Privacy, data use, and your control.

How HIOFU collects, uses, protects, and limits access to your information across the platform.

Effective Date: November 8, 2025Applies to members and visitors

Introduction Who We Are Our Role Data Collection Data Use AI & Processing Lawful Bases Sharing International Transfers Data Retention Security Measures Your Rights Cookies Children Enterprise Changes Contact

Introduction

Hiofu (“we”, “us”, “our”) is a UK-founded skills-evidence infrastructure platform that enables the discovery, verification, normalisation and structured delivery of skills data into employer hiring workflows.

Hiofu replaces static CV-based screening with structured, verified skills evidence through AI-assisted analysis and enterprise integrations. This Privacy Policy explains how we collect, use, share and safeguard personal data in compliance with UK data protection law.

This Privacy Policy applies to all users: Members (registered users) and Visitors (non-registered users).

We are committed to processing personal data lawfully, fairly and transparently in accordance with:

▸UK General Data Protection Regulation
▸Data Protection Act 2018
▸Privacy and Electronic Communications Regulations 2003

Where users are located in the EU/EEA or Switzerland, equivalent GDPR protections apply.

2. Who We Are

Data Controller:

Hiofu Limited

16611920

Data Protection Officer:

Email: info@hiofu.com

You may lodge a complaint with the UK supervisory authority:

Information Commissioner's Office

3. Our Role: Controller vs Processor

Hiofu acts as:

3.1 Data Controller

For:

▸Member account data
▸Skills Passport data
▸AI-driven platform features
▸Platform analytics
▸Security and fraud prevention
▸Marketing communications

3.2 Data Processor

Where we process personal data strictly on behalf of enterprise customers (e.g., employers integrating Hiofu into recruitment workflows). In those cases, processing is governed by a Data Processing Addendum compliant with Article 28 UK GDPR.

4. Categories of Personal Data We Collect

4.1 Information You Provide

Identity & Account Data

▸Name
▸Email address
▸Telephone number
▸Encrypted password
▸Location (generalised unless precise location is enabled)

Professional & Skills Data

▸Employment history
▸Education history
▸Certifications
▸Skills declarations
▸Structured skills evidence
▸Assessment results
▸Uploaded CVs and documents
▸Skills Passport metadata

Communications Data

▸Messages
▸Applications
▸Posts
▸Support communications

Payment Data

▸Billing information (processed via PCI-DSS compliant providers)

4.2 Information Generated Through Platform Use

▸Login and access logs
▸Device and browser data
▸IP address
▸Session data
▸Interaction analytics
▸AI-generated match scores
▸Competency normalisation outputs
▸Fraud detection signals

4.3 Information From Third Parties

▸Employers and recruiters
▸Applicant Tracking Systems (ATS)
▸Verification providers
▸Learning and assessment partners
▸Enterprise administrators

4.4 Special Category Data

Hiofu does not require special category data (e.g., race, religion, health data) for standard use.

If such data is uploaded voluntarily:

▸It is processed only where lawful under Article 9 UK GDPR.
▸Explicit consent may be required.
▸We do not intentionally use AI to infer protected characteristics.

5. How We Use Personal Data

We process data for the following purposes:

5.1 Service Delivery

▸Account management
▸Skills Passport functionality
▸Assessment hosting
▸Enterprise integrations

Lawful Basis: Contract (Art 6(1)(b))

5.2 AI-Assisted Skills Analysis

We use AI systems to:

▸Structure and normalise skills evidence
▸Generate competency scores
▸Provide match insights
▸Identify skills gaps
▸Assist employer ranking workflows

Lawful Basis:

▸Contract
▸Legitimate Interests (Art 6(1)(f))

AI outputs are assistive and not determinative unless configured by the employer.

5.3 Fraud Prevention & Security

▸Detect misuse
▸Prevent platform abuse
▸Investigate suspicious activity

Lawful Basis: Legal obligation + Legitimate Interests

5.4 Analytics & Service Improvement

▸Improve matching accuracy
▸Conduct workforce insights analysis
▸Enhance AI model performance

Where possible, data is aggregated or pseudonymised.

5.5 Marketing

▸Product updates
▸Platform features
▸Events and insights

Lawful Basis: Consent (in accordance with PECR)

You may withdraw consent at any time.

