Privacy Policy

This Privacy Policy applies to any and all use of the services operated by TaTiO Workforce Ltd., ("Company", "We", "Our", or "Us"), including Our website https://www.tatio.io/, online platform, mobile applications, social media pages, and any other services or products provided by Us through any of the foregoing or by other means (“Services”).

This Privacy Policy governs all use of the services provided by TaTiO Workforce Ltd., ("Company", "We", "Our", or "Us"), including but not limited to Our website https://www.tatio.io/, online platform, mobile applications, social media pages, and any other services or products We offer through these channels or by other means (“Services”).

By accessing or using the Services in any way, you ("You" or "User") acknowledge and agree to the terms of this Privacy Policy, thereby expressing your consent to its provisions.

The purpose of this Privacy Policy is to elaborate and explain how We processes personal information in connection with the Services. It describes the types of personal information We may process the purposes for which it is processed with whom We may share (or transfer to) personal information and the purpose of such sharing (or transfer). It also outlines the rights available to data subjects regarding their personal information and how those rights may be exercised, along with relevant provisions and contact details for our EU representative for data subjects residing in the EU.

If You reside in the EU please refer to Our Notice for EU Residents, which supplements this Privacy Policy with additional information required under Regulation (EU) 2016/679 - the General Data Protection Regulation ("GDPR") along with relevant contact details for our EU representative for data subjects residing in the EU.

If you reside outside of the EU and have questions or requests regarding processing of your personal information, please contact Us directly (Our contact details are provided below).

Please note that you are not legally obligated to provide us with personal information. However, if you choose not to do so, we may be unable to offer our Services, respond to your inquiries, or process your requests effectively.

The Company is established and operates under the laws of the State of Israel. This Privacy Policy reflects our data practices in accordance with Israeli privacy law, including Protection Privacy Law 5741-1981, and the DGPR in relation to data subjects residing in the EU (as set in Our Notice for EU Residents).

What Types of Personal Information Do We Collect?

We collect various types of personal information based on the nature of your interaction with Us or the specific Service We provide. This may include personal information on: (a) individual clients and prospective clients; (b) representatives acting on behalf of clients and prospective clients;(c) applicants participating in assessments or simulation services that we offer to our clients; and (d) visitors and users of our website or other Services.

1. Information We Collect and Process About Clients and Prospective Clients (Natural Persons).

We collect and process personal information about individual clients, which may include:

● Identification Data: First name, last name, and, where applicable, trade name.

● Contact Details: Work address, email, phone number, and mobile number.

● Legally Required Documentation: Such as tax receipts or certificates of exemption from withholding tax approval.

We collect personal and process information about individual prospective clients, which may include:

● Identification Data: first name, last name, and (where applicable) trade name.

● Contact Details: work address, e-mail, phone and mobile number.

2. Information We Collect and Process About Clients’ Representatives and Representatives of Prospective Clients

We collect and process personal information from or about representatives of our clients and prospective clients, which may include:

● Identification Data: first name, last name.

● Professional data: Position or role within the client organization.

● Contact Details: work address, e-mail, phone and mobile number.

3. Information We Collect and Process About Applicants

We provide to Our clients job applicant evaluation services, conducted based on their instructions and specifications. These evaluations are facilitated through an online platform that enables simulation-based assessments.

Applicants' personal information is processed by Us in pseudonymized mode only. We use pseudonymized login credentials for all applicants' access. During the evaluation process, We do not collect, receive, or process any directly identifying information (such as name or email). The entire simulation and assessment workflow operates without access to personally identifiable information. All analysis is performed pseudonymously.

Only after the assessment process is complete, and depending on the client’s system configuration and consent mechanism, applicant identification (e.g., name) may be matched to the assessment results and appended to the report accessible or provided to the client. TaTiO does not independently identify or authenticate any applicant.

We may process anonymous data (derived from applicants pseudonymized personal information) for internal purposes such as service improvement, AI development and training, and statistical analysis. This data is not linked to any identifiable individual and is retained independently from client use.

