Privacy Policy for the Nakama Platform

Content

This version is in effect since March 25th, 2019. Last updated on June 4th, 2020. 

These Privacy Principles apply to the Nakama Products and Services (“Nakama Platform”), being made available under a Software as a Services model, for the benefit of and on behalf of the Nakama Customers (hereafter referred to as the “Services”), including the use you make of them as well as the interactions you have therewith.

1. Privacy in General  

1.1 What is GDPR?

“GDPR” or “General Data Protection Regulation“ (EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC), is the current privacy legislation in effect in the European Economic area (“EEA”).

The GDPR came into effect on 25 May 2018 and introduces a whole new set of rules in respect of the processing of information which relates to You (as being an identified or identifiable natural person) (“Personal Data”). It aims to harmonise data privacy legislation throughout the EEA with the intention to i) increase the general awareness on data privacy, ii) allow individuals to take control over their privacy and their fundamental rights, and, iii) to strengthen security requirements throughout companies and organisations.

Seeing the wide scope pf applicability, the GDPR serves as the basis for the worldwide Nakama privacy program.

(Last update 25 March 2019)

1.2. When does GDRP apply?

The GDPR applies to i) all organisations established in the European Economic area (“EEA”) and ii) to organisations, whether or not established in the EEA, that process Personal Data in connection with either the offering of goods or services to Data Subjects (i.e. identified or identifiable individuals) in the EEA or the monitoring of their behaviour that takes place within the EEA.

As a consequence, from the moment there is an element of processing Personal Data in the EEA or from the moment a Data Subject located in the EEA is targeted, GDPR will apply, also to organisation not located in the EEA.

(Last update 25 March 2019)

1.3. Nakama and GDPR

Convexable BVBA, with address Da Vincilaan 1 – 1930 Diegem (Belgium), by itself or through its affiliates (“Nakama” or ‘Nakama HR”), has developed, exploits and maintains certain Services.

The Services are provided by Nakama under contract as concluded with the organisation who purchased the Services for its employees' use (“Nakama Customer”). The Nakama Customer has commissioned Nakama to set up a referral platform. The Nakama customer can use this platform to invite its employees to register as so-called 'ambassador'.

Nakama acts as a service provider for the Nakama customer and processes data in this respect only on behalf of and only according to specifications and instructions in accordance with a Data Processing Agreement (article 28(3) GDPR.

Responsibility for the use of the referral platform according to article 4 (7) GDPR is therefore the Nakama Customer. Please contact the data protection officer or other person of the Nakama Customer for all data protection-related concerns and for the exercise of your rights.

Nakama embraces the opportunities GDPR brings and ensures putting in place such measures in order to allow for the Nakama Customers to make use of the Services in a compliant way.

As GDPR is the most comprehensive and fully integrated legislation on data privacy, and as the applicability of the GDPR does not stop at the borders of the EEA, Nakama uses GDPR as a standard against which its worldwide program is benchmarked.

(Last update 04 June 2020)

2. Privacy Principles

2.1. When do these Nakama Privacy Principles apply?

These Nakama Privacy principles apply whenever a person makes use of, or is interacting with the Services under any form of a user account, or, as a Third-Party Data Subject (see explanation on “roles” below) being allowed (limited) access by you and an owner of a user account to such Services (“You” or “Your”).

These Privacy Principles equally apply to the products (including front-end clients (e.g. the Nakama mobile application), Web-Interface (e.g. plugins) and/or Connectors to third-party applications) interacting with such Services.

Be informed that if You make use of the Services as part of an entity or organisation that has an agreement with Nakama (like Your employer), the terms of that organisation’s agreement may provide for different or additional terms. Please contact Your organisation for further details.

(Last update 25 March 2019)

2.2. What is the relationship between these Privacy Principles and a Customer Privacy Policy? 

These Nakama Privacy Principles are provided for convenience reasons only and want to try to provide You with as much information as Nakama is able to provide under sections 13 and 14 GDPR.

