• Join Amby
  • Book a Call

Privacy Policy

Last updated 10.02.2025

Who we are and what does this Privacy Policy cover?

Amby AS is a Norwegian company registered in the register of the Norwegian Central Coordinating Register for Legal Entities under number 997901916 (“Amby” or “we” or “us” or “our”). As a recruitment company, we are committed to protecting the privacy of our candidates, clients, and users of our website.

This Privacy Policy explains what we do with your personal data, whether we are in the process of introducing ourselves to you, helping you to find a job, continuing our relationship with you once we have found you a role, providing you with a service, receiving a service from you, or when you are visiting our website www.amby.com and all its subdomains, including any other media form, media channel, mobile website, or mobile application related or connected thereto (collectively, the “Site”). Please read this privacy policy carefully.

Amby may change and update this policy from time to time to comply with any governmental or legal changes, as well as company policies. Any changes or modifications will be effective immediately upon posting the updated Privacy Policy. We will notify you of any changes by posting the new Privacy Policy on this page. You are advised to review this Privacy Policy periodically for any changes.

To learn more about the processing of personal data of our website and app users, please get familiar with our Website Cookie Settings.

What kind of Personal Data do we collect?

As a recruitment agency, employer, and service provider, in order to undertake our core business, we collect a range of personal data on prospective and placed candidates, clients, users of our websites and apps, service providers, employees, and consultants.

Prospective Candidates

We collect information including your name, contact details, work experience, education, acquired credentials, and skills. This information can be obtained from publicly available sources such as LinkedIn and other websites that hold information on potential candidates. We may also acquire this information through a referral from another candidate, consultant, client, or employer. In some cases, with your consent, we may also create AI-generated interview notes, which will require a recording of the meeting.

Candidates

We collect information that you provide when you apply for a role. This includes information provided through an online job site, via email, in person at an interview, or by any other method.

In particular, we process personal details such as name, personal identifiers, online identifiers, Internet Protocol (IP) address, account name, email address, home address, telephone number, date of birth, qualifications, experience, information relating to your employment history, current job title, salary, earnings and benefits, transcript of grades, references, your resume, communications created, stored, or transmitted for professional or job-related purposes using our networks, as well as your video in case you conduct your interview using the Video Interview feature.

If you contact us, we may keep a record of that correspondence. We may also collect details of your visits to our website, including but not limited to traffic data, location data, weblogs, and other communication data, the site that referred you to our website, and the resources that you access.

Where permitted by law, we may collect information regarding your gender, health, race and ethnicity notably for the purposes of equal opportunity monitoring, as well as details of any criminal record if required by the client or the role for which we are recruiting.

We may also collect information about you from third parties, including Applicant Tracking Systems (ATS) such as Teamtailor, personality and ability test platforms such as mapTQ from Aon, educational institutions, former employers and referees, systems that hold public information about candidates such as LinkedIn, and clients who have entered the recruitment process with you or have provided feedback on your application.

Clients and Suppliers

We collect information regarding your or your representatives’ names, contact details, positions, and functions held in the organization, enabling us to potentially establish and maintain a business relationship with you or your company. We may also maintain a record of our communications with you.

Others

Where you have consented to our processing of your personal data for marketing purposes, we will utilize your name and contact information, including, among others, your email address, to inform you about events we organize, promotional campaigns, and offers that may interest you.

If you agree to participate, in any of our events or promotional campaigns, we may use your personal data in the form of your name, email address and phone number in order to properly organize the event. Additionally, for some of the events we organize, photographs may be taken depicting the event with groups of attendees, which may then be used by us for marketing and promotional purposes, as well as to document the event.

How and why do we process your Personal Data?

Prospective Candidates and Placed Candidates

We collect personal data about prospective and placed candidates when they:

  • make an application through our ATS or otherwise, adding personal data about themselves either personally or by using a third-party source such as Facebook or LinkedIn; and
  • use the Service to connect with our staff, adding personal data about themselves either personally or by using a third-party source such as Facebook or LinkedIn.
  • provide identifiable data in the chat and such data is of relevance to the application procedure;

We process your personal data to determine whether you are interested in or can benefit from our recruitment services. Your name and contact details will allow us to contact you regarding the recruitment process.

We may also use your personal data to:

  • consider your application in respect of a role for which you have applied
  • consider your application in respect of other roles if you have agreed to be part of our Talent Pool
  • communicate with you in respect of the recruitment process
  • enhance any information that we receive from you with information obtained from third-party data providers
  • find appropriate candidates to fill our and our clients’ job openings
  • help our service providers (such as Teamtailor and its processors and data providers) and partners (such as the job sites through which you may have applied) improve their services

We may also process your data to assert possible claims or defend against claims.

Automatic decision-making/profiling

We may use ATS’s technology to automatically select suitable candidates based on criteria explicitly defined by us or commonly associated with the role you have applied for. However, the final decision on the candidate to be engaged for the job opening will be made by our staff.

