Keystone AI

Privacy Policy

Last updated:

1. Purpose of This Policy

This Privacy Policy ("Policy") explains how CGP Group Companies ("we", "us", or "our") collect, use, disclose, and process personal data of individuals (hereinafter referred to as "Users") applying for job positions with us as well as website visitors who submit any enquiry or feedback.

Depending on how our services are used, we may act as a data controller or a data processor. We act as a data controller where we determine the purposes and mean of processing personal data (for example, candidate sourcing, recruitment matching, and platform analytics). We act as a data processor where we process personal data on behalf of our clients (for example, where clients use our platform to manage candidates or workforce data).

This Policy complies with applicable data protection laws across the jurisdictions in which we operate or receive personal data, including but not limited to: Singapore's Personal Data Protection Act (PDPA), Malaysia's Personal Data Protection Act, Vietnam's Personal Data Protection Law (PDPL), Thailand's Personal Data Protection Act, China's Personal Information Protection Law (PIPL), Colombia's Ley 1581 de 2012 (Habeas Data), the European Union's General Data Protection Regulation (GDPR), the United Kingdom's Data Protection Act 2018 and UK GDPR, and applicable United States federal and state privacy laws (including the California Consumer Privacy Act / California Privacy Rights Act, Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, and Utah Consumer Privacy Act).

This Policy applies to personal data in our possession or under our control, including data handled by third-party organizations we engage in for recruitment-related purposes.

This Policy is an addendum to our data collection forms (job applications, contact, service enquiry, etc.) and should be kept as part of the complete application documentation.

2. Data Controller

This Policy applies to Cornerstone Global Partners Pte. Ltd. ("CGP"), which acts as the primary data controller for personal data collected through our websites, platforms, and related services.

Corporate Address: 30 Cecil Street Prudential Tower #14-01 Singapore 049712

Licensing: EA Licence Number 19C9859

Privacy Inquiries: If you have questions about how we handle your data or wish to exercise your privacy rights, please refer to the contact channels designated in Section 19 (Data Protection Officer) of this Policy

We operate as a global enterprise. Personal data is shared with and processed by affiliated companies and subsidiaries within CGP Group Companies where necessary to fulfil the business purposes described in this Policy. This includes recruitment operations, workforce solutions, Employer of Record (EOR) services, platform administration, global business management, and legal compliance obligations. Please refer to our regional entities on our Locations page.

Where a specific CGP Group entity independently determines the purposes and means of processing personal data within a localized jurisdiction, that entity will act as a separate or joint data controller in strict accordance with applicable regional laws. All intra-group international transfers are subject to the safeguards outlined in Section 13 (Third-Party Disclosure and Cross-Border Data Transfers) of this Policy.

3. Who This Policy Applies To

This Policy applies to all individuals (hereinafter referred to as "Users") who apply for any job position with us ("Job Applicants") as well as website visitors ("Clients/Employers/Enquirers") who submit any enquiry or feedback, including users of our Keystone platform, Employer of Record (EOR) services, and related digital applications.

Candidates / Jobseekers / Job Applicants

We collect candidate personal data, including contact details, CV information, work and education history, skills, remuneration details, and any information provided during applications or interviews to assess suitability for current and future roles, manage the recruitment process, communicate on application status, and present profiles to potential employers. We may retain candidate data for a reasonable period to maintain our talent pool, comply with legal or regulatory requirements, and manage any queries or disputes. Your data will be used only for purposes notified to you and in accordance with consent obtained under the applicable data protection laws of your jurisdiction.

Employers / Clients

We collect personal data from employers and clients, including key contact persons' names, business contact details, job requirements, hiring preferences, and feedback to deliver recruitment and related services, understand hiring needs, recommend suitable candidates, manage our commercial relationship, and perform administrative functions such as billing, reporting, and compliance obligations. Your data will only be used for these business purposes or other purposes you have been notified of or consented to, in line with applicable data protection laws.

Enquirers

We collect personal data from website visitors and enquirers including names, contact details, enquiry content, and limited technical information such as IP address or cookies where applicable to respond to enquiries, provide information on our services, manage subscriptions or alerts, maintain and improve website performance and security, and analyze site usage on an aggregated basis. Where required, we obtain consent for the use of cookies, analytics tools, or marketing communications. Your data will only be used for the purposes notified to you or for purposes reasonably related to them, in compliance with the applicable laws.

