Real Links Privacy Policy

1. PURPOSE OF THIS POLICY

• REAL LINKS LIMITED (Company number 10570135) of Wellesley House Duke Of Wellington Avenue, Royal Arsenal, London, England, SE18 6SS (Real Links, we, us or our) provides the products and services offered on our website (www.reallinks.app) and through our cloud-based platform to our clients with white-labelled company branding (Services).

• For the purposes of the Data Protection Act 2018 (the Act), we are a data controller (registered with the Information Commissioner’s Office for data protection: #ZA362196), for the personal data processed by us detailed in this Privacy Policy.

• We have adopted this Privacy Policy to ensure that we have standards in place to protect the personal data that we collect and receive about individuals in the course of: i) providing the Services that we offer to our clients; ii) communicating with individuals; and iii) the normal operations of our business.

• By publishing this Privacy Policy we aim to make it easy for our users, clients and the public to understand what data we collect, receive and store, why we do so, how we receive and/or obtain that information, and the rights an individual has with respect to their data in our possession.

2. WHO AND WHAT THIS POLICY APPLIES TO

• Our Privacy Policy does not apply to information we collect about businesses or companies, however it does apply to information about the people in those businesses or companies, referred to in this Privacy Policy as ‘personal data’ or simply ‘data’.

• The Privacy Policy applies to all forms of information, physical and digital, whether collected or stored electronically or in hardcopy that relate to an identifiable person.

• We do not provide Services to, or collect data from, children (persons under the age of 18 years).

• We will publicise any changes to this Privacy Policy on our website.

3. VISITING OUR WEBSITE

• You can visit our website without telling us who you are or revealing any information about yourself, including your email address. In this case, our server may collect the name, address, the IP address and domain you used to access the website, the type and version of browser and operating system you are using, and the website you came from and visit next.

• This information is used by us to measure the number of visits, average time spent, page views, and other statistics about visitors to our website in general. We may also use this data to monitor site performance for systems administration purposes, to make our website easier and more convenient to use and to report information in aggregate form to our advisers (e.g. how many visitors log in to our website).

• Refer to our Cookies Policy (below) for further information about the cookies we use to collect information from visitors to our website.

4. CONSENT – OPT IN, OPT OUT AND OBJECTING TO PROCESSING

• Where we rely on their consent as a legal basis for processing, an individual may withdraw consent to that processing at any time. Where we rely on the necessity of our legitimate interests as a legal basis for processing, an individual can object to that processing at any time. Unlike your right to withdraw consent, the right to object is a qualified right, which means that it only applies in certain circumstances. However we will always take such an objection under consideration and will generally comply where possible. We will only refuse such a request with strong and legitimate reasons, which will be communicated to you in writing. There is more information about your rights contained below at paragraphs 13 and 14.Withdrawing consent or objecting to the processing of some types of personal data may prevent us from offering some or all of our Services and may terminate access to some or all of the Services we provide. Where required to do so by law, we will give individuals an opportunity to either:Opt In. Where relevant, the individual will have the right to choose whether or not to have information collected and/or receive information from us; or

• Opt Out. Where relevant, the individual will have the right to choose to exclude himself or herself from some or all collection of information and/or receiving information from us. An individual may also revoke their consent or object to processing at any time, and this decision will be made through the same media which allowed the individual to opt in (and potentially other media).

• If an individual believes that they have received information from us that they did not opt in or objected to receiving, they should contact us using the details below.

5. THE INFORMATION WE COLLECT AND RECEIVE

The Categories of information we may collect or receive is set out below. Please note that, depending on what is being done with this data, we may be acting as a controller or a processor on behalf of a third party (such as a client) when collecting or receiving this information. We have set out our role in relation to the various processing activities that we carry out in the table at the end of this Privacy Policy to help you understand our Services more clearly.

