Fluido Recruitment Privacy Policy

Privacy Policy on Recruitment

Effective date: 15-05-2026

Data Controller: Fluido Group [https://www.fluidogroup.com/]

Data Protection Officer: Vasudev Kamath, vasudevrk@infosys.com

Write to: privacy@infosys.com.

1. Introduction

This Candidate Recruitment Privacy Notice (“Notice”) explains how the Company collects, uses, stores, shares, and protects your personal data when you apply for employment or engage with our recruitment processes. We are committed to processing your personal data lawfully, fairly, and transparently, in accordance with the EU General Data Protection Regulation (“GDPR”) and all other applicable data protection laws.

Our recruitment processes are managed through Workday, a cloud-based Human Capital Management platform. When you apply, your personal data will be processed within the Workday Recruitment Module and may be accessible to authorized personnel on a need-to-know basis. By submitting your application, you acknowledge that you have read and understood this Notice.

2. Personal Data We Collect

We collect personal data at various stages of the application process. Certain data elements are mandatory and are required for us to process your application. Other data elements are voluntary, and your decision not to provide them will not affect your candidacy. The tables below describe the personal data we collect, organized by stage of the application process.

2.1 Candidate Profile

The following personal data is collected when you create your candidate profile and submit your application:

2.2 Application — Introduction and Background

The following data is collected or processed during the introductory stage of your application:

2.3 Application — Personal Information (Equal Employment Opportunity Data)

In accordance with applicable equal employment opportunity (“EEO”) laws and regulations, the following personal data is collected on a voluntary self-identification basis. This information is used solely for EEO compliance, reporting, and monitoring purposes and is not used in the evaluation of your candidacy or in any hiring decision. Responses are maintained separately from your application and are not accessible to hiring managers or recruiters involved in the selection process.

2.4 Application — Previous Worker Verification

3. Lawful Bases for Processing

We process your personal data on the basis of one or more of the following lawful bases, as determined by the jurisdiction in which you are located and the applicable data protection law.

3.1 European Union and United Kingdom (GDPR / UK GDPR)

Under the GDPR and UK GDPR, we rely on the following lawful bases under Article 6 and, where applicable, Article 9:

Performance of a Contract or Pre-Contractual Steps (Article 6(1)(b)). The processing of your mandatory application data — including your name, email, phone number, resume/CV, and related information — is necessary in order to take steps at your request prior to entering into an employment contract. Without this data, we cannot evaluate your application or progress your candidacy.

Legitimate Interests (Article 6(1)(f)). We process certain optional and automated data on the basis of our legitimate interests, where those interests are not overridden by your fundamental rights and freedoms. Specifically:

• LinkedIn Profile. Processing a publicly available professional profile serves our legitimate interest in evaluating candidates holistically. We limit our review to information relevant to the role and do not scrape or store entire profile data beyond what is reasonably necessary for assessing your candidacy.
• Referral Employee Name. Processing the name of the referring employee serves our legitimate interest in administering and tracking the effectiveness of our employee referral program. We note that this involves processing a third party’s personal data; the referring employee is separately informed of this processing through our internal privacy notices.
• Recruiting Sources (Auto-Tagging). Automatically tagging the recruitment source through which you arrived serves our legitimate interest in measuring recruitment marketing effectiveness. This automated tagging does not produce any legal or similarly significant effects on your candidacy and does not constitute automated decision-making within the meaning of GDPR Article 22. Tagging is limited to source attribution and does not influence the evaluation of your application.
• Resume Parsing (Automated Extraction). Automatically extracting structured data from your uploaded resume/CV serves our legitimate interest in operational efficiency and improving the candidate experience by reducing manual data entry. The parsed data is presented for your review and correction within your candidate profile. Resume parsing does not involve automated decision-making that produces legal or similarly significant effects; it is a data entry facilitation tool, and all substantive hiring decisions are made by human recruiters and hiring managers.
• Visa Sponsorship Information. Processing information about your current or future visa sponsorship needs serves our legitimate interest in workforce planning and immigration compliance. This information is not used to make discriminatory decisions based on nationality, national origin, or citizenship status; it is used solely to assess the Company’s ability to meet its obligations under applicable immigration laws. We do not use visa sponsorship responses to filter candidates prior to assessing their qualifications and suitability for the role.

