Logo

Privacy Policy & Terms of Service

This page explains how P&P Consultancy handles personal data and provides the terms for using our public features, including CV uploads, bookings, and contract signing in the P&P Nexuss Software.

1. Who we are and scope

P&P Consultancy ("we", "our") provides recruitment and HR software. This policy covers our public-facing features used by candidates and recruiters: (a) CV upload portals, (b) booking pages, and (c) contract signing flows. For employer-customized processing, the employer (recruiter organization) is typically the data controller and P&P acts as processor.

2. Legal basis (GDPR & Belgian law)

  • Recruitment processing: legitimate interest of the recruiter and/or steps prior to entering a contract (GDPR Art. 6(1)(f) / 6(1)(b)).
  • Bookings and notifications: performance of a contract or legitimate interest (GDPR Art. 6(1)(b)/(f)).
  • Contract signing: performance of a contract and legal obligation for record-keeping (GDPR Art. 6(1)(b)/(c)); eIDAS-aligned evidence.
  • Consent: where required (e.g., specific marketing or optional features), we request explicit consent (GDPR Art. 6(1)(a)).

3. Data we process

  • CV uploads: the file you provide, filename, type, size, upload timestamp, and technical logs for security.
  • Booking data: candidate name and email (and optional notes), recruiter identity, selected time slot, and meeting metadata (IDs, links).
  • Contract signing: full name, email, signature image/coordinates, IP address, timestamps, document hash and audit trail.
  • Technical data: device/browser info, basic telemetry and logs strictly for security, abuse prevention, and reliability.

4. Google Calendar scopes and why we use them

We integrate with Google Calendar so candidates can book meetings with recruiters without back-and-forth emails. We request the minimum necessary scopes to read availability and create events:

  • https://www.googleapis.com/auth/calendar.readonly - to check free/busy availability using the FreeBusy API.
  • https://www.googleapis.com/auth/calendar.events - to create and manage the booked meeting in the recruiter’s calendar.

How we use these scopes: we read only the time ranges necessary to compute free slots, then show available options to the candidate. When the candidate selects a slot, we create the calendar event for both parties and include a Google Meet link. Both receive an email with the details. We do not access email content, contacts, or any unrelated Google data. We do not sell or share Google data for ads.

Security: recruiters authenticate via Google OAuth; we never receive their password. OAuth tokens are stored encrypted at rest, scoped to the recruiter’s workspace, and can be revoked at any time from the Google Account security page. Access is strictly role-based; administrators cannot see or use a recruiter’s credentials. For this feature, recruiters must enable two-factor authentication (2FA) for extra account security.

Compliance: we adhere to the Google API Services User Data Policy, including the Limited Use requirements. We only use Google data to provide the booking functionality requested by the recruiter and candidate.

5. How booking works

  • We read free/busy time windows from the recruiter’s calendar to compute available time slots.
  • The candidate picks a slot; we create a calendar event for both parties with a Google Meet link.
  • We may store event IDs and minimal metadata to allow rescheduling/cancellation. We do not store full calendar contents.
  • Notification emails are sent to participants and may include the meeting link, time, and title.

6. Contract signing

  • We collect your full name, email, signature, IP address, timestamps, and a document hash/audit trail.
  • Purpose: to execute the agreement, provide evidence of consent, and comply with applicable legal retention duties.
  • We provide downloadable copies and keep an audit log for evidentiary purposes in line with EU/eIDAS principles.

7. Retention

  • CV uploads: retained for a maximum of 180 days unless contractually agreed otherwise or required by law.
  • Booking metadata: typically retained up to 24 months to support audit and support needs.
  • Contract signing records: retained for the contract term and applicable statutory periods (often up to 10 years).
  • Security logs: retained for up to 12 months unless a longer period is needed to investigate abuse.

8. Security measures

  • Encryption in transit (TLS) and at rest for sensitive data, including OAuth tokens.
  • Mandatory 2FA for recruiters using calendar integrations; strict role-based access controls and least-privilege principles.
  • Segregation of customer data by workspace; continuous monitoring and audit logging.

9. International transfers

Where data is transferred outside the EEA, we rely on appropriate safeguards such as EU Standard Contractual Clauses and provider commitments. We prefer EU data residency options where available.