When processing data linked to pseudonymized identifiers, we act as a data processor on behalf of the client. The identity of the applicant is generally unknown to us. We typically receive only pseudonymized identifiers (such as a ‘system ID’ or ‘token’) assigned by the client. We do not independently verify or collect directly identifying information. To the extent that the client provides us identifying information, such data is stored separately from assessment data encrypted and linkable to the client (to support client's referral and delivery process).

In this context, we collect or may collect:

● Assessment Session Interaction Data: Applicants’ responses to tasks and simulations, and session logs documenting applicant activity within the system.

● Audio/Visual Data: if requested by a client, and subject to applicants’ consent, We may collect audio recordings (by default if consented) and video recordings during simulation sessions.

Evaluation Results: based on the assessment session interaction data (and when applicable the audio/video data), We automatically generate insights or scores, which are matched to applicants only after completion and solely in accordance with clients’ instructions or specifications.

The purposes, processing logic, and retention periods for these recordings are further explained in the sections: “Why Do We Collect Information? How We Use It?”, “Automated Decision-Making”, and “Data Retention”.

4. Information We Collect and Process About Website Visitors and Service Users

For Users accessing our website or digital interfaces within our Services, We may collect:

● Device and Technical Data: including IP address, browser type, device identifiers, operating system, and language preferences.

● Usage and Interaction Data: such as pages visited, buttons clicked, session duration, and referral sources.

● Cookies and Interaction Data: see the “Cookies and Similar Technologies” section for more details.

Why Do We Collect Personal Information? How We Use It?

We collect and process personal information regarding prospective clients and their representatives to facilitate marketing communications, evaluate potential business relationships, and manage pre-contractual negotiations related to Our services.

We collect and process personal information about clients’ representatives for provision, management, improvement or development of Our Services.

We collect and process personal information about applicants solely to provide Our Services to our clients, in pseudorandomized mode as explained above, and always based on their documented instructions.

When acting as a data processor on behalf of a client We do not determine the purposes or legal basis for such processing and do not use applicants’ personal information for any independent purpose. All such processing is conducted solely based on documented instructions from the client, who acts as the data controller. We may create statistical, aggregated or otherwise anonymized data for our internal purposes when We do so We act as data controller.

When acting as a data controller, we use personal information for the following purposes:

● Provision of Our Services.

● Marketing (in accordance with applicable law).

● Managing client accounts and communications;

● Providing platform access to authorized users;

● Responding to technical or user inquiries;

● Ensuring system integrity and security;

● Improving the performance, functionality and usability of the Services;

● Developing Our Services;

● Sending service-related communications or respond to demo requests, in accordance with applicable law.

Additionally, we may process statistical, aggregated or anonymized data, which cannot be used to identify any individual, for the purposes of Services development, AI model training, statistical analysis, or research related to simulation design and recruitment trends.

EU Residents: For more information on our legal bases for processing under the GDPR, please refer to the Notice to EU Residents.

Sharing or Transferring Personal Information to Third Parties

We transfer or share personal information with third parties in the following instances and for the following purposes:

● Upon the User's request and/or explicit consent.

● Assessments to Our clients.

● To comply with applicable law, legal obligations, or a request or order from a competent authority, court or regulatory body.

● In the event of any dispute, claim, demand, or any legal proceedings that the Company is involved with.

● Restructure, merger, acquisition, sell of assets on advanced negotiations towards any of the foregoing.

● If We believe your use of the Service involves or constitutes an unlawful act or omission, or may harm the Company, its property, or its legitimate interests.

● In any event where the Company deems that it is necessary to prevent serious harm to you or the others, including harm to personal safety or property.

Where personal information is transferred to a third country or international organization, we will ensure appropriate safeguards are implemented in accordance with applicable data protection laws.

● To Our service providers for provision of their services to Us (in accordance with applicable law).

Where we act as a data controller (e.g., for client users or website visitors), such transfers are made based on legal obligation, or user consent, as appropriate.

Where we act as a data processor (e.g., in relation to applicant assessment data), we transfer personal information to third parties (save from the foregoing) based on documented instructions from the client (the data controller) and in accordance with applicable data processing agreements.

User’s Access and Delete or Amend rights

In accordance with the Israeli Protection of Privacy Law: (1) users may request to accesses their personal information processed by the Company. (2) users may request to amend or erase their personal information processed by the Company if they believe it is inaccurate or not updated. If You wish to exercise Your rights please contact us at: info@tatio.io.