You however, need to bear in mind that Nakama is only acting as data processor and not as data controller , which means that any Privacy Policy of the Nakama Customer (“Customer Privacy Policy”) shall have priority over these Nakama Privacy Principles. These Nakama Privacy Principles under no way shall mean that Nakama is taking up a role as data controller. The publication of the Customer Privacy Policy (or absence thereof) does not occur under the responsibility of Nakama.

(Last update 25 March 2019)

2.3. Is Nakama acting as Data "Processor" or Data "Controller" in respect of the Services?

It is the Nakama Customer who grants access and manages the user accounts to the Services (e.g. password reset, access rights, third-party integrations, suspending accounts, grouping users, assigning channels, …), as well as which Third-Party Data Subjects to interact with through the Services (and thus whose Personal Data are to be processed). It is the Nakama Customer that may communicate with You or the Third-Party Data Subject through the Services. It is therefore the Nakama Customer who legally is acting as the so-called “Controller”.

Inquiries by You or any other Data Subject in respect of processing by the Services of one’s Personal Data therefore needs to be addressed to the Nakama Customer, not Nakama.

Nakama is only offering the means allowing the Nakama Customer to interact with their respective Users and third parties through the Services. This means that Nakama is only processing the Personal Data for and on behalf of the Nakama Customer as a “Processor”, in line with the instructions given by the Nakama Customer.

Nakama is only acting as Controller (in a limited way) in respect of certain interactions of or with the Administrator (see Nakama Privacy Policy).

(Last update 25 March 2019)

2.4. Does Nakama export Personal Data outside of the EEA?

Nakama only exports Personal Data outside of the European Economic area (“EEA”) if and when required by:

  • It and its affiliates’ employees and collaborators;
  • Third-party technology and service providers as used for the purposes described in these Privacy Principles;
  • Third-Party maintenance & support recipients (including related service/technology providers);
  • Other third parties to the extent Nakama has good faith belief that such disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request from a public or law enforcement authority; (b) national security; (c) protect the safety of any person from death or serious bodily injury; (d) prevent fraud or abuse; (e) as necessary to protect or enforce our legal rights & those of our collaborators as well as the integrity of our Services.


Such disclosures shall always be limited to the Personal Data as required for the specific purpose of the recipient while taking into account the necessary provisions on confidentiality, integrity, availability and security of the data involved.

In case of Feature Dependent Subprocessors, the Nakama Customer has a choice not to enable that specific service.

In the current set-up of the Services, such export of personal data shall occur and is required in order for the Services to meet the contractual warranties and services levels.

Where such export occurs, Nakama ensures that such transfer occurs under the necessary legal provisions as required by the applicable legislation in order to provide for an adequate level of protection of Your Personal Data (e.g. adequacy decision of the EU commission (e.g. EU-US Privacy Shield), binding corporate rules, EU standard contractual clauses, …).

(Last update 25 March 2019)

2.5. What is Nakama doing in order to help its Customers comply with GDPR?

Nakama has a good number of initiatives in that regard:

  • EU Data centres / US CDN opt out
  • Nakama’s principle hosting infrastructure is located within the EU at a first-class world-renowned hosting partner (AWS – European region: Paris).
  • Nakama data protection manager
  • The Nakama data protection officer supervises the entire data privacy program at Nakama.
  • Vetting by Nakama of its subprocessors
  • Each subprocessor of Nakama is vetted by the Nakama data protection officer in the areas of security, contractual terms, data processing agreements, and, EU standard contractual clauses / Privacy Shield.
  • Contractual documents / privacy policies
  • Our contractual documents are state-of–the-art and contain the necessary provisions, including in respect of data processing agreements, end-to-end confidentiality, and privacy policies (meeting all necessary legal requirements).
  • Product engineering
  • All new product capabilities that are to be introduced within the Service, follow three key cornerstones: (i) the GDPR principles of “privacy by design” and “privacy by default”, (ii) giving flexibility to both EU customers and non-EU customers within the GDPR guidelines – while (iii) keeping all changes as simple as possible.


