Last updated: 6th May 2026

Global Privacy Notice

This Global Privacy Notice explains how Quantum People (“we”, “us”, “our”) collects and uses personal data worldwide in connection with our recruitment and talent‑advisory services in quantum, photonics, and deep tech.

Who we are

Quantum People is the trading name of Talent Staffing Services Limited, a private limited company registered in England and Wales (Company No. 16667216). VAT No. 500462049. Registered office: 71–75
Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

We are registered with the UK Information Commissioner’s Office (ICO) as a data controller under reference ZC027132.

How to contact us

Email: privacy@talentstaffingservice.com
Postal: Privacy, Talent Staffing
Services Limited, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

Data Protection Lead:
Drew Percival, COO. We have not appointed a formal Data Protection Officer because our processing does not currently meet the mandatory thresholds under UK GDPR Article 37, but we will appoint one and publish details here if and when legally required.

EU/EEA
representative: If and when legally required under EU GDPR Article 27, we will appoint and publish details of an EU representative here.

Scope and applicability

We work globally with companies, roles, and candidates.
This Notice applies to all personal data we process, regardless of where you are located, including:

•        Candidates and job applicants (to our clients’ roles or to join Quantum People)

•        Client and prospective‑client contacts

•        Website visitors and event participants

•        Vendors and partners

•        Members of the quantum, photonics, and deep‑tech professional community whose public professional information appears in our talent map (see Section 4).

This Notice is designed to comply with:

•        United Kingdom: UK GDPR (assimilated EU GDPR), Data Protection Act 2018 (DPA 2018), Privacy and Electronic Communications Regulations 2003 (PECR)

•        European Economic Area: EU GDPR (Regulation 2016/679), national supplementary legislation

•        United States: California (CCPA / CPRA), Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), and other state privacy laws as applicable

•        Middle East: United Arab Emirates Federal Decree‑Law No. 45 of 2021 (PDPL), Kingdom of Saudi Arabia Personal Data Protection Law (PDPL), Bahrain Law No. 30 of 2018, Qatar Law No. 13 of 2016, Israel Privacy Protection Law 5741‑1981 — where applicable

•        Asia / Asia‑Pacific: Singapore Personal Data Protection Act (PDPA), Japan Act on the Protection of Personal Information (APPI), South Korea Personal Information
Protection Act (PIPA), Hong Kong Personal Data (Privacy) Ordinance (PDPO), India Digital Personal Data Protection Act 2023 (DPDP), People’s Republic of
Australia Privacy Act 1988 — where applicable.

Where regional laws differ, we apply the standard most protective of you, except where local law specifically requires a different approach.

Roles

We primarily act as an independent data controller for candidate and client personal data — for example sourcing, screening, matching, presenting candidates, coordinating interviews, and maintaining our talent map. In some engagements we act as a processor or service provider on specific client instructions (for example, when operating within a client’s Applicant Tracking System). Where our role changes, this is documented in the contract and we process data accordingly. For the avoidance of doubt under the various US state privacy laws, we act as a “business” (controller) and our service providers act as “service providers” or “contractors.”

Personal data we collect

Candidates and job applicants: name; contact details (email, phone, postal address); CV / résumé; work history; education and qualifications; skills and certifications; preferences and notice period; compensation expectations; interview notes and assessment outcomes; right‑to‑work or eligibility evidence (limited to what is necessary in your jurisdiction); references; communications with us.

Clients and prospects: business contact details; role and title; hiring requirements; meeting notes; communications.

Website and marketing: IP address; device and browser; general location; cookie identifiers; pages viewed; referral information; preferences and consent choices. 

Vendors and partners: business contact details; billing details; contract metadata.

Talent map (Tier 1 enrichment programme): for individuals already represented in our CRM, we may add public‑source professional data — publication record, grants record, patent inventorship, employment history, education history, public skills tags, public profile URLs (for example LinkedIn, GitHub, Google Scholar, ORCID), conference speaking history, public awards and recognition, inferred location,
and computed relevance indicators. This data is sourced exclusively from public professional sources (see Section 4) and is gated by an identity‑matching guardrail.