If you are an applicant using our Services, We are not able to independently verify your identity, therefore we cannot fulfill data subject rights requests. Please contact the organization or person who invited you to use Our Services in order to exercise your rights.

EU Residents: For details on your rights under the GDPR—including rights to access, rectification, erasure, restriction, objection, and data portability—please refer to the Notice to EU Residents below.

Cookies and Similar Technologies

To support the operation of Services, and to enhance Our Services users experience, We may use various tracking technologies, including cookies, pixels, tags, clear Gifs, Web Beacons and similar technologies. These are used for purposes such as collecting information about your usage of the Services, verifying user identity, enhancing usability, personalizing content based on your preferences, and supporting Our information security measures.

Cookies are small text files that are stored by Our servers through your browser. The cookies do not contain information that identifies you personally, but they may include information about your activity on the Our Services. Cookies enable Us to provide faster, more efficient service, save your preferences, and reduce the need to re-enter your information repeatedly.

You may adjust your browser setting to refuse or delete cookies. However, some features of the Services may not function properly without them.

In addition to our own technologies, we may also use third-party tools and cookies, including those provided by Google and Facebook, for similar purposes such as analytics, functionality improvements, and personalized advertising. These may include:

• Google Analytics, Tag Manager, and Firebase

• Facebook Pixel

You can find out more information and control the information that these companies collect about you by visiting the links listed below:

• https://www.facebook.com/policies/cookies

• https://policies.google.com/technologies?hl=en

Please note that the information collected through these companies may be stored in databases outside Israel.

EU Residents: For additional information regarding how we process personal information collected through cookies and the choices available to you under applicable EU data protection laws —please refer to the Notice to EU Residents below.

Data Retention

Unless otherwise specified in this Privacy Policy or agreed upon with the client, we retain personal information only for as long as necessary to fulfill the purposes for which it was collected, in accordance with the applicable legal, regulatory, and contractual obligations.

When we act as date processors (e.g., for applicant assessments), the retention period is determined by the client, save audio and video recordings. Applicants' data is collected and processed in pseudonymized mode during the simulation or assessment process and no identifying information is used in generating the evaluation results. If the client chooses to append identification after the assessment via integration, it is added only at the report stage and retained per the client’s instructions. Audio and video recordings are deleted within a maximum period of six months of collection. Clients may ask for a shorter period.

During retention period We may produce statistical, aggregated or anonymized data We may retain such anonymized data for indefinite period.

When we act as data controllers (e.g., for Client User accounts, Service usage data, or communications), we retain personal information in accordance with our internal retention schedule. This includes data needed for account management, system security, or customer service history.

In certain cases, we may retain personal information for longer periods if required by law or if necessary to protect our legal rights. This may include retaining information for compliance with legal, tax, or audit obligations; handling User inquiries or disputes; or preparing for potential legal proceedings.

Please note that, unless otherwise required by applicable law or by specific agreement, we are not obligated to retain personal information for any fixed period and may securely delete or restrict access to it at our discretion.

EU Residents: We retain personal information originating from the European Economic Area (EEA) only for as long as necessary for the purposes for which it was collected, or as required under applicable law. Where we act as a processor, our retention is governed by instructions from the client (data controller).

You may exercise your rights under the GDPR (e.g., erasure, objection) at any time by contacting the relevant data controller. If we are the controller, please contact us directly at info@tatio.io.

Data Security

We take data security seriously. The company is ISO 27001 certified.

In respect of its overall operations, and particularly on its Services, the Company implements organizational and technical measures and procedures for information security (including processing sensitive data in pseudo anonymized mode and retaining sensitive data for short periods). While these measures and procedures reduce the risks of data breaches, they do not provide absolute security. Therefore, the Company does not guarantee that the Services will be completely immune to data breaches.

Changes to the Privacy Policy

We may change or update this Privacy Policy from time to time. Such changes will take effect upon their publication on the Company's Services. Your continued use of the Company's Services should be deemed to constitute your consent to the amended Privacy Policy.