(Last update 25 March 2019)

2.6. Does Nakama have a Data Processing Agreement available?

To the extent processing of Personal Data within Your organisation falls within the material scope and territorial scope of GDPR (articles 2 and 3 GDPR), the GDPR requires that the processing occurs under a Data Processing Agreement that requires certain minimum criteria to be met (article 28,3 GDPR).

Nakama therefore has created a so-called “Data Processing Agreement” or “DPA” that includes all the required GDPR terms.

Nakama’s DPA reflects the unique aspects of the Services, as well as processing activities, and modifies Your agreement for the Services to bring it into GDPR compliance.

You can find and execute the Nakama Data Processing Agreement by sending email to privacy@nakamahr.eu.

(Last update 25 March 2019)

2.7. What rights do data subjects have?

As an EEA citizen (and potentially other applicable data privacy laws), data subjects whose Personal Data is being processed have the right to:

  • obtain access to one’s Personal Data as processed by Nakama;
  • request rectification, erasure or restriction of processing of one’s Personal Data;
  • object to the processing of one’s Personal Data where processing is based on the legal ground of “consent”;
  • request to receive one’s Personal Data in a format at the discretion of the Controller (e.g. excel, .CSV file, …), that allows for the data portability of such data to a similar service;
  • where Personal Data is processed based on the legal ground of “consent”, withdraw one’s consent for processing one’s Personal Data at any time.

Such rights need to be exercised towards the Nakama Customer. In order to exercise such rights, the individual in question shall have to provide proof of one’s identity by providing an official document (e.g. ID Card, driver’s license, …).

(Last update 25 March 2019)

2.8. Where to log a complaint?

Under these privacy principles, Nakama is acting as Processor under instruction and on behalf of the Nakama Customer. As a result, in case You have a complaint about the processing of Your Personal Data, You should address Your complaint towards the respective Nakama Customer as being the controller of Your Personal Data.

Notwithstanding the above, You can always contact us directly at privacy@nakamahr.eu and we will listen to Your complaint and see if we can help You to resolve this. In any case, Nakama will provide You with a response within one month of receipt. Where necessary or where legally required, Nakama will forward Your request to the respective Nakama Customer who will take this up further with You.

However, if You, as an EEA citizen, have an unresolved complaint, You always have the right to log a complaint with the competent “data protection authority”. Information on the competent data protection authority and the way of logging a complaint can be found here (or the URL as updated by the European Commission).

(Last update 25 March 2019)

2.9. Who can I contact if I require more information?

Nakama has appointed a data protection officer who can be contacted at Office of the Data Protection Officer – CONVEXABLE BVBA – Da Vincilaan 1 – 1930 Diegem (Belgium) or privacy@nakamahr.eu.

(Last update 25 March 2019)

3. Privacy in the Nakama Services

3.1. What do the Nakama Services consist of?

Nakama is offering Services that helps organizations to provide information (job vacancies) and tools to their collaborators that enables them to inform potential job candidates of open positions and bring this job candidate in contact with their organization for recruitment purposes.

To the extent the individual in question is connecting to and interacting with the Services, the Services measure the engagement of such individual in respect of content shared, analyse such individual’s behaviour therewith and enables the organization to reward accordingly.

The Services are offered as a “Software as a Service” model, which is a software licensing and delivery model in which software is centrally hosted and made available to multiple users over a network, including through interacting products (including front-end clients, apps, Web-Interface, plugins, or connectors to third-party applications).

The Personal Data is not processed for any other purpose than allowing the Services to take place for the benefit and under the control of the Nakama Customer.

Where Your Administrator/User/organisation chooses to i) add new functionality or change the behaviour of the Services (outside of what the Services offer as native functionality or behaviour) by integrating/combining third-party applications (e.g. applicant tracking software tools, SSO, etc.) or ii) is making content available through an iFrame, linking to third-party URL’s or similar technology, this may lead to the fact that such third-party applications receive access to certain Personal Data or content either directly from You or through the Services. This activation, implementation, combination and/or content offering occurs solely under the responsibility of Your organisation/third-party application provider and their respective policies, not Nakama’s. Consequently, Nakama does not take any responsibility for this.