Special category data — including data concerning health (such as accommodation needs), racial or ethnic origin (where collected for diversity reporting), political opinions,
religious beliefs, trade union membership, genetic data, biometric data, or data concerning sex life or sexual orientation — is collected only where relevant, lawful, and appropriately safeguarded. Criminal‑records data is processed only where required or permitted by law or client instruction and with the necessary legal bases and safeguards. We do not process special category data as part of the Tier 1 enrichment programme.

Sources

We obtain personal data from the following sources:

Directly from you (forms on our website, email, phone, interviews, events, social media interactions).

Public and professional sources, including specifically:

–   LinkedIn—  for example public profile data captured via a HubSpot Chrome Extension or Equivalent tool when our recruiters view a profile.

–       Jeeva (provided by Involve Inc) — sales engagement and contact data platform.

–       OpenAlex — open scholarly publications database operated by OurResearch.

–       ORCID — open researcher identifiers.

–       GitHub — public developer profiles and repositories.

–       Google Patents (via the public BigQuery dataset) — patent inventorship records.

–       UKRI Gateway to Research — UK public research grants register.

–       Companies House — UK statutory companies register.

–       Crossref — open scholarly metadata register.

–       Serper — search engine results aggregator used to surface public conference speaker history, awards, and other public professional signals from a defined list of professional websites.

–      Anthropic Claude (Haiku model) is used solely to canonicalise raw skill, topic, and tag values into a consistent vocabulary; we do not transmit personal identifiers to Anthropic in this process.

–      Referrals from clients, candidates, and contacts.

–      Our service providers (for example secure email and telephony, cloud productivity, CRM and ATS hosting, website hosting and analytics, professional advisors) in the course of providing their services.

Purposes and legal bases

We use personal data for the following purposes:

Sharing your data

We share personal data, where necessary, with:

• Clients — where we present you for, or place you in, a role.
• Service providers under contract — for example secure email and telephony (Microsoft 365), cloud productivity (Microsoft 365), CRM (HubSpot), Azure cloud infrastructure (Microsoft Azure, UK South region), engagement platforms (Jeeva), language‑model canonicalisation (Anthropic — abstract strings only, no personal identifiers), and search‑engine query relay (Serper).
• Referees and background‑check providers — when applicable, lawful, and on your instructions or your prospective employer’s instructions.
• Regulators, courts, and law enforcement — when legally required.
• Professional advisors — lawyers, auditors, accountants — under duties of confidence. 
• Business transferees — as part of corporate transactions (mergers, acquisitions, restructurings); subject to confidentiality and to honouring this Notice.

We do not sell personal data. We do not “share” personal information for cross‑context behavioural advertising as that term is defined under California, Colorado, Connecticut, Virginia, or other US state privacy laws, and we do not engage in equivalent practices under other regional laws.

International data transfers

Because we work worldwide, we may transfer personal data across borders — including from the UK / EEA to the United States, Middle East, Asia, and Australia. Equally, where we receive personal data from outside the UK we may transfer it back to the UK (where our HubSpot CRM and Microsoft Azure infrastructure are hosted). We implement appropriate safeguards for international
transfers, including:         
From the UK: UK adequacy regulations where in force; the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses for transfers to non‑adequate jurisdictions; UK extension to the EU‑US Data Privacy Framework where applicable.

From the EEA: EU adequacy decisions where in force; EU Standard Contractual Clauses (SCCs) for transfers to non‑adequate third countries; EU‑US Data Privacy Framework where applicable.

From Middle East jurisdictions with cross‑border restrictions (UAE PDPL, KSA PDPL, etc.): contractual safeguards and consent where required by local law.

From Asia jurisdictions with cross‑border restrictions (PIPL, PIPA, APPI, India DPDP, Singapore PDPA, etc.): contractual safeguards, regulator approvals where required, and consent where required by local law.

Technical and organisational measures — encryption in transit and at rest, access controls, least‑privilege identity, audit logging, vendor due diligence, and data minimisation.

You may request details of the specific safeguards used for transfers of your data by contacting privacy@talentstaffingservice.com.