Consent (Article 6(1)(a)). Where we rely on your consent as the lawful basis for processing, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

3.2 Special Category and Sensitive Data (Cross-Jurisdictional)

Certain data elements collected during the application process may constitute special category data (under the GDPR and UK GDPR) or otherwise require heightened protections under applicable law. We process such data only where a specific legal exemption or authorization applies in the relevant jurisdiction.

Gender, Race/Ethnicity, Hispanic or Latino Origin, Veteran Status, and Disability Status.

• EU/UK (GDPR / UK GDPR): Processed based on Article 9(2)(b), Article 9(2)(g) — processing is necessary for the purposes of carrying out our obligations and exercising our specific rights in the field of employment and social security law, insofar as it is authorized by applicable law.

This data is collected separately from the substantive evaluation of your application, is not accessible to hiring decision-makers, and is used only in aggregate for compliance reporting and workforce diversity monitoring.

Gender Pronouns. We recognize that gender pronouns may, in certain circumstances, reveal information about an individual’s sex life or sexual orientation, which constitutes special category data under GDPR Article 9(1). Accordingly, we collect gender pronouns on an entirely voluntary basis:

• EU/UK: Processed based on GDPR Article 9 (2) (a) your explicit consent.

You are under no obligation to provide your gender pronouns, and your decision not to do so will have no effect on your application. If you do choose to share your pronouns, we will use them solely for the purpose of addressing you respectfully throughout the recruitment process. You may withdraw your consent and request deletion of this data at any time by contacting us at privacy@infosys.com.

3.3 Legal Name (as on Government ID)

The collection of your legal name at the application stage is processed on the basis of Article 6(1)(b) pre-contractual steps. However, we acknowledge that this data element is not typically required at the initial application stage and becomes necessary only at later stages such as background verification and employment contract execution. If your legal name differs from your preferred name, you are not required to provide it at the point of application; we will request it at the appropriate stage if your candidacy progresses. Where collected at the application stage, legal name data is stored securely, and access is restricted to authorized personnel who require it for identity verification or pre-employment screening purposes.

Photograph / Visual Introduction: Where Fluido invites you to submit a photograph or visual introduction, this is collected on an entirely voluntary basis. Under the GDPR, we process this data based on Article 9(2)(a) your explicit consent — recognizing that photographic images may reveal racial or ethnic origin, health conditions, or religious beliefs.

4. Automated Processing and Profiling

4.1 Resume Parsing

When you upload your resume or CV, our recruitment system may use automated tools to extract and structure information such as your name, contact details, work history, education, and skills. This automated extraction is performed solely to facilitate the population of your candidate profile and improve the efficiency of the application process. It does not constitute solely automated decision-making that produces legal or similarly significant effects within the meaning of GDPR Article 22. All substantive decisions regarding your candidacy — including screening, shortlisting, and selection — are made by human recruiters and hiring managers who review your complete application.

4.2 Recruiting Source Auto-Tagging

Our recruitment system may automatically identify and record the source through which you arrived at our career site (e.g., a specific job board, social media platform, or career page URL). This automated tagging is used for recruitment analytics and does not influence the evaluation of your application or any hiring decision. You will not be subject to any adverse decision on the basis of your recruitment source.

4.3 Your Rights Regarding Automated Processing

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you (GDPR Article 22). If at any stage of the recruitment process you believe that a decision affecting your candidacy has been made solely by automated means without meaningful human involvement, you have the right to request human intervention, to express your point of view, and to contest the decision. To exercise this right, please contact us at [Privacy Contact Email].

5. How We Use Your Personal Data

We use your personal data for the following purposes:

• To evaluate your qualifications, experience, skills, and suitability for the position for which you have applied and, where you consent, for other positions that may become available.
• To communicate with you regarding your application status, interview scheduling, and other recruitment-related matters.
• To verify the information you have provided, including through background checks and reference checks (at the appropriate stage of the process and with your knowledge).
• To comply with applicable legal and regulatory obligations, including equal employment opportunity reporting and immigration law requirements.
• To administer and track the effectiveness of our recruitment channels, sources, and employee referral program.
• To improve our recruitment processes and candidate experience through analytics and reporting on aggregated, non-identifying data.
• To address you respectfully and in accordance with your stated preferences (e.g., gender pronouns), where voluntarily provided.
• To assess logistical and administrative considerations such as work location, relocation, compensation alignment, and engagement model (e.g., full-time versus freelance/consulting).

