Copyright © 2025 Rena AI

Rena Legal Hub

All of Rena’s legal policies and documents are available below. Here you will find our Privacy Policy, Terms of Service, Cookie Policy, and other key legal information, designed to give you clear guidance on how we operate and safeguard your data.

Privacy Policy

Last Updated: 04 September 2025
Effective Date: 04 September 2025

1. Who We Are

Rena is part of Capital Placement Ltd, a company registered in England and Wales (Company No. 08246863). Registered office: Kemp House, 152–160 City Road, London, England, EC1V 2NX.

We are registered with the Information Commissioner's Office (ICO Registration: ZA208197).

We provide a business‑to‑business applicant tracking and recruitment system and related modules and portals (the Services).

2. How This Policy Works and Our Roles

This Privacy Policy explains how we handle personal data when we act as a controller. This includes data about website visitors, prospective customers, customer representatives and users, and applicants for roles.

When candidate data and other recruitment information are processed within the Rena platform for our customers, we usually act as a processor, and our customers act as the controller. In these cases, our customer's privacy notice applies, and our Data Processing Addendum governs how we process Customer Personal Data on their instructions.

If you are unsure whether we are acting as controller or processor, contact us using the details in section 18.

3. Personal Data We Collect as Controller

Depending on how you interact with us, we may collect:

Business contact and account data: name, work email, job title, company, phone, billing contacts, and postal address.

Service and usage data: usernames, role assignments, sign‑ins, configuration changes, audit events, session information and support interactions.

Technical and device data: IP address, device and browser type, operating system, identifiers, diagnostics, error logs and similar analytics.

Marketing preferences and communications history: subscriptions, event registrations and campaign interactions.

Recruitment data for roles: CV, cover letter, application answers, scheduling information, interview notes and any other information that you provide.

Sources: directly from you or your employer, through your use of our Services, and from publicly available business sources such as company websites or professional networks for B2B outreach.

Special‑Category Data and Children

We do not need or seek special‑category data in our controller capacity. Please do not send us health information, ethnicity data or biometric identifiers.

Our websites and Services are for business use. We do not knowingly collect personal data from children under 16.

4. Personal Data We Process as a Processor for Customers

Our customers control candidate and recruitment data in our platform. They decide what to collect, how long to keep it and with whom to share it. If you applied to one of our customers, please read their privacy notice and contact them first to exercise your rights. We support them as their processor under our Data Processing Addendum.

AI interviews, analysis, and similar services: when enabled by a customer, we process recordings, transcripts and derived summaries strictly on that customer's instructions to provide the feature. We do not perform facial recognition or create biometric identifiers for unique identification. We instruct our AI vendors not to use customer data to train public models where such options are available.

5. How We Use Personal Data as Controller and Our Lawful Bases

We use personal data for:

Providing and administering the Services for your organisation, including account setup, user management, support and troubleshooting. Lawful bases: performance of a contract; our legitimate interests in operating secure Services.

Securing, monitoring and improving the Services, including diagnostics, error logs, analytics, quality assurance, fraud and abuse prevention. Lawful basis: our legitimate interests in security, quality and service improvement.

Billing and finance, including invoicing, payments, accounting and tax. Lawful bases: performance of a contract; legal obligations.

Service communications, such as important updates, maintenance and security notices. Lawful bases: performance of a contract and/or our legitimate interests.

Marketing to business contacts, including product updates, events and surveys. Lawful bases: consent where required by PECR; otherwise, our legitimate interests in B2B marketing. You can opt out at any time.

Recruiting for roles. Lawful bases: steps taken at your request prior to entering into a contract; our legitimate interests in hiring; legal obligations where applicable.

Data Minimisation

We collect and process only the personal data necessary for the purposes set out in this policy. When acting as processor, our customers control what data is collected, and we encourage them to follow data minimisation principles in accordance with applicable data protection law.

6. Automated Decision‑Making and AI‑Assisted Evaluations

Our platform can provide AI‑based analysis and scoring of interview responses and other materials when our customers choose to enable and use those features. These outputs are advisory only and designed to support, not replace, human judgment.

We do not make solely automated decisions that produce legal or similarly significant effects on individuals. Hiring and other decisions are made by our customers. Our customers are responsible for configuring appropriate human review and for verifying AI outputs before making decisions.

AI outputs may contain errors or bias, and there is a risk of hallucination. We do not promise that AI outputs are accurate, complete, non‑discriminatory or fit for any particular purpose.

AI Vendor Commitments

We instruct our AI service providers not to use customer data to train their public models. Where AI vendors offer such options, we enable the strictest data protection settings. We conduct regular reviews of our AI vendors' data processing practices.