• Personal Information. We may collect or receive personal details such as an individual’s name, job title, work history and other information that allows us to identify who the individual is;

• Internal mobility information. We may receive information about our clients’ employees skills, experience and interests from our clients’ employees (if using the internal mobility platform);

• Contact Information. We may collect or receive information such as an individual’s email address, telephone number, mailing address and other information that allows us to contact the individual;

• Statistical Information. We may collect or receive information about an individual’s online and offline preferences, habits, movements, trends, decisions, and other information for statistical purposes;

• Digital Information. We may collect or receive your IP address and device-specific information; and

• Information provided to us. We may collect or receive any personal correspondence that an individual sends us, or that is sent to us by others about the individual’s activities, including activities with our clients and partners.

We do not collect special categories personal data, however, if we do inadvertently process special categories personal data we will do so in accordance with this Privacy Policy and delete it as soon as practicable after becoming aware of it.If we collect or receive other personal data about an individual not mentioned above, it will be processed in accordance with this Privacy Policy and the relevant individuals will be notified where it is not impossible or impracticable to do so.

6. HOW INFORMATION IS COLLECTED

• Most information will be collected or received in association with:1. an individual’s use of our website(s) and/or Services, an enquiry about Real Links or generally dealing with us; or

• our engagement to provide our Services to clients who provide us with information relating to individuals that are employees, staff or job candidates. To the extent using the Internal Mobility Platform, we may also receive Internal Mobility information directly from individuals that are employees of our clients that relates to themselves.

• Real Links will publish changes to the way that information is collected at the point of collection and within this policy.

7. HOW DATA IS STORED

• We will retain data for the period necessary to fulfil the purposes outlined in this policy unless a longer retention period is required or permitted by law.

8. WHEN DATA IS USED

• We use personal data in a variety of different ways depending on who you are and how you are interacting with us. We have prepared a table (found at the end of this Privacy Policy) which provides an overview of the personal data that we collect where it applies to specific categories of data subjects, our role in relation to that personal data, the purposes for which that data is used, the legal basis which permits us to use it and the rights that you have in relation to your personal data. Where it is our clients who act as the controller for your personal data, our clients will take primary responsibility for your personal data and you should refer to their privacy notices or policies to understand how they use your data. However, we have included details of how your data is used under our Services in our Privacy Policy to help you, as a data subject, understand our Services more clearly and to help our clients, as controllers, to be as transparent as possible. Please refer to the table at the end of the Privacy Policy for a more detailed explanation of how we (and our clients when using our Services) use your personal data.

• In general, we use personal data to:enable us to operate our business and provide Services to our clients;

• answer enquiries and questions from individuals and communicating with future opportunities and/or registration;

• develop appropriate new features, functions and content for our Services;

• investigate any complaints about or made by an individual or client, or if we have reason to suspect that an individual or client is in breach of any of our terms and conditions or that an individual or client is or has been otherwise engaged in any unlawful activity;

• carry out regulatory checks and meeting our obligations to our regulators; and/or

• as required or permitted by any law (including the Act).

3. If you publicly post about Real Links, or communicate directly with us, on a social media website, we may collect and process the data contained in such posts or in your public profile for the purpose of addressing any customer’s Services requests you may have and to monitor and influence public opinion of Real Links.

9. WHEN DATA IS DISCLOSED

• It may be necessary for us to disclose an individual’s data to third parties in a manner compliant with the Act in the course of our business, such as for processing activities like website hosting.

• We will not sell an individual’s data to unrelated third parties, unless applicable consent has been obtained for us to partner with those companies to offer you related services, or employ other companies to perform tasks on our behalf and we need to share your information with them to provide products and Services to you.

• There are some circumstances in which we must disclose an individual’s information:1. Where we reasonably believe that an individual may be engaged in fraudulent, deceptive or unlawful activity that a governmental authority should be made aware of;

• As required by any law (including the Act) including court orders; and/or

• In order to sell our business (as we may transfer data to a new owner).

• We will not disclose an individual’s data to any entity outside of the UK, unless a) that entity operates in a jurisdiction with laws that are at least equivalent to the Act or the UK General Data Protection Regulation, which includes any jurisdiction within the European Economic Area and any jurisdictions found adequate by the European Commission or the UK Government (Adequate Jurisdictions). We will take reasonable steps to ensure that any disclosure to an entity or body based outside of an Adequate Jurisdiction will not be made until that entity has agreed in writing with us to safeguard data as we do using up to date standard contractual clauses.