(Last update 25 March 2019)

3.2. What roles / interactions exist within the Nakama Services, and what do they mean?

You can interact with or through the Services through the following roles:

  • “Administrator”: someone managing User accounts, having privileges for making content available for use by the User through the Services, monitoring usage statistics, as well as being able to monitoring Third-Party Data Subject’s engagement with such content;
  • “User”: someone who through the Services is i) interacting with the content being made available to him by the Administrator and ii) making Content available to a Third-Party Data Subject , and/or iii) monitoring that Third-Party Data Subject’s engagement with such content (viz. a job candidate reacting to the content shared by the concerned User) as well as its usage statistics;
  • “Third-Party Data Subject” someone (usually the potential employee or contractor) receiving specific information from the User through the Services in respect of an open job vacancy with the User’s organisation.

Each of these roles will generate their specific analytics as to the way how they interact with the content being made available through the Services.

Third-Party Data Subject personal data will be visible:

  • to Users and Administrators.
  • User personal data will be visible:
  • to Users and Administrators.


(Last update 25 March 2019)

3.3. What categories of Personal Data are being processed through the Nakama Services?

The Services processes certain “information relating to an identified or identifiable natural person, for and on behalf of its Customers.

For each role (Administrator, User, Third-Party Data Subject), certain contact information is being processed (i.e. direct identifiable Personal Data such as an e-mail addresses or name), as well as certain account information, profiling/behavioural information, device information, connection information, content, integrations with HR automatisation/ATS services, geolocation (i.e. indirect identifiable Personal Data requiring a whole dataset in order to identify 1 single person).

In certain instances, the Services may also process certain video or other material (comments, reviews, …) that an Administrator, User or Third-Party Data Subject may upload or provide to the Services. In most circumstances it is the aim of such video or other material to be used as assessment and review material for the people within the organisation of the Nakama Customer.

For specific information on which types of Personal Data are being processed, contact the Nakama data protection officer at privacy@nakamahr.eu.

(Last update 25 March 2019)

3.4. Are the Nakama Services processing so-called "sensitive Personal Data?

No so-called “sensitive Personal Data” (e.g. as per section 9 GDPR) is being processed by or through the Services (e.g. medical information, biometrical information, racial information, social security information, criminal information …), nor should the Services be used for such data.

(Last update 25 March 2019)

3.5. Are the Nakama Services processing financial data / PCI data?

The Services are not processing any (personal) financial data or data that is regulated by rules of the Payment Card Industry (PCI).

(Last update 25 March 2019)

3.6. Under what legal basis is Personal Data being processed through the Services?

Before each Administrator’s, Privileged User’s, User’s and/or Third-Party Data Subject’s Personal Data is processed, consent from the respective individual will be sought at the different levels within the Services:

  • Administrator/Privileged User/User: consent will be sought at the moment of creation of their account;
  • Third-Party Data Subject: consent will be sought at the moment of first interaction with the Services or the content made available.

Consent is an allowed basis for the lawful processing of Personal Data (see section 6,1 (a) GDPR).

Additionally, certain Personal Data is processed based on legitimate interest (see section 6,1 (f) GDPR) because:

  • necessary for technical reasons, e.g
  • IP address is used to determine origin of the request resulting in certain privacy settings becoming applicable or not;
  • email address of a (re-shared) Third-Party Data Subject is used for the technical aspects of delivering the message to the recipient under an SMTP protocol
  • in order to capture consent (e.g. online meetings).
  • used as training material for internal training purposes of the Nakama Customer, e.g.:
  • (deactivated) account analytics (e.g. User analytics of (former) Administrators/Privileged Users/Users)
  • training video’s
  • (peer) reviews/comments


Next to that, certain limited Personal Data may be processed as required for Nakama as a controller to administer the (contractual) relationship between Nakama and its Customer (also through the Administrators) as well as to comply with certain legal obligations / legitimate interest of Nakama (e.g. consent log files). More info can be found in the Nakama Privacy Policy.

