Qode is an AI-powered recruitment platform that helps organisations source candidates, retrieve contact information, screen and evaluate applicants, schedule interviews, and manage private talent pools, including through Tracy, our AI recruiting assistant. We are committed to protecting personal data and to processing it lawfully, fairly and transparently.
This Privacy Policy explains how Olik Pte Ltd, Company Registration Number: 202103692E (“Qode”, “we”, “us”) collects, uses, discloses, transfers and protects personal data when you use our websites, applications and services (the “Services”).
We design and operate the Services in compliance with applicable data protection, privacy and artificial intelligence laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the EU Artificial Intelligence Act, Vietnam’s Law on Personal Data Protection and Decree 13/2023/ND-CP, Vietnam’s Law on Artificial Intelligence, and Singapore’s Personal Data Protection Act. Our information security programme is independently examined against the AICPA SOC 2 Type II standard.
Our role depends on the context:
This Policy covers: (a) Users as individuals who create accounts or use the Services on behalf of a customer; (b) Candidates as individuals whose professional profiles appear in, or are processed through, the Services; (c) Website visitors; and (d) Business contacts of prospective and existing customers and vendors.
Where our customer is the controller of candidate data, the customer’s privacy notice applies in addition to this Policy, and candidates should direct requests concerning that data to the relevant customer; we will assist the customer in responding as required by law and our Data Processing Agreement.
| Category | Examples |
|---|---|
| Identity and contact data | Name, email address, phone number, employer, job title, postal address, professional profile links. |
| Candidate professional data | CVs/resumes, work history, portfolio links, publicly available professional profile information, interview availability, assessment and screening outputs. |
| Account and transaction data | Login credentials, subscription and billing details, support requests, communication history. |
| Usage and device data | Search queries, scheduling activity, talent-pool management actions, log data, IP address, browser and device identifiers, approximate location derived from IP, cookie data. |
| AI interaction data | Inputs and outputs exchanged with Tracy and other AI features, and related logs kept for quality, safety and audit purposes. |
The Services are not designed to collect sensitive or special category data (e.g. health, racial or ethnic origin, religious beliefs, trade union membership). We instruct customers not to upload such data unless they have a lawful basis. Where sensitive personal data is nonetheless processed, we apply the heightened protections required by applicable law, including specific notification to the data subject where required.
We process personal data on the legal bases recognised by applicable law, including your consent, performance of a contract, compliance with legal obligations, and our legitimate interests (balanced against your rights, with the ability to object). For individuals in Vietnam, we rely primarily on your consent unless another statutory ground applies.
| Purpose | Data categories and basis |
|---|---|
| Providing the Services: candidate search, contact retrieval, screening, interview scheduling, talent-pool management | Identity, candidate professional, account and AI interaction data - contract performance; legitimate interests for sourced candidate data, subject to balancing and your right to object. |
| Operating and improving AI features, including Tracy | Usage, AI interaction and candidate professional data - legitimate interests; consent where required. |
| Communications: service updates, notifications, responses to enquiries | Identity and account data - contract performance; legitimate interests. |
| Marketing (with opt-in / opt-out as required by local law) | Identity and usage data - consent; legitimate interests for business contacts where permitted. |
| Security, fraud prevention, abuse detection, audit logging | Usage, device and account data - legitimate interests; legal obligation. |
| Compliance with law, regulators and courts; establishing or defending legal claims | As relevant - legal obligation; legitimate interests. |
| Analytics and product improvement | Usage and device data (aggregated or pseudonymised where possible) - legitimate interests; consent for non-essential cookies. |
We do not sell personal data, and we do not process personal data for purposes incompatible with those described above without informing you and, where required, obtaining your consent.
Tracy is an artificial intelligence system. Whenever you interact with Tracy or another automated conversational feature, we identify it clearly as AI. AI-generated content produced through the Services (e.g. synthesised outreach messages or summaries) is marked or labelled, including in machine-readable form, where the law requires.