Data submitted through forms on our websites (such as contact forms, "Book a Demo" requests, newsletter subscriptions, and pricing enquiries) is stored and managed in our customer relationship management (CRM) system, operated by Spott (Spott.io). We use this data to respond to your enquiry, follow up on your interest in our services, and — where you have provided the required consent — send marketing communications such as updates about our products, events, or industry insights. You can opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting our Data Protection Officer using the details in Section 17.

4. What is Personal Data

"Personal data" refers to any information that can identify any User, either on its own or when combined with other data we have or are likely to have access to.

5. Types of Personal Data We Collect

We may collect the following personal data from Users:

  • Full name
  • Date of birth
  • Mobile number (which, for US users, may be used to send service-related SMS communications — see Section 22 for details)
  • Email address
  • Company or organization name
  • Job title or role
  • Country or region of residence
  • Any other information you provide to us (e.g., free-text content submitted via contact, demo request, or enquiry forms)

In certain countries where we operate, we may also collect sensitive personal data if required for recruitment purposes. This may include:

  • Health information
  • Biometric data
  • Criminal records
  • Other data classified as sensitive under local laws

Where sensitive data is collected, we will obtain your explicit consent and apply appropriate safeguards to protect it in line with legal requirements.

6. Collection, Use, and Disclosure of Personal Data

We generally collect personal data in the following ways:

  • Directly from you when you submit an application, contact us, request a demo, or otherwise interact with our websites or services.
  • Through a third party you have authorized (such as a job placement agent or a referrer), after you (or your authorized representative) have been informed of the purpose of the data collection and have given the required consent.
  • From professional networks and recruitment platforms (such as LinkedIn, job boards, talent marketplaces, and similar professional sources), where candidate profiles are made publicly available for recruitment-related purposes. We use this data to identify potential candidates, match candidate profiles with available job opportunities, and build our talent pool. Where required by applicable law, we will notify individuals identified through these sources of our processing and provide them with the opportunity to access, correct, or request deletion of their data (see Section 8 and Section 16).
  • Without consent, where such collection and use is permitted or required under applicable data protection laws, including but not limited to: Singapore PDPA, Malaysia PDPA, Thailand PDPA, Vietnam PDPL, China PIPL, EU GDPR, UK GDPR, and applicable US state privacy laws — including processing under legitimate interest in recruitment activities.

These laws provide for alternative legal basis such as:

  • Contract performance
  • Legal obligations
  • Vital interests (such as emergencies)
  • Public interest or national security
  • Legitimate interests, where permitted and subject to balancing tests

We will always seek your consent before collecting additional personal data or using your data for purposes not previously notified—unless another lawful basis applies under applicable data protection laws, including contract performance, legal obligations, or legitimate interests.

Where personal data is obtained from third-party sources (such as professional networks and recruitment platforms), we provide individuals with the information required under applicable laws — including the categories of sources of the data and the purposes of processing — at the point of first contact or within the prescribed timeframe. Individuals may opt out at any time, and CGP maintains a suppression list to prevent further contact. 

Where we act as a data processor on behalf of clients, such clients are responsible for determining the legal basis for processing, and we process personal data only in accordance with their instructions and applicable law.

Purpose of Collection, Use, and Disclosure

As a User, your personal data may be collected, used, and disclosed for the following purposes:

  • To assess and evaluate your suitability for current or future employment opportunities within our organization
  • To respond to enquiries, demo requests, and contact form submissions received through our websites
  • To manage our commercial relationships through our customer relationship management (CRM) system (Spott.io), including tracking your enquiries, scheduling follow-up, and recording interactions
  • To send marketing communications about our products, services, events, or industry insights, where you have provided the required consent (you can unsubscribe at any time)
  • To verify your identity and the accuracy of the information you have provided
  • To comply with applicable laws, regulations, codes of practice, or to assist in investigations by government or regulatory authorities
  • To share with unaffiliated third parties, including service providers, agents, and relevant authorities (in Singapore, the United States, or overseas), for the above purposes
  • For purposes reasonably necessary and proportionate to the above activities, in accordance with applicable data protection laws.

If you provide us with personal data of another individual (e.g., a referee), you must obtain their consent before disclosing their data to us.

Your consent for the collection, use, and disclosure of your personal data remains valid until you withdraw it in writing via email.

