Skip to content
Home About How I work Services Testimonials Contact Candidates Book a Free 15-Min Call →

Legal

Privacy policy

TechWaves Recruitment Ltd

Effective date: 13 May 2026 · Last updated: 13 May 2026

1. Introduction

This Privacy Policy explains how TechWaves Recruitment Ltd ("TechWaves", "we", "us", "our") collects, uses, stores, and protects personal data. We are a UK-based recruitment consultancy specialising in clean energy and e-mobility, and we work with candidates and clients across the United Kingdom, the European Union, the United Arab Emirates, and the United States.

We are committed to protecting your personal data and being transparent about how we use it. We comply with the UK General Data Protection Regulation as amended by the Data (Use and Access) Act 2025 ("UK GDPR"), the Data Protection Act 2018, the EU General Data Protection Regulation (Regulation 2016/679) ("EU GDPR") where applicable, the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) ("UAE PDPL") where applicable, and other relevant data protection laws.

2. Who we are and how to contact us

Data controller: TechWaves Recruitment Ltd

Registered office: 1st Floor, 8-12 London Street, Southport, Merseyside, PR9 0UE, United Kingdom

Company number: 11660294

ICO registration reference: ZA551914

Privacy contact (Sharn, Director):

  • Email: sharn@techwavesrecruitment.co.uk
  • Phone: +44 7801 545514
  • Post: as above

We have not appointed a Data Protection Officer (DPO), as we are not legally required to do so under UK GDPR Article 37, EU GDPR Article 37, or the UAE PDPL. Sharn is the primary point of contact for all data protection matters.

3. Scope of this policy

This policy applies to personal data we collect:

  • From visitors to our website (techwavesrecruitment.co.uk)
  • From candidates registering interest or being approached by us for roles
  • From clients and prospective clients engaging us for recruitment services
  • From third parties such as referrers, publicly available sources (e.g. LinkedIn), and industry contacts
  • Through any other communication with us (email, phone, WhatsApp, social media, in-person meetings)

It does not apply to data we process purely as a processor on behalf of clients — those activities are governed by the data processing agreement between us and that client.

4. The personal data we collect

We collect and process the following categories of personal data:

4.1 From candidates

  • Identity and contact data: name, title, date of birth (where relevant for right-to-work checks), nationality, photograph (only if voluntarily provided)
  • Contact details: email address, phone number, postal address, social media handles (e.g. LinkedIn)
  • Employment data: current employer, job title, work history, salary and benefits, notice period, qualifications, certifications, skills, education
  • CV content and supporting documents: as provided by you or sourced from public profiles
  • Right-to-work and identity documentation: passport or visa details, residency status (only when proceeding to placement)
  • References: referee contact details and the content of references
  • Communication records: emails, messages, call notes, interview notes, feedback
  • Sensitive personal data (special category data): we only process this where strictly necessary and with your explicit consent. Examples include: health information relevant to reasonable adjustments, ethnicity for voluntary equality monitoring, or disclosure of a criminal record where this is relevant to a regulated role.

4.2 From clients and prospective clients

  • Identity and contact data: name, job title, business email, business phone
  • Company data: company name, sector, size, location, hiring brief contents
  • Communication records: correspondence, meeting notes, contract documentation
  • Billing data: company billing address, VAT number, payment records

4.3 From website visitors

  • Technical data: IP address, browser type and version, time zone, operating system, referring URL, pages visited
  • Usage data: information about how you interact with our website
  • Cookies and similar technologies: see Section 12 below

5. How we collect personal data

We collect personal data through:

  • Direct interaction: when you contact us, register interest, send your CV, fill out a form, or engage us for services
  • Referrals: when a third party refers you to us (we will tell you who referred you on first contact)
  • Public sources: LinkedIn, company websites, industry events, and other publicly available platforms (typical for executive search and candidate sourcing)
  • Automated technologies: cookies, analytics, server logs (see Section 12)
  • Third-party tools: scheduling platforms (Acuity), email systems, applicant tracking systems, and similar (see Section 7)

6. Why we use your personal data and our legal bases

We rely on the following lawful bases under UK GDPR Article 6 (and equivalent provisions of EU GDPR and UAE PDPL):

