Privacy notice

Candidate privacy notice

How Treba collects, uses, and protects personal data submitted by applicants to the Treba talent network. Read alongside our general privacy policy for non-recruitment processing.

Last updated:

1. Who this notice covers

This notice applies to anyone who submits an application to the Treba talent network through treba.io/careers/, or who otherwise sends Treba a CV, profile, or expression of interest in being placed with a Treba client.

It explains what we do with that data, how long we keep it, and the rights you have under the Kenya Data Protection Act 2019 and UK GDPR.

2. The data controller

Treba Ltd is the data controller for applications submitted to the Treba talent network.

  • UK company registration: 17014197
  • Registered office: 86–90 Paul Street, London EC2A 4NE, United Kingdom
  • Operations centre: Westlands, Nairobi, Kenya
  • Kenya ODPC registration: Registered with the Office of the Data Protection Commissioner — reference number available on request from privacy@treba.io

3. What data we collect

When you submit an application, we collect:

  • Full name, email address, phone number, and current city of residence.
  • LinkedIn profile URL.
  • Pillar of interest, current or most recent role, and years of professional experience.
  • Qualifications, certifications, and the answer you give to our strong-candidate question.
  • Your CV (PDF), uploaded directly to our content management platform.
  • How you heard about Treba, if you tell us.

We also automatically capture limited technical metadata at submission — your IP address, the page that referred you, and your browser's user-agent string — used solely for abuse prevention and audit. We do not use this data for advertising or tracking.

If your application progresses, we may also process notes from any screen calls, skills assessments, structured interviews, and reference checks Treba conducts. Those activities are described in our How We Hire page.

4. Why we collect it (lawful basis)

We process your application data on the lawful basis of legitimate interests — specifically, evaluating candidates for placement into client engagements operated by Treba as an Employer of Record. We have balanced this against your rights and freedoms and do not consider it intrusive: candidates submit data voluntarily, only fields strictly needed to assess fit are required, and you can withdraw at any time (see Section 8).

Where you tick the consent checkbox on the application form, you also explicitly consent under the Kenya Data Protection Act 2019 to Treba processing your data for recruitment purposes.

5. Who we share it with

Your application data is accessible to:

  • Treba personnel — the founder, Nairobi operations lead, and recruiters involved in reviewing applications and matching candidates to client briefs.
  • Prospective UK clients — only if your application is shortlisted for a specific client engagement, and only the fields needed for that client to evaluate fit (typically name, role history, CV, and assessment results). Each client engagement is governed by a Data Processing Agreement and an International Data Transfer Agreement (see Section 6).
  • Service providers — Treba uses third-party platforms to operate the talent network: Sanity (content management, CV storage, EU/US infrastructure), Resend (transactional email, EU/US infrastructure), and Upstash (rate-limit metadata, EU/US infrastructure). These providers act as data processors under contract.
  • Background-check providers — only if your application advances to the reference-check stage, and only with your prior knowledge.
  • Legal and regulatory bodies — where Treba is required by law to disclose data (e.g. response to a lawful order from a Kenyan or UK regulator).

We do not sell your data, and we do not use it to train machine-learning models.

6. Cross-border data transfers

Treba is a UK-registered company operating from Nairobi, Kenya. Application data routinely crosses borders between Kenya and the UK, and may also reach EU/US processors used by our service providers (see Section 5).

For UK-bound personal data, transfers are governed by an International Data Transfer Agreement (IDTA) — the UK GDPR-approved mechanism for international transfers. Treba executes an IDTA with every UK client that handles personal data of Kenyan candidates or staff. Where appropriate, additional safeguards are applied under each client's Data Processing Agreement.

For Kenya-bound personal data, processing is covered by Treba's registration with the Office of the Data Protection Commissioner under the Kenya Data Protection Act 2019.

7. How long we keep your data

We retain unsuccessful applications for 24 months from the date of submission, so we can re-review your profile when new client engagements come in. After 24 months, applications are deleted as part of a routine retention sweep, unless you have specifically asked us to keep your data longer or your application has progressed to a placement.

If you are placed with a Treba client, your data moves into the standard employment lifecycle and is retained under the legal record-keeping requirements that apply to Treba as your employer in Kenya.

You can ask us to delete your data sooner at any time — see Section 8.

8. Your rights

Under the Kenya Data Protection Act 2019 and UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data at any time before the 24-month retention period elapses.
  • Portability — receive your data in a structured, machine-readable format and have it transmitted to another controller, where technically feasible.
  • Objection — object to our processing of your data on the basis of legitimate interests, in which case we will stop unless we can demonstrate compelling legitimate grounds that override your interests.
  • Withdrawal of consent — withdraw any consent you have given, without affecting the lawfulness of processing carried out before withdrawal.
  • Lodge a complaint — see Section 10.

To exercise any of these rights, email privacy@treba.io from the email address on your application. We will respond within 30 days as required by law and may need to verify your identity before acting.

9. How we protect your data

Treba operates ISO 27001-aligned controls across data handling. The Westlands operations centre uses biometric access control, 24/7 CCTV monitoring, network segmentation between client environments, dual fibre ISPs, and a clean-desk policy. Personal devices are not permitted on client networks.

Application CVs and profile data are stored in our content management platform with role-based access restricted to Treba personnel involved in candidate review. We test our controls regularly and notify candidates promptly in the event of a personal data breach affecting them, in line with statutory deadlines.

10. Contact and complaints

For any question about this notice, your data, or to exercise your rights, contact our privacy team:

If you remain dissatisfied with our response, you have the right to lodge a complaint with the supervisory authority in your jurisdiction:

  • Kenya: Office of the Data Protection Commissioner (ODPC) — odpc.go.ke.
  • United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk.

11. Changes to this notice

We may update this notice from time to time. The version date at the top of the page reflects the most recent revision. Material changes affecting how we use your application data will be communicated to active candidates by email where we hold a valid address.