NextStep Privacy Policy
Effective date: 24/11/25
At Affinity Labs Ltd ("Affinity Labs", "we", "us", "our"), we respect your privacy and are committed to protecting your personal data. Affinity Labs is the operator of the "NextStep" platform ("NextStep" or the "Platform"). This Privacy Policy explains how we collect, use, share and protect your personal data when you use our products and services.
1. Preamble and scope of application
This Privacy Policy sets out the rules applicable to the collection and processing of your personal information ("Personal Data") via:
- the NextStep website and any subdomains;
- the NextStep candidate platform, including our AI recruiter and related interfaces; and
- the NextStep employer / recruiter interfaces, dashboards and tools
(together, the "Platform" or our "Services").
This Privacy Policy explains:
- what Personal Data we collect and process via the Platform;
- why and on what legal bases we process your Personal Data;
- how we use your Personal Data (including for AI-powered features);
- with whom we share it;
- how long we keep it; and
- what rights you have and how you can exercise them.
This Privacy Policy applies to:
- Candidates who use NextStep to discover opportunities, talk to our AI recruiter, create a profile, or apply for roles;
- Employer Users (for example, hiring managers, talent teams, HR staff and other representatives) who use NextStep on behalf of an employer or organisation; and
- Visitors who browse our sites without creating an account.
Candidates, Employer Users and Visitors are together referred to in this Privacy Policy as "Users" or "you".
This Privacy Policy does not apply to:
- the independent processing of Personal Data by employers (for example, where an employer receives your profile and then processes it in its own systems); or
- third-party sites, services or tools that may be linked to or integrated with our Platform (such as an employer's careers site or applicant tracking system).
Those third parties are responsible for their own privacy practices. We are not responsible for how they use your Personal Data and we encourage you to review their privacy policies.
2. Acceptance and updates to this Privacy Policy
By using our Services, creating a NextStep account, interacting with our AI recruiter, applying for opportunities, or otherwise providing us with Personal Data, you confirm that you have read this Privacy Policy and accept it without restriction or reservation. If you do not agree with any part of this Privacy Policy, you should not use our Services.
We may amend the terms of this Privacy Policy from time to time, in particular if we implement new Personal Data processing activities, new AI-powered features or new regulatory requirements. We encourage you to review this page regularly to ensure you are comfortable with any changes.
If we make material changes, we will draw this to your attention, for example by a prominent notice on the Platform, by email, or via your account. Your continued use of the Services after any changes have taken effect will constitute your acceptance of the updated Privacy Policy.
3. Data controller and contact details
Affinity Labs Ltd is the data controller in respect of the Personal Data we collect and process through the NextStep Platform, except where we expressly state otherwise. "NextStep" is the name of the Platform operated by Affinity Labs Ltd.
- Legal entity: Affinity Labs Ltd
- Company number: 16564102
- Registered office: 2nd Floor College House, 17 King Edwards Road, Ruislip, London, United Kingdom, HA4 7AE
- Privacy contact email: privacy@affinitylabs.ai
- General legal contact email: legal@affinitylabs.ai
When we share Candidate data with an employer, NextStep and the relevant employer will generally each act as independent controllers of the Candidate data they process for their respective purposes. Employers are responsible for their own compliance with data protection law in relation to their use of Candidate data.
We may appoint a data protection contact or Data Protection Officer (DPO) from time to time. You can reach us on the privacy email above for any questions regarding this Privacy Policy or how we process your Personal Data.
4. What Personal Data we collect and process
"Personal Data" means any information relating to an identified or identifiable natural person. The categories of Personal Data we collect depend on how you use the Platform and your relationship with us.
4.1 Technical and usage data (all Users)
When you access or use the Platform, we may collect technical and usage information such as:
- IP address and approximate location;
- device identifiers, browser type and version, operating system;
- log data (for example, dates and times of access, pages viewed, referral URLs);
- interactions with the Platform (for example, clicks, scrolling, session duration, features used);
- cookie identifiers and similar tracking technologies.
We use cookies and similar technologies for functionality, analytics and, where applicable, marketing. Further details may be provided in a separate Cookie Policy or cookie banner.
4.2 Candidate identification and contact data
If you use NextStep as a Candidate, we may collect:
- first name, last name;
- email address;
- phone number (including mobile number);
- country, city or region;
- profile picture or avatar (if you upload one);
- links to professional social profiles (for example, LinkedIn, personal site, portfolio).
We may use your contact details to reach you via email, phone, SMS, messaging apps (e.g. WhatsApp) or in-product notifications, depending on your preferences and our legal basis for doing so.
