Privacy Policy
Last Updated: 1 February 2026
Document Control.
Effective Date: 13 February 2026.
Data Controllers: F316 LTD (UK) and F316 Nigeria Limited (Nigeria).
Data Protection Contact: Managing Director, hello@f316.com.
Approved By: Managing Director, F316.
1. Introduction and Scope
This Privacy Policy explains how F316 LTD (a company registered in Scotland, Company Number 864077, with its registered office at 3 Hill Street, Edinburgh, EH2 3JP) and F316 Nigeria Limited (registered in the Federal Republic of Nigeria, RC Number 1127806, with its registered office at Mulliner Towers, 2nd Floor, 39 Alfred Rewane Road, Ikoyi, Lagos, Nigeria) (together referred to as “F316”, “we”, “us”, or “our”) collect, use, store, disclose, and protect your personal data.
This Policy applies to all personal data processed through our websites, platforms, and services, including: f316.com, our corporate consulting website (the “Corporate Site”); tn.f316.com, our AI-powered talent marketplace (the “Talent Network” or “F316TN”); and any associated applications, tools, chatbots (Angela and Maya), APIs, and communications.
We are committed to protecting your privacy and processing your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulations 2003 (PECR), the Nigeria Data Protection Act 2023 (NDPA), and the Nigeria Data Protection Regulation 2019 (NDPR).
This Privacy Policy is a notice to you and does not form part of any contract between us. Nothing in this Policy is intended to affect or limit your statutory rights, including those under the Consumer Rights Act 2015 (UK) or the Federal Competition and Consumer Protection Act 2018 (Nigeria).
By accessing or using our platforms, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use our services.
2. Data Controllers and Applicable Law
2.1 Joint Data Controllers
Depending on your location and the platform you use, the data controller responsible for your personal data is: F316 LTD (United Kingdom, Scotland), which processes data in accordance with UK GDPR, DPA 2018, and PECR 2003; or F316 Nigeria Limited (Federal Republic of Nigeria), which processes data in accordance with NDPA 2023 and NDPR 2019.
Where both entities process your data (for example, where a candidate in Nigeria is matched with a UK-based company), F316 LTD and F316 Nigeria Limited act as joint data controllers under a joint controllership arrangement. In such cases, the higher standard of data protection shall apply.
Joint Controllership Arrangement: In accordance with Article 26 of the UK GDPR and Section 26 of the NDPA 2023, F316 LTD and F316 Nigeria Limited have entered into a joint controllership agreement that sets out each entity’s respective responsibilities for compliance with applicable data protection obligations, including the exercise of data subject rights and the provision of information required under Articles 13 and 14 of the UK GDPR. Regardless of the terms of this arrangement, you may exercise your rights under applicable data protection law in respect of and against either entity. A summary of the joint controllership arrangement is available upon request by contacting our Data Protection Contact.
2.2 Data Protection Contact
For all data protection enquiries, requests, or complaints, please contact:
Data Protection Contact: Managing Director, F316. Email: hello@f316.com. Telephone: +44 (0) 20 8059 1995. Postal Address (UK): F316 LTD, 3 Hill Street, Edinburgh, EH2 3JP. Postal Address (Nigeria): F316 Nigeria Limited, Mulliner Towers, 2nd Floor, 39 Alfred Rewane Road, Ikoyi, Lagos, Nigeria.
Please note that whilst our Managing Director serves as the designated Data Protection Contact, F316 has not appointed a statutory Data Protection Officer under Article 37 of the UK GDPR or Section 31 of the NDPA 2023, as its processing activities do not currently meet the mandatory appointment thresholds. This position will be kept under review as the business grows.
3. Personal Data We Collect
3.1 Personal Data and Anonymised Data
Personal data means any information relating to an identified or identifiable living individual. It does not include data where the identity of the individual has been irreversibly removed (anonymised data). We may collect, use, and share aggregated statistical or demographic data derived from your personal data for any lawful purpose. Aggregated data is not considered personal data in law, as it does not directly or indirectly identify you. However, if we combine or connect aggregated data with your personal data such that it could directly or indirectly identify you, we treat the combined data as personal data and process it in accordance with this Policy.
3.2 Data Collected Directly from You
Account Registration and Profile Data
We collect: full name, email address, telephone number, and postal address; job title, employer or organisation name, and industry; professional qualifications, skills, and work experience (Talent Network users); curriculum vitae (CV) or resume content (uploaded or manually entered); work authorisation status (e.g. right to work in the UK, visa status); salary expectations and employment preferences (location, remote/hybrid, contract type); profile photograph (optional); and LinkedIn profile URL and associated public profile data (where you choose to connect).
