This Candidates Privacy Notice (“Notice”) describes how Servi Smart Solutions Ltd. d/b/a Duve and its affiliates and subsidiaries (collectively “Duve”, “we” or “us”) collect and process Personal Data (as defined below) when you apply for a position at Duve (whether for an employee, worker or contractor position, and collectively “Candidates”, “you” or “your”) upon submission of your application, as well as during the recruitment process and thereafter.

This Notice applies to Candidates in the territories in which we offer job opportunities and is subject to applicable data protection laws, including the Israeli Protection of Privacy Law 5741-1981 (“IPPL”) and the EU and UK General Data Protection Regulation (collectively “GDPR”) (collectively the above “Data Protection Laws”).

This Notice provides Candidates with the needed disclosure and information about the types of Personal Data we collect, how your Personal Data will be used, the purposes for which we will use it, how long we will retain it, with whom we share it, and your rights regarding your Personal Data we process. This Notice further includes or incorporates specific information required under applicable Data Protection Laws for residents of certain jurisdictions, among others, if you are a located in the EEA or UK – this Notice further details our lawful basis for processing Personal Data, as well as additional information we are required to disclose to you under the GDPR.

This Notice is an integral part of Duve Privacy Policy governing the use of Duve’s website (in the event your application is submitted from the website), and supplements the information provided therein. In addition, if following the recruitment process you are engaged with Duve, your Personal Data collected through the course of your recruitment will be subject to Duve’s internal policies governing its processing of employees and other staff members Personal Data.

YOU ACKNOWLEDGE THAT YOU ARE NOT UNDER ANY STATUTORY OBLIGATION TO PROVIDE DUVE WITH PERSONAL DATA AND ANY PERSONAL DATA YOU PROVIDE WHEN YOU SUBMIT THE APPLICATION AND THROUGHOUT THE RECRUITMENT PROCESS IS PROVIDED AT YOUR FREE WILL AND CONSENT (WHERE REQUIRED UNDER APPLICABLE DATA PROTECTION LAWS). However, you should be advised that we must collect or receive some Personal Data to examine your application (initially or in later stages), and if you will not provide us with such Personal Data, we will not be able to fulfill certain purposes, for example, decide whether you qualify for a certain position, decide if you are legally entitled to work in certain territories, etc., all as described under Section 2 of this Notice – “Personal Data Processed by Duve, Purposes of Use and Lawful Basis” which details the purposes for which we need and use each type of Personal Data collected.

It is important that you read this Notice, together with any other notices that might be provided on specific occasions when we are collecting Personal Data about you, so that you are aware of how and why we are collecting and using such Personal Data.

For any questions or concerns you might have regarding our collection or use of your Personal Data please contact us as set forth in the Contact Information and Data Controller Information paragraph below.

1. CONTACT INFORMATION AND DATA CONTROLLER INFORMATION

Under applicable Data Protection Laws, Duve is considered as the “datacontroller” of the Personal Data collected from you. This means that Duve and the applicable entity of its company group are responsible for deciding how we process your Personal Data (as shall be described herein), as well as to enable you to exercise your rights.

For any question, inquiry or concern related to this Notice or the processing of your Personal Data, you may contact as follows:

• By Mail: Ha-Khilazon St. 6, Ramat Gan, Israel 5252270
• Data Protection Officer: dpo@duve.com
• Data Protection Representative for Data Subjects in the EU: Duve has designated its French entity as Duve’s representative in the European Union for data protection matters related to the processing of personal data of residents of the EU, pursuant to Article 27 of the GDPR. If you have any comments or questions regarding this Notice, or if you have any concerns regarding your privacy, or if you wish to make a complaint about how your personal data is being processed by Duve, please send an email to dpo@duve.com or by post at: 10-14 Rue Anatole France, 94140, Alfortville, France.

2. PERSONAL DATA PROCESSED BY DUVE, PURPOSES OF USE AND LAWFUL BASIS

For the purpose of this Notice, the term “Personal Data” refers to information that can identify an individual, either directly or through reasonable effort, which can be further defined under Data Protection Laws as “personal information”, “personally identifying information”, etc.

Personal Data may further include types of information defined under applicable Data Protection Laws as “Sensitive Data” (and can be further defined under applicable Data Protection Law as “highly sensitive information”, “special categories of personal data”, “sensitive personal information”, etc.) such as governmental identification number or certificate, professional qualifications, financial information, personality assessments, and health related information, etc.

