Candidate Privacy Notice (Recruitment) — Pentaleap GmbH

Effective Date: October 27, 2025

Data Controller: Pentaleap GmbH, Kurfürstendamm 11, 10719 Berlin, Germany, HRB 266578 B, Amtsgericht Charlottenburg ("Pentaleap", "we", "us").

Contact Email: privacy@pentaleap.com

Data Protection Officer (DPO): HeyData GmbH, Urbanstraße 71, 10967 Berlin, Germany — dpo@heydata.eu (please include "Pentaleap" in the subject line). (GDPR Art. 13(1)(a)–(b))

1. Purpose of this Notice

This Notice explains how we collect, use, store, and protect your personal data during our recruitment process for employees and interns. It fulfils our transparency duties toward candidates. (GDPR Art. 13(1)–(2))

2. Personal Data We Process

We process the data you provide when applying for a position, including:

We do not request special categories of data. If you voluntarily include such information, we will either delete it or process it only under a valid legal basis (e.g., your explicit consent). (GDPR Art. 9)

3. Purposes and Legal Bases

We process your data to: (i) evaluate your application and suitability; (ii) communicate with you; (iii) organise and conduct interviews; and (iv) maintain a talent pool only with your separate consent.

Legal bases: our legitimate interest in managing and evaluating applications (GDPR Art. 6(1)(f)); and your explicit consent for talent-pool retention beyond the current vacancy (GDPR Art. 6(1)(a)) — which you may withdraw at any time without affecting prior processing (GDPR Art. 13(2)(c)).

4. Use of Artificial Intelligence (AI) in Recruitment

a) Description. To improve efficiency and consistency, we use AI technology for an initial relevance scoring of CVs. (Transparency under GDPR Art. 13(2)).

b) How it works. Your CV text is transmitted to the AI model "Mistral Small" provided by our cloud partner Scaleway SAS (France). The model compares your experience, education, and skills to job criteria and generates a recommendation score for human reviewers. (GDPR Arts. 28 & 13(2)(f))

c) Human review (no solely automated decisions). We do not make decisions solely by automated means: the AI score is only a supporting tool; final decisions are made by human recruiters or hiring managers. (GDPR Art. 22(1)).

d) Risk & fairness. We conducted a Data Protection Impact Assessment (DPIA) covering fairness, bias, transparency, and risk mitigation measures, with support from our external DPO. (GDPR Art. 35).

5. Transparency under the EU Artificial Intelligence Act (AI Act)

We inform you that AI is used to assist in the pre-screening of candidate applications. We maintain human oversight, and upon request we will explain the purpose and limitations of the tool and how AI affects the evaluation process. (AI Act Art. 52(1)).

Regulatory note. AI systems used for recruitment and employment may fall under Annex III (Employment) and be classified as high-risk under AI Act Art. 6(2). Pentaleap currently uses AI only as an assistive tool with human decision-making; however, if the system were to qualify as high-risk, Pentaleap would comply with the obligations of deployers (human oversight, logging, monitoring, user instructions, training, risk mitigation) under AI Act Art. 26.

6. Data Processors and Third Parties

For AI-assisted analysis, we use Scaleway SAS, 8 rue de la Ville-l'Évêque, 75008 Paris, France, acting as our data processor. Processing occurs within the EU, strictly on our documented instructions, under a Data Processing Agreement (DPA) that prohibits secondary use (e.g., model training) and requires adequate security. (GDPR Art. 28).

External DPO access (not a processor). Our external DPO (HeyData GmbH) acts independently under GDPR Arts. 38–39 and is not a data processor for candidate data. Where necessary (e.g., for a complaint or complex request), the DPO may access data strictly to the extent required and subject to confidentiality.

Pentaleap remains fully responsible for all processing activities conducted on its behalf. (GDPR Art. 28(10)).

7. International Data Transfers

Where recruitment involves our affiliated entity Pentaleap Inc. (United States) or access from outside the EEA, we transfer personal data in accordance with GDPR Chapter V, relying on the EU Standard Contractual Clauses (SCCs) and appropriate technical and organisational safeguards (e.g., access controls and minimisation). Copies of the relevant SCCs can be provided upon request.

If you apply specifically for a role at Pentaleap Inc., that entity acts as a separate data controller for the U.S. recruitment process.

8. Data Retention

We retain personal data for 6 months after the vacancy is closed to handle potential claims and reconsider your application for similar roles. After this period, data is deleted or anonymised. If we wish to keep your data longer (e.g., for a talent pool), we will obtain your explicit consent. Certain data may be retained longer if required by law or due to ongoing legal matters. (GDPR Art. 5(1)(e), 13(2)(a)).

9. Your Rights (GDPR) and AI-Related Rights

You may exercise the following rights: access, rectification, erasure, restriction, and withdrawal of consent (without affecting prior processing). (GDPR Arts. 15–18, 7(3)).

Regarding AI use and profiling, you may: request human intervention, express your view, and contest any AI-based assessment. (GDPR Art. 22; AI Act Art. 52).

To exercise your rights, contact privacy@pentaleap.com or dpo@heydata.eu. You may also lodge a complaint with the Berlin Data Protection Authority (BlnBDI) or another EU supervisory authority. (GDPR Art. 77).

10. Data Security

We implement appropriate technical and organisational measures ("TOMs"), including encryption, access controls, and secure EU-based hosting, to protect data against unauthorised access or disclosure. (GDPR Art. 32).

Where a system is classified as high-risk under the AI Act, we ensure ongoing monitoring, logging, and suspension procedures if risks to fundamental rights are identified, in line with AI Act Art. 26.

11. Updates to this Notice

We may update this Notice periodically to reflect legal or operational changes; material updates will be communicated appropriately before further processing. (GDPR Art. 13(3)).

Pentaleap GmbH
We respect your privacy and use AI responsibly — always with human oversight, transparency, and fairness — in line with the GDPR and the EU Artificial Intelligence Act.