4.3 Candidate professional and application data
For Candidates, we may collect and process information relating to your professional background and preferences, including:
- CVs / résumés, cover letters, and any documents you upload;
- education history, qualifications, certifications;
- employment history, job titles, responsibilities, seniority;
- skills, competencies, languages and other professional attributes;
- role preferences (for example, job titles, salary expectations, seniority level, work pattern, locations, remote/hybrid preferences);
- other information you choose to provide in response to questions from our AI recruiter or in forms on the Platform;
- information about roles you have viewed, saved or applied for through the Platform;
- status updates and notes relating to your applications and interactions (for example, "interview scheduled", "offer stage").
4.4 Voice calls, AI conversations and transcripts
If you interact with our AI recruiter or other AI tools via voice or text, we may collect:
- Call recordings and voice data (where you speak with our AI recruiter or other AI interfaces that use audio);
- Transcripts of calls and text-based conversations;
- content of your messages, including free-form responses about your experience, goals, preferences, background or other information you voluntarily choose to share;
- AI-generated summaries of your conversations, profiles or preferences.
These recordings and transcripts may contain information about your professional life and, occasionally, information that could be considered sensitive (for example, health-related details or background information) if you voluntarily choose to share it.
4.5 Employer User data
If you use NextStep as an Employer User (for example, on behalf of your company), we may collect:
- first name, last name;
- professional email address;
- business phone number;
- job title and role;
- company / organisation name;
- sector / industry;
- login credentials and account configuration;
- role descriptions and hiring preferences;
- communications with Candidates and with NextStep.
4.6 Communications and support data
When you contact us (for example, by email, via in-product chat, or through forms on the Platform), we may collect:
- your contact details;
- the content of your message or request;
- any follow-up correspondence;
- support notes and internal assessments relating to your request.
4.7 Marketing preferences and newsletter data
If you sign up to receive updates or marketing communications, we may collect:
- your name and contact details;
- your marketing preferences (for example, topics of interest, channels);
- details of emails or messages we send and whether you open, read or interact with them.
4.8 Special category or sensitive data
We do not intentionally seek to collect special category data (for example, health, ethnicity, religion, or trade union membership). However, you may choose to volunteer such information in your CV, in a call with our AI recruiter, in a transcript or in free-text fields.
Where relevant and required by law, we will only process such information:
- where you have explicitly consented to its processing; or
- where we have another lawful basis permitted by data protection law (for example, for the establishment, exercise or defence of legal claims).
You should avoid including sensitive data unless it is clearly relevant to your search and you are comfortable with us processing it.
5. Whether providing your data is compulsory or optional
When we ask you to provide Personal Data, we will indicate (for example, via an asterisk or equivalent mechanism) which fields are mandatory in order for us to provide the relevant Service (for example, creating an account, enabling introductions, or processing an application).
If you do not provide mandatory information, we may not be able to:
- create or maintain your account;
- match you to roles or introduce you to employers; or
- respond to your requests.
Personal Data not clearly marked as mandatory is optional. Providing optional information helps us better understand your profile or preferences and improve your experience, but is not strictly required to use the core Services.
For cookies and similar technologies, you can manage your preferences through your browser settings and, where applicable, through our cookie banner.
6. For what purposes we process your Personal Data and legal bases
We process your Personal Data only where we have a lawful basis to do so under applicable data protection law (including the UK GDPR and the Data Protection Act 2018). The main purposes and corresponding legal bases are set out below.
6.1 Creating and managing your account (Candidates and Employer Users)
We process your identification, contact and account data to:
- create and manage your account on the Platform;
- authenticate you and manage log-ins and access rights;
- maintain your profile information;
- handle your preferences and settings.
Legal basis:
- Contractual necessity, where processing is required to provide you with the Service you requested (for example, setting up a Candidate or Employer account); and
- Legitimate interests in operating and securing our Platform.
6.2 Finding and managing professional opportunities (Candidates)
For Candidates, we process your Personal Data to:
- analyse your profile, experience and preferences;
- match you with relevant roles using AI-driven matching and heuristics;
- generate Suggestions, shortlists and recommendations for you;
- facilitate Introductions to employers and allow them to review your profile;
- allow you to apply for roles, track your applications and manage your activity;
- enable employers to contact you about relevant roles where permitted.
Legal basis:
- Contractual necessity to help you search for and manage professional opportunities where you have created an account for this purpose;
- Legitimate interests of NextStep and employers in recruiting and filling roles efficiently;
- Consent where required (for example, where you opt in to specific visibility or marketing preferences, or where we process certain sensitive information you voluntarily provide).