Duve collects, stores, and uses various types and categories of Personal Data about Candidates, which may further include Sensitive Data. The table below details the categories of Personal Data Duve collects and processes, along with the purposes for which Duve collects and uses each such category, as well as our lawful basis for processing where the GDPR applies to your Personal Data.

Please be aware that the specific categories or types of Personal Data collected may vary depending on the position you apply to and legal requirements under applicable Data Protection Laws.

Duve will not process your Personal Data to perform automated decision-making.

Categories and Types of Personal Data	Purpose of Collection and Use	Lawful Basis (under the GDPR, where applicable)
* Identification information Your full name and identifying information such your photo, government issued identification number, a copy of such identification certificates (e.g., ID, passport number) and date of birth. * Contact information Your email address, phone number, and residence address. * Employment history, education, and qualification Your previous employers and job positions you fulfilled, dates of employment, responsibilities, achievements, educational institutions you studied, certifications and degrees, fields of study, etc. * Skills and abilities Information related to your relevant competencies, skills, language proficiency, and any other expertise that may be relevant to the position you apply for. * Assessment results Information we gather from tests, interviews, or assessments conducted by us during your recruitment process, to evaluate suitability for the position you apply for. * Background check information (to the extent applicable) Information obtained through background checks, such as, subject to applicable laws (i.e., where required or permitted under such laws) verification of your previous or current employment and education. * Eligibility to work Information regarding your legal right to work in the relevant country, such as citizenship or visa status. * Communication with you and internal records Our correspondences with you, records or recording of phone calls, interviews or other interactions between you and us during the recruitment process. * Any additional information provided by you voluntarily Information included in your application or resume (CV), and supporting documents submitted by you.	* Job application processing and evaluation To assess your qualifications, experience, skills, and suitability for the position you applied for. In addition, to facilitate our decision-making process, as well as, subject to applicable laws, identify potential matches with other open positions offered by Duve. * Communication with you To facilitate our correspondence with you during the recruitment process, including scheduling interviews, providing updates, and addressing inquiries. * Verification and reference checks To verify the accuracy of the information provided by you, for example your employment history, education, and professional references, as well as conducting background checks where necessary and subject to applicable laws. * Compliance with legal requirements To ensure comply with relevant labor laws, regulations, and industry standards. * Eligibility to work To confirm your legal right to work in the relevant country or territory where the position is offered, and ensure we comply with immigration requirements, if applicable. * Decision-making To facilitate the decision-making process, and ultimately select the most suitable individual for the position. * Record-keeping and documentation To maintain records of the recruitment process, including evaluations, assessments, and decisions, which may be used for future reference or to address potential disputes or legal claims. * Administration and performance of human resources related duties, obligations, and procedures. * Continuous improvement of our recruitment process To track an application through the recruitment process and to analyze and refine our recruitment strategies, practices, and processes.	Our lawful basis to process Personal Data depends on the purpose for which we collect, use, and retain it, as set forth below:  * Legitimate interest Personal Data is mainly processed under our legitimate interest, as needed for our assessment, selection process and decisions making. Meaning we mainly process all types of Personal Data listed herein to determine if you are suitable to a certain job position and decide which Candidate we find the most suitable to our requirements, needs and criteria.  We may further retain certain types of Personal Data, even after we have decided not to engage with you, for the purpose of record keeping, compliance with applicable laws, evaluating our recruiting processes, and to address and defend against potential legal claims and disputes. * Consent Where required under applicable Data Protection Laws, we will obtain your consent to process Personal Data – for example for certain background checks, or to further retain and use Personal Data for future job opportunities offered at Duve. You have the right to withdraw consent at any time.

3. HOW WE COLLECT PERSONAL DATA

We typically collect Personal Data about Candidates, as follows:

• Personal Data that you directly provide– this includes information you voluntarily provide as part of your application, CVs, etc.; and
• Personal Data provided by third parties – this includes information we obtain from employment agencies, recruitment, or professional networking platforms, background check services (as applicable and subject to applicable law), or your references former employers, etc.

4. DISCLOSURE OF PERSONAL DATA

We disclose your Personal Data internally with our personnel involved in the recruitment and hiring process (i.e., human resources, managers, affiliates), or externally with our third party contractors, consultants and service providers that help us with our recruitment process and operation as well as administration and performance of human resources related duties, obligations and procedures, and where needed to comply with our legal obligations or to exercise and defend our rights.

