Candidate Privacy & Consent
How Kit handles candidate data consent on job application and talent pool forms, and how to customize the consent language for your organization.
Why It Matters
When candidates submit applications or join your talent pool, they share personal data — names, email addresses, resumes, and more. Privacy regulations like GDPR, CCPA, and UK GDPR require that you inform candidates about how their data will be used and, in some cases, obtain explicit consent before storing it.
Kit includes built-in consent language on both your job application forms and talent pool sign-up forms, so you’re covered from day one.
How It Works
Job Applications
Every job application form displays a brief disclosure near the submit button. This text informs candidates that their data will be processed for evaluating their candidacy and that resumes may be parsed using AI-assisted tools. No checkbox is required — the disclosure is informational, based on GDPR Article 6(1)(b) (pre-contractual measures).
Talent Pool
The talent pool form includes a required consent checkbox that candidates must check before submitting. Since talent pool data is stored speculatively for future opportunities, explicit consent is required under GDPR Article 6(1)(a). The default text tells candidates how long their data will be retained and how to withdraw consent.
What Gets Recorded
When a candidate submits either form, Kit records:
- When they consented (timestamp)
- What they consented to (the exact text shown at the time)
- Where they submitted from (IP address, encrypted)
This creates an immutable audit trail. If you later change your consent text, existing records still reflect exactly what each candidate agreed to.
Consent Expiration & Renewal (Talent Pool)
Talent pool consent doesn’t last forever. Because talent pool data is stored speculatively, GDPR requires that consent be refreshed periodically. Kit handles this automatically:
- Consent expires after the retention period you set in Hiring Settings (default 24 months)
- Renewal email — Kit sends a renewal request 30 days before expiration
- Reminder email — If the candidate hasn’t responded, a reminder goes out 7 days before expiration
- Auto-anonymization — If no action is taken within 7 days after expiration, the entry is automatically anonymized
Both emails contain a link where the candidate can either renew their consent (resetting the clock) or request that their data be removed immediately.
Data Anonymization
When consent expires without renewal, Kit anonymizes the talent pool entry. Here’s what happens:
| Data | What happens |
|---|---|
| Email | Replaced with a placeholder email address |
| LinkedIn URL | Cleared |
| Resume | Purged (file deleted) |
| Notes | Deleted |
| Extraction data | Removed (skills, work history, education) |
Anonymized entries remain in the system as placeholder records but contain no personally identifiable information (PII).
For applications: Rejected or withdrawn applications are anonymized after the retention period. Hired candidates are exempt from automatic anonymization. A candidate record is fully anonymized only when all of their applications and talent pool entries have been processed.
What Admins See
Each talent pool entry’s detail page shows a consent status badge:
| Badge | Meaning |
|---|---|
| Valid | Consent is current and the entry is active |
| Expiring Soon | Consent expires within 30 days — a renewal email has been sent |
| Expired | Consent has expired — awaiting the grace period before anonymization |
| Anonymized | Data has been anonymized — no PII remains |
| Not recorded | No consent record exists (e.g. legacy data or bulk-uploaded entries) |
The expiration date is shown alongside the badge so admins can see at a glance when renewal is due.
Customizing Consent Text
You can tailor the consent language to match your organization’s privacy policy and branding.
- Go to Hiring > Settings
- Scroll to the Privacy & Consent section
- Update any of these fields:
| Field | Description |
|---|---|
| Privacy Policy URL | Link to your organization’s privacy notice. When set, a “Privacy notice” link appears in the consent text. |
| Talent Pool Retention | How many months talent pool data is retained (1-60, default 24). Shown in the consent text. |
| Application Disclosure Text | Custom text shown on job application forms. Leave blank for the default. |
| Talent Pool Consent Text | Custom text shown on the talent pool checkbox. Leave blank for the default. |
Using Variables
Both text fields support Liquid template variables:
- {{ company_name }} — Your account name
- {{ privacy_policy_url }} — The privacy policy URL you configured
- {{ retention_months }} — The retention period in months
You can also use Liquid conditionals. For example, the default text uses {% if privacy_policy_url %} to show the privacy link only when a URL is configured.
Quick Checklist
- Add your privacy policy URL in Hiring Settings
- Set an appropriate retention period for talent pool data
- Review the default consent text — customize if your legal team requires specific language
- Verify the consent text appears on your career portal by viewing a job posting and the talent pool form
- Understand that Kit automatically handles consent expiration — no manual action needed
- Monitor the consent status badges on talent pool entries