Privacy Policy
This Privacy Policy explains how Legatum Group Limited ("we", "us", "Legatum") collects, uses, and protects personal data in connection with the VaultHire platform ("VaultHire", "the Service", "the platform").
We are committed to protecting your privacy and handling your data transparently. This policy is written in plain English and explains what we do, why, and what your rights are.
If you have any questions about this policy, please contact us at privacy@legatumgroup.uk.
1. Who we are
- Data controller: Legatum Group Limited
- Company number: [PENDING — TO BE INSERTED ON PUBLICATION]
- Registered office: [REGISTERED ADDRESS TO BE INSERTED]
- ICO registration: [REGISTRATION NUMBER TO BE INSERTED]
- Privacy contact: privacy@legatumgroup.uk
- Data Protection Lead: Stephen Brauner
VaultHire is a recruitment intelligence platform operated by Legatum Group Limited, a company registered in England and Wales.
2. What data we process
We process the following categories of personal data:
Account holders (our customers)
Information you provide when you sign up and use VaultHire:
- Name and email address
- Password (stored hashed, never in plain text)
- Company name and country
- Subscription plan and billing information (payment cards processed by Stripe — we never see or store full card details)
- Communications you send us (support enquiries, feedback)
- Usage data (which features you use, search queries, login times)
Hiring manager contact data (third-party business contacts)
VaultHire surfaces business contact information for hiring decision-makers at companies posting public job vacancies. This may include:
- Full name
- Job title
- Business email address
- Business phone number
- LinkedIn URL
- Employer (current company)
This data is sourced from third-party providers (see Section 9: Sub-processors) who collect it under their own legal bases. We aggregate and present it to our customers for the legitimate purpose of B2B recruitment outreach.
Technical data
When you use the platform we automatically collect:
- IP address
- Browser type and version
- Device information (browser-derived fingerprint, used only for trial-abuse prevention)
- Pages visited and actions taken within the platform
- Cookies (see our Cookie Policy)
3. Lawful basis for processing
We process personal data under the following lawful bases under UK GDPR Article 6:
For account holders
- Performance of a contract (Article 6(1)(b)) — to provide the Service you have signed up for
- Legitimate interests (Article 6(1)(f)) — for service improvement, fraud prevention, and security
- Legal obligation (Article 6(1)(c)) — for tax, accounting, and regulatory compliance
- Consent (Article 6(1)(a)) — where you opt in to marketing communications
For hiring manager contact data
- Legitimate interests (Article 6(1)(f)) — for the legitimate purpose of facilitating B2B business communications between recruiters and hiring decision-makers in the course of business
We have completed a Legitimate Interests Assessment ("LIA") for hiring manager data which is reviewed annually. A summary is available on request to privacy@legatumgroup.uk. The LIA balances our customers' legitimate interest in identifying hiring contacts against the rights and reasonable expectations of those data subjects, who have made their professional information publicly available in a business context.
Every outreach communication facilitated through VaultHire includes a clear opt-out mechanism. Once a hiring manager opts out via that mechanism, their data is suppressed across our platform.
4. How we use your data
Account holder data
- To provide and operate VaultHire
- To process payments and manage subscriptions
- To send service emails (account verification, billing, security notifications)
- To respond to your questions and provide customer support
- To improve the platform and develop new features
- To detect and prevent fraud or abuse
- To comply with our legal obligations
- With your consent, to send product updates and marketing emails
Hiring manager contact data
- To present search results to our customers
- To facilitate B2B outreach by our customers
- To honour opt-out requests
- To maintain data accuracy (we refresh records and remove stale data)
We do not sell personal data. We do not use personal data for automated decision-making that produces legal or similarly significant effects.
5. Who we share data with
We share personal data only with:
Sub-processors
Service providers that help us operate VaultHire. We have contractual data protection agreements with all sub-processors. The current list is published at /legal/sub-processors and is updated when changed. Customers are notified in writing 30 days before any new sub-processor is added.
Legal and regulatory bodies
Where required by law, court order, or to protect our legal rights or the safety of others.
Business transfers
If Legatum Group Limited is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
We do not share your personal data with third parties for their own marketing purposes.
6. International transfers
We host VaultHire infrastructure in the UK and EU. All production data is stored within the UK or EU.
Some of our sub-processors are based outside the UK/EU (see Section 9). Where personal data is transferred to these jurisdictions, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.
The processing location for stateless compute (e.g. Cloudflare Workers serving page requests) may be at the edge nearest the user globally. UK GDPR governs where data is stored and transferred, not the execution location of stateless compute. All data storage remains within the UK/EU.