Clients and Suppliers

We process your personal data to provide our services to you fulfill our other contractual obligations communicate with you.

Others

Where you have consented to our processing of your data for marketing purposes, we will utilize your data to inform you about events we organize, promotional campaigns, and offers that may interest you.

Depending on the type of consent you provide and the extent of our legitimate interest, we may process your name and email address to successfully organize events and marketing campaigns. Additionally, for some of the events we organize, photographs may be taken depicting the event with groups of attendees, which may then be used by us for marketing and promotional purposes, as well as to document the event.

We may also process your data to assert possible claims or defend against claims.

What is our legal basis for Personal Data processing?

Legitimate interest

As long as our interests are not overridden by your interests or fundamental rights and freedoms, we rely on legitimate interest as the lawful basis on which we collect and use your personal data. Our legitimate interests involve recruiting staff for our business, and the exchange of personal data between our candidates and client contacts is an essential part of this process.

To support the career aspirations of our candidates and the staffing needs of our clients, we may use your personal information to pursue our legitimate interests or those of third parties. We rely on legitimate interest during the first steps of collecting data on potential candidates. We evaluate the personal data of potential candidates with our clients and then contact them to inquire about their interest in participating in a recruitment process.

We may also process your data to assert possible claims or defend against claims, which is our legitimate interest.

Consent

When you apply for a job opening by adding personal data about themselves either personally or by using a third-party source as Facebook or LinkedIn, through Indeed Apply functionality or by sending us your resume/candidate information, we rely on your freely given consent, obtained during the application process, to process your personal data for the purpose of conducting the recruitment process. Your consent may pertain to participating in a specific recruitment process for a particular position with a specific client. However, you may also provide consent for the processing of your personal data for future unspecified recruitments with our other clients to explore other appealing job opportunities and be included in our Talent Pool.

You have the right to withdraw your consent for data processing at any time, without affecting the lawfulness of the processing that was conducted based on your consent prior to its withdrawal.

Compliance with a legal obligation

If there is a need to process your personal data to comply with legal or regulatory obligations.

Contract

To fulfill our obligations under a contract we have entered into with you or your employer, it may be necessary for us to process your personal data. In such cases, our legal basis for processing activities will be the performance of a contract. This applies to all stages of the contractual life cycle, including pre-contractual processing, performance of the contract, and termination of the contract.

Processing of Special Categories of Personal Data

In certain circumstances, we may process Special Categories of Personal Data, such as physical limitations and special needs, health, and nationality.

We will process this type of data if the processing is necessary for carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment, social security, and social protection law, to the extent authorized by applicable law with appropriate safeguards for the fundamental rights and interests of the data subject. Processing may also be necessary to protect the vital interests of the data subject or another natural person when the data subject is physically or legally incapable of giving consent, or when the data subject has manifestly made the data public. Additionally, processing may be necessary for the establishment, exercise, or defense of legal claims, or purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care, or the management of health or social care systems and services based on applicable law or under a contract with a health professional, subject to specific conditions and safeguards.

In other cases, where required by law, we will obtain your express written consent for processing your Special Categories of Personal Data.

With whom do we share your Personal Data?

We may share your information with our affiliates, including our parent company, subsidiaries, joint venture partners, or other companies under common control with us. We will require our affiliates to comply with this Privacy Policy.

We may also disclose your information if legally required to do so in order to comply with applicable laws, governmental requests, judicial proceedings, court orders, or legal processes. This includes responding to court orders, subpoenas, or requests from public authorities to meet national security or law enforcement requirements.

If you are a candidate who has applied or agreed to participate in a specific recruitment process, we may share your data with the potential client/employer assigned to that process. Your data will be shared with the potential employer to carry out the recruitment process, including assessing your qualifications, skills, and experience, establishing contact with you, scheduling interviews, and providing updates on the recruitment process. In such cases, Amby will act as the Data Processor, while the client for whom the recruitment is being conducted will be the Data Controller. Details on how a potential employer will process your personal data will be available in that employer's privacy documents, typically published on its website. If you have agreed to be part of our Talent Pool and to participate in future recruitments conducted by Amby, we will act as the Data Controller and your data will also be shared with other potential employers.

As mentioned above, we may also share your information with third-party service providers, such as Teamtailor, who will only use it in accordance with our instructions and as required by law.

At Amby, we might use AI tools, including OpenAI-based models, Teamtailor's Co-Pilot, Metaview, Fireflies, Google Gemini (which may process emails), and AI-driven features in Google Workspace, to enhance efficiency in recruitment and HR consultancy. These tools assist with drafting documents, automating processes, and improving data analysis while adhering to GDPR and our internal privacy policies. We might also use AI tools for note taking during our meetings. As a rule, we do not use AI tools to process personal data; however, in certain recruitment processes where it is permitted by law—especially with your consent—personal data may be processed, but only when necessary and with strict access controls and human oversight. We carefully assess third-party AI providers to ensure compliance with data protection standards.

