Privacy Policy
Last updated: 17 March 2026
Treegarden is an Applicant Tracking System (ATS) platform. We process personal data of recruiters, hiring managers and job applicants in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy explains what data we collect, why and how we process it, and your rights over it.
1. Data Controller
The data controller responsible for your personal data is:
Mason Bedford Ltd (trading as Treegarden)
Company No. 11450172, registered in England and Wales
ICO Registration Reference: ZC105367
16e Railway Approach, East Grinstead, RH19 1BP
United Kingdom
Email: [email protected]
Website: https://treegarden.io
Application: https://app.treegarden.io
For all privacy-related inquiries, data subject requests, or complaints, please contact us at [email protected].
2. Scope of This Policy
This Privacy Policy applies to all personal data processed through:
- The Treegarden web application at app.treegarden.io
- The Treegarden websites at treegarden.ro and treegarden.io
- Any emails, notifications, or communications sent by Treegarden
- Any integrations with third-party services (Google, Stripe, etc.)
It applies to the following categories of data subjects:
- Recruiters, HR Managers, Hiring Managers, Agency Users — employees or contractors of companies using Treegarden
- Job Seekers / Candidates — individuals whose CVs and applications are managed within Treegarden
- Website Visitors — individuals visiting our public websites
3. Categories of Personal Data We Process
3.1 Platform Users (Recruiters, HR Managers, Admins)
- Full name, email address, job title, phone number
- Company name, business address
- Account credentials (hashed passwords; plaintext is never stored)
- Profile photo (optional)
- Login activity logs (IP address, timestamp, browser/device type)
- Payment and billing information (processed via Stripe; card details are never stored by Treegarden)
- Communication preferences and notification settings
- Usage data (features accessed, actions performed, session duration)
3.2 Job Seekers / Candidates
- Full name, email address, phone number, address
- Curriculum Vitae (CV) / résumé — including employment history, education, skills, certifications
- Cover letters and application materials
- Interview notes and assessment scores added by recruiters
- Application status and pipeline stage
- Communication history between candidate and recruiter
- References (if provided)
- Date of birth (if voluntarily provided on CV)
- Nationality or work permit status (if relevant to the role)
- Salary expectations (if provided)
3.3 Website Visitors
- IP address (anonymised where possible)
- Browser type and version, operating system
- Pages visited and time spent
- Referral source
- Cookie data (see Section 11)
4. Purposes and Legal Basis for Processing
We process personal data only where we have a valid legal basis under GDPR Article 6.
| Purpose | Data Categories | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Account registration and authentication | Name, email, password hash, login logs | Art. 6(1)(b) — Performance of a contract |
| Providing the Treegarden ATS platform | All user and candidate data | Art. 6(1)(b) — Performance of a contract |
| Processing subscription payments | Billing info, email, company details | Art. 6(1)(b) — Performance of a contract |
| Sending transactional emails (password reset, notifications) | Email address, name | Art. 6(1)(b) — Performance of a contract |
| Sending marketing communications | Email address, name | Art. 6(1)(a) — Consent (withdrawable at any time) |
| Managing job applications and candidate pipelines | CV data, application status, interview notes | Art. 6(1)(b) — Contract; Art. 6(1)(f) — Legitimate interests of the employer |
| Security, fraud prevention, abuse detection | Login logs, IP addresses, usage data | Art. 6(1)(f) — Legitimate interests |
| Platform analytics and performance improvement | Aggregated usage data, anonymised analytics | Art. 6(1)(f) — Legitimate interests |
| Compliance with legal obligations | Billing records, contract records | Art. 6(1)(c) — Legal obligation |
| Customer support and dispute resolution | Communications, account data | Art. 6(1)(b) — Contract; Art. 6(1)(f) — Legitimate interests |
5. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected or as required by law.
| Data Category | Retention Period |
|---|---|
| Active user account data | Duration of active subscription + 90 days after termination |
| Candidate CV and application data | As long as the employer's account is active; max. 3 years from last activity |
| Payment and billing records | 7 years (UK Companies Act 2006 and HMRC requirements) |
| Security and access logs | 12 months |
| Email communication records | 3 years |
| Marketing consent records | Until consent is withdrawn + 1 year (proof of consent) |
| Deleted account data | Securely deleted within 30 days of deletion request, except where legal retention applies |
After the applicable retention period, data is securely deleted or anonymised so it can no longer be attributed to an individual.