6. How We Share Your Personal Data

We may share your personal data with the following categories of recipients, each of whom is bound by appropriate confidentiality and data protection obligations:

Internal Recipients. Your application data will be accessible to authorized personnel within the Company who are directly involved in the recruitment process, including recruiters, hiring managers, and members of the relevant interview panel. EEO data is accessible only to authorized HR and compliance personnel and is not shared with hiring decision-makers.

Service Providers and Data Processors. Your personal data is processed within the Workday Recruitment Module, a cloud-based platform operated by Workday, Inc. as a data processor on behalf of the Company. A Data Processing Agreement has been executed with Workday governing its obligations with respect to your personal data. Your data may also be shared with other service providers engaged by the Company to support the recruitment process, such as background check providers, assessment or psychometric testing providers, and recruitment agencies, each under appropriate data processing agreements.

Legal and Regulatory Authorities. We may disclose your personal data to governmental or regulatory authorities where required to comply with applicable laws, regulations, or legal proceedings, including EEO reporting obligations.

Group Entities. Where the Company is part of a group of affiliated entities, your personal data may be shared with affiliates for the purposes of centralized recruitment administration, subject to appropriate data sharing agreements.

We do not sell your personal data to third parties. We do not share your personal data with third parties for their own direct marketing purposes.

7. International Data Transfers

Your personal data may be transferred to, stored in, or accessed from countries outside the European Economic Area (“EEA”), the United Kingdom, or Switzerland, including the United States, and also India where parent entity operates. Where such transfers occur, we ensure that appropriate safeguards are in place, including:

• Adequacy Decisions adopted by the European Commission under GDPR Article 45.
• Standard Contractual Clauses (“SCCs”) approved by the European Commission under GDPR Article 46(2)(c).
• Binding Corporate Rules approved by the competent supervisory authority as part of intra-group entities.

You may request a copy of the applicable transfer mechanism by contacting us at privacy@infosys.com.

8. Data Retention

We retain your personal data for the following periods:

Successful Candidates. If you are offered and accept employment with the Company, your recruitment data will be transferred to your employee personnel file and retained in accordance with our Employee Privacy Notice and applicable retention policies.

Unsuccessful Candidates. If your application is unsuccessful, we will retain your personal data for a period of [insert period — typically six months to two years, depending on jurisdiction] following the conclusion of the recruitment process, in order to defend against potential legal claims, to comply with applicable legal obligations, and to contact you about future opportunities (where you have consented to this). After the expiration of this retention period, your personal data will be securely deleted or anonymized.

Talent Pool. Where you have provided your consent, we may retain your personal data in our talent pool for the purpose of contacting you about future job opportunities. You may withdraw your consent and request removal from the talent pool at any time.

9. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

• Right of Access — to request a copy of the personal data we hold about you.
• Right to Rectification — to request correction of inaccurate or incomplete personal data.
• Right to Erasure — to request deletion of your personal data where processing is no longer necessary or where you withdraw consent.
• Right to Restriction of Processing — to request that we restrict the processing of your personal data in certain circumstances.
• Right to Data Portability — to receive your personal data in a structured, commonly used, and machine-readable format.
• Right to Object — to object to the processing of your personal data on grounds relating to your situation, where processing is based on legitimate interests.
• Right Not to Be Subject to Automated Decision-Making — to not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
• Right to Withdraw Consent — where processing is based on consent, to withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.
• Right to Lodge a Complaint — to lodge a complaint with your local data protection supervisory authority.

To exercise any of your rights, please contact us at privacy@infosys.com. We will respond to your request within the timeframe required by applicable law.

10. Security

We have implemented appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit and at rest, role-based access controls, multi-factor authentication, and regular security assessments. Your personal data is processed within the Workday Recruitment Module, which maintains SOC 2 Type II certification, ISO 27001 certification, and other industry-recognized security standards.

11. Changes to This Notice

We may update this Notice from time to time to reflect changes in our recruitment practices, applicable laws, or the technology we use. Where material changes are made, we will notify you by posting the updated Notice on our career site and updating the effective date. We encourage you to review this Notice periodically.

12. Contact Us

If you have any questions, concerns, or requests regarding this Notice or the If you have any questions, concerns, or requests regarding this Notice or our processing of your personal information, please contact us at: privacy@infosys.com

Data Protection Officer: Vasudev Kamath, vasudevrk@infosys.com

You also have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

United Kingdom: Information Commissioner’s Office (ICO) Website: https://ico.org.uk/ Complaints information: https://ico.org.uk/make-a-complaint/

Annexure – List of Data Controllers