6.1 For candidates

Purpose Legal basis (UK & EU GDPR) Basis under UAE PDPL
Assessing your suitability for roles, contacting you about opportunities, putting forward your application to clients Legitimate interests (running a recruitment service) Necessary for the performance of services / consent
Communicating with you about ongoing searches Legitimate interests Consent / contract performance
Conducting reference checks and right-to-work verification Legitimate interests; Legal obligation (right-to-work) Necessary for performance of contract / legal obligation
Processing sensitive personal data (e.g. health, ethnicity) Explicit consent Explicit consent
Keeping your details on our database for future opportunities Legitimate interests, subject to your right to object Consent
Complying with legal and regulatory obligations Legal obligation Legal obligation

6.2 For clients

Purpose Legal basis
Performing our contract with you Performance of a contract
Communicating with you about searches and candidates Performance of a contract / legitimate interests
Billing, payment, and credit control Performance of a contract / legal obligation
Business development and marketing to existing clients Legitimate interests

6.3 For prospective clients (cold outreach and marketing)

  • Cold outreach for B2B recruitment services: legitimate interests (recital 47, UK GDPR), subject to your right to object. We do not send cold marketing emails to personal (non-business) email addresses without consent.

6.4 For website visitors

  • Essential cookies: legitimate interests (running the website)
  • Analytics and non-essential cookies: consent

We have conducted Legitimate Interests Assessments (LIAs) for each instance where we rely on legitimate interests. You can request a summary of our LIAs by contacting us.

7. Who we share your personal data with

We do not sell personal data. We share personal data only with the following categories of recipient:

  • Clients (employers): where you are a candidate, we share your information with prospective employers only after you have consented to being put forward for a specific role. Clients are independent data controllers.
  • Service providers (processors) acting on our behalf:
  • Email, calendar, file storage, and cloud productivity: Microsoft 365 (Microsoft Ireland Operations Ltd) — covering Outlook email, OneDrive cloud storage, and associated Microsoft 365 services
  • Scheduling: Acuity Scheduling (Squarespace, Inc.) — for discovery and strategy calls
  • Applicant tracking / CRM: Atlas (recruitwithatlas.com) — our recruitment CRM, used to manage candidate and client records
  • Website hosting and domain management: 102.ai (site build and hosting) and Squarespace, Inc. (domain registration and DNS)
  • Analytics: Google Analytics 4 (Google Ireland Ltd) — for measuring website traffic and visitor behaviour; only loaded after you give consent through our cookie banner
  • Payment processing: Stripe Payments Europe Ltd (via Acuity Scheduling) — for collecting payment on strategy call bookings
  • Professional advisers: our accountants, solicitors, and insurers — when necessary to manage our business
  • Regulators and authorities: where required by law (e.g. HMRC, ICO, courts, law enforcement)
  • Successors: in the event of a sale, merger, or reorganisation of TechWaves

All processors we use are bound by written data processing agreements that meet the requirements of UK GDPR Article 28, EU GDPR Article 28, and UAE PDPL Article 22.

8. International data transfers

Because our clients and candidates are located across the UK, EU, UAE, and US, personal data may be transferred internationally. Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place:

  • Transfers to the EU: the EU has an adequacy decision in place with the UK; no additional safeguards required
  • Transfers to the US: we rely on the UK Extension to the EU-US Data Privacy Framework, or the International Data Transfer Agreement (IDTA) / Addendum, or alternatively explicit consent
  • Transfers to the UAE: the UAE does not currently have a UK or EU adequacy decision; transfers are made under the UK IDTA / EU Standard Contractual Clauses, or with explicit consent
  • Transfers from the UAE: where we process data of UAE residents and need to transfer it out of the UAE, we comply with UAE PDPL cross-border transfer rules using approved safeguards or explicit consent

You can request a copy of the transfer mechanisms applicable to your data by contacting us.

9. How long we keep personal data

We retain personal data only as long as necessary for the purpose for which it was collected. Specifically:

Data type Retention period
Candidate data — active candidates 2 years after engagement ends, unless we remain in active contact
Candidate data — passive/database candidates 3 years from last meaningful contact, subject to your right to object or be erased
Placed candidate records 6 years from placement, or 6 years from last contact, whichever is later
Client records 6 years after engagement ends (UK limitation period for contractual claims)
Billing and accounting records 6 years (HMRC requirement)
Website analytics 14 months (Google Analytics 4 default), unless you've configured a different period
Marketing data (for non-clients) Until you object, or 3 years from last engagement, whichever is sooner

After the retention period, we either delete or anonymise the data.