(Last update 25 March 2019)

3.7. How long does the Personal Data remain available in the Nakama Services?

  • Data in Nakama hosted environment (production):
  • Administrator/User: From the moment the account is deleted by the Nakama Customer or where the contract with the Nakama Customer is terminated, the account and the Personal Data is deleted, and the insights anonymised (deletion is irreversible). For avoidance of doubt, deactivation of an account does not by itself remove the account, the Personal Data or the insights; the account is only suspended.
  • Third-Party Data Subject: As long as the respective Third-Party Data Subject is interacting with or through the Services and for a certain period after the last interaction such Party has had with or through the Services, as determined and set by the Nakama Customer, as well as all Personal Data is deleted, resulting in the fact that analytics are anonymised.
  • Any action performed is sync’ed automatically throughout the entire production environment (including any deletions).

(Last update 25 March 2019)

3.8. Does Nakama make use of subprocessors for the Nakama Services?

Nakama uses two types of subprocessors; 1) “Core Subprocessors” and 2) “Feature dependent Subprocessors”.

• Core Subprocessors (e.g. hosting partners) are subprocessors that are key to the functioning of the Services and without whom Nakama cannot guarantee the functioning of the respective Services.

• Feature dependent Subprocessors are subprocessors that offer a certain functionality that is either not present in all versions of the Services, either are optional (and thus can be switched off).

For more information on which subprocessors are used in the Services, contact the Nakama data protection officer at privacy@nakamahr.eu.

(Last update 25 March 2019)

3.9. Which parties may receive Personal Data as processed through the Nakama Services?

Nakama only shares Your Personal Data with its (as well as its affiliates’):

  • employees and collaborators in respect of their respective duties as required for the exploitation, support and maintenance of the Services;
  • Third-party technology and service providers in respect of their services as part of the Services and as used for the purposes described in these Privacy Principles;
  • Third-party maintenance & support recipients (including related service/technology providers);
  • Other third parties to the extent Nakama has good faith belief that such disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request from a public or law enforcement authority; (b) national security; (c) protect the safety of any person from death or serious bodily injury; (d) prevent fraud or abuse; (e) as necessary to protect or enforce our legal rights & those of our collaborators as well as the integrity of our Services.


Such disclosures shall always be limited to the Personal Data as required for the specific purpose of the recipient while taking into account the necessary provisions on confidentiality, integrity, availability and security of the data involved.

For avoidance of doubt, Nakama does not sell or otherwise commercialises the Personal Data.

Nakama shall remain responsible to ensure that such export occurs in a legally compliant way, as well that the performance of the subprocessors Nakama has engaged remains in line with the applicable data protection legislation.

Mind you that personal data is shared within the Nakama Services to the different stakeholders as set forth in section C2.

(Last update 25 March 2019)

3.10. Is the data processed through the Nakama Services used for direct marketing purposes or automated decision making?

Nakama does not use the Personal Data processed through the Services for Nakama’s direct marketing purposes, nor does the Service employs automated decision-making processes or techniques which create or deny rights to the individuals in question.

Nakama only processes the Personal Data under instruction and under control of the Nakama Customer for the purpose of exploiting its Services for the benefit of its Customers, as described above.

(Last update 25 March 2019)

3.11. What Security measures does Nakama employ for its Service?

Nakama has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. Nakama shall thereto take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

While we aim to implement industry-leading safeguards designed to protect Your Personal Data, no security system is impenetrable and due to the inherent nature of the Internet, there always is an inherent risk that non-authorised persons may obtain access e.g. by way of hacking. In addition, we cannot guarantee that any Personal Data which was incidentally collected by You or Your organisation is maintained at levels of protection to meet specific needs or obligations You may have relating to that information.

(Last update 25 March 2019)

3.12. Do the Nakama Services use Cookies?

For more information on Cookies used by Nakama and the way of managing/removing them, see the respective “Cookie Policy” statement on the Nakama website.

(Last update 25 March 2019)

3.13. Are the Nakama Services targeted at Children?

The Services are typically solutions that aim at recruiting employees and interim managers for professional organisation. As such, the Services are not aimed for children under the age of 18 year, nor should it be used for such purpose. We consequently do not knowingly collect Personal Data from children.

