Recruitment Privacy Policy

Purpose

This Recruitment Privacy Policy outlines the principles and procedures for the collection, use, storage, and retention of personal data during the recruitment process at Mindvalley. It ensures compliance with applicable privacy regulations such as the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Malaysian Personal Data Protection Act (PDPA), and other relevant laws, safeguarding candidate information and maintaining transparency throughout the hiring lifecycle.

The Policy identifies the following:

  • Data Controller: Mindvalley Inc., Mindvalley OU, Mindvalley Labs. In some cases, third-party providers can act as Data Controllers.
  • Data Processor: Third-party providers. In some cases, Mindvalley entities can act as Data Processors.
  • Data Subject: All candidates.

Scope & Application

This Policy applies to all individuals who apply for employment or contract roles at Mindvalley, including candidates sourced directly or through recruitment agencies, job portals, or employee referrals. It is applicable across all Mindvalley subsidiaries, affiliates, and third-party service providers involved in the recruitment process.

This Policy is intended to ensure compliance with these specific regulations:

  • EU GDPR: Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (European Union),
  • CCPA: The California Consumer Privacy Act of 2018 (California),
  • PDPA: The Personal Data Protection Act 2010 or Act 709 (Malaysia).

Definitions

Terms and their definitions:

  • Candidate Data: Personal data relating specifically to job applicants, including information submitted through applications, interviews, and background checks.
  • Personal Data: Any information relating to an identified or identifiable individual (e.g., name, contact information, employment history).
  • Special Categories of Data: Sensitive data, also known as special categories of personal data, encompasses information that requires special protection due to its sensitive nature.
  • Data Subject: A natural person whose Personal Data is processed by a controller or processor.
  • Data Controller: The party responsible for determining the purposes and means of processing the personal data.
  • Data Processor: The party who processes Personal Data on behalf of the Controller.
  • Third-Party Service Providers: External entities engaged by Mindvalley to support recruitment, such as applicant tracking system vendors, recruitment agencies, and background check providers.

Guidelines

Collection of Personal Data

Mindvalley collects and processes personal data during recruitment for legitimate business purposes. The categories of information include, but are not limited to:

  • CVs/Resumes, References, and Cover Letters: Collected directly via applications or referrals and used to assess qualifications and professional experience.
  • Assessment and Interview Data: Includes feedback forms, practical tests, interview notes, and evaluation scores submitted via Ashby (ATS).
  • Background Checks: Information obtained from authorized third-party providers such as Veremark to verify academic qualifications,
    employment history, and criminal background (where legally permitted).
  • Equal Opportunity Information: Voluntarily provided information regarding gender, ethnicity, disability, etc., used exclusively for diversity,
    equity, and inclusion (DEI) monitoring.
  • Other Data: Employment eligibility documents, location and availability details, compensation expectations, and communication logs related to
    the hiring process.

Use and Sharing of Personal Data

Candidate data is used to:

  • Evaluate candidate suitability and make informed hiring decisions.
  • Verify qualifications and credentials.
  • Fulfill legal and regulatory obligations.
  • Monitor and improve equal opportunity and inclusive hiring practices.

Data may be shared with:

  • Internal stakeholders (e.g., Hiring Managers, HRBP, Talent Acquisition
    Team, People Operations team).
  • External service providers (e.g., recruitment platforms, background check
    vendors).
  • Government authorities, where legally required.

Legal Basis for Processing

Processing is based on one or more of the following:

  • Legitimate interests of Mindvalley in recruiting qualified candidates.
  • Candidate consent for specific processing activities (e.g., talent pool inclusion, diversity data).
  • Compliance with legal obligations.
  • Performance of pre-contractual steps at the request of the candidate.

No Sale of Personal Information

Mindvalley does not sell candidate personal information as defined under applicable privacy laws such as the California Consumer Privacy Act (CCPA). Candidate data is used solely for recruitment and related lawful purposes and is not shared with third parties in exchange for monetary or other valuable consideration.

Data Retention

Candidate data will be retained for a period of 24 months from the date of application or final interview, unless:

  • A longer period is required for legal compliance or litigation purposes.
  • The candidate provides explicit consent for longer retention (e.g., talent pool inclusion).
  • The data subject requests deletion, subject to legal and operational constraints.

Data Integrity and Security

Mindvalley employs robust security protocols to safeguard candidate data, including encrypted storage, access controls, and regular system audits. Candidates are encouraged to keep their data accurate and up-to-date.

Candidate Rights

Candidates have the right to:

  • Request access to their personal data in relation to their application.
  • Request correction or deletion of incorrect or outdated data.
  • Object to processing or request data portability (where applicable).
  • Lodge complaints with relevant supervisory authorities.

Requests related to data access or deletion should be submitted to: data.protection@mindvalley.com.

Withdrawal of Consent

Where Mindvalley processes candidate data based on consent (e.g., for talent pool inclusion or diversity data), candidates may withdraw their consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. Instructions to withdraw consent will be provided at the point of data collection or may be requested via data.protection@mindvalley.com.

Automated Decision-Making

Mindvalley does not make hiring decisions based solely on automated processing, including profiling. Any tools used during the recruitment process (e.g., resume screening platforms) are supervised by human reviewers to ensure fair and transparent outcomes.

Diversity, Equity & Inclusion

To support DEI objectives, Mindvalley may collect optional demographic data (e.g., gender identity, ethnicity, disability status, veteran status). The following practices ensure responsible and compliant handling:

  • Purpose & Transparency: Data is collected solely to monitor diversity, comply with reporting
    obligations, and identify bias in recruitment.
  • Notice at Collection: Applicants are informed of what DEI data is collected, purposes, retention period, and confidentiality measures.
  • Consent & Voluntariness: DEI fields are optional. Applicants can select “Prefer not to say” and face no adverse consequences for non-disclosure.
    Where required (e.g., GDPR special category data), explicit consent is obtained prior to collection.
  • Privacy by Design & Data Minimization: Collect only necessary DEI data. As soon as reporting needs are met, data is aggregated or anonymized to prevent re-identification.
  • Access Controls & Security: DEI data is classified as "restricted". Access is limited to authorized personnel responsible for DEI analysis, under robust technical and organizational controls.
  • Reporting: Metrics such as applicant diversity ratios and progression rates are monitored, and recruitment processes are periodically reviewed and refined to reduce bias.