Communications and Enquiries
We collect: messages sent through contact forms on f316.com (consulting, speaking, general enquiries); in-platform messages between candidates and companies on the Talent Network; chatbot conversations with Angela (f316.com) and Maya (Talent Network); email correspondence with F316 staff; and newsletter subscription preferences.
Payment and Billing Data
We collect: billing name and address; transaction history, invoices, and subscription tier. Payment card details are processed securely by our payment processors (Stripe for UK transactions, Paystack for Nigerian transactions) and are not stored on our servers.
3.3 Data Obtained from Third-Party Sources
In addition to data you provide directly, we may obtain personal data about you from the following third-party sources. Where we obtain data about you from a third party and have not collected it from you directly, we provide you with the information required under Article 14 of the UK GDPR and Section 34 of the NDPA 2023 through this Policy.
Single Sign-On (SSO) Providers
If you register or log in using Google or LinkedIn SSO, we receive limited profile information from those providers, including your name, email address, and (for LinkedIn) your public professional profile data such as job title, employer, and profile photograph. The specific data shared depends on your privacy settings with those providers and the permissions you grant during the authentication process.
Company-Provided Candidate Data
In certain circumstances, a Company user may share information about prospective candidates with us through the Talent Network (for example, referral details or candidate contact information). Where we receive personal data about you from a Company user, we will notify you of the data received and the purposes for which we intend to process it within one month of obtaining the data, or at the point of first contact with you, whichever is earlier.
Publicly Available Sources
We may collect professional information about you from publicly available sources, including company websites, professional directories, Companies House (UK), the Corporate Affairs Commission (Nigeria), and public social media profiles, for the purposes of business development and lead generation. Where we do so, we rely on our legitimate interests in conducting business development activities, subject to your right to object.
3.4 Data Collected Automatically
We automatically collect: IP address, browser type and version, operating system, and device information; pages visited, time spent on pages, click patterns, and referral source (via Plausible Analytics and Mixpanel); cookie data and similar tracking technologies (see our Cookie Policy for full details); UTM parameters and marketing attribution data (source, medium, campaign identifiers); and authentication tokens and session data.
3.5 Data Generated by Our Systems
Our systems generate: AI-generated match scores between candidates and job postings (calculated by our Gemini API-powered matching engine); CV parsing confidence scores and extracted structured data; lead scores and priority classifications (for consulting enquiries); profile completeness scores; and chatbot intent classifications and conversation metadata.
3.6 Special Category Data
We do not intentionally collect special category data (also known as sensitive personal data) such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation.
However, certain information you voluntarily include in your CV or profile (for example, membership of professional associations or diversity-related information) may incidentally constitute special category data. Where this occurs, we process it on the basis of your explicit consent (Article 9(2)(a) UK GDPR) or because you have manifestly made it public (Article 9(2)(e) UK GDPR). Under the NDPA 2023, we rely on your explicit consent for any processing of sensitive personal data.
3.7 Consequences of Not Providing Personal Data
Where we need to collect personal data by law, or under the terms of a contract we have with you (or are about to enter into with you), and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. This may include being unable to create your Account, process your Subscription, parse your CV, generate match scores, or provide other platform features. In such cases, we will notify you at the time.
Where provision of data is optional (for example, profile photograph, LinkedIn URL, or detailed work preferences), we will clearly indicate this, and your decision not to provide such data will not affect your ability to use the core features of the Platforms.
4. Purposes and Lawful Bases for Processing
We process your personal data only where we have a lawful basis to do so. The following sets out the purposes for which we process your data and the applicable lawful basis under UK GDPR and NDPA 2023.
Account creation and management: We process identity, contact, and profile data for the performance of our contract with you (UK GDPR Article 6(1)(b); NDPA Section 25(b)).
AI-powered candidate-job matching: We process skills, experience, work authorisation, salary expectations, and location data for the performance of our contract with you (UK GDPR Article 6(1)(b); NDPA Section 25(b)).
CV parsing and profile enhancement: We process CV content and professional history for the performance of our contract with you (UK GDPR Article 6(1)(b); NDPA Section 25(a) consent).
Processing payments and subscriptions: We process billing data and transaction records for the performance of our contract with you (UK GDPR Article 6(1)(b); NDPA Section 25(b)).
Responding to enquiries and providing support: We process contact data and communications on the basis of our legitimate interests in providing customer service (UK GDPR Article 6(1)(f); NDPA Section 25(c)).
