1. Who we are

Onboardly ("we", "us", "our") operates the Onboardly compliance automation platform. For the personal data of candidates and referees processed through the platform, our customers (the recruitment agencies and employers who use Onboardly) are the data controllers and Onboardly acts as their data processor. For account and billing data relating to our customers themselves, Onboardly is the controller.

If you have any questions about this policy or how your data is handled, contact us using the details at the end of this page.

2. Information we collect

Depending on how Onboardly is used, we may process the following categories of personal data:

• Account data — recruiter name, work email, organisation, and authentication details.
• Candidate data — name, contact details (including WhatsApp number), and the compliance documents you collect, such as passports, Right to Work evidence, DBS certificates, professional registrations, and training certificates.
• Reference data — referee names, email addresses, organisations, and the content of their responses.
• Communications — WhatsApp messages, emails, and uploads exchanged through the platform.
• Usage data — log data, device and browser information, and analytics about how the dashboard is used.

3. How we use your information

We use personal data to provide and operate the compliance workflow, specifically to:

• Collect, request, and track compliance documents from candidates via WhatsApp.
• Validate documents using AI and OCR and flag items for manual review.
• Request, validate, and chase employment references.
• Generate compliance packs and maintain an audit trail of actions taken.
• Provide support, secure the service, and improve our product.

4. Legal bases for processing

Where UK/EU data protection law applies, we and our customers rely on one or more of the following legal bases: performance of a contract; legitimate interests (operating and improving the service and meeting compliance obligations); consent (for example, a candidate consenting before any documents are collected, and separate explicit consent for DBS checks); and compliance with a legal obligation. Special category and criminal-records data (such as DBS information) is processed under the additional conditions required by law.

5. WhatsApp and third-party processors

Onboardly relies on trusted sub-processors to deliver the service. Each is bound by data protection obligations and processes data only on documented instructions:

• Twilio — WhatsApp messaging delivery.
• Supabase — application database and authentication.
• Amazon Web Services (S3) — encrypted document storage.
• OpenAI and Mindee — AI and OCR document validation.
• Resend — transactional and reference emails.
• Vercel — application hosting.

6. Sharing and disclosure

We do not sell personal data. We share it only with the sub-processors listed above, with the customer who controls the relevant candidate or referee data, and where required to comply with the law, enforce our terms, or protect the rights and safety of users.

7. International transfers

Some of our sub-processors may process data outside the UK or EEA. Where this happens, we rely on appropriate safeguards such as adequacy decisions or standard contractual clauses to protect the data.

8. Data retention

We retain personal data for as long as needed to provide the service and to meet our customers' compliance and legal obligations, after which it is deleted or anonymised. Customers can request deletion of candidate data they control, subject to any overriding legal retention requirements.

9. Security

We use technical and organisational measures appropriate to the sensitivity of the data, including encryption in transit and at rest, access controls, and audit logging. No system is perfectly secure, but we work to protect your data and to respond promptly to any incident.

10. Your rights

Subject to applicable law, individuals have rights over their personal data, including the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request erasure of your data.
• Object to or restrict certain processing.
• Request portability of data you provided.
• Withdraw consent at any time where processing is based on consent.

11. Cookies

Onboardly uses cookies and similar technologies that are strictly necessary to operate the dashboard (such as keeping you signed in) and, where applicable, to understand and improve usage. You can control non-essential cookies through your browser settings.

12. Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the date at the top of this page and, where appropriate, notify you.

13. Contact us

If you have questions about this policy or wish to exercise your rights, please contact us using the email address in the site footer. Candidates and referees should contact the recruitment agency or employer who is collecting their information in the first instance.