Talk to an expert
Back to site

Legal Information

Skip to menu

Candidate Privacy Notice

Published: February 06, 2026

Table of contents:

  1. Who are we and what is the purpose of this Notice?
  2. Definitions
  3. Personal Information we collect and how we Use it
  4. International Data Transfers
  5. Data Retention
  6. Children’s Privacy
  7. Governing Law
  8. Changes to this Notice
  9. Contact Us
  10. Your Rights and Choices

1   Who are we and what is the purpose of this Notice?

Zafin and its group of companies (“Zafin”, “we”, “us” or “our”) are committed to protecting the privacy and security of Personal Information and handling it in accordance with applicable data protection and privacy laws.

This Candidate Privacy Notice (“Notice”) is part of the Zafin Privacy Program. It describes how we collect, use, and disclose your Personal Information and how your Personal Information can be reviewed and corrected when necessary. This Notice explains what Personal Information we collect from you, how we Use it (as defined below), who we may share it with, and what your rights are.  This Notice also explains how long we retain your Personal Information, how we intend to. protect it, and how we endeavour to enable you to exercise applicable privacy rights.

This Notice applies to employment, internship (including co-op and/or other education programs), and scholarship applicants globally, including individuals located in India whose Personal Data is processed under the DPDPA (2023) and applicable rules.  

If you are successful in your application, your Personal Information will then be processed under our Employee Privacy Notice, which will be made available during onboarding.

Go back to Table of contents

2   Definitions

We have included the following definitions to help you understand the contents of this Notice:

“Collection” occurs when Zafin finds itself in custody or control of Personal Information. Note that this includes information that Zafin receives even when the data was not requested.

“Consent” is an individual’s freely given, specific and informed agreement to the Processing of their Personal Information.

“Controller” (GDPR/UK GDPR) means the natural or legal person which determines the purposes and means of Processing Personal Information.

“Data Fiduciary” (India DPDPA) means the entity determining the purpose and means of processing Personal Data.

“Data Principal” (DPDPA) means the individual to whom the Personal Data relates.

“DPDPA” means India’s Digital Personal Data Protection Act, 2023, together with its implementing Rules, including the updated Rules effective November 2025.

“GDPR” means the General Data Protection Regulation (EU) 2016/679.

Personal Information” means information about an identifiable individual and includes the term “Personal Data” as defined under the GDPR and UK GDPR and “Personal Data” under the DPDPA.

“PIPEDA” means Canada’s federal Personal Information Protection and Electronic Documents Act S.C. 2000, c. 5.

“Process” is an operation or set of operations performed upon Personal Information.

“UK GDPR” means the General Data Protection Regulation, Regulation (EU) 2016/679 as it forms part of domestic law in the United Kingdom by virtue of section 3 of the EU (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time).

Use” means the process of collecting, accessing, storing, reading, modifying, analyzing, or changing Personal Information. This includes when Zafin uses a service provider or vendor to carry out these tasks on its behalf.

Go back to Table of contents

3   Personal Information we collect and how we Use it

Personal Information means information about an identifiable individual. In other words, Personal Information is data about you that a person may use to identify you. We take steps designed to ensure that only those who need access to your Personal Information to fulfill their duties can access it. We have set out below where we collect your Personal Information, what we collect, and how we Use it.  

We only collect Personal Information that is adequate, relevant, and reasonably necessary for the purposes described in this Notice, in line with applicable data minimization obligations.

3.1   How we collect Personal Information and what we collect when you apply for a position at Zafin:

In connection with your application for a position at Zafin (e.g., employment, internship, etc.), we will collect and create personal information throughout the recruitment and evaluation process. This includes, but may not be limited to:

  1. Contact Information: Full name, email address, phone number, and home address.
  2. Evidence of how you meet the requirements of the opportunity such as a resume/CV, cover letter, employment and educational history, right-to-work documentation, professional qualifications, interview notes, correspondence with Zafin or its recruiters with regard to applications (including references), and assessments or skill tests where applicable.
  3. Educational Background: School or institution name, academic records, and major/course of study.
  4. Work experience: Previous employers and/or roles held
  5. Background verification results conducted as permitted by law and after obtaining any required explicit consent.
  6. References: Including letters of recommendation
  7. Demographic Information: Date of birth, gender, nationality, and other relevant demographic data. We collect this only where legally permitted and/or if voluntarily provided.  Such information is optional and not used in hiring decisions.
  8. If you are under 18 and located in India, we will not process your data without verifiable parental consent as required under the DPDPA.