To withdraw your consent, please email your request to our Data Protection Officer at the contact details provided. We may require reasonable time to process your request, depending on its complexity and impact on our relationship with you.

  • We aim to process your request within 10 business days.
  • If more time is needed, we will inform you within the initial 10-day period.
  • In jurisdictions where laws require faster action, we will respond as quickly as possible and notify you if additional time is needed.

Depending on the nature of your request, we may not be able to proceed with your application or continue our engagement with you. If so, we will inform you before completing the withdrawal process.

If you change your mind, you may cancel your withdrawal by informing us in writing via email.

Withdrawal of consent does not affect our right to continue collecting, using, or disclosing your personal data that was permitted or required by law.

8. Access to Personal Data

If you wish to request access to a copy of the personal data we hold about you, or to understand how your personal data is being used or disclosed, please submit your request in writing via email to our Data Protection Officer at the contact details provided below.

  • A reasonable fee may be charged to process your access request. If applicable, we will inform you of the fee before proceeding.

We will respond to your request as soon as reasonably possible, and within the timelines required by applicable data protection laws:

  • Singapore (PDPA): within 30 calendar days
  • Malaysia (PDPA): within 21 calendar days
  • Vietnam (PDPL): within 2 business days
  • Thailand (PDPA): within 30 calendar days
  • China (PIPL): within 30 calendar days
  • Hong Kong (PDPO): within 40 calendar days
  • Japan (APPI): without undue delay, typically within 30 calendar days
  • Colombia (Ley 1581 / Habeas Data): within 15 business days for claims; 10 business days for consultations
  • European Union (GDPR): within 1 month (extendable by up to 2 additional months for complex requests, with notice to you)
  • United Kingdom (UK GDPR / Data Protection Act 2018): within 1 month (extendable by up to 2 additional months for complex requests)
  • United Arab Emirates (Federal Data Protection Law): within 30 calendar days
  • Saudi Arabia (PDPL): within 30 calendar days
  • United States — California (CCPA / CPRA): within 45 calendar days (extendable by an additional 45 days, with notice to you)
  • United States — Virginia, Colorado, Connecticut, Utah: within 45 calendar days
  • Other jurisdictions: within a reasonable timeframe and in compliance with applicable local law

If exceptional circumstances prevent us from meeting the required timeline, we will notify you via email, explain the reason for the delay, and outline the steps being taken to address it—always in accordance with applicable laws.

If we are unable to provide the requested personal data, we will generally inform you of the reasons—unless we are not required to do so under applicable data protection laws or jurisdictions of laws.

Depending on your request, we may only be required to provide access to the personal data contained in relevant documents, not the documents in full. In such cases, we may provide a summary or confirmation of the personal data we have on record, especially where your data forms only a minor part of the document.

9. Correction of Personal Data

If you wish to correct or update any personal data we hold about you, please submit your request in writing via email to our Data Protection Officer.

  • We aim to respond to correction requests within 10 business days.
  • If we are unable to complete the correction within this timeframe, we will notify you via email and provide an estimated timeline.

Our internal target of 10 business days applies unless a shorter response time is required by law. Statutory timelines include:

  • Singapore (PDPA): within 30 calendar days
  • Malaysia (PDPA): within 21 calendar days
  • Vietnam (PDPL): within 2 business days
  • Thailand (PDPA): within 30 calendar days
  • China (PIPL): within 30 calendar days
  • Hong Kong (PDPO): within 40 calendar days
  • Japan (APPI): without undue delay, typically within 30 calendar days
  • Colombia (Ley 1581 / Habeas Data): within 15 business days for claims; 10 business days for consultations
  • European Union (GDPR): within 1 month (extendable by up to 2 additional months for complex requests, with notice to you)
  • United Kingdom (UK GDPR / Data Protection Act 2018): within 1 month (extendable by up to 2 additional months for complex requests)
  • United Arab Emirates (Federal Data Protection Law): within 30 calendar days
  • Saudi Arabia (PDPL): within 30 calendar days
  • United States — California (CCPA / CPRA): within 45 calendar days (extendable by an additional 45 days, with notice to you)
  • United States — Virginia, Colorado, Connecticut, Utah: within 45 calendar days
  • Other jurisdictions: within a reasonable timeframe and in compliance with applicable local law

If we are unable to make the requested correction, we will generally inform you of the reasons—unless we are not required to do so under applicable data protection laws or jurisdictions of laws.

