Last updated: 18 November 2025
GDPR Statement
Longlisted Limited (“Longlisted.ai”) is committed to full compliance with the UK General Data Protection Regulation (UK GDPR), the EU GDPR, and the UK Data Protection Act 2018. We process personal data lawfully, fairly, transparently, and securely, in line with the principles of the GDPR.
1. Who We Are
Longlisted Limited (Company No. 16517894) is a UK-registered boutique research firm providing AI-assisted, human-curated talent mapping and market intelligence. We help in-house talent teams, executive search firms and hiring leaders understand specialist and senior markets quickly and clearly.
- Registered office: 8 Jermyn Avenue, Bury St. Edmunds, England, IP32 7LJ.
- Contact: info@longlisted.ai
2. Our Role Under GDPR
Controller: For most of our data processing, including candidate research from public and licensed sources, our website, sales, and client management, we act as an independent controller. This means we determine the purposes and means of the processing, including our use of automation and AI as a supportive tool. We do not make solely automated decisions that produce legal or similarly significant effects on individuals; human researchers retain control over shortlist and prioritisation decisions.
Processor: Where a client provides us with personal data (for example, an internal candidate list or CRM export) and instructs us on how to use it, we act as a processor. In those cases, we will enter into a Data Processing Agreement (DPA) with the client, as required by GDPR.
3. Our Legal Bases for Processing
We process personal data under the following lawful bases:
- Performance of a Contract: To deliver the services our clients have purchased, including building and delivering talent maps, providing analysis, managing revisions, and producing client-branded outputs.
- Legitimate Interests: Our legitimate interest is in providing our clients with talent intelligence and market-mapping services. This includes identifying and profiling professionals by researching publicly available and licensed professional information from sources such as professional networking sites, company websites, news articles and licensed data providers. We use automation and AI as a research assistant to improve speed and scale, but humans retain control over search strategy, verification and key decisions. We have completed Legitimate Interests Assessments (LIAs) and concluded that our interests are not overridden by the rights and freedoms of individuals.
- Legal Obligation: To comply with our legal duties, such as maintaining tax and accounting records.
- Consent: For activities like sending certain marketing communications where consent is required. Where consent is the legal basis, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
4. Your Data Rights
Under data protection law, you have rights including the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to object to processing (including profiling based on legitimate interests), and the right to data portability. The right to data portability applies only where processing is based on consent or contract and carried out by automated means.
To make a request, please email info@longlisted.ai. You also have the right to lodge a complaint:
- UK: Lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk.
- EU/EEA: You can also complain to your local supervisory authority.
5. How We Protect Your Data
We apply strong organisational and technical controls to safeguard personal data, including:
- encryption in transit and at rest where appropriate;
- strict, least-privilege access controls and role-based permissions;
- data minimisation and secure retention schedules;
- supplier vetting and GDPR-compliant contracts with sub-processors;
- regular reviews and an incident response plan.
For our AI-assisted workflows specifically, we apply additional guardrails such as small-batch processing, defensive prompting designed to avoid speculative or fabricated outputs, multi-pass scoring to reduce anomalies, and mandatory human review of high-impact outputs. We do not rely on AI alone for shortlist or hiring recommendations.
6. International Transfers
Where our providers process data outside the UK/EEA, we ensure appropriate safeguards are in place. This includes relying on:
- the UK’s Adequacy Regulations (such as the EU-U.S. Data Privacy Framework and the UK Extension), where applicable; and/or
- Standard Contractual Clauses approved by the UK or EU regulators, with supplementary safeguards where required.
7. Our Sub-Processors
We engage a limited set of trusted service providers (“sub-processors”) under GDPR-compliant terms. Our current key sub-processors include:
- Webflow, Inc. – Website hosting and CMS
- Google LLC (Google Workspace) – Email, documents and storage
- Typeform S.L. – Client intake forms
- Apollo.io, Inc. – Candidate discovery and enrichment
- Xero (UK) Limited – Accounting and invoicing
- n8n GmbH – Workflow automation
- OpenAI, LLC – AI research and drafting assistance (API usage only; we configure services so that input data is not used to train OpenAI’s models)
- Canva Pty Ltd – Design and visual deliverables
We review our sub-processors periodically and will update this list when material changes occur.
8. Data Retention
We retain personal data only for as long as necessary for the purposes described in our Privacy Policy, then delete or anonymise it. As a guide:
- Client records: For 6 years following the end of our business relationship, to meet legal and tax obligations.
- Prospective client data: For 24 months from our last meaningful contact, unless you ask us to delete it sooner.
- Candidate research data: Held for the duration of the project, then retained temporarily and reviewed within 12–24 months for secure deletion or anonymisation, unless there is a lawful basis or ongoing business need to retain it, or unless you object.
- Suppression lists: Kept indefinitely in minimal form to honour “do not contact” or objection requests.
9. Data Processing Addendum (DPA)
Where we act as a processor on your behalf, we will enter into a Data Processing Agreement that meets the requirements of Article 28 UK/EU GDPR. If your organisation requires a DPA, please request it at info@longlisted.ai.
10. Questions
For further information about how we handle personal data, or to exercise your rights, contact us at info@longlisted.ai.