We recognise that AI used in recruitment is treated as high-risk under applicable AI laws. We design and operate these features accordingly, including risk management, data governance and quality controls, technical documentation, logging, accuracy and bias testing, and effective human oversight, and we support our customers in meeting their own obligations as deployers of these features.
Qode’s AI features are decision-support tools. The Services do not make final hiring, rejection or other decisions producing legal or similarly significant effects about candidates on a solely automated basis. Recruiters and hiring managers review and remain responsible for outcomes. Where a customer configures processing that involves automated decision-making with significant effects, the customer is responsible for ensuring a lawful basis, meaningful human involvement and the safeguards required by law, and Qode provides the contractual and technical means to do so.
We do not sell or rent personal data, and we do not share it with third parties for their own direct marketing.
We may transfer personal data to countries other than the one in which you are located, including, but not limited to, Singapore, the United States, Vietnam and Indonesia. Where we do, we apply the safeguards required by the law of the originating jurisdiction, such as adequacy decisions, approved standard contractual clauses or equivalent transfer mechanisms, transfer impact assessments, regulatory filings or notifications where required, and supplementary technical measures such as encryption in transit and at rest and strict access controls. You may request a copy of the relevant safeguards (redacted where necessary) via the contacts in Section 1.3.
We retain personal data only as long as necessary for the purposes described in this Policy, after which it is deleted or irreversibly anonymised. Indicative periods:
| Data | Indicative retention |
|---|---|
| Account data | Life of the account + 90 days after closure, except as needed for legal claims or statutory record-keeping. |
| Customer-managed candidate data (Qode as processor) | Per customer instructions and the Data Processing Agreement; deleted or returned on termination within 60 days. |
| Sourced candidate profiles (Qode as controller) | Reviewed and refreshed quarterly; deleted on objection/erasure request or when no longer accurate or necessary. |
| AI interaction logs | 12 months, for security, quality and audit purposes. |
| Billing and tax records | As required by applicable tax and accounting law. |
| Security logs | 12 months. |
Where applicable law sets shorter deadlines, we honour them: in particular, when individuals in Vietnam withdraw consent or validly request deletion, we action the request within 72 hours of receipt, subject to statutory exceptions.
We maintain a written information security programme aligned with the AICPA Trust Services Criteria. Qode undergoes an independent SOC 2 Type II examination covering the Security, Availability and Confidentiality criteria over a rolling audit period; the resulting report is available to customers under NDA. Our measures include:
We maintain a documented incident response plan. Where a personal data breach occurs, we will notify the competent regulators and, where required, affected individuals without undue delay and within the timeframes required by applicable law (in most of our jurisdictions, within 72 hours of becoming aware of the breach), and we will notify affected customers without undue delay so they can meet their own obligations.
Subject to the conditions and exemptions in applicable law, you have the right to:
Submit requests to privacy@qode.world. We may need to verify your identity. We respond within the timeframes set by applicable law generally within one month, and within shorter statutory deadlines where they apply.
Where we rely on consent, consent is obtained through a clear affirmative act, is specific to each purpose, and is recorded in a form that can be printed or reproduced. Silence or inactivity does not constitute consent. You may withdraw consent at any time via your account settings or by contacting us; withdrawal does not affect the lawfulness of processing before withdrawal. Upon withdrawal, we will cease the relevant processing and confirm within the timeframe required by applicable law.
We use strictly necessary cookies to operate the Services and, with your consent where required, analytics and functional cookies. You can manage preferences through our cookie banner and your browser settings.
The Services are intended for professional use and are not directed at children. We do not knowingly process personal data of anyone under 16 (or the higher age set by applicable law). Where local law requires, processing of a child’s personal data is carried out only with the consent of a parent or guardian. If you believe we hold a child’s data, contact us and we will delete it.
We prohibit the use of any automated system or software (including bots, crawlers and scrapers) to extract data from the Services. This protects the personal data within the Services against unauthorised access and disclosure. Violations may result in suspension, termination and legal action.
We may update this Policy from time to time. We will post the updated version on this page with a revised “Last updated” date and, for material changes, provide reasonable advance notice (e.g. by email or in-product notice) and, where required by law, seek renewed consent.