• We may partner with or utilise third-party service providers (such as Gmail from Google, Inc) to communicate with an individual or client and to store contact details about an individual or client. We have agreed with these service providers that they should store our data in servers based in Adequate Jurisdictions. However, they may occasionally access personal data from outside of an Adequate Jurisdiction to provide essential maintenance, including from the United States of America. As detailed above, where this is the case, our service providers have put in place contractual, technical and organisational measures to ensure your data is protected to same level as it would be in an Adequate Jurisdiction.

• If Real Links gets involved in a merger, asset sale, financing, liquidation or bankruptcy, or acquisition of all or some portion of the business to another company, we may share personal data with that company before and after the transaction closes but only when necessary to fulfill our legitimate interests and it will remain subject to the same protections provided from under this Privacy Policy.

10. CONNECTED THIRD-PARTY SOCIAL MEDIA ACCOUNTS (TIKTOK)

• Our Services include an optional integration that allows an individual to connect their personal TikTok account in order to publish company-approved content to their own TikTok profile. This integration is only activated when the individual explicitly initiates a “Connect TikTok” action within our Services and grants consent on TikTok’s authorisation screen.

• When an individual connects their TikTok account, we receive and store the following information from TikTok, limited to the scopes the individual has consented to:1. A unique TikTok user identifier and the public display name of the connected account (via the user.info.basic scope), used to display the connected account inside our Services so the individual can confirm the correct profile before posting.

• An OAuth access token, stored only to enable the individual to publish content to their TikTok account through our Services. Tokens are stored under the security safeguards described in Section 12 and are never shared with third parties.

3. We use this information solely to:

• Display the connected TikTok account inside the individual’s profile in our Services;

• Publish content directly to the individual’s TikTok profile at the individual’s request, using the privacy level selected by the individual (via the video.publish scope); and

• Upload content as a draft to the individual’s TikTok inbox at the individual’s request, so the individual can finish editing the post inside the TikTok app before publishing (via the video.upload scope).

4. We do not request, receive, store, or analyse the individual’s existing TikTok posts, followers, watch history, or any other TikTok activity beyond what is strictly required to perform the actions described above. Each post is initiated by the individual; we do not post automatically on the individual’s behalf.5. We do not sell or share TikTok-derived data with any third party. Data received from TikTok is processed under the same safeguards described elsewhere in this Privacy Policy.6. An individual may disconnect their TikTok account at any time by:

• Replacing or removing their TikTok connection within their profile settings in our Services, which invalidates our stored access token; and/or

• Removing Real Links Shares from the connected applications list inside their TikTok account settings at https://www.tiktok.com/setting/connected-apps.

7. Use of the TikTok integration is also subject to TikTok’s own Terms of Service and Privacy Policy, available at https://www.tiktok.com/legal.

10A. CONNECTED LINKEDIN ACCOUNTS (“REAL LINKS” AND “REAL LINKS COMMUNITY” LINKEDIN APPS)

• Our Services include optional integrations with LinkedIn delivered through two separate LinkedIn Developer applications operated by Real Links Limited. Each application has its own LinkedIn Client ID, its own OAuth credentials, its own consent screen, its own approved scope set and its own access tokens; no data, token or permission is shared between them.

  • “Real Links” — the original LinkedIn application, in production use by Real Links customers for several years. It is used solely for individual LinkedIn sign-in / account linking and for publishing Employer-approved content to the individual member’s own personal LinkedIn feed. Its scope set is limited to member-level sign-in and personal-feed publishing (historically r_liteprofile / r_emailaddress / w_member_social, and their openid / profile / email equivalents on LinkedIn’s newer consumer OIDC stack). It does not request, and has never requested, any organisation-level scope.