7. How long we keep data
| Data category | Retention period |
|---|---|
| Account information | Duration of subscription + 90 days |
| Hiring manager contact data | Refreshed every 6 months; stale records purged |
| Search history and usage logs | 24 months rolling |
| Billing records | 7 years (HMRC requirement) |
| Customer support communications | 24 months |
| Marketing email lists | Until consent is withdrawn |
When data reaches the end of its retention period, we delete it or fully anonymise it.
8. Your rights
Under UK GDPR you have the following rights:
- Right of access — to see what personal data we hold about you
- Right to rectification — to have inaccurate data corrected
- Right to erasure ("right to be forgotten") — to have your data deleted
- Right to restriction — to limit how we use your data
- Right to data portability — to receive your data in a structured format
- Right to object — to object to processing based on legitimate interests
- Right to withdraw consent — where consent is the lawful basis
- Right to lodge a complaint — with the Information Commissioner's Office
To exercise any of these rights, email privacy@legatumgroup.uk. We will respond within 30 days as required by UK GDPR. There is no charge for these requests in most circumstances.
If you are not satisfied with our response, you can complain to the ICO at https://ico.org.uk or by phone on 0303 123 1113.
9. Sub-processors
The current list of sub-processors used by VaultHire is published at /legal/sub-processors. At the date of this policy, our sub-processors include:
- Cloudflare (UK/EU regions) — hosting, content delivery, edge compute
- Stripe (UK/EU regions) — payment processing
- Resend — transactional email delivery
- Anthropic — AI inference for query expansion and content drafting
- Apollo, Lusha, ContactOut — third-party contact data providers
- Companies House (UK Government) — public company data
Each sub-processor has its own privacy policy and processes data under contractual data protection agreements with us.
10. Cookies
We use cookies and similar technologies. Full details are in our Cookie Policy.
11. Security
We take security seriously. Measures we have in place include:
- Encryption of all data in transit (TLS 1.3)
- Encryption of data at rest (AES-256)
- Role-based access control with least-privilege principles
- Multi-factor authentication for administrative access
- Daily automated backups in a separate region with 30-day retention
- Documented incident response plan with a 72-hour ICO notification commitment for any breach involving personal data
- Regular security review and audit
While we use industry-standard measures, no system is 100% secure. We will notify you and the ICO promptly of any data breach affecting your personal data, in accordance with UK GDPR.
12. Use of artificial intelligence
VaultHire uses AI to help recruiters work faster. We believe in being transparent about where AI is involved, what it does, and where it does not.
Where we use AI
- Search expansion — when you search for a role, we use a large language model (Anthropic's Claude) to suggest related job titles and refine the search. This helps surface roles that don't exactly match your search wording.
- Hiring manager identification — for each role you view, we use AI to help reason about which job titles in a company are likely to belong to the actual line manager (e.g. an "Engineering Manager" for a software developer vacancy, rather than the CFO). This is a contextual judgement we then test against contact data we already hold.
- Outreach drafting — if you choose to draft an outreach email, AI can produce a first draft based on your inputs. You always review, edit, and decide whether to send.
Where we do NOT use AI
We do not use AI to:
- Make automated decisions about candidates
- Score, rank, screen, or evaluate job applicants
- Make decisions that produce legal effects or similarly significant effects on any data subject
- Process special-category personal data (e.g. health, ethnicity, religion)
- Operate without human review of any output sent externally
Our position under the EU AI Act
VaultHire is provided to professional recruiters and sales operators who use it as one tool among many. Every output produced by AI in our platform is reviewed by a human (the recruiter using VaultHire) before any external action is taken. No automated decisions affecting candidates, employees, or any data subject are made by our system.
On this basis, we have classified VaultHire as out of scope of the high-risk AI categories listed in Annex III of the EU Artificial Intelligence Act. Specifically, VaultHire is not used to filter job applications, evaluate candidates, place targeted job adverts, or make employment decisions. Our customers are recruitment professionals; the candidates they ultimately approach are surfaced through the customer's own judgement, not through automated scoring by our system.
We meet the transparency obligations of Article 50 by disclosing where AI is used in our platform (this section), labelling AI-generated content where required, and ensuring our team and customers maintain appropriate AI literacy as required by Article 4.
We monitor regulatory guidance and will update our position if our understanding of the regulation, or our use of AI in the platform, materially changes. A more detailed risk classification rationale is available to enterprise customers and procurement teams on request to security@legatumgroup.uk.
13. Children
VaultHire is a B2B platform for professional use only. We do not knowingly collect data from anyone under 18.
14. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top will reflect any changes. For material changes, we will notify you by email or through a notice in the platform.
15. Contact us
For any privacy-related question or to exercise your rights, contact us at:
- Email: privacy@legatumgroup.uk
- Postal: Legatum Group Limited, [Registered Office Address]
For all other enquiries: hello@legatumgroup.uk