We implement measures to ensure your Personal Data will be accessed only by those who really need to in order to perform their tasks and duties, and to third parties who need such access in order to provide their services as required by Duve and in accordance with our instructions.

The table below outlines the categories of such third parties we share Personal Data with and purpose of sharing.

Category Of Recipient	Purpose of Sharing
Duve Company Group	We may share Personal Data within our affiliates or company group to allow us to manage our recruitment process as a global group at the organizational level, and for human resources management. This will include information shared with third party involve in a corporate event such as a merger, acquisition or purchase of all or part of our assets. The categories of Personal Data that will be shared can include any of the types of Personal Data detailed under this Notice, as needed to fulfill such purposes.
Our contractors and Service Providers	We may disclose Personal Data to our trusted agents, vendors, and service providers so that they can perform the requested services on our behalf. These third parties may include service providers and vendors related to recruitment, talent acquisition and administration, technology services (e.g., SaaS recruitment management providers and cloud providers), background checks service providers, legal counsels, etc. We contractually obligate these third parties to use your Personal Data only to provide us with requested services and not for any other purpose. The categories of Personal Data that will be shared can include any of the types of Personal Data detailed under this Notice, as needed to fulfill such purposes.
Third Parties You Have Requested Us to Share Your Personal Data With	We will share your Personal Data if you direct or request us to share it. In such event, the provision of your Personal Data will be subject to such third parties’ policies and practices. The categories of Personal Data that will be shared will be as requested by you.
Governmental Agencies, Authorized Third Parties, or Disclosure due to a Legal Process	In the event of legal and law enforcement inquiry or requirement, we may disclose certain Personal Data, such as in response to an order, a verified requests relating to criminal investigations or alleged illegal activity. We may further disclose Personal Data in the event of any activity that may expose us, you, or any other third party to legal liability, as well as to defend against potential, threatened, or actual claims, demands or litigation process. The categories of Personal Data that will be shared can include any of the types of Personal Data detailed under this Notice, as needed to fulfill such purposes, however, solely to the extent necessary to comply with such purpose.

5. SECURITY

At Duve, security is our highest priority. We design our systems with your security and privacy in mind. We have implemented physical, technical, and administrative security measures that comply with applicable laws and industry standards in order to protect your Personal Data. These measures are further detailed in our trust center available at: https://duve.com/security-center/

Note that we cannot be held responsible for unauthorized or unintended access beyond our control, and we make no warranty, express, implied, or otherwise, that we will always be able to prevent such access.

Please contact us at: dpo@duve.com if you feel that your privacy was not dealt with properly, in a way that was in breach of this Notice, or if you become aware of a third party’s attempt to gain unauthorized access to any of your Personal Data.

6. DATA RETENTION

Your Personal Data will be stored in accordance with applicable laws and kept as long as needed to carry out the purposes described in this Notice, including for the purposes of satisfying any legal, administrative, record keeping, or reporting requirements. 

The criteria according to which we determine the retention periods are as follows: 

• The type of Personal Dataand the purpose of the collection:we take into consideration for how long we need to retain the Personal Data in order to achieve the purposes for which it was collected, as well as the scope, nature, and sensitivity of the Personal Data and the potential risk of harm from unauthorized use or disclosure.
• The stage of the recruitment process:we take into consideration the stage in which we have decided regarding your application (i.e., not to proceed with employment or engagement process). This stage may further affect the potential of legal claims and disputes and thus, is taken as a factor.
• Our legal obligations:the period for which we will retain certain types of Personal Data further depends on the laws of the applicable territory, as under certain laws, we may be required to retain certain Personal Data (for minimum retention periods). In addition, we may retain certain types of Personal Data in the event we are required to do so subject to a binding legal request or a court order.  
• Dispute, claims, and legal proceedings: we may retain certain types of Personal Data where we find it reasonably necessary to defend against a threatened or potential legal claim or litigation process. The periods of retention are determined mainly according to statutory limitation periods. In the event of a dispute between you and us, including any legal proceedings, we will retain the Personal Data until such dispute is resolved, and following, if we find it necessary, in accordance with applicable statutory limitation periods. In addition, if you request to exercise your rights related to your Personal Data, we will maintain the applicable records for as long as needed to demonstrate compliance, usually also in accordance with statutory limitation periods.
• Your reasonable expectations or consent: depending on the applicable Data Protection Laws, we may further retain Personal Data for as long we consider it to be applicable to examine your application as per new or future job position. This is based also on what we believe to be a reasonable expectation of Candidates, or otherwise, if required, based on the Candidate’s consent we will obtain for such use. If you would like to opt-out from Duve’s policy of retaining your information for the purposes of considering you for other job opportunities, or otherwise, where applicable, withdraw consent, please contact us at: dpo@duve.com.