If a parent or guardian becomes aware that his or her child has provided Personal Data that is processed through the Services without their consent, he or she should contact Nakama at privacy@nakamahr.eu. If we become aware that a child has provided us with Personal Data, Nakama will take the necessary steps to have that Personal Data irrevocably removed from the Services.

(Last update 25 March 2019)

3.14. What about Functional/Technical Data in the Services?

The Services also track certain data other than Personal Data, more specifically technical, analytical data, and metadata which is collected automatically when a person is interacting with or through the Services (“Functional Data)”, which Functional Data is the sole property of Nakama.

Nakama collects the following Functional Data:

  • General usage Information. including:
  • the applications and features You use in respect of the Services;
  • the sizes, titles and type of the files or folders You upload, download, share or access while using the Services;
  • the content You access, and any actions taken in connection with the access and use of the content in the Services;
  • Dwell time;
  • Interaction types with third-party applications
  • Click activity.
  • Log Information. including:
  • Your Internet Protocol (“IP”) address;
  • Access times;
  • Browser type and language;
  • URL’s of referring/exiting exit pages;
  • Internet Service Provider (“ISP”).
  • Device Information. including:
  • the hardware model;
  • operating system and version;
  • mobile network information (as allowed by the mobile network) or platform information (as allowed by the specific platform type).

Subject to the other provisions of these FAQ’s Nakama may use the Functional Data for a variety of purposes, including to:

  • Provide, operate, maintain and improve the Services
  • Enable You to technically access and use the Service
  • Respond to Your comments, questions, and requests and provide service and support;
  • Monitor and analyse trends, usage, and activities in connection with the Services;

4. Which data is collected and how is it used?

4.1 General

The subject of data protection is personal data. According to Article 4 No. 1 GDPR, this is all information that relates to an identified or identifiable natural person (hereinafter "data subject"); An identifiable person is a natural person who can be identified directly or indirectly, in particular by assigning an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics, the expression of the physical , physiological, genetic, psychological, economic, cultural or social identity of this natural person.

4.2 Automatically collected usage data

When accessing the website https://app.usenakama.com, your internet browser automatically transmits certain usage data for technical reasons. This so-called log file information is stored separately from other data that you have provided to us:

  • Date and time and duration of access,
  • Browser type / version,
  • operating system used,
  • URL of the previously visited website,
  • amount of data transferred,
  • IP address (internet protocol address),
  • Name of the service provider,
  • Name of the retrieved files,
  • http status code (e.g. "Request successful")
  • and URL of the website accessed.


This data is technically necessary for us to offer you the functions of our recommendation platform and to ensure stability and security (legal basis: art. 6 (1).1.f GDPR). We store them for a period of 30 days. Data whose further storage is necessary for evidence purposes are excluded from deletion until the respective incident has been finally clarified.

4.3 Notes for employees of the Nakama Customer and applicants

4.3.1 Data processing for ambassadors

4.3.1.1 User data of the ambassador

Employees are invited as ambassadors from their employer, the Nakama Customer, to spread certain open jobs and recommend potential applicants. This is done via the Nakama company account of the Nakama Customer. There, ambassadors can share and multiply vacancies in various ways (e.g. social networks, via WhatsApp, by email). To be able to use the recommendation platform, an ambassador must register with the Nakama platform.

With the Ambassador's consent (Article 6 (1).1.a GDPR), the following data is processed about the registration and the personal settings within the platform:

  • First name,
  • Surname,
  • E-mail address

Handling and visibility:

Part of the above Data (first name, last name) are made available to all registered users within a Nakama account. They are visible to the responsible recruiters, company administrators and all other registered ambassadors of the company. In addition, part of the data (first name, last name) is visible to potential applicants who click on a job that was previously shared by an ambassador via email, link or a social network.

4.3.1.2 Statistics

4.3.1.2.1 Individual user statistics

Ambassadors also give their consent for the Nakama Customer to collect individual statistics as part of the referral process. This makes the actions taken visible to users in the Nakama company account and saved.

