Caio provides compliance decision infrastructure for regulated recruitment. This policy explains what personal data we collect, why we collect it, and the rights you have over it. We act as a data controller for our website and account data, and as a data processor for the candidate and worker data our customers process through the platform.
01Who we are
Caio ("we", "us", "our") is a compliance technology provider operating in the United Kingdom. We are the controller responsible for personal data collected through our website and for the administration of customer accounts. Where we process candidate or worker records on behalf of a recruitment agency or employer, that organisation is the controller and we are the processor acting on their documented instructions.
02Data we collect
Information you give us
- Contact and account details — name, work email, company, job title and any message you send us.
- Demo and enquiry details you submit through our forms.
Information processed on behalf of our customers
- Candidate and worker compliance records — identity documents, right-to-work evidence, qualifications, references and DBS / background-check outcomes.
- Decision metadata generated by the Caio engine, such as compliance status, flags and audit history.
Information collected automatically
- Usage and device data — IP address, browser type, pages viewed and timestamps, collected to keep the service secure and reliable.
03How we use it
- To provide, maintain and improve the Caio platform and run compliance decisions.
- To respond to enquiries, arrange demos and manage customer relationships.
- To maintain audit trails our customers rely on to evidence regulatory compliance.
- To secure the service, prevent misuse and meet our own legal obligations.
We do not sell personal data, and we do not use candidate or worker records to train models for purposes outside the contracted service.
04Legal bases
Where we act as controller, we rely on: legitimate interests (operating and securing our service and responding to business enquiries), contract (administering your account), and legal obligation where applicable. Where we process data on behalf of a customer, the lawful basis is determined by that customer as controller.
06Retention
We keep account and enquiry data for as long as needed to provide the service and for a reasonable period afterwards. Candidate and worker records are retained according to our customer's instructions and the retention periods set by relevant regulators. When data is no longer required, it is deleted or anonymised.
07Security
We apply technical and organisational measures appropriate to the sensitivity of compliance data, including encryption in transit and at rest, role-based access controls, audit logging and regular review of our processors. No system is perfectly secure, but we work to protect data against unauthorised access, loss or alteration.
08Your rights
Subject to UK GDPR, you may have the right to access, correct, delete or restrict the processing of your personal data, to object to certain processing, and to data portability. To exercise a right relating to data held by one of our customers, contact that organisation directly; we will assist them as their processor.
- Make a request by emailing privacy@usecaio.com.
- You may also complain to the UK Information Commissioner's Office (ICO).
09International transfers
We primarily process data in the UK and the European Economic Area. Where data is transferred outside these regions, we use appropriate safeguards such as the UK International Data Transfer Agreement or Standard Contractual Clauses.
11Contact
Questions about this policy or how we handle data can be directed to our team. We aim to respond within 30 days.
Data protection enquiries
privacy@usecaio.com · Caio, United Kingdom