In addition to the above, we may retain limited Personal Data as a reference for any future applications submitted.  If you are hired, we will store your Personal Data collected through the recruitment process for the term of your employment and thereafter, according to our practices and policies related to our employees and staff members’ Personal Data.

Except as we are required by applicable law, we will not be obligated to retain your Personal Data for any specific period, and we may delete it for any reason and at any time, without providing you with prior notice if our intention to do so.

7. DATA TRANSFER

Due to our global operation, your Personal Data may need to be processed or accessed in countries or territories other than your jurisdiction, including, for example, when shared or accessed by our service providers or other affiliates. This may include transfer of Personal Data to, or from, the State of Israel, the US and the EEA.

Duve only transfers Personal Data to another country, including within its corporate group, in accordance with applicable Data Protection Laws. We take appropriate measures to ensure that your Personal Data receives an adequate level of protection, including by using contractual obligations or other data transfer mechanisms that were per-approved by applicable data protection authorities to ensure your Personal Data is protected.

Where you consent is required under applicable Data Protection Laws for the transfer of your Personal Data, by submitting your application you are deemed to have consented to the transfer of your Personal Data, as described herein.

8. PRIVACY RIGHTS

We acknowledge that different people have different privacy concerns and preferences. Our goal is to be clear about what Personal Data we collect so that you can make meaningful choices about how it is used. We allow you to exercise certain choices, rights, and controls in connection with your Personal Data.

Depending on your relationship with us, your jurisdiction and the applicable Data Protection Laws, these rights may include one or more of the following principal rights: 

• The right to know what Personal Data we collect about you, the purpose of collection, with whom we share your Personal Data, and additional information such as the categories of sources from which the Personal Data is collected – as provided under this Notice;
• The right to access and inspectyour Personal Data. This right entitles you to review or receive a copy of certain Personal Data we hold about you;
• The right to correct inaccuracies in your Personal Data. This right entitles you to have any incomplete, inaccurate or not updated Personal Data we hold about you corrected (or otherwise request its deletion);
• The right to request deletion of your Personal Data. This right entitles you to request us to delete Personal Data (subject to applicable Data Protection Laws, which permits or requires the retention of certain Personal Data);
• The right to request to restrict processing of your Personal Data.This right entitles you to request to limit the purposes for which your Personal data is processes (subject to certain conditions under Data Protection Laws); 
• The right to object to processing of Personal Data.This rightentitles you to object to our processing of your Personal Data (subject to certain conditions under Data Protection Laws);
• Data Portability – this right entitles you to receive the Personal Data you have provided, in a structured, commonly used and machine-readable format and transmit it to another controller;

The right to withdraw consent, where we are processing your Personal based on your consent;

• The right to appeal or lodge a complaint. In the event that we do not fulfill your request, we will inform you without undue delay as required under applicable Data Protection Laws and you may have the right to appeal such decision. For EU/UK Candidates, you have the right to lodge a complaint with the applicable Data Protection Authority in the EU or the Information Commissioner in the UK. 

If you wish to exercise your rights, directly or through an agent, please contact us at: dpo@duve.com.

You may have additional rights as described in this Notice or applicable laws. We sometimes need to request specific information from you to help us confirm your identity and ensure the requested rights apply to you. This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. Information provided in connection with such request will be processed only for the purpose of processing and responding to your request, and it may be shared with our legal and administrative teams.

9. NOTICE AMENDMENTS

We reserve the right to periodically revise this Notice, which will have immediate effect upon posting of the revised Notice on our website. The last revision date will be reflected in the “Last Updated” heading at the top of the Notice. We will make a reasonable effort to provide a notice if we implement any changes that substantially change our privacy practices or your rights, and where required under applicable Data Protection Laws, obtain your consent. We recommend you review this Notice periodically to ensure that you understand our privacy practices and to check for any amendments.