Bias Mitigation

While we implement measures to reduce bias in AI outputs, we cannot guarantee that AI assessments are free from bias. Customers remain responsible for ensuring their use of AI features complies with applicable equality and non‑discrimination laws.

7. Cookies and Similar Technologies

We use essential cookies to operate our site. With your consent, where required, we also use analytics and similar technologies to understand usage and improve our Services.

Essential Cookies

These are necessary for the Services to function and cannot be disabled. They include authentication cookies, security cookies, and load balancing cookies.

Analytics Cookies

With your consent, we use analytics cookies (Google Analytics, Microsoft Clarity, and similar services) to understand how users interact with our Services. You can disable these through your browser settings or our cookie banner.

Your Cookie Choices

You can control cookies through your browser settings. Please note that disabling essential cookies may affect your ability to use the Services. Most browsers allow you to:

  • View what cookies are stored and delete them individually
  • Block third‑party cookies
  • Block cookies from particular sites
  • Block all cookies from being set
  • Delete all cookies when you close your browser

For more information about cookies and how to manage them, visit www.allaboutcookies.org.

8. Where We Process and Store Data

Production hosting locations: United Kingdom, Sweden and the United Arab Emirates.

Some AI analysis operations are performed in the United States.

For enterprise customers requiring data residency in Saudi Arabia, dedicated infrastructure is available subject to separate commercial agreement.

When personal data is transferred to a country without an adequacy decision, we use appropriate safeguards such as the EU Standard Contractual Clauses together with the UK Addendum where applicable. We also carry out transfer risk assessments where required and apply additional technical and organisational measures such as encryption in transit and at rest.

9. How We Share Personal Data as Controller

We may share personal data with:

Service providers that help us run our Services and website, for example, cloud hosting, security, communications, analytics and support. Examples include Microsoft (Azure and 365), Google (Cloud and Workspace) and SendGrid for email delivery. We remain responsible for their performance and require appropriate contractual protections.

Integrations you connect for your organisation, such as calendars, email, job boards or e‑signature providers. Those providers act as your processors (not our sub‑processors); we share only what is needed to provide the integration and only on your instructions.

Professional advisers, insurers, auditors and regulators where necessary, and authorities where required by law or to protect rights, safety or security.

Buyers or investors as part of a corporate transaction, under confidentiality.

Sub‑Processors for Our Processor Role

When we act as processor for our customers, we engage the following categories of sub‑processors:

  • Cloud infrastructure providers (Microsoft Azure, Google Cloud Platform, and similar services) for hosting and data storage
  • AI and machine learning services for interview analysis features and similar capabilities
  • Communication services for email and messaging functionality

A detailed and current list of all sub‑processors, including their locations and certifications, is available in our Data Processing Addendum. This information is provided to customers during the compliance and due diligence stages of our engagement process. We provide at least 14 days' notice of any new or replacement sub‑processors.

All sub‑processors are subject to data protection obligations equivalent to those in our Data Processing Addendum and maintain appropriate security certifications (ISO 27001, SOC 2, or equivalent).

10. Security and ISO 27001 Alignment

We implement layered technical and organisational measures appropriate to risk, including encryption in transit and at rest, least‑privilege access and periodic reviews, multi‑factor authentication for administrator access, logging and monitoring, vulnerability and patch management, secure change control, tested backup and disaster recovery, and incident response procedures.

We conduct annual independent security testing and remediate findings based on severity. We are in the final stages of ISO/IEC 27001:2022 certification (expected early November 2025). Once certified, we will maintain certification and make our certificate available on request.

We apply privacy by design and by default, carry out Data Protection Impact Assessments where appropriate, and train staff on security and data protection.

11. Personal Data Breaches

If we experience a security incident that affects personal data, we will:

When acting as controller: Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with UK GDPR requirements.

When acting as processor: Notify our customer (the controller) within 72 hours of becoming aware of the breach. Our customer is responsible for notifying affected individuals as required by law. We will provide all necessary information to assist our customer in meeting their notification obligations.

In the event of a breach, we will provide available information about the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.

12. Data Retention

Controller Contexts

Customer business records such as contracts, billing and support: contract term plus up to six years to meet legal and tax requirements. UK tax law requires six‑year retention for financial records, and the Limitation Act 1980 provides for a six‑year limitation period for contract claims.

User account and audit data: for the contract term and a short period afterwards (typically 30‑90 days) for security and troubleshooting, then deletion or anonymisation.

Support tickets: typically up to 24 months after closure to maintain service quality, resolve recurring issues, and demonstrate our response to any complaints or disputes.

