You may withdraw consent at any time without affecting the lawfulness of prior processing.

5. Data Sharing

We share data only with those who have a legitimate need:

•   Internal hiring team (across our offices)

•   Applicant tracking system provider

•   Skills assessment and testing platform providers

•   Video interview and communication platform providers

•   Email and recruitment communication service providers

•   Background check and identity verification providers (where applicable)

•   Immigration and visa service providers (where applicable)

•   Professional advisors (legal, tax, audit) as necessary

•   Regulatory authorities, courts, or law enforcement where required by law

All processors operate under written data processing agreements. We do not sell your personal data. To the extent that cookies or similar technologies on our careers site transmit data to third-party analytics or advertising providers, such activity is governed by Section 15 (Cookies and Tracking) and your consent preferences. We do not use candidate personal data submitted through applications for cross-context behavioral advertising purposes.

6. International Transfers

Your data may be transferred to countries other than where you reside. We implement safeguards as required by law, including Standard Contractual Clauses (SCCs) for EEA transfers, the UK International Data Transfer Agreement or UK Addendum for UK transfers, equivalent safeguards under the UAE PDPL, and applicable adequacy decisions. Contact privacy@puffy.com to request copies of transfer safeguards.

7. Assessment Process and Use of Algorithmic Tools

Our recruitment process may include technology-enabled assessments administered through third-party platforms. These assessments use algorithmic scoring to evaluate candidates on skills, aptitude, psychometric attributes, and other role-relevant competencies. Assessment results are algorithmically generated based on your responses.

What Is Collected During Assessments

•   Assessment responses and interactions are recorded and algorithmically scored

•   Proctoring photographs may be captured at specific checkpoints for identity verification

•   For certain roles, audio recordings and transcripts of live interviews may be collected and shared with our global hiring team

Technical Requirements

•   Webcam access is required when specified

•   Full-screen mode and active window focus are mandatory

•   Switching applications may result in immediate assessment termination

Candidates who use assistive technology that requires application switching should request an accommodation before beginning the assessment (see Section 13).

Human Oversight

All assessment results are reviewed by our recruitment team before any hiring decision is made. Algorithmic scores inform but do not determine hiring outcomes. No candidate is advanced or rejected based solely on an algorithmic score without human review. You have the right to request information about the logic involved in algorithmic assessment and to request meaningful human intervention in any evaluation decision.

EU AI Act Compliance

AI systems used in recruitment and candidate evaluation are classified as high-risk under Annex III of the EU AI Act (Regulation (EU) 2024/1689). In accordance with Article 26 obligations for deployers of high-risk AI systems, we ensure: human oversight of all AI-assisted evaluations, transparency about the use of algorithmic tools in candidate assessment, monitoring for potential discriminatory outcomes, and maintenance of appropriate documentation and logs. If you have questions about how algorithmic tools are used in your assessment, contact privacy@puffy.com.

NYC Automated Employment Decision Tools (Where Applicable)

For roles where candidates reside in or the position is associated with New York City, we comply with NYC Local Law 144. Where an automated employment decision tool (AEDT) is used, we provide advance notice to candidates and make available a summary of the most recent independent bias audit results. Contact privacy@puffy.com for audit summary information.

Assessment platforms process data on our behalf under data processing agreements. Each platform maintains its own privacy policy and data security standards. Data storage locations vary by platform.

8. Retention

•   Successful candidates: data becomes part of employment records.

•   Unsuccessful candidates: retained for 12 months from the final decision.

•   Withdrawn candidates: retained for 12 months from withdrawal.

•   Biometric data: we instruct our assessment platform provider to delete biometric data following completion of the hiring process for the applicable role.

After the retention period, data is securely deleted or anonymized. You may request earlier deletion, subject to our legal obligations.

9. Your Rights

Depending on your location and applicable law:

EEA / UK (GDPR / UK GDPR)

•   Access, rectification, erasure, restriction, portability, objection

•   Withdraw consent at any time

•   Lodge a complaint with your local supervisory authority

California (CCPA / CPRA)

•   Know categories and specific pieces collected, delete, correct

•   Non-discrimination for exercising rights

We do not sell, share, or use sensitive personal information to infer characteristics.

UAE (PDPL)

•   Access, rectification, erasure, restriction, portability, objection

•   Complaint to the UAE Data Office

India (DPDPA)

•   Access, correction, erasure, grievance redressal, nomination

Canada (PIPEDA)

•   Access, correction, withdrawal of consent

•   Complaint to the Office of the Privacy Commissioner of Canada

Brazil (LGPD)

•   Confirm processing, access, correct, anonymize/block/delete, portability, revoke consent

•   Information about entities data is shared with

•   Complaint to the ANPD

Australia (Privacy Act)

•   Access, correction

•   Complaint to the OAIC

Other Jurisdictions

We honor applicable rights under your local data protection law. Contact privacy@puffy.com.

How to Exercise

Email privacy@puffy.com. Response within the timeframe required by applicable law: one calendar month (GDPR/UK GDPR), extendable by two further months for complex or voluminous requests with notice; 45 days (CCPA/CPRA), extendable by an additional 45 days with notice; or as specified by other applicable law. Identity verification may be required.

10. Decision-Making

All screening, evaluation, and hiring decisions involve human review. No candidate is rejected without individual human consideration. Algorithmic assessment scores are used as one input among several and do not solely determine any outcome.

11. Recruitment Communications

You may receive application-related communications via email, phone, or text. To opt out of non-essential communications, contact careers@puffy.com. This will not affect communications necessary to process your active application.

12. Interview Recordings

Where interviews are recorded (audio or video), you will be informed before recording begins and your consent will be obtained. In all jurisdictions requiring all-party consent for recordings, recording will not proceed without your affirmative consent.

13. Disability Accommodation

If you have a need that requires accommodation during the recruitment process, including an inability to complete an automated assessment, please contact careers@puffy.com so we can arrange an alternative evaluation process. We are committed to providing reasonable accommodations as required by the Americans with Disabilities Act (ADA) and equivalent laws in other jurisdictions.

14. References

If you provide referee details, you are responsible for obtaining their consent before sharing their information with us.

15. Cookies and Tracking

careers.puffy.com uses cookies for analytics and site functionality. Non-essential cookies (including analytics and advertising cookies) require your consent via our cookie preference center, which is presented when you first visit the site. You can update your preferences at any time through the cookie settings available on the site.

16. Changes

We may update this notice. The version number and dates above indicate the most recent revision. Material changes will be communicated to affected candidates where practicable.

17. Contact

Privacy and rights requests: privacy@puffy.com

Recruitment inquiries and accommodation requests: careers@puffy.com

Puffy has assessed its processing activities and determined that the appointment of a Data Protection Officer is not required under current candidate data processing volumes. This determination is reviewed periodically in accordance with applicable law.

Acknowledgment and Consent

By submitting your application, you acknowledge that you have read and understood this Candidate Privacy and Consent Notice. This acknowledgment does not constitute consent for any specific processing activity described in this notice.

We process your data on the legal bases described above. For processing activities that require your consent (proctoring photographs, biometric data collection, sensitive personal data, and background checks), we obtain your explicit consent through a separate affirmative action at the relevant stage of the recruitment process. This may include a consent checkbox, a written consent form, or a recorded verbal confirmation, depending on the activity and applicable legal requirements. You may withdraw consent at any time by contacting privacy@puffy.com, without affecting the lawfulness of processing carried out before withdrawal.