EREWHON (“Company”, “we”, or “us”) values the trust you place in us when you give us
access to your personal data. We respect the privacy rights of individuals and are committed to
handling personal information responsibly and in accordance with applicable laws.
The Company is a “data controller” of your personal data (for the purpose of the General Data
Protection Regulation (“GDPR”) and is responsible for the lawfulness of what we do with your
information where you apply to a job opening posted directly by us. Where you apply to a job
opening for our Company through the application process of another source, such as a job board,
that source may collect and retain your personal information as part of the application process.
Any use of your personal information by another source shall be in accordance with that source’s
We use Applicant Tracking Software, branded as ModernHR, an online applicant tracking
tool, as a “data processor” to process personal information on our behalf. Applicant Tracking
Software is only entitled to process your personal data in accordance with our instructions.
Data Protection Principles
Your data will be:
- Used lawfully, fairly and in a transparent way.
Collected only for valid purposes that we have clearly explained to you and not used in any way
that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
Security Technology and Practices
We always transmit and store personal information securely. This prevents potential hackers from
“tapping” a data conversation. The data security standards we have in place include auditing,
logging, backups, and safe-guarding data. Our servers are housed in datacenters that are ISO27001
certified, the highest and most current standard for managing systems and data securely. All
datacenter facilities are protected by professional security staff utilizing video surveillance,
intrusion detection systems and other electronic means. Authorized staff must pass two-factor
authentication a minimum of two times to access data center floors. We are SOC 2 compliant and
audited annually by a third party CPA firm.
No method of transmission over the Internet, or method of electronic storage, is 100% secure,
however. Therefore, we cannot guarantee its absolute security. If you have any questions about
security on our website, you can contact us at
Your personal data will be deleted upon receipt of a written request by you to us.
What information do we collect as part of the application process?
We may collect and process some or all of the following types of information from you when you
apply for one of our positions:
- Name and other personal information such as gender, date and place of birth;
- Contact information, such as address, telephone number, and e-mail address;
Employment history (including current and/or previous employers, job titles, or positions) and
Other academic, professional, training and salary-related information, such as academic degrees
and professional qualifications;
Your CV/résumé (which may include details of any memberships or interests constituting Sensitive
Personal Information (as that term is defined herein));
National identifiers such as nationality/ies, national IDs/passport, social security/ insurance
numbers, immigration information, and visa status;
Information relating to previous applications you have made to our Company and/or any previous
employment history with our Company;
- A record of your progress through any hiring process we may conduct;
- If you contact us, we may keep a record of that correspondence;
- Your video interview if one was performed; and
Any other information you voluntarily provide throughout the process, including information
provided during an interview or as part of an assessment.
Sensitive Personal Information
As a general rule, during the recruitment process, we try not to collect or process any
“Sensitive Personal Information” unless authorized by law or where necessary to comply with
applicable laws. Sensitive Personal Information includes the following: information that reveals
your racial or ethnic origin, religious, political, or philosophical beliefs, or trade union
membership; genetic data; biometric data for the purposes of unique identification; or
information concerning your health, sex life, or sexual orientation.
However, in some circumstances, we may need to collect, or request on a voluntary disclosure
basis, some Sensitive Personal Information for legitimate recruiting-related purposes. For
example, information about your racial/ethnic origin, gender and disabilities may be collected
for the purposes of equal opportunities monitoring, to comply with anti-discrimination laws and
for government reporting obligations. Any reports prepared for this purpose would not contain
personal information, i.e., the information would be aggregated and anonymized. Furthermore,
information about your physical or mental condition may be collected in order to consider
accommodations we need to make for the recruitment process and/or subsequent job role.
You may provide, on a voluntary basis, other Sensitive Personal Information during the
Information we may collect from other sources (in each case where permissible and in
accordance with applicable law):
- References provided by referees;
Other background information provided or confirmed by academic institutions and training or
- Criminal records data obtained through criminal records checks;
Information provided by background checking agencies and other external database holders (for
example credit reference agencies and professional / other sanctions registries);
- Information provided by recruiting or executive search agencies; and
Information collected from publicly available sources, including any social media platforms you
use or other information available online.
If you fail to provide personal data when requested, which is necessary for us to consider your
application (such as evidence of qualifications or work history), we may not be able to process
your application further. For example, if we require references for this role and you fail to
provide us with relevant details, we will not be able to take your application further.
What other information do we collect?
Social Media Widgets
Our website includes Social Media Features, such as the Facebook and Twitter buttons or
interactive mini-programs that run on our site. These Features may collect your IP address,
which page you are visiting on our site, and may set a cookie to enable the Feature to function
properly. Social Media Features and Widgets are either hosted by a third party or hosted
of the company providing it.
Purposes for processing personal information
We collect this personal information to be used primarily for recruiting purposes – in
particular, to determine your qualifications for employment and to make a hiring decision. This
includes assessing your skills, qualifications and background for a particular role, verifying
your information, carrying out reference and / or background checks (where applicable) and
generally managing the hiring process and communicating with you about it.