  • “Real Links Community” — a separate, newer LinkedIn application, registered independently in the LinkedIn Developer Portal and currently being submitted for LinkedIn app verification and scope approval. It is used exclusively by individuals who are authorised administrators of a LinkedIn company page, to publish Employer-approved content to a company page they are entitled to manage (and, where the administrator opts in, to read aggregated post-level analytics for content we published on that page’s behalf). Its scope set is limited to organisation-level scopes (r_organization_admin / rw_organization_admin, w_organization_social, and, where opted in, r_organization_social). The Real Links Community app does not provide individual sign-in, does not post to personal LinkedIn feeds, and does not share state with the original Real Links app.

  Each integration is activated only when the individual explicitly initiates a “Sign in with LinkedIn”, “Connect LinkedIn” or “Connect LinkedIn Page” action within our Services and grants consent on LinkedIn’s authorisation screen for the specific app concerned.

• When an individual connects a LinkedIn account through the “Real Links” app, we may receive and store the following information from LinkedIn, limited to the OAuth scopes the individual has consented to:

  1. A LinkedIn member identifier (sub / member URN) and basic profile fields (name and profile picture, via the profile / openid scopes), used to display the connected account inside our Services so the individual can confirm the correct profile before posting.
  2. The individual’s primary email address (via the email scope) where required for account linking or notifications.
  3. An OAuth access token (and, where issued by LinkedIn, a refresh token), stored only to enable the individual to publish Employer-approved content to their own LinkedIn feed (via the w_member_social scope) at the individual’s request. Tokens are stored under the security safeguards described in Section 12 and are never shared with third parties.

• When an authorised page administrator connects an organisation through the “Real Links Community” app, we may additionally receive and store, limited to the scopes the administrator has consented to:

  1. The list of LinkedIn organisations / company pages the administrator is authorised to manage and the administrator’s role on those pages (via the r_organization_admin / rw_organization_admin scopes), used to let the administrator select the correct page.
  2. An OAuth access token, stored only to enable publishing of Employer-approved content to the selected company page (via the w_organization_social scope) and, where the administrator opts in, to read aggregated post-level performance metrics for content we published on the page’s behalf (via the r_organization_social scope).

• We use this information solely to:

  • Display the connected LinkedIn account or company page inside our Services so the individual can confirm what they are posting to;
  • Publish content directly to the individual’s LinkedIn profile or to the selected company page at the individual’s express request, using the visibility setting selected by the individual; and
  • Where opted in, report back to the Employer aggregated, post-level performance metrics for content we published, so the Employer can measure the effectiveness of its referral campaign.

• What the “Real Links” and “Real Links Community” LinkedIn apps DO NOT do. For the avoidance of doubt, neither app:

  • reads, ingests, stores or analyses the individual’s LinkedIn feed, connections, network, messages, InMail, notifications, search history or browsing activity;
  • downloads or stores the individual’s connection graph, follower list or contact list;
  • posts, comments, likes, follows, sends connection requests or sends messages automatically or on a schedule — every post is initiated by an explicit, in-product action by the individual or page administrator;
  • posts on behalf of an individual to a third party’s profile or to any LinkedIn surface other than (i) the individual’s own feed (Real Links app) or (ii) a company page the administrator is verifiably authorised to manage (Real Links Community app);
  • shares, sells, rents, licenses or transfers any data received from LinkedIn to any advertiser, data broker, AI training dataset or other third party; or
  • uses LinkedIn data to build advertising profiles, to retarget individuals outside our Services, or for any purpose not described in this Privacy Policy.

• We do not retain LinkedIn-derived data longer than necessary for the purposes above. Access tokens are revoked and deleted when the individual disconnects their account, when the token expires and is not refreshed, or on closure of the Real Links account.

• An individual or page administrator may disconnect a LinkedIn account at any time by:

  • Replacing or removing the LinkedIn connection within their profile or page settings in our Services, which invalidates our stored access token; and/or
  • Removing the “Real Links” or “Real Links Community” application from the permitted-services list inside their LinkedIn account at https://www.linkedin.com/mypreferences/d/data-sharing-for-permitted-services.

• Use of the LinkedIn integrations is also subject to LinkedIn’s own User Agreement (https://www.linkedin.com/legal/user-agreement), Privacy Policy (https://www.linkedin.com/legal/privacy-policy) and Professional Community Policies (https://www.linkedin.com/legal/professional-community-policies). LinkedIn is a separate controller for the data it holds about its members; that data remains governed by LinkedIn’s own terms and policies.

