Candidate privacy notice - Extended sourcing

Last updated: 10th March 2026

This notice forms an integral part of our privacy policy and specifies its scope as it applies to our extended sourcing service.

1. How our Extended Sourcing service works

Sourcing is a professional practice that enables recruiters to identify and proactively contact potential candidates, beyond applications submitted spontaneously or in response to a job posting.

To broaden our ability to connect talent with job opportunities, we have developed an extended sourcing service that allows recruiters to access a larger talent pool directly from Welcome to the Jungle.

In practice, this service makes it possible:

  • For recruiters: to identify qualified candidates, including passive talent who are not actively looking for a new role.
  • For candidates: to discover opportunities they might not have applied for spontaneously.

How it works

Step 1 — Building the database

We build a database of professional profiles in partnership with a recognised specialist provider that collects publicly available professional information from:

  • Public professional profiles on professional social networks
  • Professional websites and public portfolios
  • Public professional directories
  • Professional and academic publications

Important: We did not collect this data directly from you. That is why we inform you through this notice and through email notifications when your contact details are accessed.

Step 2 — Recruiters’ search

Our recruiter customers can search this extended sourcing database using criteria of their choice (skills, experience, location, etc.) and view the professional profiles matching those criteria.

Step 3 — Access to contact details

When a recruiter wants to contact a candidate, they click a button to access the candidate’s contact details (email and/or phone number).

Step 4 — Automatic notification

When a recruiter accesses your contact details for the first time, you automatically receive an email informing you that a recruiter is interested in your profile. This email contains a link that allows you to object easily if you do not wish to be contacted. If you object, your personal data will also be deleted from our extended sourcing tool.

2. GDPR roles and responsibilities, and data sources

At Welcome to the Jungle, protecting your privacy and keeping your personal data safe are at the heart of what we do. We are committed to transparency and full GDPR compliance.

It is therefore important to clearly explain the roles and responsibilities of each party:

Welcome to the Jungle — Data Controller

Processing carried out:

  • Building and hosting the database of professional profiles
  • Providing the sourcing tool to recruiter customers using Welcome to the Jungle
  • Notifying candidates when their contact details are accessed
  • Handling requests to exercise data subject rights (access, rectification, objection)

Obligations / safeguards:

  • Ensuring the security of the data contained in the database
  • Informing candidates in a transparent manner
  • Facilitating the exercise of rights
  • Complying with retention periods

Recruiter customers — Independent Data Controllers

Processing carried out:

  • Using candidates’ contact details to contact them about job opportunities
  • Managing the recruitment and selection process
  • Storing candidate data in their own systems

Obligations / safeguards:

  • Informing candidates at first contact about their specific processing
  • Respecting the rights of contacted candidates
  • Managing their own retention periods
  • Complying with the recruitment purpose

Important: When a recruiter accesses your contact details and contacts you, they become an independent controller for the processing of your personal data within their recruitment process. You can exercise your rights directly with that recruiter for that specific processing.

People Data Labs — Data provider

Processing carried out:

  • Collecting and aggregating public professional data
  • Making its database available to Welcome to the Jungle

Obligations / safeguards:

  • GDPR compliance of its collection practices
  • Respect for individuals’ rights
  • Data security

Important: People Data Labs is a recognised partner that assesses all of its data sources from a compliance standpoint and does not collect data from private sites that require login credentials or paid subscriptions.

3. Information we collect and process

Categories of professional data

As part of the extended sourcing service, we process the following professional information:

Identification data:

  • First and last name
  • Email address (where available)
  • Phone number (where available)

Professional background:

  • Positions held (job titles, dates)
  • Current and past employers
  • Industry and function

Skills and education:

  • Technical skills and expertise
  • Qualifications and training
  • Fields of study

Geographic location:

  • City and region

Public professional profiles:

  • Links to public professional network profiles

Nature of the data: This is exclusively professional and non-sensitive data. It does not include any special categories of personal data as defined under Article 9 of the GDPR.

4. Legal basis and purposes of the processing

Legal basis

We rely on our legitimate interest (Article 6(1)(f) GDPR) to:

  • Develop our professional networking services
  • Meet the needs of our recruiter customers
  • Create value for candidates through professional opportunities

We carried out a thorough balancing test confirming that this legitimate interest does not override your interests or fundamental rights and freedoms.

Our recruiter customers, as independent controllers, determine the purposes and legal bases of their own data processing.

Purposes of the processing

Main purpose:

  • Providing a database of professional profiles to our recruiter customers for their sourcing and recruitment activities

Secondary purposes:

  • Notifying candidates when their contact details are accessed
  • Managing requests to exercise data subject rights
  • Improving the quality and security of our services
  • Compliance with our legal obligations

5. Who has access to your data?

Internal recipients (Welcome to the Jungle)

  • Technical teams
  • Support team
  • Legal and compliance team

External recipients

Recruiter customers (independent controllers):

Our professional customers access your data as part of their candidate searches. As soon as a recruiter accesses your full contact details, you are automatically notified by email.

Important: These recruiters act as independent controllers for their own recruitment process and must comply with their own GDPR obligations towards you.

Technical service providers (processors):

  • Hosting and infrastructure (servers, databases)
  • Communication services (sending notification emails)
  • Security analytics and monitoring tools

All of our providers are subject to confidentiality agreements and strict GDPR data processing clauses.