10. Sharing and sub-processors

We may share data with trusted sub-processors strictly to provide our services (e.g., cloud hosting, email delivery, observability). Google acts as an independent controller for your Google Account data you authorize. We sign Data Processing Agreements where required. We never sell personal data.

11. Your rights

  • Access, rectification, erasure, restriction, portability, and objection (GDPR Arts. 15-21).
  • Withdraw consent at any time where processing is based on consent.
  • Revoke Google access from your Google Account security settings at any time.
  • Lodge a complaint with the Belgian Data Protection Authority (GBA/APD).

12. Cookies

Public pages use essential cookies only, where needed for security and session integrity. No marketing cookies are used on public flows.

13. Terms of Service

  • You will only upload or enter information you are permitted to share and that does not contain malicious content.
  • You will not misuse the services (e.g., spam, security testing without authorization, or rights violations).
  • Availability: we strive for high uptime but provide services on an "as is" and "as available" basis.
  • Liability: to the maximum extent permitted by Belgian law, we exclude indirect/consequential damages and cap direct damages to fees paid for the relevant service period.
  • Governing law: Belgian law applies; competent courts in Belgium have jurisdiction.

14. Role clarity

  • Recruiters: you are the controller for candidate data you collect. You must enable 2FA, manage authorized users, and configure retention in line with your policies.
  • Candidates: you can request deletion of your CV or booking data via the recruiter who invited you or by contacting us directly.
  • Credentials: admins cannot access recruiter credentials; OAuth tokens are encrypted and restricted to scoped actions only.

15. No sale or third‑party advertising

We do not sell, rent, or license your personal data to third parties. We do not permit third‑party advertising technologies to use your data for cross‑context behavioral advertising. Sub‑processing occurs only under written agreements that limit use to providing the contracted services to us, with appropriate confidentiality and security commitments.

16. Marketing & social media use

We will never use your CV, booking details, contract content, or brand assets for testimonials, case studies, social media posts, or other promotional purposes without prior written consent or a signed contract explicitly authorizing such use. Any consent can be withdrawn at any time, and we will cease further use except where retention is required by law (e.g., evidentiary archives of published materials).

17. Purpose limitation & data minimization

We collect and process only what is necessary to provide the features you use and to maintain security and reliability. We do not repurpose data for materially different objectives without a compatible legal basis and, where needed, renewed notice or consent.

18. Automated decision‑making

We do not engage in solely automated decision‑making that produces legal or similarly significant effects about you within the meaning of GDPR Article 22. If such features are introduced, we will provide clear notice and the safeguards required by law.

19. Government & law‑enforcement requests

We only disclose data when legally required to do so, after assessing the scope and validity of the request. Where permitted by law, we will notify the relevant customer or individual prior to disclosure to allow them to seek protection.

20. Security incidents & breach notification

We maintain an incident response program. In the event of a personal‑data breach, we assess risk and notify affected controllers and, where applicable, supervisory authorities and individuals in accordance with GDPR Articles 33–34 and Belgian law.

21. Children’s data

Our services are not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us data, please contact us so we can take appropriate action.

22. How to exercise your rights

You can exercise your rights by contacting the recruiter (controller) or P&P. We respond to valid requests within one month (extendable by two months for complex requests). We may request reasonable information to verify identity before acting on a request.

23. Changes to this notice

We may update this Privacy Policy & Terms from time to time. Material changes will be posted on this page with an updated effective date, and we will provide additional notice where required by law.

24. Data Processing Agreement (DPA)

Where P&P acts as a processor for a recruiter (controller), our processing is governed by a Data Processing Agreement. You can review our standard terms here: Data Processing Agreement (DPA). If you require a signed copy, please contact us. Our list of sub‑processors is available here: Sub‑processor list. For international transfers, we incorporate the EU Standard Contractual Clauses where applicable.

25. Contact

For privacy requests or questions, contact your recruiter or reach us at: [email protected] .We will respond in accordance with GDPR timelines.

Effective date: 2025-01-01. We may update this document; material changes will be communicated on this page.

P&P Consultancy

Phone:+32 496 26 30 25

Email:[email protected]

VAT:BE1033.210.247

Address:Elegemstraat 1, 1700 Dilbeek

PRIVACY POLICYCOOKIE POLICY

© 2026 P&P Consultancy

Made by Xander Wauters

  • LinkedIn
  • Instagram

We use cookies.

We use cookies to ensure that we give you the best experience on our website.
Read cookies policy