3.2  How we collect Personal Information and what we collect when you apply for a scholarship:

In connection with your application for a scholarship opportunity, Zafin will collect and create personal information about you during the course of your application with Zafin. This includes:

  1. Contact Information: Full name, email address, phone number, and home address.
  2. Educational Background: School or institution name, academic records, and major/course of study.
  3. Scholarship Application Details: Information provided in the scholarship application form, including essay responses, letters of recommendation, and other submitted materials.
  4. Demographic Information: Date of birth, gender, nationality, and other relevant demographic data. We do not request or require sensitive or higher-risk data for scholarship evaluations unless legally necessary.

3.3  How We Use Your Information

We use the collected Personal Information for the following purposes:

  1. Employment or Internship Application: To assess your suitability for employment and qualifications for the opportunity.
  2. Scholarship Application Evaluation: To assess your eligibility and qualifications for our scholarship program.
  3. Identification & Verification: To conduct background checks and verify the information provided.
  4. Communication: To contact you regarding your application status, additional information requests, and employment, internship, or scholarship-related updates.
  5. Compliance with Legal Obligations: To comply with applicable laws, regulations, and reporting requirements.
  6. Aggregated Data Analysis: To analyze and improve our recruitment and scholarship program and related initiatives, while ensuring individual data remains anonymized.
  7. To prevent fraud and protect the security of our systems.
  8. To maintain business, audit, and compliance records.

3.4  Sensitive Information

Unless necessary for recruitment, legally required, or performed with explicit consent, we avoid collecting certain types of Personal Information that are considered a protected ground under the applicable human rights legislation (e.g. race, ethnicity, religious beliefs, health information), as these do not impact our recruitment or selection decisions.

Other types of sensitive Personal Information, such as criminal records, may be requested after an offer of employment or internship has been made, as part of Zafin’s standard background verification process.

3.5 Legal Basis for Processing Personal Information

We process Personal Information only where we have a valid legal basis to do so under applicable privacy laws. Because Zafin operates globally, different jurisdictions require different legal justifications. The purposes for which we process Personal Information are consistent across regions, but the legal bases vary depending on your location.

Our processing of your Personal Information is based on the following legal grounds:

  1. Consent: We rely on consent only where legally required (e.g., certain background checks, optional demographic information, or where you voluntarily provide additional information not required for recruitment). Consent is not used as the primary basis for assessing your candidacy under GDPR/UK GDPR or PIPEDA. Where consent applies, you may withdraw it at any time by contacting [email protected]. Withdrawal does not affect processing already completed, but it may impact our ability to continue evaluating your application where the information is necessary.
  2. Deemed Consent (India, DPDPA): For applicants located in India, we may process Personal Data under the Digital Personal Data Protection Act (DPDPA) where “deemed consent” applies, including when:

    • Processing is reasonably expected for recruitment
    • It is necessary for employment-related purposes
    • It is necessary to comply with Indian law
    • It is required for fraud prevention, network security or other legitimate purposes permitted under the DPDPA Rules (2025)

  3. Contractual Necessity (Canada, UK/EU, India): Processing is necessary to take steps at your request prior to entering into a contract (e.g., assessing your qualifications, arranging interviews, confirming your eligibility) and, where applicable, to manage any agreement relating to your application..
  4. Legitimate Interests: We rely on legitimate interests to operate, manage, and improve our recruitment processes, evaluate applicants, maintain hiring records, and ensure the security and integrity of our systems. We conduct a balancing assessment to ensure these interests do not override your rights and freedoms. Legitimate interests are not used where consent or contractual/legal obligations provide more appropriate bases.
  5. Legal Obligations (Canada, UK/EU, India): We process Personal Information where necessary to comply with legal obligations applicable to Zafin, including identity verification, right-to-work checks, recordkeeping, tax or regulatory reporting, or responding to lawful requests from authorities.
  6. Reasonable Purposes (Canada): Under PIPEDA, we may process Personal Information for purposes a reasonable person would consider appropriate in the circumstances, such as evaluating suitability for employment, preventing fraud, ensuring information security, and maintaining business records.