10. Protection of Personal Data

To protect your personal data from unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks, we have implemented appropriate administrative, physical, and technical safeguards. These include:

  • Up-to-date antivirus and firewall protection
  • Encryption of data in transit and at rest
  • Use of privacy filters
  • Secure storage and transmission protocols

Access to personal data is restricted internally and to authorized third-party service providers and agents on a strict need-to-know basis.

Please note that while we strive to maintain the highest standards of security, no method of transmission over the Internet or electronic storage is completely secure. We are committed to continuously reviewing and enhancing our security measures to protect your personal data.

11. Accuracy of Personal Data

We rely on the personal data provided by you (or your authorized representative). To ensure your data remains current, complete, and accurate, please notify us of any changes by contacting our Data Protection Officer in writing via email.

12. Retention of Personal Data

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, or as required or permitted by applicable laws.

  • If your job application is successful, your personal data will be retained as part of your employment records or as required by local laws.

We will cease to retain your personal data, or remove the means by which it can be associated with you, when it is reasonable to assume that:

  • The data is no longer needed for the original purpose; and
  • It is no longer required for legal or business purposes.

13. Third-Party Disclosure and Cross-Border Data Transfers

We are committed to protecting your personal data and ensuring transparency in how it is shared and transferred across borders.

We may share your personal data with contracted third-party service providers, some of whom may be located outside your country of residence. These providers support various business functions, including but not limited to:

  • Subsidiaries and affiliated companies of CGP Group
  • Data storage and cloud infrastructure
  • Recruitment and talent management software
  • Payroll and employment-related services
  • Competency and psychometric testing providers
  • Educational or vocational institutions for qualification verification
  • Your nominated referees
  • Prospective employers and clients seeking to engage your services
  • Our suppliers, service providers, or partners supporting operational, administrative, or employment-related functions
  • Other operational services necessary to support our business functions

All third-party engagements are governed by contractual obligations and internal policies to ensure your data is handled securely and lawfully. These third parties act as our service providers or sub-processors and are engaged subject to contractual obligations, including data protection requirements consistent with applicable laws.

Specific named sub-processors currently in use across our websites and product platforms include:

  • Clerk — authentication and session management for the Keystone AI product platform (United States). See https://clerk.com/privacy.
  • Google LLC — Google Analytics 4 and Google Tag Manager for website analytics across all CGP properties (United States). See https://policies.google.com/privacy.
  • Datadog — Browser Real User Monitoring (RUM) for performance monitoring across our websites and product platforms (United States). See https://www.datadoghq.com/legal/privacy/.
  • Spott.io — Customer relationship management (CRM) system. Receives and stores data submitted through website forms (contact, demo requests, newsletter, pricing enquiries), and powers our "Book a Demo" scheduling workflow. See https://spott.io/cookie-policy and https://spott.io/privacy-policy.
  • Amazon Web Services (AWS) — cloud infrastructure (ECS Fargate compute, CloudFront content delivery, Application Load Balancer) for our product platforms (United States). See https://aws.amazon.com/privacy/.

As we operate across multiple jurisdictions, it may be necessary to transfer your personal data overseas in connection with our business activities and service delivery. These transfers may occur to, but are not limited to, the following countries or regions:

Singapore, Malaysia, Thailand, Vietnam, Mainland China, Hong Kong SAR, Japan, the United States, the European Union, and other jurisdictions where we operate from time to time.

We ensure that any personal data transferred overseas is protected to a standard comparable to the data protection laws of the originating jurisdiction, including through contractual safeguards such as data processing agreements, standard contractual clauses, or equivalent mechanisms where required. For transfers from the EU, we rely on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms approved under the GDPR. Where required by applicable law, we conduct assessments of cross-border data transfers and implement supplementary measures where necessary.