6. Artificial Intelligence & Automated Processing

6.1 Nature of AI Use

Hiofu deploys machine learning models to analyse structured skills data and support hiring decisions.

AI systems process:

▸Declared skills
▸Verified credentials
▸Assessment performance
▸Employment history metadata

We do not use AI for behavioural surveillance or unrelated profiling.

6.2 Automated Decision-Making Safeguards

We do not make solely automated decisions producing legal or similarly significant effects without:

▸Meaningful human review
▸Clear explanation of logic involved
▸Right to contest
▸Right to request intervention

6.3 AI Governance Framework (2026-Ready)

We implement:

▸Data Protection Impact Assessments (DPIAs)
▸Algorithmic bias testing
▸Fairness audits
▸Explainability documentation
▸Model performance monitoring
▸Periodic retraining reviews
▸Access control to training data
▸Audit trails

AI training datasets are anonymised or pseudonymised wherever feasible.

7. Lawful Bases Summary

We rely on:

▸Contract
▸Consent
▸Legitimate Interests
▸Legal Obligation

A summary of our Legitimate Interests Assessment is available upon request.

9. International Transfers

Where personal data is transferred outside the UK, we rely on:

▸UK International Data Transfer Agreement (IDTA)
▸UK Addendum to EU SCCs
▸Adequacy decisions

Transfer risk assessments are conducted where required.

10. Your Choices & Rights

10.1 Data Retention

We retain your data while your account is active and as required for our services. Some data may remain after account closure if legally required.

10.3 Account Closure

Most of your data will be erased or anonymized within 30 days of account termination.

10.4 Your Rights

Depending on your location, you may have the right to:

Access your personal data

Correct or update your data

Delete your data or account

Restrict or object to processing

Export your data

10. Data Retention

We retain data:

▸While your account is active
▸As required for contractual or legal obligations
▸For defence of legal claims

Inactive accounts may be anonymised after [30 days].

AI training datasets are reviewed periodically to ensure continued necessity.

11. Security Measures

We implement:

▸AES-256 encryption
▸TLS secure transmission
▸Role-based access controls
▸Multi-factor authentication
▸Intrusion detection systems
▸Regular penetration testing
▸Vendor due diligence
▸Secure development lifecycle (SDLC) controls

12. Your Rights

Under UK GDPR, you have the right to:

a. Access

b. Rectification

c. Erasure

d. Restriction

e. Portability

f. Object to processing

g. Object to legitimate interests

h. Not be subject to solely automated decisions

Requests may be submitted to: info@hiofu.com

You also have the right to complain to the Information Commissioner's Office.

13. Cookies & Tracking Technologies

We use cookies and similar technologies in compliance with: Privacy and Electronic Communications Regulations 2003

Non-essential cookies require prior consent. Full details are provided in our Cookie Policy.

14. Children

Hiofu is not intended for individuals under 16. We do not knowingly process children's data.

15. Enterprise Accounts

Where an employer provides access:

The employer may act as Controller for recruitment decisions. Hiofu acts as Processor where operating under employer instruction and Data Processing Agreements govern such relationships

16. Changes to This Policy

We may update this policy to reflect legal, technological, or operational changes. Material changes will be notified via platform notice or email.

17. Contact

Hiofu
Data Protection Officer

31 Red Wing Gardens, Finberry, Kent, United Kingdom, TN25 7LE

hello@hiofu.com

If you have questions about this Privacy Policy or want to exercise a data right, please contact us.

Privacy, data use, and your control.

How HIOFU collects, uses, protects, and limits access to your information across the platform.

Effective Date: November 8, 2025Applies to members and visitors

Introduction

This Privacy Policy applies to all users: Members (registered users) and Visitors (non-registered users).

We are committed to processing personal data lawfully, fairly and transparently in accordance with:

▸UK General Data Protection Regulation
▸Data Protection Act 2018
▸Privacy and Electronic Communications Regulations 2003

Where users are located in the EU/EEA or Switzerland, equivalent GDPR protections apply.