The following statistics are displayed in figures by the Nakama platform:

  • Sum of the points collected
    A

Handling and visibility: These individual usage statistics are only visible to the respective Ambassador.

4.3.1.2.2 Leaderboard

Ambassadors also give their consent for the Nakama Customer to collect individual success statistics as part of the referral process. This makes the services and achievements made visible to other users and saved.

The following success statistics are processed by the Nakama platform and displayed in the Nakama account:

  • Total points in the referral program
  • Ranking based on the total number of points compared to all other ambassadors registered in this account

Handling and visibility: These success statistics are visible to all registered users within an account.

4.3.1.3 Referral reward management

Ambassadors give their consent for personal information to be collected for referral reward management in the course of a referral that they have successfully generated. This makes the due premium visible to the ambassador and saved.

The following information is processed by the Nakama platform and displayed in the Ambassador's Nakama account:

  • Number of collected points
  • Title of the job that generated the points

Handling and visibility: The information on due premiums is only visible to the ambassador and company administrators concerned.

4.3.1.4 Social media

When connecting to a social network, a job can be shared on behalf of the Ambassador via the Nakama platform with the consent of the Ambassador on the news feed of the respective network (e.g. Facebook, LinkedIn) or on a chat (e.g. WhatsApp).

The connection is only there to be able to share jobs on behalf of the Ambassador. Nakama does not send any personal data to the social networks.

Handling and visibility: Which social networks an Ambassador has connected with is not visible to anyone else than the user. Nakama can also be used without being connected to a social network.

4.3.1.5 Right of withdrawal

Ambassadors can withdraw their consent to the processing of their personal data at any time with future effect. You can email the data protection officer or likewise of the Nakama Customer.

4.3.2 Data processing by recruiters and company administrators

Company administrators (“job providers”) are responsible for the management of the Nakama company account. They invite ambassadors, create jobs and administer the recommendations. To do this, they must also register with the Nakama recommendation platform beforehand.

With the consent (Article 6 (1).1.a GDPR) of the recruiter or company administrators, the following data about the registration and the personal settings within the platform are processed:

  • First name Last Name
  • E-mail address

Handling and visibility: part of the above Data (first name, last name) are made available to all registered users within a Nakama account. They are visible to the users of the referral program (other administrators and ambassadors). In addition, part of the data (first name, last name) is visible to potential applicants who click on a job that was previously shared by a recruiter or company administrator via email, link or a social network.

4.3.2.1 Referral reward management

In addition to user and job management, reward management is also one of the tasks of company administrators. As soon as a recommendation from an ambassador as been set, the recruiters and company administrators will be shown and saved the referral reward due for approval.

The following information is processed by the Nakama platform and displayed to recruiters and company administrators:

  • Number of points & value of the referral reward
  • Title of the job for which the referral reward is due
  • Name of the ambassador
  • Name of the referred person

Handling and visibility: The information on due premiums is only visible to the ambassador and company administrators concerned.

4.3.2.2 Right of withdrawal

Company administrators can revoke their consent to the processing of their personal data at any time with future effect. Company administrators can email the data protection officer, or likewise, of the Nakama Customer.

4.3.3 Data processing for applicants

4.3.3.1 Applicant data of the applicant

If a potential applicant is made aware of a vacant job via an ambassador, he or she can apply via the Nakama referral platform. As soon as a potential applicant decides to apply via the Nakama referral platform, the following data might also be processed in the e-recruiting system of the Nakama Customer with the applicant's prior consent (Article 6 (1).1.a GDPR).

  • First name Last Name
  • E-mail address
  • Phone number*
  • Application documents (curriculum vitae, certificates, letter of motivation, etc.)*
  • Link to public profile on LinkedIn*


*Not mandatory

Handling and visibility: In the case of an application, the data collected is made available to the company responsible for the vacant job. The data is visible to all administrators. In addition, part of the data (first name and last name) is also visible to the Ambassador who previously shared the job to which the applicant applied for via email, link or a social network.