If you are accepted for a role at our Company, the information collected during the recruiting
process will be processed in accordance with applicable law, including any Employee Privacy
Notice, a copy of which will be provided when you are on-boarded as an employee if applicable.
If you are not successful, we may still keep your application to allow us to consider you for
other suitable openings with our Company in the future.
Automated Decision Making
We may use Applicant Tracking Software’s technology in order to automatically sort, select, rate,
or filter candidates using criteria specified by us. However, any decision made with respect to
hiring a candidate for one of our positions will be made by our staff.
Disclosures of your personal information and transfers abroad
We take care to allow access to personal information only to those who require such access to
perform their tasks and duties, and to third parties who have a legitimate purpose for accessing
it. Whenever we permit a third party to access personal information, we will implement appropriate
measures to ensure the information is used in a manner consistent with this Notice and that the
security and confidentiality of the information is maintained.
Transfers Within Our Company
Your personal information may be shared with other members of our Company around the world in
order to administer our recruitment processes and store data.
Transfers to Third Party Service Providers
In accordance with applicable law, certain personal information may be made available to third
parties who provide services relating to the recruiting process, including (a) recruiting or
executive search agencies involved in your recruiting; (b) background checking or other
screening providers and relevant local criminal records checking agencies; (c) data storage,
shared services and recruiting platform providers, IT developers and support providers and
providers of hosting services; and (d) third parties who provide support and advice including in
relation to legal, financial / audit, management consultancy, insurance, health and safety,
security and intel and whistleblowing / reporting issues.
Your personal information may also be disclosed to third parties of other lawful grounds,
including: (a) where you have provided your consent; (b) to comply with our legal obligations,
including where necessary to abide by law, regulation or contract, or to respond to a court
order, administrative or judicial process, including, but not limited to, a subpoena, government
audit or search warrant; (c) in response to lawful requests by public authorities (including for
tax, immigration, health and safety, national security or law enforcement purposes); (d) as
necessary to establish, exercise or defend against potential, threatened or actual legal claims;
(e) where necessary to protect your vital interests or those of another person; and/or (f) in
connection with the sale, assignment or other transfer of all or part of our business.
Your personal information may be processed by third parties for the reasons explained in this
Notice, third party vendors, who may be based in countries other than your country of residence.
These countries may have data protection laws that are different, and potentially less
protective, than the laws of your own country. However, our Company will implement measures with
any recipients of your personal information to ensure it remains protected in accordance with
this Notice and applicable data protection laws.
Legal basis for processing your personal information (EEA applicants only)
Under European data protection law, our legal basis for collecting and processing your personal
information will depend on the information concerned and the context in which we collect it.
However, we will normally collect personal information from you only where: (a) the processing is
in our legitimate interests (as summarized above) (and not overridden by your data protection
interests or fundamental rights and freedoms); (b) we need the information to comply with
applicable immigration and/or employment laws and regulations; (c) we need the information to take
steps prior to entering an employment contract with you, where you are considered for employment;
(d) you have made the data public; (e) we have your consent to do so; and (f) we need to protect
the rights and interests of our Company, our employees, applicants and others, as required and
permitted by applicable law.
Where we rely on your consent to collect and process your personal information, you have the right
to withdraw or decline your consent at any time. Please note that withdrawing your consent will
not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it
affect processing of your personal information conducted in reliance on lawful processing grounds
other than consent.
Your rights in connection with personal data
Under certain circumstances, by law you have the right to:
Request access to your personal data (commonly known as a “data subject access request”).
This enables you to receive a copy of the personal data we hold about you and to check that it
is being lawfully processed.
Request correction of the personal data that we hold about you. This enables you to have
any incomplete or inaccurate data we hold about you corrected.
Request erasure of your personal data. This enables you to ask us to delete or remove
personal data where there is no good reason for us continuing to process it. You also have the
right to ask us to delete or remove your personal data where you have exercised your right to
object to processing (see below).
Object to processing of your personal data where we are relying on a legitimate interest
(or those of a third party) and there is something about your particular situation which makes
you want to object to processing on this ground. You also have the right to object where we are
processing your personal data for direct marketing purposes.
Object to decisions being taken by automated means which produce legal effects concerning
you or similarly significantly affecting you.
Request the restriction of processing of your personal data. This enables you to ask us
to suspend the processing of personal data about you, for example if you want us to establish
its accuracy or the reason for processing it.
- Request the transfer of your personal data to another party.
If you would like to exercise any of those rights, please contact us using our Contact information
below, allow us to collect enough information to identify you, and provide us with the information
to which your request relates.
Links to 3rd party sites
Our site includes links to other websites whose privacy practices may differ from those of our
Company. If you submit personal information to any of those sites, your information is governed by
Who to contact
Please address any questions or requests relating to this Notice to
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO),
the UK supervisory authority for data protection issues.