14. Regional Data Protection Compliance

We are committed to complying with applicable data protection laws in all jurisdictions where we operate or receive job applications. This includes:

  • Singapore: Personal Data Protection Act (PDPA) — applicable through Cornerstone Global Partners Pte Ltd
  • Malaysia: Personal Data Protection Act (PDPA) — applicable through Agensi Pekerjaan Cornerstone Global Partners (Malaysia) Sdn. Bhd.
  • Vietnam: Personal Data Protection Law (PDPL) — applicable through Cornerstone Global Partners (Vietnam) Company Limited
  • Thailand: Personal Data Protection Act (PDPA) — applicable through CGP Recruitment (Thailand) Co., Ltd
  • China: Personal Information Protection Law (PIPL) — when processing data of individuals located in or relating to Mainland China
  • Hong Kong: Personal Data (Privacy) Ordinance (PDPO) — when processing data of individuals in Hong Kong
  • Japan: Act on the Protection of Personal Information (APPI) — when processing data of individuals in Japan
  • Colombia: Ley 1581 de 2012 (Habeas Data) and applicable regulations on personal data protection — applicable through Cornerstone Global Partners Colombia SAS
  • European Union: General Data Protection Regulation (GDPR) — when processing data of individuals in the EU/EEA
  • United Kingdom: Data Protection Act 2018 and UK GDPR — when processing data of individuals in the UK
  • United Arab Emirates: Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE Data Protection Law) — when processing data of individuals in the UAE
  • Saudi Arabia: Personal Data Protection Law (PDPL) — when processing data of individuals in Saudi Arabia
  • United States: Applicable federal and state privacy laws, including the California Consumer Privacy Act (CCPA / CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and Utah Consumer Privacy Act (UCPA) — applicable through Cornerstone Global Partners Columbus Inc

We ensure that personal and sensitive data collected from Users is processed lawfully, fairly, and transparently.

Where personal data is transferred across borders—including jurisdictions with extraterritorial data protection laws—we implement appropriate contractual, technical, and organizational safeguards to protect data integrity, confidentiality, and security. These safeguards are designed to ensure compliance with local legal requirements and maintain a level of protection comparable to that of the originating jurisdiction.

15. Notice About AI Use in Recruitment Operations

As part of our recruitment operations, we use AI-powered tools to assist with two broad activities: (a) processing applications and other materials that candidates submit directly to us, and (b) identifying potential candidates from professional networks and recruitment platforms (such as LinkedIn, job boards, and talent marketplaces) and matching their profiles with relevant job opportunities.

These tools may process personal data such as:

  • Your name
  • Contact details
  • Employment history
  • Education
  • Other information provided during the application process or available through professional platforms

Purpose of AI Use

The use of AI tools is strictly limited to supporting internal recruitment functions, including:

  • Extracting relevant information to facilitate candidate profiling
  • Enhancing consistency and accuracy in candidate records
  • Identifying potential candidates from professional networks (such as LinkedIn) and recruitment platforms based on publicly available or platform-provided profile data
  • Matching candidate profiles with available job opportunities based on skills, experience, location, and other relevant criteria
  • Ranking or prioritizing candidate profiles based on relevant criteria such as skills, experience, qualifications, and job requirements
  • Supporting operational efficiency in recruitment workflows

AI-assisted processing may include the scoring or ranking of candidate profiles to support recruiter decision-making. These outputs are generated based on analysis of professional information such as qualifications, experience, skills, and other relevant attributes. Such processing may influence the prioritization of candidates in recruitment workflows but is not used as the sole basis for decisions.

Human Oversight and Decision-Making

These tools do not make automated decisions about your suitability for employment. AI-assisted features are used for decision-support purposes only and do not replace human judgement. All evaluations and selections are made by qualified recruitment professionals, with human oversight at every stage of the decision-making process. AI-generated outputs are reviewed as part of the decision-making process, and final decisions are always made by human recruiters. AI-generated matches between candidate profiles and vacancies are always reviewed by a human recruiter before any candidate is contacted or shortlisted. Employers and clients remain responsible for decisions made using outputs generated by such tools and for ensuring compliance with applicable laws. Where required under applicable law, you may request a human review of processing that significantly affects you.

Logic of Processing

The logic of AI-assisted processing is designed to identify relevant relationships between candidate profiles and job requirements based on professional criteria such as experience, qualifications, skills, and role suitability.

This processing is limited to recruitment-related assessment and does not involve fully automated decision-making producing legal or similarly significant effects.

Legal Basis for AI Processing

The processing of personal data through AI tools is conducted in accordance with applicable data protection laws in the jurisdictions where we operate. Depending on the context, legal base for processing may include:

  • Legitimate interest, where processing is necessary for recruitment operations and does not override your rights
  • Contract performance, where processing is necessary in connection with job applications or potential employment
  • Legal obligations, where processing is required to comply with applicable laws or regulatory requirements
  • Explicit consent, where required by law, particularly for sensitive personal data

Where applicable under local laws, additional mechanisms such as notification-based consent or deemed consent may be relied upon in accordance with those laws.

