Data Processing Addendum (DPA)

Last updated: 08 April 2026

WLH Group B.V. is a company registered in the Netherlands at Oudebrugsteeg 9, 1012 JN, Amsterdam, The Netherlands.

This page sets out WLH Group B.V.’s standard data processing terms and service-level privacy information for the custom recruitment solutions it designs, operates, and supports (the “Services”).

Where WLH processes personal data on behalf of a customer, WLH acts as a processor for that processing. WLH is responsible for the processing carried out within its own Services. Customers remain responsible for their own separate processing activities, internal records, and downstream decisions outside WLH’s Services.

If you are a candidate or applicant using a WLH-powered workflow, WLH may process your personal data in connection with operating the relevant recruitment solution, including where WLH processes data on behalf of the relevant hiring organisation.

1. Setting the stage

WLH’s approach to data processing is straightforward: it should never be a surprise how personal data is handled.

This page explains:

• what categories of personal data may be processed through WLH-operated recruitment solutions,
• why that data is processed,
• how AI-assisted features are used,
• how retention works,
• how data subject requests and incidents are handled,
• which subprocessors may be involved,
• and which baseline security and processor commitments apply.

This page is intended to provide both:

• data processing terms for customer relationships where WLH acts as a processor, and
• service-level privacy information about WLH-operated processing in custom recruitment workflows.

Project-specific agreements or implementation documents may supplement this page where needed.

2. Incorporation of schedules

The following documents form part of this DPA and are incorporated into it by reference:

• WLH’s current Subprocessor List;
• WLH’s current Security Measures Schedule; and
• any applicable service-specific or project-specific processing description agreed between the parties.

WLH may make these documents available by hyperlink, customer portal, secure workspace, or separate written document.

References in this DPA to the Subprocessor List or Security Measures Schedule mean the then-current version made available by WLH in accordance with this DPA.

Unless expressly stated otherwise, if there is any conflict between this DPA and the Subprocessor List or Security Measures Schedule, this DPA will prevail to the extent of the conflict.

3. What we process

Depending on the workflow and enabled features, WLH may process the following categories of personal data.

3.1 Account and recruiter data

This may include:

• names,
• business email addresses,
• phone numbers,
• company names,
• user roles,
• and account administration data.

3.2 Candidate and applicant data

This may include:

• candidate identifiers,
• contact details,
• CVs and uploaded files,
• extracted profile data,
• summaries,
• skills,
• education and employment history,
• preferences,
• and other application-related information submitted by the candidate, customer, or workflow.

3.3 Interview data

This may include:

• speech audio,
• interview transcripts,
• prompts,
• candidate responses,
• language settings,
• recording references,
• model usage data,
• call metadata,
• and interview metadata.

3.4 Vacancy and matching data

This may include:

• job titles,
• vacancy descriptions,
• requirements,
• city-level location inputs,
• travel-time outputs,
• scores,
• recommendations,
• and anomaly flags.

3.5 Technical and support data

This may include:

• logs,
• traces,
• browser and device information,
• error reports,
• and session replay data where enabled in the product configuration.

WLH does not require the use of special category data for normal operation of its recruitment solutions. However, candidates may still include such data in CVs, transcripts, attachments, or free-text responses.

4. Why we process personal data

WLH processes personal data through its recruitment solutions to:

• host, secure, and operate the solution,
• manage recruiter and administrator access,
• receive and store CV uploads and application materials,
• extract structured candidate information from CVs,
• run browser-based, avatar-based, and phone-based interviews,
• process interview audio, transcripts, prompts, and results,
• generate candidate evaluations, recommendations, and job-match scores,
• calculate city-level travel-time and distance outputs where that feature is enabled,
• maintain support, observability, debugging, and service reliability,
• respond to security events and misuse,
• and comply with legal and contractual obligations.

Personal data is processed on the legal basis applicable to the relevant processing activity. Where consent is used, it is requested separately for the specific purpose concerned.

WLH does not rely on consent as the default basis for the core technical processing necessary to run the recruitment workflow.

5. AI-assisted features and human oversight

WLH offers AI-assisted features for tasks such as:

• CV extraction,
• interview orchestration,
• transcription,
• scoring,
• recommendation generation,
• and recruiter decision support.

These features are intended to support human decision-making, not to replace it. WLH’s outputs are designed as advisory or workflow-supporting outputs, not as stand-alone final hiring or rejection decisions.

WLH is responsible for how AI-assisted processing is built and operated within the WLH-managed parts of the solution. That includes providing service-level information about the use of AI-assisted features in the workflow and applying appropriate operational controls within WLH’s scope.

Final recruitment decisions should remain subject to meaningful human review by the relevant hiring organisation. The hiring organisation remains responsible for its own downstream decision-making and for any separate reliance it places on the outputs generated through the solution.

Where a deployment falls within the scope of AI regulation applicable to recruitment or candidate evaluation, WLH is responsible for its own role in the design, operation, and documentation of the relevant system components, while the relevant hiring organisation remains responsible for its own use of outputs, downstream decisions, and off-platform processing.

6. Retention

WLH applies retention schedules based on the nature of the data and the purpose of the processing.