Lead scoring and business development: We process contact data, enquiry details, and company information on the basis of our legitimate interests in business development (UK GDPR Article 6(1)(f); NDPA Section 25(c)).
Marketing to new contacts: We process email addresses and preferences on the basis of your consent (UK GDPR Article 6(1)(a); PECR Regulation 22; NDPA Section 25(a)).
Marketing to existing users and clients (similar services): We process email addresses and service history on the basis of our legitimate interests (UK GDPR Article 6(1)(f); PECR Regulation 22(3) soft opt-in; NDPA Section 25(c)).
Platform analytics and improvement: We process usage data, device information, and cookies on the basis of our legitimate interests in improving our services (UK GDPR Article 6(1)(f); NDPA Section 25(c)).
Fraud prevention and platform security: We process IP addresses, login data, and activity logs on the basis of our legitimate interests in protecting the platform (UK GDPR Article 6(1)(f); NDPA Section 25(c)).
Compliance with legal obligations: We process data as required by applicable law on the basis of legal obligation (UK GDPR Article 6(1)(c); NDPA Section 25(d)).
Legitimate Interests Assessment: Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You may request a copy of our legitimate interests assessment by contacting our Data Protection Contact.
4.1 Marketing Communications
We distinguish between two categories of marketing recipients:
New contacts and prospects: If you have not previously used our Services or engaged with us commercially, we will only send you marketing communications where you have given your prior consent (in accordance with PECR Regulation 22 and NDPA Section 25(a)). You may withdraw your consent at any time.
Existing users and clients: If you are an existing Talent Network user, Subscription holder, or consulting client whose contact details were obtained in the course of providing our Services, we may send you marketing communications about similar services without prior consent, in reliance on the PECR Regulation 22(3) “soft opt-in” exemption. In each case: (a) you will have been given a clear opportunity to opt out when your details were first collected; (b) every marketing communication will include a simple, free-of-charge opt-out mechanism; and (c) the marketing will relate only to our own similar products and services. Under Nigerian law, we rely on our legitimate interests for such communications, subject to your right to object at any time.
Where you represent a business (rather than acting as an individual consumer), we may provide you with direct marketing communications where we reasonably believe this is relevant to your business, provided you have not opted out. You can opt out of all marketing communications at any time by contacting us at hello@f316.com, clicking the unsubscribe link in any marketing email, or adjusting your notification preferences in your Account settings.
5. AI Processing and Automated Decision-Making
5.1 How We Use Artificial Intelligence
Our platforms use AI technology for the following purposes: CV Parsing, which involves automated extraction of skills, experience, education, and qualifications from uploaded CVs, with a confidence score assigned to each extracted field; Candidate-Job Matching, which uses a multi-factor scoring algorithm that calculates compatibility between candidate profiles and job postings based on skills (40% weighting), experience (25%), work authorisation (20%), location (10%), and salary expectations (5%); Chatbot Interactions, where Angela (f316.com) and Maya (Talent Network) use AI-powered intent classification to understand and respond to user queries; and Lead Scoring, which involves automated classification of consulting enquiries by value and urgency to prioritise business development activities.
5.2 Automated Decision-Making and Profiling
Under Article 22 of the UK GDPR and Section 36 of the NDPA 2023, you have specific rights regarding automated decision-making that produces legal effects or similarly significant effects.
Our AI matching engine produces match scores that influence which candidates are presented to companies and which job opportunities are shown to candidates. Whilst these scores inform the presentation order, they do not constitute solely automated decisions with legal effect because: all hiring decisions are made by human decision-makers at the relevant company; candidates can request a breakdown of their match score from Maya; companies review full candidate profiles, not just match scores, before making contact; and all candidate profiles are visible to companies regardless of match score, with the score serving as a guide to compatibility rather than a gatekeeping mechanism.
Notwithstanding the above, you have the right at any time to: request human review of any automated assessment; express your point of view regarding any automated decision; contest any decision that significantly affects you; and opt out of profiling for marketing purposes.
6. Data Sharing and Third-Party Processors
6.1 Categories of Recipients
We share your personal data with the following categories of recipients, and only to the extent necessary for the purposes described in this Policy.
Platform Users
If you are a candidate on the Talent Network, your profile (including name, skills, experience, and work authorisation status) is visible to pre-authorised company users. Profile completeness and match scores affect the prominence of your profile in search results, but do not prevent your profile from being visible. If you are a company user, your organisation name, job postings, and contact information are visible to candidates. We do not disclose candidate salary expectations to companies, nor do we share company subscription tier details with candidates.