Marketing contact data: until you opt out or for a standard business cycle (typically three years of inactivity). We keep a suppression list indefinitely to honour your opt‑out.

Applicants: typically up to 12 months after application to consider you for future opportunities, or longer where you have provided explicit consent or where permitted by law (such as for legal defence purposes under legitimate interests).

Processor Context – Data We Process on Behalf of Customers

When we act as processor, our customers (as controllers) determine how long to retain personal data about job candidates, employees, and other individuals within our platform. These retention periods are based on our customers' own privacy policies and legal obligations.

Upon contract termination with a customer, we provide a 60‑day export window for that customer to retrieve all data from our platform. After this 60‑day period, we delete such data from active systems unless the law requires retention. Data in backup systems is deleted on our standard backup rotation schedule, which does not exceed 90 days after the export window closes.

During an active customer contract, retention of specific records (such as completed job applications or closed employee files) is managed by the customer through the platform in accordance with their own data retention policies.

13. Your Rights

Subject to legal limits, you can:

  • Request access to your personal data and obtain a copy
  • Request correction of inaccurate data
  • Request deletion of your data
  • Request restriction of processing
  • Object to processing based on our legitimate interests, including direct marketing
  • Request data portability, where applicable
  • Withdraw consent where we rely on consent

If your data sits in our platform because you applied to a customer's role, please contact that customer first so they can manage your request as the controller. We will support them as their processor.

To exercise any of these rights, please contact us using the details in section 18.

14. Direct Marketing

We send product updates and marketing to business contacts under our legitimate interests or with consent, where required by PECR. You can opt out at any time using the unsubscribe link in emails or by contacting us. We maintain a suppression list to ensure we respect your choice.

15. Third‑Party Links

Our site or Services may link to third‑party websites or services. Their privacy practices are outside our control. We encourage you to read their privacy notices.

16. International Users and EU Representative

We are established in the United Kingdom and primarily serve business customers in the UK, Middle East, and Asia‑Pacific regions.

EU Representative: For matters relating to the processing of personal data under EU GDPR, our representative in the UK (which maintains adequacy status with the EU) is:

Niranjan Thampu
Capital Placement Ltd
Kemp House, 152–160 City Road
London, EC1V 2NX
Email: [email protected]

If you are located outside the UK, you may have additional rights under your local laws. For region‑specific data protection enquiries, please contact us at [email protected].

17. Changes to This Policy

We may update this policy to reflect changes in law or our Services. We will post the updated policy with a new effective date. If the changes are material, we will provide reasonable advance notice to customer administrators or by a prominent notice on our website.

18. Contact Us, Data Protection Officer, and Complaints

Privacy enquiries and rights requests: [email protected] or write to:

Rena Privacy
Capital Placement Ltd
Kemp House, 152–160 City Road
London, EC1V 2NX
United Kingdom

Data Protection Officer: We have appointed a Data Protection Officer to oversee our data protection practices. You can contact our DPO at:

Niranjan Thampu
Email: [email protected]
Address: As above, marking correspondence "FAO: Data Protection Officer"

ICO Registration

We are registered with the Information Commissioner's Office:

ICO Registration Number: ZA208197
Registration expires: 28 September 2026
View our registration: https://ico.org.uk/ESDWebPages/Entry/ZA208197

Complaints to the Supervisory Authority

If you are not satisfied with our response to your data protection concerns, you can file a complaint with the UK Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
United Kingdom

Telephone: 0303 123 1113
Website: www.ico.org.uk

We would appreciate the chance to address your concerns first before you approach the ICO.

19. Definitions

Controller, processor, personal data, processing, special‑category data and personal data breach have the meanings given in the UK GDPR.

Customer means the business organisation that subscribes to our Services (the legal entity that signs our Terms of Service).

Authorised User or User means an individual employee or contractor of a Customer who is authorised to access and use the Services.

Data Subject means an individual whose personal data is processed (such as job candidates, employees, or recruitment contacts).

Customer Personal Data means personal data that our customers upload to or collect through the Services and that we process on their instructions.

Services means the Rena platform and any related modules and features provided to business customers.


Appendix A: Summary of Purposes and Lawful Bases

Provide and administer the Services for your organisation: contract; legitimate interests in operating secure Services.

Secure, monitor and improve the Services: legitimate interests in security, quality and improvement.

Billing and finance: contract; legal obligations.

Service communications: contract and/or legitimate interests.

B2B marketing: consent where required by PECR; otherwise legitimate interests. Opt‑out at any time.

Recruitment at Capital Placement: steps prior to a contract; legitimate interests; legal obligations where applicable.