11. COOKIE POLICY

• Our website may use cookies to distinguish you from other users of our platform. This helps us to provide you with a good experience when you browse our platform and also allows us to improve our website. Your consent will be obtained prior to our use of cookies on our platform and you are able to revoke that consent by following the method below.

• A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your device if you agree. Cookies contain information that is transferred to your device’s hard drive. You block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website for which we require the use of cookies.

12. THE SAFETY & SECURITY OF DATA

• We will take all reasonable precautions to protect an individual’s and our client’s data from unauthorised access, loss and unplanned unavailability. This includes appropriately securing our physical facilities and digital networks. We limit access to your personal data to those who have a genuine business need to know it. Those with access to your information will only use it in an authorised manner and are subject to a duty of confidentiality.

• We also have a process in place to deal with any suspected security incident that involves unauthorised access, loss or unavailability of your personal data. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

• Unfortunately, the security of online transactions and the security of communications sent by electronic means cannot be guaranteed. Although we take reasonable steps to protect your personal data. each client and individual that provides information to us does so at their own risk. We cannot accept responsibility for misuse or loss of, or unauthorised access to, data where we have taken reasonable steps to protect against thee threats and/or the absolute security of information is not within our control.

• We are not responsible for the privacy or security practices of any third party (including third parties that we are permitted to disclose an individual’s data to in accordance with this Privacy Policy or any applicable laws). The collection and use of an individual’s information by such third parties may be subject to separate privacy and security policies. It is important that you read any such policies, including those of our clients, to ensure you clearly understand how your personal data is being processed.

• If you suspect any misuse or loss of, or nauthorized access to, their data, please let us know immediately using the contact details in this Privacy Policy.

13. HOW TO ACCESS AND/OR UPDATE INFORMATION

• The Act gives you the right to make certain requests from us in respect of the personal data that we have about you.

• You have a right to request i) a copy of the personal data we hold about you, ii) correction of any inaccuracies in the information we hold about you, iii) the deletion of information that we hold about you, iv) that we port your personal data to another controller. You also have the right to object to how we process your personal data, which is covered in more detail above at paragraph 4 above and paragraph 14 below. Some of these rights are qualified rights, which means they only apply in certain circumstances. You can find out more about when these apply by visiting the ICO website (linked here).

• It is an individual’s responsibility to provide us with accurate and truthful data. Please ensure you let us know if there is a change in your circumstances which would require us to update the details we hold about you.

• Generally, we do not charge for responding to any of the above mentioned requests. However, we may charge an individual a reasonable fee for our administrative costs incurred in responding to access requests that are manifestly unfounded or excessive. We may also need to clarify the parameters or scope of your request before responding substantively.

• We will aim to respond to any of the above requests within one month but it may take longer if the request involves large amounts of information or many different sources. We will always let you know if this is the case.

• We do not use your information for automated decision making.

14. ACCOUNT DELETION

• If you wish to delete your account and all associated personal data, you can do so at any time by visiting our account deletion page: /public/delete-account

• When you request account deletion:Your account will be marked for deletion immediately

• All personal data will be permanently deleted within 30 days of your request

• Please note that account deletion is permanent and cannot be undone. If you have any questions about account deletion, please contact us at support@reallinks.app before proceeding.

15. COMPLAINTS AND DISPUTES

• You have the right to object to:1. processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);

• direct marketing; and

• processing for purposes of scientific/historical research and statistics unless we hold legitimate grounds for processing or the processing is for the establishment, exercise or defence of legal claims.

2. If an individual has an objection or complaint about our handling of their data, they should address their complaint in writing to the details below.3. You have the right to lodge a complaint with a supervisory authority such as the ICO if you consider that the processing of your data infringes the Act or the UK General Data Protection Regulation.4. If we have a dispute regarding an individual’s data, we both must first attempt to resolve the issue directly between us.

16. ADDITIONS TO THIS POLICY

• We reserve the right to modify this privacy policy at any time, so please review it frequently. Changes and clarifications will take effect immediately upon their posting on the website. If we make material changes to this policy, we will notify you here that it has been updated, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we use and/or disclose it.