How long we keep your data 

Retention Principles

We retain personal data only for as long as necessary for the purposes set out in this Notice, to comply with legal and regulatory obligations across the UK, EEA, US, Middle East, Asia and other regions, and to establish, exercise, or defend legal claims. We apply storage limitation (UK/EU GDPR Article 5(1)(e) and equivalent local principles), data minimisation, and clear purpose‑based retention schedules with defined start and end triggers.

We periodically review retention periods and may adjust them for changes in law, regulation, industry standards, or our services. Where a longer or shorter period is mandated locally or by contract, that requirement prevails.

Default retention periods

•        Active candidate profiles (not placed): up to 24 months from last meaningful contact; you may request earlier deletion.

•        Talent pool (consented): up to 36 months from last meaningful contact, or until consent is withdrawn.

•        Talent map (legitimate interests, public‑source enrichment): up to 7 years rolling from last meaningful contact or last enrichment update, whichever is later. Active enrichment cycles (typically every 30–365 days depending on source) reset the 7‑year clock. Records with no enrichment activity for 7 years AND no contact will be deleted or anonymised. Earlier deletion will be applied on receipt of a valid erasure
or objection request, subject to legal hold or statutory exception.

•        Placed candidates / assignees: up to 6 years from end of engagement to manage contractual claims, fees, warranties, and statutory record‑keeping.

•        Right‑to‑work / identity checks: UK — generally 2 years after employment / assignment ends; US I‑9 — 3 years from hire or 1 year after termination, whichever is later; other jurisdictions — as required locally.

•        References / background screening: in line with the underlying candidate record; evidence of checks retained up to 6 years where needed for audit / claims.

•        Client and prospect B2B contacts: up to 36 months from last meaningful contact or end of contract.

•        Contracts, orders, invoices, payments: 6–7 years from financial year end (jurisdiction‑specific).

•        Customer service and complaints: up to 6 years after closure.

•        Marketing lists and consent logs: active while subscribed; consent / opt‑out logs for at least 6 years after last change.

•        Website analytics and telemetry (non‑essential, consent‑based in UK/EU): 3–26 months depending on tool / configuration.

•        Security and access logs: 90–365 days (higher‑risk systems up to 24 months).

•        Telephony / voicemail / meeting recordings (if used): 90–180 days (metadata up to 12 months) unless needed for training, quality, or legal reasons.

•        Vendor / partner records: duration of relationship plus 6 years.

•        Legal, audit, and dispute files: until matter closes plus limitation period (typically 6 years; longer for certain claims). “Meaningful contact” includes submitting or updating a CV, interacting with us about roles, attending interviews, replying to communications, attending our events, or explicitly asking us to keep your profile.

Deletion, anonymisation, and archiving standards

•        Deletion removes records from active systems followed by purge from near‑line storage on scheduled jobs; cloud replicas honour vendor service‑level agreements.

•        Anonymisation is irreversible removal of identifiers so individuals are no longer identifiable; anonymised data may be kept indefinitely.

•        Pseudonymisation replaces identifiers with tokens to reduce risk during the retention period; pseudonymised data remains personal data.

•        Archiving: where a legitimate archival purpose exists (for example audit trails), we store minimal datasets with stricter access controls and longer review intervals.

•        Backups are kept solely for business continuity and disaster recovery; not for routine processing. Typical backup cycles are daily with 35–90‑day rolling retention. When a record reaches end‑of‑life in production, it disappears from backups after the rolling window. Post‑restore (if a restore ever occurs after end‑of‑life), outstanding deletions are re‑applied.

Legal holds and exceptions

Anticipated or active disputes, investigations, audits, or legal proceedings place relevant records on legal hold, overriding ordinary
deletion. Statutory retention requirements (for example tax, accounting, immigration, employment, or equal opportunity records) override ordinary deletion for the relevant record category. Where multiple regimes apply, we retain for the longest applicable mandatory period.

How to request deletion or changes

Contact privacy@talentstaffingservice.com or use our online privacy request form at  quantumpeople.net/privacy-request/.
We will verify identity / authority, assess legal obligations or holds, execute deletion or anonymisation across systems and processors, and confirm completion noting any lawful exemptions. Where we cannot fully delete due to ongoing legal obligation, we will isolate and minimise your data.