4.3.3.2 Hiring an applicant

Applicants also give their consent for the Nakama referral platform to also process data on successful recruitment. This is data that recruiters collect from applicants as part of the recruitment process.

The following information is entered by the recruiter in the course of a setting:

  • whether the applicant is hired or not
  • whether a premium is due for the Ambassador

Handling and visibility: The recruitment data of an applicant are made available to the recruiters and company administrators of a company for historical traceability and reward management. The Ambassador, who is responsible for the applicant's application, will also be informed of the applicant's recruitment.

Note: Communication with the applicant when hiring does not take place via the Nakama referral platform.

4.3.3.3 Closure of an applicant

Applicants also give their consent that data on the closing (termination) of their application is also processed via the Nakama platform. This is data that recruiters collect from applicants as part of the closing process.

Handling and visibility: The closing dates of an applicant serve the company administrators of a company for historical traceability. Furthermore, the ambassador, who is responsible for the applicant's application, is informed about the applicant's closure.

Note: Communication with the applicant upon closure does not take place via the Nakama referral platform.

4.3.3.4 Referral reward management

Applicants also give their consent for information to be processed in the course of their recruitment via the Nakama referral platform for reward management. This makes the due referral reward visible to the ambassador and saved.

The following personal information is processed by the Nakama referral platform and displayed in the Ambassador's Nakama account, which recommended the applicant:

  • Number of collected points and its value
  • Title of the job for which the referral was set
  • Name of applicant

Handling and visibility: The information on due referral rewards is only visible to the ambassador and company administrators concerned.

4.3.3.5 Right of withdrawal

Applicants can withdraw their consent to the processing of their personal data at any time with future effect. Applicants can email the data protection officer, or likewise, of the Nakama Customer.

4.3.4 General usage data and success statistics

General usage and success statistics are data that are processed about the referral activities within the Nakama company account. The data are used by the Nakama Customer to get an overview of the success of their own talent search and to make better use of the Nakama referral platform:

  • Total number of job views
  • Total number of open job positions
  • Total number of closed jobs
  • Total number of hired applicants

Handling and visibility: These general usage and success statistics are visible to company administrators within a Nakama company account and serve as an overview of the activities and effectiveness of their referral network.

4.4 How long do we store your data?

4.4.1 User data (ambassadors and administrators)

If the user's data is no longer required for the purposes mentioned in this section, it will be deleted. If a user account is deletes by the company administrator, the profile will be completely and permanently removed. Insofar as data must be kept for legal reasons, it will be blocked. The data will then no longer be available for further use.

Unused Ambassadors accounts are identified and deleted by the administrator after 12 months.

4.4.2 Applicant data

Applications received on the Nakama referral platform might transferred to the Nakama Customer e-recruiting system and processed further there. Contact the privacy policy of the Nakama Customer for deletion periods there.

As long as an application is in the application process, the corresponding data remains stored. After the application process has ended, the data will be deleted - this will be done automatically after 8 months at the latest.

5. Relation with other Nakama policies / documents

5.1. Privacy & Cookie Policy website

The Nakama Privacy & Cookie Policy website shall apply in addition in case you are:

Making use of, or visiting any Nakama website other than the Nakama Products and Services;

  • Using the Nakama Products and Services under an administrator account or User account;
  • Direct interactions with Nakama, including accessing and/or interacting with content belonging to or controlled by Nakama as being made available to You by a collaborator of Nakama through the Nakama Products and Services;
  • Interacting with (software) tools related to the foregoing; and/or
  • As otherwise accepted by You.

(Last update 25 March 2019)

5.2. Terms of Use

The Nakama Terms of Use shall apply in addition in case you are:

  • Accessing and/or interacting with content belonging to or controlled by a Nakama Customer as being made available to You by or on behalf of that Nakama Customer through the Nakama Products and Services; and/or
  • Making use of, or visiting any Nakama website other than the Nakama Products and Services; and/or
  • As otherwise accepted by You.


(Last update 25 March 2019)

5.3. Data Processing Agreement

If You are looking for the Nakama Data Processing Agreement, please contact us hello@nakamahr.eu

(Last update 25 March 2019)