GDPR Compliance

Last updated: March 2026

Our Commitment

Onrolo is built for UK-based recruitment teams. We take UK GDPR compliance seriously — not just as a legal requirement, but as a core part of building a trustworthy product for agencies who process sensitive candidate data.

Controller vs Processor

When you use Onrolo to process candidate data, your organisation is the data controller — you determine the purpose and means of processing. Onrolo is the data processor — we process data only on your instructions. This distinction is important: you must have a lawful basis (typically legitimate interest or consent) for processing candidates' personal data.

Data Processing Agreement

Enterprise customers may request a formal Data Processing Agreement (DPA) by emailing privacy@onrolo.ai. By accepting our Terms of Service, all customers acknowledge the data processing activities described in our Privacy Policy.

Candidate Rights

Candidates whose data is processed through Onrolo have rights under UK GDPR. As the data controller, you are responsible for responding to candidate data rights requests. Onrolo provides tools to export and delete candidate data to assist you in fulfilling these obligations.

Data Storage

All data is stored within the EU (Supabase EU region). We do not transfer personal data to countries outside the UK or EEA without appropriate safeguards.

AI Processing

FlowScreen AI screening uses Anthropic's Claude API to evaluate candidate responses. No personally identifiable information is used to train AI models. Screening is provided as a decision-support tool — all final hiring decisions remain with the human recruiter.

Contact

GDPR enquiries: privacy@onrolo.ai
ICO registration reference: To be added prior to launch