Third-Party Service Providers (Data Processors)
We engage the following third-party service providers who process personal data on our behalf under written data processing agreements:
Google (Gemini API): AI matching, CV parsing, and chatbot intelligence. Processes CV data, skills, profile information, and chatbot messages. Located in the United States (UK adequacy safeguards in place).
Sanity.io: Content management, database, and email services. Processes platform content, user data, and email communications. Located in the EU / United States.
Resend: Transactional and marketing emails. Processes email addresses, names, and email content. Located in the United States.
Stripe: UK and international payment processing. Processes billing data and transaction records. Located in the United States / Ireland.
Paystack: Nigerian payment processing. Processes billing data and transaction records. Located in Nigeria.
Plausible Analytics: Privacy-focused website analytics. Processes anonymised usage data only (no personal data). Located in the European Union.
Mixpanel: Product analytics and event tracking. Processes usage events, device information, and user identifiers. Located in the United States.
HubSpot: Customer relationship management (CRM). Processes contact data, enquiry details, and company information. Located in the United States / Ireland.
GoDaddy: Domain and hosting services. Processes website data and DNS records. Located in the United States.
Google / LinkedIn: Single Sign-On (SSO) authentication. Processes authentication tokens and public profile data. Located in the United States.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our written instructions.
Legal and Regulatory Disclosures
We may disclose your personal data where required by law, regulation, legal process, or enforceable governmental request, including to the UK Information Commissioner’s Office (ICO), the Nigeria Data Protection Commission (NDPC), law enforcement agencies, or courts of competent jurisdiction.
Business Transfers
If F316 is involved in a merger, acquisition, reorganisation, or sale of all or substantially all of its assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your personal data.
7. International Data Transfers
As we operate across the United Kingdom and Nigeria and engage service providers located in various jurisdictions, your personal data may be transferred internationally. We ensure all transfers comply with applicable data protection laws.
7.1 UK to Third Countries
Where we transfer personal data from the UK to countries outside the UK that have not received an adequacy decision from the UK Secretary of State, we implement appropriate safeguards including: UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses; Binding Corporate Rules where applicable; or your explicit consent, where no other safeguard is available and you have been informed of the risks.
7.2 Nigeria to Third Countries
Under Section 43 of the NDPA 2023, international transfers of personal data from Nigeria are permitted where the receiving country provides an adequate level of data protection, or where we have implemented appropriate safeguards such as: contractual clauses approved or recognised by the Nigeria Data Protection Commission; binding corporate rules approved by the NDPC; or the data subject’s explicit consent after being informed of the possible risks.
7.3 UK-Nigeria Transfers
Transfers of personal data between F316 LTD and F316 Nigeria Limited are governed by our intra-group data transfer agreement, which incorporates the UK IDTA and contractual safeguards compliant with the NDPA 2023. These transfers are necessary for the performance of our cross-border talent matching services and are also covered by our joint controllership arrangement referred to in Section 2.1.
8. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it and whether we can achieve those purposes through other means, and the applicable legal requirements.
The following retention periods apply:
Active user accounts and profiles: Retained for the duration of the account plus 2 years post-closure, for the purposes of contract performance and enabling account reactivation.
Candidate CVs and parsed data: Retained for the duration of the account plus 2 years post-closure, for the purposes of contract performance and match history.
Job postings: Retained for 12 months after the posting closes, for analytics and matching improvement purposes.
Payment and billing records: Retained for 7 years from the transaction date, in accordance with UK tax and accounting obligations (HMRC) and the Federal Inland Revenue Service (FIRS) requirements in Nigeria.
Consulting enquiries and lead data: Retained for 3 years from last contact, for business development purposes and within the limitation period for contractual claims.
Chatbot conversation logs: Retained for 12 months, for service improvement and AI training purposes.
Analytics and usage data: Retained on a rolling 26-month basis, for platform improvement purposes in line with industry standards.
Marketing consent records: Retained for the duration of consent plus 3 years, as evidence of consent under PECR and the NDPA.
Security and audit logs: Retained for 12 months, for fraud detection and incident investigation.
GDPR/NDPA data subject requests: Retained for 6 years from completion, as a legal obligation and evidence of compliance.
Upon expiry of the applicable retention period, personal data is securely deleted or anonymised so that it can no longer be associated with you. Anonymised data may be retained indefinitely for statistical and research purposes.
