Back to home

GDPR

Effective May 14, 2026

If you live in the European Economic Area or the United Kingdom, this page covers how Quala handles your personal data and the rights you have under the GDPR and UK GDPR.

01

Roles

For candidate session data, the inviting company is the data controller and Quala is the data processor — we act on the company's documented instructions to run the assessment and produce a report.

For account, billing, and marketing data, Quala is the data controller.

02

Legal bases (Article 6)

  • Contract performance — to provide the platform and deliver assessments to paying customers.
  • Consent — for optional features such as opting in to our model-improvement program or to marketing emails.
  • Legitimate interests — for fraud prevention, platform security, and improving the core service. We balance these against your rights and have documented the assessment in our Records of Processing.
  • Legal obligation — to respond to valid legal requests and to retain financial records.
03

Your rights (Articles 15–22)

You have the right to:

  • Access the personal data we hold about you (Article 15);
  • Rectify inaccurate or incomplete data (Article 16);
  • Erase your data — “the right to be forgotten” (Article 17);
  • Restrict our processing while you contest its accuracy or lawfulness (Article 18);
  • Port your data to another service in a machine-readable format (Article 20);
  • Object to processing based on legitimate interests (Article 21);
  • Avoid solely automated decisions that produce legal or similarly significant effects (Article 22). Quala scores are intended as evidence for human reviewers, not as the sole basis for a hiring decision.

To exercise any of these rights, email dpo@quala.dev from the address associated with your account or assessment. We respond within 30 days.

04

International transfers

When personal data is transferred outside the EEA or the UK, we rely on the European Commission's Standard Contractual Clauses (2021/914) and, for UK data, the UK Addendum to those clauses. We perform a transfer-impact assessment for each recipient and apply additional safeguards (encryption, pseudonymization, contractual restrictions) where needed.

05

Data Protection Officer

Our DPO can be reached at dpo@quala.dev for any GDPR-related question or request.

06

EU representative

Under Article 27, our EU representative is Quala EU Rep B.V., reachable at eu-rep@quala.dev.

07

UK representative

Our UK GDPR Article 27 representative is Quala UK Rep Ltd., reachable at uk-rep@quala.dev.

08

Supervisory authorities

You have the right to lodge a complaint with your local supervisory authority. For EEA residents, that is the Data Protection Authority of your country of residence. For UK residents, it is the Information Commissioner's Office (ICO) at ico.org.uk.

09

Related policies

See our Privacy Policy for the broader picture and our Security page for the technical safeguards.