6.3 Use of voice calls, AI conversations and transcripts
We process call recordings, transcripts and conversation data to:
- support your use of our AI recruiter and related features;
- automatically populate or update your profile and preferences;
- refine the relevance and quality of Suggestions and Introductions;
- conduct quality checks and improve the accuracy and performance of our AI systems;
- troubleshoot issues, investigate misuse and ensure compliance with our terms.
Human staff with appropriate authorisation may access and review recordings and transcripts only where necessary for legitimate business purposes such as support, product improvement, safety and compliance.
Legal basis:
- Contractual necessity where required to provide the AI-based features you choose to use;
- Legitimate interests in developing, training and improving our Services and AI models, ensuring quality, and preventing abuse;
- Explicit consent where required for processing of any sensitive data you may volunteer.
6.4 Employer product use and candidate search (Employer Users)
For Employer Users, we process your data to:
- create and manage Employer accounts and access rights;
- let you publish, manage and update role descriptions;
- present you with relevant Candidates (for example, Suggestions, shortlists and search results);
- allow you to contact Candidates through the Platform, where permitted under their preferences;
- track interactions and outcomes related to Candidate searches and roles.
Legal basis:
- Contractual necessity to provide the Employer Services;
- Legitimate interests in enabling employers to recruit effectively, and in ensuring proper use and security of the Platform.
6.5 Communications about our Services
We use your contact details to send you various operational communications, including:
- emails or in-product messages regarding your account, applications or Candidate searches;
- notifications about new features, changes to our terms or Privacy Policy;
- messages about system outages, security alerts or support tickets.
Legal basis:
- Contractual necessity to keep you informed about the Services you use;
- Legitimate interests in running and maintaining the Platform.
6.6 Marketing communications and newsletters
Where permitted, we may use your contact details to send you:
- newsletters and content about career development, hiring or industry insights;
- information about new products, features or services;
- invitations to events, webinars or surveys.
You can opt out of marketing communications at any time by using the "unsubscribe" link in the message or by contacting us. Opting out of marketing does not affect service or transactional communications.
Legal basis:
- Consent where required (for example, for certain email marketing);
- Legitimate interests in promoting our Services, where local laws allow B2B marketing on this basis, subject to your right to object.
6.7 Analytics, service improvement and AI development
We may use your Personal Data (often in aggregated or pseudonymised form) to:
- monitor usage of the Platform and understand how Users interact with our features;
- run statistics (for example, how many Candidates in a particular field actively use NextStep);
- improve usability, performance and functionality;
- train, test and refine algorithms and AI models that power the Platform, including matching, summarisation and suggestion features.
Where we use your Personal Data for training or improving AI models, we apply appropriate technical and organisational measures to safeguard your privacy, and we do not use such processing to make solely automated decisions producing legal or similarly significant effects without human involvement.
We may also generate aggregated, de-identified or anonymised data derived from your use of the Platform and from Candidate and Employer activity more broadly. This aggregated data does not identify you personally and may be used for purposes such as market insights, product analytics, service reporting and marketing (for example, indicating the number of Candidates in a certain discipline using NextStep or average salary expectations for particular roles). When we use aggregated or anonymised data in this way, we apply appropriate safeguards to prevent individuals from being identifiable from such datasets.
Legal basis:
- Legitimate interests in improving and developing the Platform and our AI capabilities;
- Consent where required by law for certain analytics or AI-related uses (for example, where processing goes beyond what Users would reasonably expect).
6.8 Security, fraud prevention and legal compliance
We process Personal Data as needed to:
- administer and protect the Platform (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data);
- detect, prevent and investigate fraud, abuse, misuse or security incidents;
- enforce our Terms and Conditions and other policies;
- comply with legal obligations (for example, responding to lawful requests from authorities, maintaining records required by law);
- establish, exercise or defend legal claims.
Legal basis:
- Legitimate interests in protecting the integrity, security and proper functioning of the Platform, our business and our Users;
- Legal obligation, where processing is required by law or regulation.
7. Data sharing and recipients
We do not sell your Personal Data.
We may share your Personal Data with the following categories of recipients, in each case only to the extent reasonably necessary and subject to appropriate safeguards.
7.1 Employers
Where you use NextStep as a Candidate to explore or apply for professional opportunities, we may share your Personal Data with employers as part of the recruitment process, including:
- your profile information, CV, experience, skills and professional preferences;
- your contact details;
- AI-generated summaries of your profile or conversations, where relevant;
- application-related data (for example, status, notes or interests expressed).