2. Who We Are

Data Controller:

Hiofu Limited

16611920

Data Protection Officer:

Email: info@hiofu.com

You may lodge a complaint with the UK supervisory authority:

Information Commissioner's Office

3. Our Role: Controller vs Processor

Hiofu acts as:

3.1 Data Controller

For:

▸Member account data
▸Skills Passport data
▸AI-driven platform features
▸Platform analytics
▸Security and fraud prevention
▸Marketing communications

3.2 Data Processor

4. Categories of Personal Data We Collect

4.1 Information You Provide

Identity & Account Data

▸Name
▸Email address
▸Telephone number
▸Encrypted password
▸Location (generalised unless precise location is enabled)

Professional & Skills Data

▸Employment history
▸Education history
▸Certifications
▸Skills declarations
▸Structured skills evidence
▸Assessment results
▸Uploaded CVs and documents
▸Skills Passport metadata

Communications Data

▸Messages
▸Applications
▸Posts
▸Support communications

Payment Data

▸Billing information (processed via PCI-DSS compliant providers)

4.2 Information Generated Through Platform Use

▸Login and access logs
▸Device and browser data
▸IP address
▸Session data
▸Interaction analytics
▸AI-generated match scores
▸Competency normalisation outputs
▸Fraud detection signals

4.3 Information From Third Parties

▸Employers and recruiters
▸Applicant Tracking Systems (ATS)
▸Verification providers
▸Learning and assessment partners
▸Enterprise administrators

4.4 Special Category Data

Hiofu does not require special category data (e.g., race, religion, health data) for standard use.

If such data is uploaded voluntarily:

▸It is processed only where lawful under Article 9 UK GDPR.
▸Explicit consent may be required.
▸We do not intentionally use AI to infer protected characteristics.

5. How We Use Personal Data

We process data for the following purposes:

5.1 Service Delivery

▸Account management
▸Skills Passport functionality
▸Assessment hosting
▸Enterprise integrations

Lawful Basis: Contract (Art 6(1)(b))

5.2 AI-Assisted Skills Analysis

We use AI systems to:

▸Structure and normalise skills evidence
▸Generate competency scores
▸Provide match insights
▸Identify skills gaps
▸Assist employer ranking workflows

Lawful Basis:

▸Contract
▸Legitimate Interests (Art 6(1)(f))

AI outputs are assistive and not determinative unless configured by the employer.

5.3 Fraud Prevention & Security

▸Detect misuse
▸Prevent platform abuse
▸Investigate suspicious activity

Lawful Basis: Legal obligation + Legitimate Interests

5.4 Analytics & Service Improvement

▸Improve matching accuracy
▸Conduct workforce insights analysis
▸Enhance AI model performance

Where possible, data is aggregated or pseudonymised.

5.5 Marketing

▸Product updates
▸Platform features
▸Events and insights

Lawful Basis: Consent (in accordance with PECR)

You may withdraw consent at any time.

6. Artificial Intelligence & Automated Processing

6.1 Nature of AI Use

Hiofu deploys machine learning models to analyse structured skills data and support hiring decisions.

AI systems process:

▸Declared skills
▸Verified credentials
▸Assessment performance
▸Employment history metadata

We do not use AI for behavioural surveillance or unrelated profiling.

6.2 Automated Decision-Making Safeguards

We do not make solely automated decisions producing legal or similarly significant effects without:

▸Meaningful human review
▸Clear explanation of logic involved
▸Right to contest
▸Right to request intervention

6.3 AI Governance Framework (2026-Ready)

We implement:

▸Data Protection Impact Assessments (DPIAs)
▸Algorithmic bias testing
▸Fairness audits
▸Explainability documentation
▸Model performance monitoring
▸Periodic retraining reviews
▸Access control to training data
▸Audit trails

AI training datasets are anonymised or pseudonymised wherever feasible.

7. Lawful Bases Summary

We rely on:

▸Contract
▸Consent
▸Legitimate Interests
▸Legal Obligation

A summary of our Legitimate Interests Assessment is available upon request.

9. International Transfers

Where personal data is transferred outside the UK, we rely on:

▸UK International Data Transfer Agreement (IDTA)
▸UK Addendum to EU SCCs
▸Adequacy decisions

Transfer risk assessments are conducted where required.

10. Your Choices & Rights

10.1 Data Retention

We retain your data while your account is active and as required for our services. Some data may remain after account closure if legally required.

