent.
These additional purposes are based on explicit consent (Art. 6.1.a GDPR) that is freely given, specific, informed and unambiguous, and are independent of the processing for the selection process the candidate is applying to (which relies on Art. 6.1.b GDPR and does not require separate consent).
The candidate may withdraw this consent at any time, without affecting the lawfulness of the processing carried out up to that moment, by writing to privacy@mainder.ai or via the unsubscribe link included in each email. Withdrawal triggers the deletion of the data from the talent pool, the unsubscription from email communications, and the removal of the profile from the Mainder client network, save where retention is legally required. Mainder will continue to act as Data Processor under the same contractual and security conditions indicated. The data subject retains all their rights, which may be exercised before the Controller or Mainder.