Where we act as a data processor on behalf of clients, the relevant client determines the legal basis for processing.

Safeguards

We implement appropriate safeguards to ensure that AI-assisted processing is fair, transparent, and proportionate. These may include:

  • Human oversight of AI-assisted outputs
  • Data minimization and purpose limitation controls
  • Technical and organizational security measures
  • Periodic review of AI-assisted processes
  • Data protection impact assessments where required

16. Users' Rights

Depending on your jurisdiction, you may have additional rights under applicable data protection laws. These may include:

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to data portability
  • Right to object to or restrict processing, including the right to object to profiling or automated processing were permitted by law
  • Right to lodge a complaint with a supervisory authority

The availability and scope of these rights may vary depending on your jurisdiction and the legal basis on which your personal data is processed.

16.1 Rights for California Residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

  • Right to Know the categories and specific pieces of personal information we collect, use, disclose, and share
  • Right to Delete personal information we have collected from you (subject to certain exceptions)
  • Right to Correct inaccurate personal information we maintain about you
  • Right to Opt-Out of the sale or sharing of personal information for cross-context behavioral advertising
  • Right to Limit the Use and Disclosure of Sensitive Personal Information
  • Right to non-discrimination for exercising your privacy rights

We do not sell personal information in exchange for monetary consideration. We also do not knowingly sell or share personal information for cross-context behavioral advertising purposes. We may share personal information with service providers and business partners only for the purposes described in this Policy.

To exercise these rights, contact our Data Protection Officer at the email below. We will respond within 45 days; if more time is needed, we may extend the response period by an additional 45 days and will notify you of the extension.

You may also designate an authorized agent to make a request on your behalf. We may require verification of your identity and the agent's authorization before processing the request.

16.2 Rights for Other US State Residents

Residents of Virginia, Colorado, Connecticut, and Utah have similar rights under their respective state privacy laws (VCDPA, CPA, CTDPA, UCPA), including the right to access, correct, delete personal data, and to opt out of certain processing activities such as targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects, and, where applicable, the sale of personal data.

To exercise these rights, please contact our Data Protection Officer using the contact details below.

16.3 Rights for European Union and United Kingdom Residents (GDPR / UK GDPR)

If you are located in the European Union, the United Kingdom, or another jurisdiction covered by the GDPR or UK GDPR, you have the rights listed in Section 16 above, subject to applicable legal limitations and the lawful basis relied upon for processing, plus the right to withdraw consent at any time (where consent is relied upon as the legal basis for processing) and the right to lodge a complaint with your local supervisory authority. For EU residents, our lead supervisory authority will be determined according to the GDPR's one-stop-shop mechanism where applicable.

17. Data Breach Notification

In the event of a personal data breach, we will promptly assess the scope, nature, and potential impact of the incident and take appropriate technical and organizational measures to contain, mitigate, and remediate the breach.

Where required under applicable data protection laws, we will notify relevant regulatory authorities and, where there is a risk to the rights and freedoms of individuals or where otherwise required by law, affected individuals, within the prescribed legal timelines. For example, certain jurisdictions may require notification to authorities within 72 hours of becoming aware of a breach.

We will take reasonable steps to investigate the circumstances of the breach, identify its root cause, and implement corrective actions to address any identified vulnerabilities and reduce the risk of recurrence.

Depending on the nature and scope of the breach, notifications to affected individuals may be provided via appropriate means, including email, website notice, or other communication channels deemed effective in the circumstances.

We maintain internal incident response procedures to ensure that personal data breaches are managed in a timely and effective manner, in accordance with applicable legal and regulatory requirements.

Our website may contain links to third-party websites, platforms, or services, including social media networks such as LinkedIn.

These external websites are not operated or controlled by us. If you choose to access such third-party sites, any personal data you provide or that is collected by those third parties will be subject to their respective privacy policies and practices.

We do not accept responsibility for the content, security, or data processing practices of any third-party websites. We encourage you to review the privacy policies of these third parties before providing any personal data.

Job Postings on LinkedIn: We may publish job postings to LinkedIn through their automated job feed for distribution purposes. If you apply to one of our roles via LinkedIn, your information is initially collected by LinkedIn under their privacy policy before being shared with us. Once received, we process your personal data in accordance with this Policy.