Security

We use proportionate technical and organisational measures, including:

•        Encryption in transit and at rest

•        Access controls, least‑privilege identity, multi‑factor authentication, conditional access

•        Audit logging and monitoring

•        Employee confidentiality and training

•        Vendor due diligence and contractual data processing terms (UK GDPR Article 28 / equivalents)

•        Incident detection and response, including a documented breach response runbook

•        ICO‑grade and equivalent regional regulator notification processes where applicable

If we suffer a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of awareness as required by UK / EU GDPR Article 33, and notify you directly without undue delay where the breach is likely to result in a high risk to your rights and freedoms (Article 34) — together with equivalent obligations under other regional regimes.

Your rights

Subject to verification of identity and any local exceptions, you have rights over your personal data. To exercise any right,
contact privacy@talentstaffingservice.com or use our online privacy request form at quantumpeople.net/privacy-request/.
We will respond within the timeframes required by law (typically 30 days under UK / EU GDPR; varying under other regimes).

United Kingdom (UK GDPR / DPA 2018)

You have the right to:

•        Be informed about the processing (this Notice).

•        Access your personal data (Article 15).

•        Rectification of inaccurate data (Article 16).

•        Erasure (“right to be forgotten”) (Article 17), subject to exceptions.

•        Restriction of processing (Article 18).

•        Object to processing based on legitimate interests, including for our talent map (Article 21). Direct marketing objections are absolute.

•        Data portability in a structured, commonly used, machine‑readable format (Article 20).

•        Withdraw consent where processing is based on consent (Article 7(3)).

•        Not be subject to solely automated decision‑making that produces legal or similarly significant effects (Article 22).

You may lodge a complaint with the UK Information Commissioner’s Office at ico.org.uk.

European Economic Area (EU GDPR)

You have equivalent rights to those listed under UK GDPR (the article numbers are the same). You may lodge a complaint with your local supervisory authority, or with the supervisory authority of the EU/EEA Member State in which the alleged infringement occurred.

United States — state privacy laws

Subject to verification and scope limits under the law of your state, you have rights to:

•        Know / access your personal information.

•        Correct inaccurate personal information.

•        Delete your personal information.

•        Portability (where provided).

•        Opt out of “sale” or “sharing” for cross‑context behavioural advertising (we do not engage in either).

•        Opt out of certain profiling that produces legal or similarly significant effects (we do not engage in solely automated significant decisions).

•        Limit use of sensitive personal information (we do not use sensitive personal information for purposes other than those expressly permitted by law).

•        Non‑discrimination for exercising your rights.

•        Appeal any denial of a request (Colorado, Connecticut, Virginia and others). Authorised agents may act on your behalf where local
law permits. We will verify the agent’s authority before responding. You may lodge a complaint with your state Attorney General or, in California, the California Privacy Protection Agency (CPPA).

Middle East

•     United Arab Emirates (UAE Federal Decree‑Law No. 45 of 2021 — PDPL): rights to information, access, correction, deletion, restriction, objection, automated
decision‑making safeguards, and portability. The UAE Data Office is the supervisory authority.

•        Kingdom of Saudi Arabia (PDPL): rights to information, access, correction, deletion, and limited portability. The Saudi Data and AI Authority (SDAIA) is the supervisory authority.

•        Bahrain (Law No. 30 of 2018): rights to information, access, correction, deletion, and objection. The Personal Data Protection Authority is the supervisory authority.

•        Israel (Privacy Protection Law 5741‑1981): rights to information, access, correction, and deletion. The Privacy Protection Authority is the supervisory authority.

•        Qatar (Law No. 13 of 2016) and other regional regimes: equivalent core rights apply where the law applies to our processing of your data.

Asia and Asia‑Pacific

•      Singapore (PDPA): rights to access, correction, withdraw consent, and request data portability (where available). The Personal Data Protection Commission (PDPC) is the supervisory authority.