6.1 Default candidate-file retention

As a WLH default, personal data relating to a candidate’s application is retained for 12 weeks after the end of the relevant hiring process for that candidate, unless a different lawful retention period applies to the relevant workflow.

For this purpose, the end of the relevant hiring process means the point at which the candidate is no longer actively under consideration in that specific recruitment procedure.

6.2 Longer retention where justified

A longer retention period may apply where justified by the purpose of the processing, the solution design, or applicable law. This may include, for example:

• talent-pool or future-vacancy retention where lawfully supported,
• internal records needed to document a recruitment process,
• security logs,
• observability data,
• operational records,
• backups,
• incident records,
• and AI-system logs where a separate compliance or security retention track applies.

6.3 Anonymised and aggregated data

WLH may retain aggregated or truly anonymised data for analytics, security, service quality, and reporting purposes where that data no longer relates to an identified or identifiable person.

6.4 End of service

Upon termination of the relevant Services, WLH will delete or return personal data within 30 days, unless:

• retention is required by law,
• the data remains in technically unavoidable backups,
• the data is part of retained security or incident records,
• or a separate lawful retention obligation applies.

7. Your rights and how requests are handled

Depending on the processing activity and the applicable legal role, individuals may have rights such as:

• access,
• rectification,
• erasure,
• restriction,
• objection,
• portability,
• withdrawal of consent where consent applies,
• and the right to seek human review where law applies to solely automated decisions.

If WLH receives a privacy request from a candidate, applicant, or other data subject, WLH will handle or route that request according to the role WLH has in the relevant processing activity and, where appropriate, coordinate with the relevant hiring organisation.

If your request relates mainly to:

• a hiring decision,
• internal employer records,
• off-platform HR processing,
• or another downstream activity determined by the hiring organisation,

WLH may refer you to that organisation or coordinate the response with them.

For privacy-related questions or requests, contact support@welovehumans.io.

8. Where WLH acts as a processor

Where WLH processes personal data strictly on behalf of a customer, WLH will:

• process that data only on documented instructions from the customer, unless otherwise required by law,
• ensure that authorised personnel are subject to confidentiality obligations,
• implement appropriate technical and organisational security measures,
• engage subprocessors under written terms that provide appropriate protection,
• assist the customer with data subject requests where required,
• assist with breach response, security obligations, and DPIA-related information where applicable,
• delete or return personal data at the end of the Services, subject to lawful retention requirements,
• and make information reasonably available to demonstrate compliance with applicable processor obligations.

9. Security and confidentiality

WLH implements technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

WLH’s baseline technical and organisational measures are described in WLH’s current Security Measures Schedule, which forms part of this DPA and is made available to customers separately or at the URL designated by WLH.

These measures include, among other things:

• primary production hosting in AWS in eu-central-1 (Frankfurt, Germany),
• encrypted transport for public service traffic,
• encryption at rest where supported by the underlying platform services,
• application-level encryption for selected profile fields,
• role-based access restrictions for personnel and contractors,
• service logging and monitoring for reliability and incident response,
• and internal processes for breach investigation, containment, remediation, and notification.

WLH also uses:

• AWS-native monitoring for infrastructure logs, and
• Sentry in the DE region for application monitoring and observability.

Where session replay is enabled, WLH uses masking controls and limited configured unmasking for selected interface elements needed for support and debugging.

All persons authorised to process personal data on behalf of WLH are subject to confidentiality obligations or an appropriate statutory duty of confidentiality.

10. Personal data breaches

If WLH becomes aware of a personal data breach affecting personal data processed through the Services, WLH will take appropriate steps to investigate, contain, and remediate the incident.

Where required, WLH will notify the relevant customer without undue delay and provide the information reasonably available to help that customer meet its own legal obligations.

Where WLH is itself responsible for the relevant processing activity, WLH will handle the incident in accordance with the legal obligations applicable to that role.

11. International transfers

Some WLH subprocessors operate outside the EEA. Where WLH carries out a restricted transfer of personal data, WLH uses an available transfer mechanism under applicable data protection law, such as:

• an adequacy decision,
• Standard Contractual Clauses,
• or another lawful safeguard.

Some providers offer regional storage or regional processing for customer content while still handling some system data, support data, account data, or metadata outside the selected region. Where relevant, this is reflected in WLH’s use of subprocessors and regional service configuration.

12. Subprocessors

WLH uses the subprocessors listed in WLH’s current Subprocessor List to deliver the Services. The Subprocessor List forms part of this DPA and is made available to customers separately or at the URL designated by WLH.

Some subprocessors are feature-dependent, which means they are only used if the corresponding feature is enabled in the relevant solution.

WLH may update the Subprocessor List from time to time. For any material new or replacement subprocessor that will process personal data in connection with the Services, WLH will normally provide notice at least 30 days in advance, unless a shorter notice period is required for urgent security, legal, or service continuity reasons.

13. Contact

WLH Group B.V.
Oudebrugsteeg 9
1012 JN Amsterdam
The Netherlands
support@welovehumans.io

14. Updates to this page

WLH may update this page from time to time to reflect changes in:

• the Services,
• subprocessors,
• security measures,
• legal requirements,
• or operational practices.

The latest version will always be published here with the updated revision date.