3.6 Data Sharing and Disclosure

We may share Personal Information with trusted service providers for processing and to help us provide, maintain, and improve our recruitment processes and scholarship program. We remain accountable for that Personal Information’s privacy and security and use contractual or other means to ensure that service providers meet our privacy and security requirements. All service providers are bound by written agreements containing data protection, confidentiality, and security obligations consistent with GDPR Art. 28, PIPEDA contractual measures, and DPDPA requirements.

For India-based applicants, transfers outside India are permitted unless restricted by the Government of India. As of the date of this Notice, no such restrictions apply.

We may share your personal information with the following parties:

  1. Zafin Representatives: Our employees and authorized representatives involved in the application management, evaluation, and selection process.
  2. Third-Party Service Providers: Trusted third-party service providers, such as application tracking systems, interviewers / evaluators, and background verification services, to assist us in managing and assessing applications.
  3. Entities, organizations or individuals for legal reasons: We will share your Personal Information with entities, companies or individuals where this is strictly necessary to comply with any law, rule, regulation, governmental request or legal procedure that is applicable to us.
  4. Entities, companies or individuals to obtain advice: We will share your Personal Information with external professional advisors such as lawyers or accountants in order to take advice and for the purposes of legal and tribunal proceedings or enforce the terms of our agreements.

We will only disclose such Personal Information to any third party as is necessary to enable them to carry out the function or purpose for which it is disclosed. If you would like further information on the third parties we may share your Personal Information with and our legal basis for sharing your Personal Information with third parties, please contact the Privacy Office (see How to Contact Us).

Go back to Table of contents

4   International Data Transfers

We may transfer Personal Information across borders in accordance with applicable laws.

  • For EEA/UK applicants, we use adequacy decisions or Standard Contractual Clauses.
  • For Canada, transfers must include contractual protections.
  • For India, transfers are permitted unless a country is placed on the restricted list.

Go back to Table of contents

5   Data Retention

We retain Personal Information only for as long as necessary for the purposes described in this Notice or as required by law. Applicant records are generally kept for 12–24 months, unless:

  • you are hired by Zafin for an employment, internship, or other position (as applicable);
  • you voluntarily consent to longer retention to be considered for future opportunities;
  • a longer period is required for legal or audit purposes, in which case data is then securely deleted or anonymized.

Go back to Table of contents

6   Children’s Privacy

The application is not directed to children under the age of 18, and we do not knowingly collect Personal Information from children under the age of 18 without obtaining parental consent. If you are under 18 years of age, please do not engage in the application process at any time or in any manner. If we learn that Personal Information has been collected from persons under 18 years of age and without verifiable parental consent, then we will take the appropriate steps to delete this information. If you are a parent or guardian and discover that your child under 18 years of age has provided Personal Information, then you may alert us as set forth in the “How to Contact Us” section and request that we delete that child’s Personal Information from our systems.

Go back to Table of contents

7   Governing Law

Zafin processes Personal Information in accordance with the laws that apply to you based on your location. Where data is transferred to other jurisdictions, we apply appropriate contractual, technical, and organizational safeguards. Your Personal Information may be stored or processed in any country in which Zafin or its service providers have facilities, and by completing and submitting this application you agree to the transfer of your information to countries outside your country of residence, which may have different data protection rules than in your country. While such information is outside of Canada, it is subject to the laws of the country in which it is held. It may be subject to disclosure to the governments, courts, law enforcement, or regulatory agencies of such another country, pursuant to such a country’s laws. 

Go back to Table of contents

8   Changes to this Notice

We may change this Candidate Privacy Notice in the normal course of business, in accordance with applicable laws and legislation. Changes to this Notice become effective when posted on our website, please note the “Last Updated” date. Your continued use of the website after the revised Notice has become effective indicates that you have read, understood, and agreed to the current version of the Notice.