• If we decide to change this Privacy Policy, we will post the changes on our website at www.reallinks.co.uk/privacy. It is your responsibility to refer to this Privacy Policy to review any amendments.

17. CONTACTING US

All correspondence with regards to data protection should be addressed to:Real Links Limited, Wellesley House, Duke Of Wellington Avenue, Royal Arsenal, London, SE18 6SS, United Kingdom (registered in England and Wales, company number 10570135). info@reallinks.appWe ask that you contact us by email in the first instance.Real Links processing activities quick reference guideCategory of data subjectPurposePersonal data usedLegal basisRolesWhich rights apply?*Data subjectDescription of activity and purposeData categoryLegal basisOur roleYour rightsWebsite visitorsTo maintain our website and facilitate contact with website visitors.Personal Information, Contact Information, Digital Information, Statistical Information.Necessary to achieve a legitimate interest. It is in our interest to maintain our website to promote our business and Services and to enable contact with interested third parties.We act as a controller for these processing activities.The generally applicable rights plus the right to object.Employees of our clientsFor the provision of Services to a client, which includes to:

• Manage your personal data and account on our Services;

• Help you and your employer by sharing jobs and content with your networks;

• Help you and your employer match your skills and interests to job openings and assist you applying for these jobs and connecting with appropriate mentors (only if using the Internal Mobility Platform).

• Help you understand your role and responsibilities when acting as a mentor (only if using the Internal Mobility Platform);

• Send you notifications within the Services about the status of referrals you have made to your employer;

• Respond to questions, comments, and other requests; and

• Give your account access to key features of our platform such as rewards.

Personal Information, Contact information, Internal Mobility information (only if using the Internal Mobility Platform), Digital Information, Statistical Information.Please refer to our clients’ privacy notices or policies for confirmation of the legal bases they rely on.We act as a processor for these processing activities on behalf of our clients who act as the controller.Please refer to our clients’ privacy notices or policies for confirmation of the rights available.Potential candidatesFor the provision of Services to a client, which includes to:

• Facilitate the creation of an account and the referral/recruitment process for clients on our platform;

• Help our clients match your skills and experience to job openings advertised by our clients (only if using the Internal Mobility Platform);

• Allow you to apply for a job with one of our clients if you wish to do so (only if using the Internal Mobility Platform); and

• Send notifications to the employee who referred you about the status of your application.

Personal Information, Contact InformationPlease refer to our clients’ privacy notices or policies for confirmation of the legal bases they rely on.We act as a processor for these processing activities on behalf of our clients who act as the controller.Please refer to our clients’ privacy notices or policies for confirmation of the rights available.Employees of our clients and potential candidates of our clientsFor our own administrative, business or legal purposes, which includes to:

• Analyse the use of the platform by users to assess how different functions/features are performing and develop new functions/features for our Services;

• Enforce our legal rights and the provisions of our terms and conditions; and

• Investigate and/or report where we suspect that an individual or client is in breach of any of our terms and conditions or that an individual or client is or has been otherwise engaged in any unlawful activity.

Digital Information, Statistical Information

• Necessary for compliance with a legal obligation e.g. to report fraudulent or criminal activity.

• Necessary to achieve a legitimate interest. All of these purposes are necessary to achieve our legitimate interests in ensuring the continued progress and smooth running of our business.

We act as a controller for these processing activities.

• The generally applicable rights only when relying on legal obligation.

• The generally applicable rights plus the right to object when relying on legitimate interest.

Employees of our clientsFor the purpose of promoting our products and Services, which include to provide you with materials about offers for products and Services that may be of interest to you, including new content or Services.Personal Information, Contact Information, Digital Information, Statistical Information

• Your explicit consent or our legitimate interest.

• If we have a preexisting relationship with you through the Services we may rely on a ‘soft-opt’ and that processing is necessary in our legitimate interest to publicise our Services to clients/customers and third parties.

We act as a controller for these processing activities.The generally applicable rights plus the right to object or withdraw consent.