•        Japan (APPI): rights to disclosure, correction, suspension of use, deletion, and disclosure of third‑party transfer records. The Personal Information Protection Commission (PPC) is the supervisory authority.

•        South Korea (PIPA): rights to access, correction, deletion, suspension of processing, and to object. The Personal Information Protection Commission (PIPC) is the supervisory authority.

•        Hong Kong (PDPO): rights to access and correction. The Office of the Privacy Commissioner for Personal Data is the supervisory authority.

•        India (DPDP Act 2023): rights to information, access, correction, completion, erasure, and grievance redressal. The Data Protection Board of India is the supervisory authority.

•        People’s Republic of China (PIPL): rights to information, access, correction, deletion, restriction, objection, portability, and to withdraw consent. The Cyberspace Administration of China (CAC) and other regulators have supervisory authority. Note: we do not actively target processing of China‑resident personal information; if you are a China resident, please contact us before transmitting personal data.

•        Australia (Privacy Act 1988): rights to access and correction under the Australian Privacy Principles. The Office of the Australian Information Commissioner (OAIC) is the supervisory authority.

Other jurisdictions

If you are located in a jurisdiction with privacy laws that grant you specific rights in respect of our processing, please contact us — we will evaluate and apply the rights that local law confers on you, in good faith.

Marketing preferences

•        UK / EU: consent where required (for example non‑essential cookies, certain direct electronic marketing); B2B marketing under legitimate interests with a clear opt‑out under PECR Section 22 (UK) and equivalent.

•        United States: we follow applicable state rules; you may opt out at any time via the unsubscribe link in any marketing email or by emailing privacy@talentstaffingservice.com.

•        Middle East and Asia: consent for marketing where required by local law (for example UAE PDPL Article 5, Singapore PDPA, China PIPL); opt‑out always available.

We do not disclose personal data to third parties for their own direct marketing.

Cookies and similar technologies

We use necessary cookies for site operation and security. With consent (where required by UK / EU PECR or equivalent local law), we may use analytics or marketing technologies.

Children

Our services are intended for adults and professional users. We do not knowingly collect personal data from children — under 16 in the UK and EEA (or the lower minimum age set by Member State law), under 13 in the United States, and the equivalent age threshold in other regions. If you believe a child has provided data to us, contact privacy@talentstaffingservice.com to request deletion.

Automated decision‑making

We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you. We may use ranking and search tools to organise candidate profiles, always with human review, including in the Tier 1 talent map programme. The relevance scores produced by our talent map are decision‑support signals only; they do not determine the outcome of any candidate recommendation in isolation.

Changes to this Notice

We may update this Notice from time to time. When we do, we will revise the “Last updated” date above and, where appropriate, notify you of material changes. The current version is always available at quantumpeople.net/privacy/.

How to make a complaint

If you have a concern about how we handle your personal data, please first contact us at privacy@talentstaffingservice.com so that we can try to resolve it directly. You also have the right to complain to a supervisory authority:

•        United Kingdom: Information Commissioner’s Office — ico.org.uk — 0303 123 1113

•        European Economic Area: your local Data Protection Authority (full list at edpb.europa.eu)

•        United States: your state Attorney General; in California, the California Privacy Protection Agency (cppa.ca.gov)

•        United Arab Emirates: UAE Data Office

•        Saudi Arabia: Saudi Data and AI Authority (SDAIA)

•        Bahrain: Personal Data Protection Authority

•        Israel: Privacy Protection Authority

•        Singapore: Personal Data Protection Commission (PDPC) — pdpc.gov.sg

•        Japan: Personal Information Protection Commission (PPC) — ppc.go.jp

•        South Korea: Personal Information Protection Commission (PIPC) — pipc.go.kr

•        Hong Kong: Office of the Privacy Commissioner for Personal Data — pcpd.org.hk

•        India: Data Protection Board of India

•        People’s Republic of China: Cyberspace Administration of China (CAC)

•        Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au

Talent Staffing Services Limited (trading as Quantum People) is registered in England and Wales (Company No. 16667216), VAT No. 500462049, ICO registration ZC027132.
Registered office: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.