10. How we keep your data secure

We have put in place appropriate technical and organisational measures to prevent personal data from being accidentally lost, used, accessed in an unauthorised way, altered, or disclosed. These include:

  • Multi-factor authentication on all email, cloud storage, and business systems
  • Encryption of data in transit (TLS 1.2 or above) and at rest
  • Access controls limiting personal data access to those who need it
  • Regular reviews of vendors and processors
  • Confidentiality obligations on all third-party processors
  • Secure deletion of data at the end of retention periods

In the event of a personal data breach likely to result in a risk to your rights and freedoms:

  • UK and EU: we will notify the ICO (UK) or the relevant supervisory authority (EU) within 72 hours of becoming aware, and notify affected individuals without undue delay where the risk is high
  • UAE: we will notify the UAE Data Office immediately (within 72 hours of discovery) and notify affected individuals where harm is likely

11. Your rights

Your rights depend on where you reside. We will respond to all valid requests within the timeframes set by the applicable law: one month (UK GDPR), one month (EU GDPR), or 14 days (UAE PDPL).

11.1 If you are in the UK or EU

You have the right to:

  • Access your personal data (Article 15)
  • Rectify inaccurate personal data (Article 16)
  • Erasure ("right to be forgotten") in certain circumstances (Article 17)
  • Restrict processing in certain circumstances (Article 18)
  • Data portability (Article 20)
  • Object to processing based on legitimate interests, including direct marketing (Article 21)
  • Not be subject to a decision based solely on automated processing, including profiling, where it produces legal or similarly significant effects (Article 22 / Article 22A under UK GDPR following DUAA)
  • Withdraw consent at any time, where we are processing on the basis of consent

To exercise any of these rights, email sharn@techwavesrecruitment.co.uk. We may need to verify your identity before responding.

11.2 If you are in the UAE

Under the UAE PDPL, you have the right to:

  • Be informed about how your data is processed
  • Request access to your personal data
  • Request correction of inaccurate data
  • Request erasure of your data
  • Restrict or stop processing in certain circumstances
  • Request data portability
  • Object to processing for direct marketing
  • Object to automated decision-making where it has legal effects
  • Withdraw consent at any time

To exercise these rights, email sharn@techwavesrecruitment.co.uk. We will respond within 14 days.

11.3 If you are in the US

Although we believe we are not currently subject to the CCPA / CPRA or other US state privacy laws, we voluntarily extend the following rights to US-based individuals:

  • The right to know what personal data we hold about you
  • The right to request deletion of your personal data
  • The right to correct inaccurate personal data
  • The right to opt out of any "sale" or "sharing" of personal data (we do not sell or share personal data for cross-context behavioural advertising)
  • The right to non-discrimination for exercising your rights

To exercise these rights, email sharn@techwavesrecruitment.co.uk.

12. Cookies and similar technologies

Our website uses cookies and similar technologies. A separate Cookie Policy is available at techwavesrecruitment.co.uk/cookies explaining what cookies we use and how to manage them.

In summary:

  • Strictly necessary cookies are used without consent (these are essential for the website to function)
  • Analytics, marketing, and other non-essential cookies are only set after you give consent through our cookie banner
  • You can change your preferences at any time via the cookie settings link in our footer

13. Children's data

Our services are not directed at children, and we do not knowingly collect personal data from anyone under the age of 18. If you believe we have inadvertently collected such data, please contact us and we will delete it.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of the policy will indicate when it was most recently revised. For material changes, we will notify you by email (if we have your email address) or by a prominent notice on our website.

15. Complaints

If you have concerns about how we handle your personal data, please contact us first at sharn@techwavesrecruitment.co.uk and we will do our best to resolve the issue.

You also have the right to lodge a complaint with a supervisory authority:

  • United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk — 0303 123 1113
  • European Union: the data protection authority in your country of residence (a full list is available at edpb.europa.eu)
  • United Arab Emirates: UAE Data Office — bayanat.ae
  • United States (California residents): California Privacy Protection Agency — cppa.ca.gov

16. Contact us

For any questions about this Privacy Policy or how we handle your personal data:

  • Email: sharn@techwavesrecruitment.co.uk
  • Phone: +44 7801 545514
  • Post: TechWaves Recruitment Ltd, 1st Floor, 8-12 London Street, Southport, Merseyside, PR9 0UE, United Kingdom

This Privacy Policy was last reviewed on 13 May 2026. We review it at least annually and whenever there are material changes to our data processing activities.