Notice to EU Residents

If you are a resident of the European Union or the European Economic Area (together the “EU”), the following notice supplements the general terms of Our Privacy Policy and provides additional disclosures required under the GDPR. It should be read together with the rest of the Privacy Policy, which applies to all users, including those in the EU.

This Notice includes additional details regarding:

● Information regarding Our EU local representative;

● The legal bases We rely on when processing personal information;

● How personal information may be transferred outside the EU;

● Your rights as a data subject under the GDPR;

● Our roles as a data controller or data processor, depending on the context.

Data Controller & Contact Information

In most cases, where You are an applicant participating in an assessment or simulation, We process your personal information as a data processor on behalf of our client (the entity or person that invited You to use Our Services). In such cases, the client acts as the data controller and is responsible for determining the purpose and means of processing and for handling your data subject rights under the GDPR.

For processing activities where We act as data controllers – such as visits to our website, Service analytics, or direct communication with Client representatives – Your personal information is controlled by:

TaTiO Workforce Ltd.

George Weiz 18 Ramat Aviv

Email: info@tatio.io

We have appointed an EU representative in accordance with Article 27 GDPR. You may contact our representative:

Hugo Bernardes

R. Filipe Folque 2 Sala 1D-1F

1050-113 Lisboa, Portugal

Phone: +351963013966

Email: hugo.bernardes@thekeytalent.com

International Data Transfers

Your personal information may be transferred to, stored in, or accessed from countries outside Your country of residence, including jurisdictions that may not offer the same level of protection as those in Your country of residence.

Our primary operations are based in Israel, where our headquarters are located. Israel has been recognized by the European Commission as providing an adequate level of data protection under Article 45 of the GDPR. In addition, our data may be hosted or processed through cloud-based infrastructure located in other jurisdictions, including the United States and the European Union.

Where we transfer personal information from the EU to countries that do not benefit from an adequacy decision by the European Commission or relevant supervisory authorities, we implement appropriate safeguards to ensure an adequate level of protection. These may include:

● The Standard Contractual Clauses (SCCs) approved by the European Commission or the UK Information Commissioner’s Office;

● Reliance on the EU-U.S. or UK-U.S. Data Privacy Framework (DPF), where applicable; and

● Other legally valid transfer mechanisms or contractual commitments.

In all such cases, we ensure that recipients of personal information are subject to obligations that provide a level of data protection consistent with applicable laws.

Your Rights Regarding Your Personal Information

If You are reside in the EU and we act as the data controller for your personal information, you have the following rights under the GDPR.

Please note that if you are an applicant participating in an assessment, We typically act as a data processor on behalf of our client, who is the data controller. In such cases, We are not able to independently verify your identity or fulfil your request, but we will refer it to the relevant client, who is solely responsible and for handling it.

Right to be Informed

You have the right to be informed about our data collection and processing practices, including what personal information we collect, how we use it, and with whom we may share it. This privacy policy provides such information in full.

Right to Access

You may request a copy of the personal information we hold about you. If we are the processor (e.g., processing applicants’ personal information for our clients), please direct your request to the client who invited you to use our Service.

Right to Rectification

If you believe that your personal information is inaccurate or incomplete, you may request that we correct or complete it. (e.g., processing applicants’ personal information for our clients), please direct your request to the client who invited you to use our Service.

Right to Erasure (Right to Be Forgotten)

You may request deletion of your personal information under certain conditions, such as when the data is no longer needed or was processed based on consent. This right may be limited if data must be retained to fulfill legal or contractual obligations. If we are the processor (e.g., processing applicants’ personal information for our clients), please direct your request to the client who invited you to use our Service.

Right to Restriction of Processing

You may request that we temporarily or permanently stop processing all or some of your personal information, depending on the context and applicable legal basis. If we are the processor (e.g., processing applicants’ personal information for our clients), please direct your request to the client who invited you to use our Service.

Right to Data Portability

Where processing is based on your consent or a contract, and carried out by automated means, you may request a copy of your personal information in a structured, commonly used, and machine-readable format to transfer it to another service provider. If we are the processor (e.g., processing applicants’ personal information for our clients), please direct your request to the client who invited you to use our Service.