By using NextStep as a Candidate, you acknowledge that:
- the core purpose of the Platform is to introduce you to employers and help you be considered for roles; and
- we may therefore share your Candidate data with employers that we reasonably believe align with your experience, skills and interests, subject to any visibility or opt-out settings we provide.
Where we offer specific visibility controls (for example, whether your profile is "discoverable" to employers), we will explain these in the product interface. You may adjust these settings to limit automatic sharing where such functionality is available. Changing your settings may affect which opportunities we can present to you.
Once an employer receives your data, it becomes an independent controller of that data and will process it in accordance with its own privacy notice.
7.2 Automatic sharing with employers
For Candidates who create a profile on the Platform or engage with our AI recruiter, we may, by default, make your professional information, profile data, CV, transcripts and contact details available to employers whom we reasonably believe are relevant to your background, skills and stated preferences. This automated visibility is an integral part of how the Platform functions in order to facilitate introductions between Candidates and Employers.
You may change your visibility settings at any time within your account. If you prefer that your data not be shared automatically, you may opt to require explicit confirmation before each introduction. When visibility is set to "restricted," we will only share your data with employers when you explicitly agree to that specific introduction.
You can modify your visibility preferences at any time in the Platform settings, and any change will apply prospectively.
7.3 Service providers and vendors
We use trusted third-party service providers to help us deliver our Services. These include, for example:
- cloud hosting providers;
- communication and email delivery platforms;
- customer support tools;
- analytics providers;
- AI and machine-learning service providers (for example, large language model providers and speech-to-text providers);
- security and monitoring services;
- payment or billing tools (where applicable).
These service providers may have access to Personal Data only to the extent necessary to perform their functions on our behalf, and they are contractually obliged to:
- use Personal Data only on our documented instructions;
- implement appropriate security measures; and
- not use Personal Data for their own independent purposes.
In particular, we do not permit our service providers to use your Personal Data to train or improve their own models or products for the benefit of other customers, unless such use is clearly disclosed to you and permitted under applicable data protection law.
7.4 Legal and regulatory disclosures
We may disclose Personal Data if we are required to do so by law or reasonably believe that such disclosure is necessary to:
- comply with a legal obligation or request from an authority;
- protect the rights, property or safety of NextStep, our Users or the public;
- investigate suspected unlawful activity, fraud or security issues;
- enforce our agreements and policies.
7.5 Business transfers
If we are involved in a merger, acquisition, financing, sale of assets, restructuring, insolvency or similar event, your Personal Data may be transferred to one or more third parties as part of that transaction. In such cases, we will ensure that any recipient is bound by confidentiality and data protection obligations consistent with this Privacy Policy.
8. International data transfers
Your Personal Data may be transferred to and processed in countries outside the United Kingdom and the European Economic Area (EEA), including where some of our service providers and AI partners are located.
Where we transfer Personal Data outside the UK/EEA to a country that is not subject to an adequacy decision, we will ensure that appropriate safeguards are in place, such as:
- the UK International Data Transfer Agreement (IDTA);
- the UK Addendum to the EU Standard Contractual Clauses; and/or
- other legally recognised transfer mechanisms.
You can contact us via privacy@affinitylabs.ai if you would like more information about the safeguards we use for international transfers.
9. How long we keep your Personal Data
We retain Personal Data only for as long as is reasonably necessary and proportionate to fulfil the purposes for which it was collected, including any legal, regulatory, accounting or reporting requirements.
Retention periods vary depending on the type of data and the context of processing. As a general guide:
- Candidate profiles, applications and associated data are kept for as long as your account remains active. If your account is inactive for a prolonged period (for example, several years), we may contact you to ask whether you wish to keep it active. If you do not respond, we may close your account and either delete or anonymise your data.
- Voice call recordings and transcripts may be retained for as long as necessary to provide the Services and for up to 48 months after account closure or last activity, unless you request earlier deletion (subject to legal obligations and our need to retain certain records).
- Employer User data (for example, contact details of Employer Users) may be retained for the duration of the contractual relationship with the relevant employer and for a reasonable period afterwards (for example, up to 5 years) to comply with legal obligations and manage any disputes.
- Newsletter and marketing data is generally retained until you unsubscribe or object to such processing, or after a period of inactivity (for example, if you do not open emails for an extended period).
- Technical logs and security-related data are retained for such periods as are necessary for security, analysis and legal compliance, typically ranging from a few months to a few years depending on the log type.