10.3 Account Closure

Most of your data will be erased or anonymized within 30 days of account termination.

10.4 Your Rights

Depending on your location, you may have the right to:

Access your personal data

Correct or update your data

Delete your data or account

Restrict or object to processing

Export your data

10. Data Retention

We retain data:

▸While your account is active
▸As required for contractual or legal obligations
▸For defence of legal claims

Inactive accounts may be anonymised after [30 days].

AI training datasets are reviewed periodically to ensure continued necessity.

11. Security Measures

We implement:

▸AES-256 encryption
▸TLS secure transmission
▸Role-based access controls
▸Multi-factor authentication
▸Intrusion detection systems
▸Regular penetration testing
▸Vendor due diligence
▸Secure development lifecycle (SDLC) controls

12. Your Rights

Under UK GDPR, you have the right to:

a. Access

b. Rectification

c. Erasure

d. Restriction

e. Portability

f. Object to processing

g. Object to legitimate interests

h. Not be subject to solely automated decisions

Requests may be submitted to: info@hiofu.com

You also have the right to complain to the Information Commissioner's Office.

13. Cookies & Tracking Technologies

We use cookies and similar technologies in compliance with: Privacy and Electronic Communications Regulations 2003

Non-essential cookies require prior consent. Full details are provided in our Cookie Policy.

14. Children

Hiofu is not intended for individuals under 16. We do not knowingly process children's data.

15. Enterprise Accounts

Where an employer provides access:

The employer may act as Controller for recruitment decisions. Hiofu acts as Processor where operating under employer instruction and Data Processing Agreements govern such relationships

16. Changes to This Policy

We may update this policy to reflect legal, technological, or operational changes. Material changes will be notified via platform notice or email.

17. Contact

Hiofu
Data Protection Officer

31 Red Wing Gardens, Finberry, Kent, United Kingdom, TN25 7LE

hello@hiofu.com

If you have questions about this Privacy Policy or want to exercise a data right, please contact us.

Privacy, data use, and your control.

Introduction

2. Who We Are

3. Our Role: Controller vs Processor

4. Categories of Personal Data We Collect

4.1 Information You Provide

4.2 Information Generated Through Platform Use

4.3 Information From Third Parties

4.4 Special Category Data

5. How We Use Personal Data

5.1 Service Delivery

5.2 AI-Assisted Skills Analysis

5.3 Fraud Prevention & Security

5.4 Analytics & Service Improvement

5.5 Marketing

6. Artificial Intelligence & Automated Processing

6.1 Nature of AI Use

6.2 Automated Decision-Making Safeguards

6.3 AI Governance Framework (2026-Ready)

7. Lawful Bases Summary

8. Data Sharing

8.1 Employers

8.2 Service Providers

8.3 Legal Disclosures

9. International Transfers

10. Your Choices & Rights

10.1 Data Retention

10.3 Account Closure

10.4 Your Rights

10. Data Retention

11. Security Measures

12. Your Rights

13. Cookies & Tracking Technologies

14. Children

15. Enterprise Accounts

16. Changes to This Policy

17. Contact

Privacy, data use, and your control.

Introduction

2. Who We Are

3. Our Role: Controller vs Processor

4. Categories of Personal Data We Collect

4.1 Information You Provide

4.2 Information Generated Through Platform Use

4.3 Information From Third Parties

4.4 Special Category Data

5. How We Use Personal Data

5.1 Service Delivery

5.2 AI-Assisted Skills Analysis

5.3 Fraud Prevention & Security

5.4 Analytics & Service Improvement

5.5 Marketing

6. Artificial Intelligence & Automated Processing

6.1 Nature of AI Use

6.2 Automated Decision-Making Safeguards

6.3 AI Governance Framework (2026-Ready)

7. Lawful Bases Summary

8. Data Sharing

8.1 Employers

8.2 Service Providers

8.3 Legal Disclosures

9. International Transfers

10. Your Choices & Rights

10.1 Data Retention

10.3 Account Closure

10.4 Your Rights

10. Data Retention

11. Security Measures

12. Your Rights

13. Cookies & Tracking Technologies

14. Children

15. Enterprise Accounts

16. Changes to This Policy

17. Contact