Legal authorities:

If required by law or to protect our legitimate rights.

International transfers

Your data is primarily hosted within the European Union. Where data is transferred outside the EU (e.g. certain technical providers), we ensure that appropriate safeguards compliant with the GDPR are in place:

  • European Commission Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • Or other validated transfer mechanisms

6. How long do we keep your data?

Retention periods

SituationRetention period
Profiles not viewed by a recruiterMaximum 3 years from the date the data was first included in our database
Profiles viewed by a recruiterMaximum 2 years from the last access
Right to object exercisedImmediate deletion

Regular review and updates

We review our database monthly to:

  • Delete obsolete or outdated profiles
  • Immediately remove profiles for which the right to object has been exercised
  • Update information where necessary
  • Verify the relevance of retained data

7. Your data protection rights

In accordance with the GDPR, you have the following rights regarding your personal data:

Right to object (Art. 21)

You have the right to object to this processing based on legitimate interest.

You can object at any time, without having to justify your request, to the processing of your data as part of our extended sourcing service.

How to exercise this right

Option 1: After receiving a notification

If a recruiter accesses your contact details, you automatically receive a personalised email containing all the information about the access and a direct opt-out link.

Simply click the link to object instantly and be removed from our database.

Option 2: Pre-emptive objection at the source (before any notification)

If you want to object now, even before a recruiter views your profile:

Through our partner People Data Labs:

Go directly to their opt-out form:
👉 https://www.peopledatalabs.com/do-not-sell-or-share

This objection will be processed at the source and will prevent your data from being included in our sourcing database.

Effect of your objection:

  • Deletion of your data from our sourcing database
  • Recruiters will no longer be able to access your profile

Right of access (Art. 15)

You can obtain:

  • Confirmation as to whether we process your data
  • A copy of the personal data we hold about you
  • Information on how we use it and with whom we share it

How to exercise it: via our access request form or by emailing privacy@welcometothejungle.com

Right to rectification (Art. 16)

You can request the correction of inaccurate or incomplete data about you.

How to exercise it: contact us at privacy@welcometothejungle.com and indicate the corrections you would like.

Right to erasure (Art. 17)

You can request the deletion of your data in certain cases, including:

  • After exercising your right to object (in which case your data is deleted automatically)
  • If the data is no longer necessary for the purposes for which it was collected
  • If the processing is unlawful

How to exercise it: via our request form or by emailing privacy@welcometothejungle.com

Right to restriction of processing (Art. 18)

You can request a temporary restriction of processing in certain circumstances (for example, while verifying the accuracy of disputed data).

How to exercise it: contact us at privacy@welcometothejungle.com

Automated decision-making and profiling (Art. 22)

Our extended sourcing service involves the matching of professional profiles against search criteria defined by recruiters. This constitutes profiling within the meaning of Article 4(4) of the GDPR. However, no decision with legal or similarly significant effects is made solely on the basis of automated processing. All recruitment decisions are made by human recruiters.

Response timelines

We commit to responding to any request within one month of receipt, in accordance with the GDPR. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests.

Identity verification

For security reasons and to protect your data against unauthorised access, we may request a copy of an identity document to verify your identity before processing your request.

8. Security of your data

The security of your data is a top priority. We have implemented robust technical and organisational measures adapted to the level of risk:

Technical measures

  • Data encryption (AES-256) in transit and at rest
  • Strong authentication and access controls based on the principle of least privilege
  • Security monitoring and real-time incident detection
  • Regular, encrypted, tested backups
  • Network segmentation and advanced firewalls
  • Penetration tests and regular security audits
  • Intrusion detection and prevention systems

Organisational measures

  • Ongoing training and awareness for teams on data protection
  • Documented procedures for managing security incidents
  • Strict confidentiality clauses for all employees and providers
  • Compliance audits and quarterly security reviews
  • Access and authorisation management policy
  • Regular security and privacy reviews

In the event of a data breach

If a personal data breach that is likely to result in a high risk to your rights and freedoms were to occur, we would inform you as soon as possible in accordance with our legal obligations (notification to the CNIL within 72 hours and notification to the individuals concerned where a high risk is identified).

9. Right to lodge a complaint with a supervisory authority

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the competent supervisory authority.

In France — Commission Nationale de l’Informatique et des Libertés (CNIL):

In the United Kingdom — Information Commissioner’s Office (ICO):

You can also lodge a complaint with the data protection authority of your EU Member State of habitual residence, place of work, or the place of the alleged infringement.

We nevertheless invite you to contact us first (privacy@welcometothejungle.com) so that we can address your concern and try to resolve it directly with you.

10. Changes to this notice

We reserve the right to amend this information notice to reflect:

  • Changes in our practices and services
  • Changes in legal and regulatory requirements
  • User feedback and expectations

The date of the last update is always indicated at the top of this notice.

In the event of a substantial change affecting your rights, we will inform you by:

  • Email, if we have your contact details
  • Notification on our website
  • Any other appropriate means

We encourage you to review this notice regularly to stay informed about how we protect your data.

11. Contact us

For any question about this notice or your personal data

Data Protection Officer (DPO):

For general questions about our services

To exercise your right to object quickly