6. Third-Party Data Processors
We share personal data with trusted third-party service providers (data processors) who act on our instructions and are bound by data processing agreements (DPAs) compliant with GDPR Article 28.
| Processor | Purpose | Data Transferred | Location |
|---|---|---|---|
| Google LLC | Single Sign-On (SSO) via Google OAuth 2.0 | Name, email, Google account ID | USA (SCCs apply) |
| Stripe, Inc. | Payment processing, subscription management, invoicing | Name, email, billing address, payment tokens | USA (SCCs apply) |
| Transactional email provider | Sending notifications, password resets and system emails | Email address, name, email content | EU/EEA or SCC-protected |
| Cloud hosting provider | Server infrastructure, database hosting, file storage | All platform data | EU (Romania / Germany) |
We do not sell, rent, or trade personal data to any third parties for their own marketing purposes.
7. International Data Transfers
Some of our third-party processors (including Google and Stripe) are located outside the European Economic Area (EEA). When we transfer personal data to countries without an adequacy decision from the European Commission, we rely on appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914/EU)
- The EU–U.S. Data Privacy Framework, where applicable
You may request a copy of the relevant transfer safeguards by contacting us at [email protected].
8. Your Rights as a Data Subject
Under the UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal data:
- Obtain a copy of the personal data we hold about you and how we process it.
- Correct inaccurate or incomplete personal data we hold about you.
- Request deletion of your data where it is no longer necessary or where you withdraw consent, subject to legal retention obligations.
- Restrict processing of your data in certain circumstances, such as while you contest its accuracy.
- Receive your data in a structured, machine-readable format where processing is based on consent or a contract.
- Object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
- Withdraw consent at any time without affecting the lawfulness of prior processing.
Treegarden does not make solely automated decisions with significant legal effects. All candidate evaluations involve human review.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or disclosure (GDPR Article 32), including:
- Encryption of data in transit using TLS 1.2 or higher (HTTPS)
- Encryption of sensitive data at rest
- Bcrypt hashing of all user passwords (never stored in plaintext)
- Role-based access controls (RBAC)
- Multi-tenant data isolation — each company's data is logically separated
- Regular security assessments and vulnerability scanning
- Access logging and monitoring for suspicious activity
- Strict vendor due diligence for all third-party processors
- Employee training on data protection and security
In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected individuals without undue delay (GDPR Articles 33–34).
10. Candidate Data and Employer Responsibility
Treegarden provides the technical platform. Companies and recruiters using Treegarden are independent data controllers for candidate data they upload, import, or collect through the platform. Treegarden acts as a data processor on their behalf for such data.
Employers are responsible for:
- Having a valid legal basis to collect and process candidate personal data
- Informing candidates that their data is being managed via Treegarden
- Responding to candidate data subject rights requests in a timely manner
- Ensuring candidate data is not retained longer than necessary
Treegarden provides data export and deletion tools to help employers fulfil their obligations. Our Data Processing Agreement (DPA) is available on request at [email protected].
11. Cookies and Tracking Technologies
Treegarden uses cookies and similar technologies to operate the platform and improve user experience.
| Cookie Type | Purpose | Legal Basis |
|---|---|---|
| Strictly Necessary | Session management, CSRF protection, authentication tokens | Art. 6(1)(b) — Necessary for platform operation (no consent required) |
| Preference | Dark/light mode, UI settings stored in localStorage | Art. 6(1)(f) — Legitimate interests (user experience) |
| Analytics | Platform usage analysis (aggregated, anonymised) | Art. 6(1)(a) — Consent |
You can manage or disable non-essential cookies through your browser settings. Disabling strictly necessary cookies may prevent the platform from functioning correctly.
12. Children's Privacy
Treegarden is a professional recruitment platform intended for adults. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has provided us with personal data, please contact us immediately at [email protected] and we will delete such data promptly.
13. Right to Lodge a Complaint
If you believe that the processing of your personal data violates UK GDPR or applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority. Depending on your location:
Information Commissioner's Office (ICO) — United Kingdom
Treegarden (Mason Bedford Ltd) is registered with the ICO under reference ZC105367.
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Phone: 0303 123 1113 | Email: [email protected]
Website: ico.org.uk
Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP) — Romania
B-dul Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania
Phone: +40.318.059.211 | Email: [email protected]
Website: www.dataprotection.ro
We encourage you to contact us first at [email protected] so that we can resolve your concern directly.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered users via email or an in-app notification
Your continued use of the platform after changes become effective constitutes your acknowledgement of the revised policy.
15. Contact Us
For any questions, requests, or concerns about this Privacy Policy or our data processing practices, please contact:
Mason Bedford Ltd (trading as Treegarden)
Company No. 11450172, registered in England and Wales
16e Railway Approach, East Grinstead, RH19 1BP
United Kingdom
Email: [email protected]
Website: https://treegarden.io