Where data is no longer needed in identifiable form, we may anonymise it so that it no longer constitutes Personal Data and use it for statistics, analytics, service improvement and AI training.
10. Security of your Personal Data
We implement appropriate technical and organisational measures to protect your Personal Data against unauthorised or unlawful processing, accidental loss, destruction or damage. These measures include, where appropriate:
- encryption of data in transit and at rest;
- access controls and role-based permissions;
- authentication and logging;
- secure development and deployment practices;
- regular security reviews and monitoring;
- staff training on confidentiality and data protection.
However, no system is completely secure. While we strive to protect your Personal Data, we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for notifying us promptly if you suspect any unauthorised access to your account.
11. Your rights
Depending on your location and subject to applicable law, you may have some or all of the following rights in relation to your Personal Data:
- Right of access: to obtain confirmation as to whether we process your Personal Data and to receive a copy of that data.
- Right to rectification: to have inaccurate or incomplete Personal Data corrected.
- Right to erasure ("right to be forgotten"): to request deletion of your Personal Data in certain circumstances (for example, where it is no longer necessary for the purposes for which it was collected, or where you have withdrawn consent and there is no other legal basis).
- Right to restriction of processing: to request that we restrict the processing of your Personal Data in certain cases (for example, while we verify the accuracy of data you contest).
- Right to data portability: to receive your Personal Data that you have provided to us in a structured, commonly used and machine-readable format and to transmit it to another controller where technically feasible and where processing is based on consent or contract and carried out by automated means.
- Right to object: to object, on grounds relating to your particular situation, to certain processing based on our legitimate interests, including profiling. You also have the right to object at any time to processing of your Personal Data for direct marketing purposes.
- Right to withdraw consent: where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint: you have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been infringed. In the UK, the supervisory authority is the Information Commissioner's Office (ICO).
How to exercise your rights
You can exercise many of your rights directly within your account settings (for example, by updating profile information or changing marketing preferences).
You may also contact us at privacy@affinitylabs.ai (or legal@affinitylabs.ai) with your request, specifying:
- your name and the email address associated with your account;
- the nature of your request; and
- any relevant context (for example, which part of the Service it relates to).
We may need to verify your identity before acting on your request and may ask for additional information if necessary. We will respond within the timeframes required by applicable law.
If you are not satisfied with our response or believe that we are processing your Personal Data in breach of the law, you may lodge a complaint with the Information Commissioner's Office (ICO) or your local supervisory authority.
12. Automated decision-making and profiling
Our Platform uses algorithms and AI-driven processes to:
- score and rank Candidates against certain role criteria;
- generate Suggestions and recommendations for Candidates and employers;
- auto-populate or refine profiles based on CVs and conversational data.
These activities involve profiling in the sense that they analyse aspects of your professional information and behaviour to assess or predict preferences or suitability for roles.
However, we do not rely solely on automated decision-making to make decisions that produce legal effects or similarly significant effects on you (for example, we do not automatically reject or accept you for a role without any human involvement). Employers ultimately make their own hiring decisions, and our tools are intended to assist, not replace, human judgement.
If you have concerns about any automated processing, you can contact us and we will explain how the relevant systems work in more detail, within the limits of protecting our proprietary technology and trade secrets.
13. Children
Our Services are intended for adults involved in employment and recruitment. We do not knowingly collect or process Personal Data from children under 18. If you believe that we have collected Personal Data from a child under 18, please contact us at privacy@affinitylabs.ai so that we can take appropriate action, including deleting such data where relevant.
14. International users
If you access the Platform from outside the United Kingdom, you do so on your own initiative and are responsible for compliance with local laws where they apply. By providing your Personal Data, you acknowledge that it may be processed in, or transferred to, the United Kingdom and to other jurisdictions where our providers operate, in accordance with this Privacy Policy and subject to appropriate safeguards described in Section 8.
15. Changes to this Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technologies, legal requirements or other factors. The "Effective date" at the top of this document indicates when it was last updated.
If we make material changes to this Privacy Policy, we will take appropriate steps to inform you, such as:
- posting a prominent notice on the Platform;
- sending an email to the address associated with your account; or
- presenting an in-product notification.
Where required by law, we will obtain your consent to any material changes that affect how we use your Personal Data.
16. Contact us
If you have any questions, concerns or requests regarding this Privacy Policy or how we process your Personal Data, you can contact us at:
- Email: privacy@affinitylabs.ai
- Legal enquiries: legal@affinitylabs.ai
- Postal address: Affinity Labs Ltd, 2nd Floor College House, 17 King Edwards Road, Ruislip, London, United Kingdom, HA4 7AE