Right to Object

You have the right to object to the processing of your personal information where we rely on legitimate interests as the legal basis. We will cease processing unless we demonstrate compelling legitimate grounds to continue.

Right to Withdraw Consent

If we process your personal information based on your consent (e.g., for cookies or marketing or audio/video recordings), you may withdraw your consent at any time. You can do so via cookie settings, unsubscribe links in emails, or by contacting us directly.

Right Not to Be Subject to Automated Decision Making

You have the right not to be subject to a decision based solely on automated processing—including profiling—that has legal or similarly significant effects. Where such processing occurs, you may request human review or to express your point of view. If we are the processor (e.g., processing applicants’ personal information for our clients), please direct your request to the client who invited you to use our Service.

To exercise any of the above rights, please contact Our EU Local Representative (contact details are provided above). We may need to verify your identity before processing your request.

Automated Decision-Making and AI-Based Evaluation

Some assessments and simulations provided through our Service include the use of automated processing technologies, including artificial intelligence (AI) and machine learning, to analyze interactions and evaluate applicant interactions. These outputs may include performance scores, categorizations, or summaries of performance – based on predefined criteria set by the client. These outputs are then made available to the client for review as part of their recruitment process.

These outputs are intended solely to support human decision-makers and do not result in hiring decisions or other outcomes based solely on automated means. We do not make any decisions with legal or similarly significant effects on applicants.

In accordance with Article 22 of the GDPR, You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects. You also have the right to request human intervention, express your point of view, and contest the decision.

If you believe that your assessment involved automated decision-making and wish to exercise your rights in this regard, please contact the client who invited you to the assessment. Where appropriate, we will assist the client in responding to your request.

Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. You can find contact detailed for your supervisory authority here: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.

Legal Basis for Processing Your Personal Information

Under the GDPR, we are required to identify and document a lawful basis for any processing of personal information. We rely on different legal bases depending on the context and relationship.

Where we act as a data processor (e.g., in relation to applicant assessments), the client that invited you is the data controller, responsible for determining the lawful basis. In such cases, we process your data strictly according to their documented instructions.

When we act as a data controller (e.g., for client representatives, natural person clients, or visitors to our website), the following legal bases apply:

Clients – Natural Persons and Prospective Clients

Personal Information: Identification information (e.g., first name, last name, trade name); contact details (e.g., email, phone number, address); documentation required under applicable law (e.g., tax receipt, withholding certificate)
Purpose: To provide access to the platform, manage the business relationship, respond to inquiries, and fulfill contractual or pre contractual obligations
Lawful Basis: Contractual Necessity (Art. 6(1)(b))
User Rights: ✓ Access, ✓ Rectification, ✓ Portability, ✓ Restriction (if applicable), ✓ Erasure (if no longer needed)

Representatives of Client Entities or Prospective Clients

Personal Information: Identification data, contact details, and professional information Identification information (e.g., first name, last name); role at client (e.g., job title, function); business contact details (e.g., email, phone number, work address)
Lawful Basis: Contractual Necessity (Art. 6(1)(b)
User Rights: ✓ Access, ✓ Rectification, ✓ Restriction (if applicable), ✓ Erasure (where no longer required for contract or legal compliance)

Clients (all types)

Personal Information: Messages submitted via contact forms, emails, or support requests
Purpose: To respond to support inquiries and maintain client relationships
Lawful Basis: Contractual Necessity (Art. 6(1)(b))
User Rights: ✓ Access, ✓ Rectification, ✓ Erasure (if no longer needed)

Service Users

Personal Information: Usage Logs and Service Analytics (e.g., login history, Service interactions, API token logs)
Purpose: To monitor platform integrity, improve performance, and detect abuse
Lawful Basis: Legitimate Interest (Art. 6(1)(f))
User Rights: ✓ Access, ✓ Object, ✓ Restriction

Website Visitors and Service Users

Personal Information: Cookie identifiers, browsing behavior, page views, IP address, session metadata
Purpose: To improve usability, personalize experience, analyze performance, and deliver targeted content
Lawful Basis: Consent (Art. 6(1)(a)
User Rights: ✓ Withdraw Consent, ✓ Object, ✓ Erasure (via cookie preferences or browser controls)

Last updated 9th June 2025