Go back to Table of contents

9   Contact Us

If you have any questions or comments about this Notice or your Personal Information, to make an access or correction request, to exercise any applicable rights, to make a complaint, or to obtain information about our policies and practices, our Privacy Office can be reached using the following information:

Mail123 Front Street West, Suite 1501
Toronto, Ontario
M5J 2M2
Attention: Privacy Office
Email[email protected]

Go back to Table of contents

10   Your Rights and Choices

The rights available to you depend on the privacy laws that apply in your location. Regardless of jurisdiction, Zafin is committed to enabling individuals to understand and control how their Personal Information is used. You may exercise your rights by contacting our Privacy Office (see Section 9).

10.1 General Rights (All Applicants)

All applicants have the right to:

  • Access: Request confirmation of whether we process your Personal Information and obtain a copy of such information.
  • Correction: Request that we correct or update Personal Information that is inaccurate or incomplete.
  • Deletion: Request deletion of your Personal Information where appropriate and permitted by law.
  • Withdraw Consent: Where we rely on consent, you may withdraw it at any time. Withdrawal may affect our ability to continue evaluating your application.

To help us maintain accurate information, please keep your profile and application details up to date.

10.2 Rights of Individuals in the UK and the European Economic Area (EEA)

If you are located in the UK or EEA, you also have the following rights under the GDPR and UK GDPR:

  • Object to Processing: You may object to processing based on legitimate interests.
  • Restrict Processing: You may request that we restrict the processing of your Personal Information in certain circumstances.
  • Data Portability: You may request that we provide your Personal Information in a structured, commonly used, and machine-readable format, or transfer it to another controller where technically feasible.
  • Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.
  • Complain to a Supervisory Authority: You may lodge a complaint with your local data protection authority.

10.3 Rights of Individuals in Canada (PIPEDA)

Under PIPEDA, applicants in Canada have the right to:

  • Access and obtain information about how their Personal Information is collected, used, and disclosed;
  • Request corrections where the information is inaccurate or incomplete;
  • Challenge our compliance with PIPEDA and file a complaint with the Office of the Privacy Commissioner of Canada.

10.4 Rights of Individuals in India (DPDPA)

If you are located in India, you have the following rights under the Digital Personal Data Protection Act (DPDPA):

  • Access: Request a summary of your Personal Data and information about processing activities.
  • Correction and Deletion: Request correction, completion, updating, or deletion of your Personal Data.
  • Grievance Redressal: Raise a complaint through Zafin’s grievance mechanism.
  • Nomination: Appoint another person to exercise your rights in the event of your incapacity or death.
  • Complaint to the Data Protection Board: Escalate issues to the Data Protection Board of India if you are not satisfied with our response.

10.5 Rights of Individuals in the United States

If you are applying from the United States, your privacy rights may vary depending on the state in which you reside. Several U.S. states—including California, Colorado, Connecticut, Virginia, and others—have enacted comprehensive privacy laws that grant individuals certain rights regarding their Personal Information. Subject to applicable state law, you may have the right to:

  • Access: Request confirmation of whether we process your Personal Information and obtain a copy of such information.
  • Correction: Request correction of inaccurate Personal Information.
  • Deletion: Request deletion of your Personal Information, subject to legal and operational exceptions.
  • Right to Know / Transparency: Request information about the categories of Personal Information collected, the purposes for which it is used, and the categories of third parties to whom it is disclosed.
  • Appeal: In certain states, appeal a decision if we decline to take action on a rights request.
  • Non-Discrimination: You will not be treated adversely for exercising your privacy rights.

Zafin does not “sell” or “share” Personal Information as defined under U.S. state privacy laws.  The specific rights available to you depend on your state of residence, and we will respond to your request in accordance with the requirements of the applicable U.S. privacy law.

Go back to Table of contents

Sign up for our newsletter!

Subscribe to Banking Blueprints—your source for expert insights, market trends, and resources shaping the future of financial services.