19. Data Protection Officer

If you have any enquiries or feedback regarding our personal data protection policies and procedures, or if you wish to make a request, please contact:

Data Protection Officer: DPO Office

Email: dpo@cgpgroup.com

20. Effect of Policy and Changes to Policy

This Policy applies in conjunction with any other policies, notices, contractual clauses, and consent of clauses that relate to the collection, use, and disclosure of your personal data.

We may revise this Policy from time to time without prior notice. You can check for updates by referring to the "Last Updated" date at the top of this document. Your continued participation in our recruitment process or employment with us constitutes your acknowledgement and acceptance of any changes.

If you are a minor under the minimum age defined by applicable privacy laws, you represent and warrant that your parent or legal guardian has been informed of and has agreed to this Privacy Policy.

Where legally required, you are responsible for obtaining valid parental consent before providing us with your personal data.

We may request evidence of such consent and reserve the right to delete any personal data collected from you if we cannot verify that the necessary consent has been obtained. We are not liable for any failure to obtain parental consent as required by law.

In most cases, we do not require sensitive personal data during the job application process. You should avoid submitting such data unless it is necessary or relevant.

However, we may collect and handle sensitive personal data—including health information, financial details, criminal history, or other data considered sensitive under applicable laws—under the following conditions:

  • You voluntarily include such information in your application materials, in which case we will treat such submission as an indication of your consent were permitted by applicable law, and may seek explicit confirmation where required
  • You have provided explicit consent for us to collect, use, or disclose your sensitive personal data for specific purposes
  • There is another legal basis under applicable laws that permits us to process such data without explicit consent

We may request confirmation of your explicit consent where required and reserve the right to delete any sensitive personal data submitted without a valid legal basis or necessary consent. In situations where explicit consent is required by law, we will be contacting you separately.

By submitting forms via website, you acknowledge and agree to the following:

  • You have read, understood, and agreed to the above Policy, and acknowledge that your personal data will be processed in accordance with this Policy and applicable data protection laws, based on consent or other lawful grounds where permitted.
  • You understand that the legal basis for processing may include contract performance, legal obligations, or legitimate interests, depending on the context of your interaction with us.
  • If your job application or personal data was submitted by a third party, you warrant that the third party was duly authorized by you to disclose your personal data to us for the stated purposes.
  • Your personal data may be processed using AI-assisted tools for recruitment and related services, in accordance with this Policy.
  • You acknowledge that such AI-assisted processing is used as a decision-support tool and is subject to human oversight.
  • Your personal data may be transferred to third-party service providers and across jurisdictions as described in this Policy
  • The personal data you have provided is accurate and complete to the best of your knowledge.
  • You understand that you may contact us at dpo@cgpgroup.com to withdraw your consent, request manual processing, or opt out of AI-powered tools, subject to applicable legal and operational limitations.

24. US-Only SMS Communications Addendum

For individuals located in the United States, the use of mobile phone numbers for service-related SMS communications is governed by a supplementary document: the U.S. Service-Related SMS Messaging Addendum (the "SMS Addendum"), which applies specifically to Cornerstone Global Partners Columbus Inc.

The SMS Addendum supplements this Privacy Policy in relation to:

  • Service-related SMS, MMS, and similar mobile messages (e.g., meeting confirmations, reminders, scheduling or rescheduling notices, follow-up communications, account or relationship administration messages)
  • Opt-out mechanisms (reply STOP, UNSUBSCRIBE, CANCEL, END, or QUIT to any message) and assistance keywords (reply HELP)
  • Data collection, retention, and sharing related to SMS activity
  • Permitted use cases (operational and relationship-management purposes only — not marketing)

CGP Group does not sell, rent, share, transfer, or otherwise disclose mobile numbers, SMS opt-in information, or text messaging consent data to third parties or affiliates for their own marketing or promotional purposes.

The SMS Addendum is available upon request via the Data Protection Officer at the contact details in Section 17 above. The terms of this Privacy Policy remain the primary statement governing data ownership, processing purposes, retention, cross-subsidiary data use, and individual rights; the SMS Addendum is supplementary.

Disclaimer: This mailbox is designated for matters related to Data Protection. For enquiries unrelated to data protection, submit your request via our Official Contact Form. Kindly note that non-DPO-related queries sent to this mailbox may not receive a response.