Rockface Limited ('Rockface', 'we', 'us') provides AI-powered talent management software to employers ('Customers'). This notice explains how we handle personal data of (a) employees, contractors, and candidates of our Customers ('Workforce Data Subjects'), and (b) visitors to our website and people who contact us ('Website Visitors'). This notice is written to satisfy UK GDPR, EU GDPR, and the UK Data Protection Act 2018.
1. Our role: processor for workforce data, controller for our website
When our Customer uploads or syncs data about its workforce or candidates, the Customer is the controller of that personal data and Rockface is the processor. We process workforce data only on the Customer's documented instructions, under a Data Processing Addendum (DPA). When you visit our website, fill in a form, or contact our sales/support team, Rockface is the controller of that personal data.
2. What personal data we process
| Data subject | Categories | Source |
|---|---|---|
| Workforce (employees / contractors) | Identifiers (name, work email, employee ID), employment data (role, dept, manager, location, dates), compensation, performance ratings, learning history, skills, engagement signals | Customer's HRIS, ATS, LMS, performance and engagement tools — synced under the Customer's authority |
| Candidates | Identifiers, application data, resume content, interview scorecards, source | Customer's ATS |
| Website Visitors | IP, device, pages visited, form submissions (name, email, company) | Directly from you and our analytics/cookies — see our Cookie Notice |
| Customer admins / end-users | Account identifiers, auth metadata, audit-log entries | Account creation and product use |
3. Purposes and lawful bases
| Purpose | Lawful basis (UK/EU GDPR Art. 6) |
|---|---|
| Provide the contracted service to our Customer (workforce data) | Performance of contract with the Customer; the Customer relies on its own lawful basis (typically legitimate interests / employment law) under Art. 6(1)(b)/(f)/(c) |
| Operate, secure, and improve the platform (aggregated, de-identified) | Legitimate interests (Art. 6(1)(f)) |
| Sales, marketing, and website analytics | Legitimate interests + consent for non-essential cookies (PECR) |
| Comply with legal obligations (tax, fraud, lawful requests) | Legal obligation (Art. 6(1)(c)) |
4. How we use AI on workforce data
AI features (e.g. attrition risk, succession readiness, skills extraction, internal matching) run inside the Customer's tenant. We do NOT use Customer workforce data to train shared or general-purpose models. Outputs are generated per-tenant and never blended across Customers. Every AI output ships with explainability (top contributing factors) and adverse-impact testing across protected characteristics where legally permitted. Customers can disable any AI feature.
5. Retention periods
| Data class | Default retention |
|---|---|
| Workforce records (active) | For the duration of the Customer's subscription |
| Workforce records (after subscription ends) | Returned or deleted within 30 days of termination, per the DPA |
| Audit logs | 13 months (extendable per Customer request) |
| Candidate records | Per Customer's configured retention (default 24 months from last activity) |
| Website / marketing data | 24 months from last interaction |
| Backups | Encrypted backups expire on a 35-day rolling schedule |
7. International transfers
By default, EU/UK Customer data is processed in our EU region (Frankfurt, Ireland). Where data is transferred outside the UK/EEA (for example, US-based sub-processors), we rely on the UK International Data Transfer Addendum and the EU Standard Contractual Clauses, plus supplementary technical measures (encryption in transit and at rest, customer-managed keys on request).
8. Your rights
You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to withdraw consent where we rely on it. Automated decision-making rights under Art. 22 also apply. If you are a Workforce Data Subject, please contact your employer (the controller) first — we will support your employer in fulfilling your request. For Website Visitor data we control directly, contact rockface@rockface.biz.
9. Security
- TLS 1.3 in transit, AES-256 at rest, customer-managed keys (CMK) on request
- SSO via SAML, SCIM provisioning, granular role-based access control
- ISO 27001 and SOC 2 Type II audited annually
- Region pinning (US, EU, APAC) and configurable data residency
- Immutable audit log streamable to your SIEM
- See /solutions/it-security for our full security posture
10. Changes to this notice
Material changes are notified to Customer admins by email at least 30 days before they take effect. Past versions are archived and available on request.
Contact us
Data Protection Officer · Rockface Limited

Email: rockface@rockface.biz

Postal: Suite RA01, 195-197 Wood Street, London, E17 3NU, United Kingdom

For UK/EEA residents, you also have the right to lodge a complaint with the UK ICO (ico.org.uk) or your local supervisory authority.
This page is a plain-English summary. If anything here conflicts with your signed agreement (MSA, DPA, or order form), the signed agreement controls.