9. Your Rights
9.1 Rights Under UK GDPR and DPA 2018
If you are located in the United Kingdom or your data is processed under UK law, you have the following rights: Right of Access (Article 15) to request a copy of the personal data we hold about you; Right to Rectification (Article 16) to request correction of inaccurate or incomplete personal data; Right to Erasure (Article 17) to request deletion of your personal data where there is no compelling reason for its continued processing; Right to Restriction of Processing (Article 18) to request that we restrict processing in certain circumstances; Right to Data Portability (Article 20) to request your data in a structured, commonly used, machine-readable format; Right to Object (Article 21) to object to processing based on legitimate interests or for direct marketing purposes; Rights Related to Automated Decision-Making (Article 22) to request human intervention in automated decisions; and the Right to Withdraw Consent where processing is based on consent, without affecting the lawfulness of prior processing.
9.2 Rights Under NDPA 2023 and NDPR 2019
If you are located in Nigeria or your data is processed under Nigerian law, you have the following rights: Right to be Informed (Section 34) to receive clear information about how your data is processed; Right of Access (Section 35) to request access to your personal data; Right to Rectification (Section 37) to request correction of inaccurate personal data; Right to Erasure (Section 38) to request deletion of your personal data, subject to legal exceptions; Right to Restrict Processing (Section 39) in specified circumstances; Right to Data Portability (Section 40) to request your data in a structured, machine-readable format; Right to Object (Section 41) to processing, including for direct marketing; Right Not to be Subject to Automated Decision-Making (Section 36) to object to decisions based solely on automated processing; and Right to Compensation (Section 58) to seek compensation for damage suffered as a result of a breach of the NDPA.
9.3 Exercising Your Rights
To exercise any of the above rights, please contact our Data Protection Contact at hello@f316.com or write to the postal addresses provided in Section 2.2. We will respond to your request within one calendar month (UK GDPR) or 30 days (NDPA 2023). This period may be extended by a further two months (UK) or 30 days (Nigeria) where the request is complex; in that case, we will inform you of the extension and the reasons for it.
We may request proof of identity before processing your request. This is a security measure to ensure that personal data is not disclosed to anyone who is not authorised to receive it. Requests are free of charge unless manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.
9.4 Right to Lodge a Complaint
If you are dissatisfied with how we handle your personal data or your rights request, you have the right to lodge a complaint with the relevant supervisory authority. In the United Kingdom: Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; website: ico.org.uk; telephone: 0303 123 1113. In Nigeria: Nigeria Data Protection Commission (NDPC), Abuja, Federal Capital Territory; website: ndpc.gov.ng.
10. Children and Minors
Our platforms and services are not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18 years of age. If we become aware that we have collected personal data from a minor, we will take immediate steps to delete that data. If you believe a minor has provided us with personal data, please contact us at hello@f316.com.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include: encryption in transit using TLS 1.3 for all data transmitted between your browser and our servers; encryption at rest using AES-256 for stored personal data; Row Level Security (RLS) policies at the database level, ensuring users can only access their own data; role-based access controls (RBAC) limiting internal access to personal data on a need-to-know basis; regular security audits and vulnerability assessments; secure authentication with support for multi-factor authentication; and incident response procedures with defined escalation and notification protocols.
In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They are subject to a duty of confidentiality and will only process your personal data on our instructions.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours (Article 33 UK GDPR) and the NDPC within 72 hours (Section 44 NDPA 2023), and will notify affected individuals without undue delay where the breach is likely to result in a high risk.
12. Cookies and Tracking Technologies
Our platforms use cookies and similar tracking technologies. For comprehensive information about the cookies we use, how to manage your preferences, and your rights in respect of cookies, please refer to our separate Cookie Policy, available on our websites.
13. Third-Party Links and Services
Our platforms may contain links to third-party websites, services, or applications (including LinkedIn, Google, and payment processors). We are not responsible for the privacy practices or content of these third-party services. We encourage you to read their privacy policies before providing any personal data.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. Where changes are material, we will notify you by posting a prominent notice on our platforms, sending an email to the address associated with your account, or requesting renewed consent where the change affects processing based on consent.
The “Effective Date” at the top of this Policy indicates when it was last updated. We encourage you to review this Policy periodically.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
F316 LTD (United Kingdom): 3 Hill Street, Edinburgh, EH2 3JP (By appointment only). Company No. 864077.
F316 Nigeria Limited: Mulliner Towers, 2nd Floor, 39 Alfred Rewane Road, Ikoyi, Lagos, Nigeria (By appointment only). RC: 1127806.
Telephone: +44 (0) 20 8059 1995
Email: hello@f316.com
Websites: f316.com | tn.f316.com