If you have applied for a job opening through the Indeed Apply functionality and provided consent for this disclosure, we will disclose certain personal data to Indeed, including a unique identifier used by Indeed to identify you, information about your progress through our hiring process for the relevant job opening, and other relevant information about you as an applicant. Please refer to Indeed's Privacy Notice for information on how Indeed uses the disclosed data, which can be found on Indeed's website.

If you have applied to a job opening through another service provider, we may disclose similar data to that service provider. The service provider will be the data controller of this data and will be responsible for complying with all applicable laws regarding its use following the transfer by us. Any use of your data by the service provider will be governed by their privacy policies.

Your personal information may be transferred and processed in one or more other countries, both within and outside the European Union. We will only transfer your data outside the EU to countries that the European Commission deems to have an adequate level of protection, or where we have implemented appropriate safeguards to ensure the privacy of your information. These countries may include the United States of America.

You can find the full list of our sub-processors under this link.

Where do we store your Personal Data?

As a rule, we store and process your personal data inside the EU/EEA. We store your personal data in our systems which are located in Norway and on Teamtailor’s servers which are located in Ireland. 

The data we collect from you and process using third-party service providers for employment or business-related administrative purposes may also be transferred to and stored in a destination outside of your country or the European Economic Area (EEA). It may be processed by staff operating outside the EEA who work for us or our suppliers. These staff members may be involved in fulfilling your orders, processing payment details, and providing support services. Some recipients outside the EEA are in countries that have received adequacy decisions from the European Commission, ensuring an adequate level of data protection under European data protection laws. When necessary, we establish agreements (such as Standard Contractual Clauses) to ensure that recipients of Employee Data located outside the EEA provide an adequate level of data protection and implement appropriate security measures to protect the data. 

If you would like more information, please contact us (see 'How to contact us?' below). We will not transfer your personal data outside of the EEA, except to organizations governed by public international law or established under agreements between two or more countries.

How long do we store your Personal Data?

We generally retain your personal data for as long as necessary to fulfill the purpose for which it was collected. The specific duration for which we retain your personal information may vary depending on the type of information and the purpose of its collection.

We will keep your information for as long as required to comply with legal, accounting, or regulatory obligations. Additionally, we may retain your data to maintain historical records, and address potential legal claims. Certain personal information may be retained on a long-term basis, such as data that needs to be retained for legal purposes, which will be done in accordance with customary commercial practices and regulatory requirements.

In case you have chosen to be part of our Talent Pool, we store your data until you withdraw your consent which you can do by using the appropriate option in Teamtailor.

Safety and Security

We implemented appropriate measures to ensure the security of all personal data, including safeguards to prevent accidental loss, unauthorized access, or unauthorized use. We restrict access to your personal data to individuals who have a legitimate business need to access it. Those processing your information will do so only in an authorized manner and are bound by confidentiality obligations.

We have established procedures to handle any suspected data security breaches. If a data security breach is suspected and we are legally obligated to do so, we will notify you and the relevant regulatory authorities.

Please note that while we strive to protect your personal data to the best of our ability, the transmission of information over the internet is not entirely secure. Therefore, any transmission of data through online means is done at your own risk.

What are your rights?

Under the General Data Protection Regulation, you have a number of important rights that can be exercised free of charge. These rights include:

  • The right to withdraw your consent to the processing of your personal data at any time (where applicable).

  • The right to request access to your personal data and to obtain certain additional information.

  • The right to request the correction of any inaccurate or incomplete personal data we hold about you.

  • The right to request the erasure of your personal data in certain circumstances.

  • The right to object to the processing of your personal data in certain circumstances, including where we rely on legitimate interests as the legal basis for processing.

  • The right to object to decisions based solely on automated processing, including profiling, that significantly affect you.

  • The right to object at any time to the processing of your personal data for direct marketing purposes.

  • The right to request the restriction of processing of your personal data in certain circumstances.

  • The right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format and to transmit those data to another data controller in certain situations.

  • The right to seek compensation for damages caused by our breach of any data protection laws.

You can exercise most of the rights listed above by making the appropriate selection in the ATS, such as Teamtailor. In case the ATS does not offer this option please contact us using the contact information provided below and specify the nature of your request.

How to contact a supervisory authority?

We hope that we can resolve any query or concern you raise about our use of your information.

The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live, or where any alleged infringement of data protection laws occurred. The supervisory authority in Norway is the Norwegian Data Protection Authority who may be contacted at https://www.datatilsynet.no/en/about-us/contact-us/.

How to contact us?

All questions, comments, and requests regarding your rights, our processing of your personal data, and this Privacy Policy should be addressed to dpo@amby.com.

Amby AS

Thorvald Meyers gate 7

0555 Oslo, Norway

hello@amby.com