Privacy

Kosma Corp Privacy Policy

Last updated: 07/10/25

Kosma Corp ("Kosma," "we," "us," or "our") is committed to protecting the privacy of natural persons who interact with us—including website visitors, clients, job candidates, and other individuals whose Personal Information we process. This Privacy Policy explains what Personal Information we collect, why we collect it, how we use it, with whom we disclose it, and the choices and rights you have. It applies to:

The websites, landing pages, and mobile applications we own or operate and that link to this Policy (collectively, the "Sites");
Our recruiting, staffing, and head‑hunting activities, including candidate portals, background‑check workflows, and marketing communications (together, our "Services").

Notice at Collection (California & other U.S. state laws) — The table in Annex A summarises the categories of Personal Information we collect, the business or commercial purposes for which we collect them, and whether we "sell" or "share" that information for cross‑context behavioural advertising. Please review it before you submit any information to us.

If you are in the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland, see Section 8 for GDPR‑specific information, including our legal bases for processing and your additional rights.

Definitions
Information We Collect
How We Use Personal Information
How We Disclose Personal Information
Your Privacy Rights & Choices (U.S. States)
Exercising Your Rights & Identity Verification
Data Retention & Disposal
Additional Disclosures for Individuals in the EEA/UK/Switzerland
Cookies & Similar Technologies
Marketing Communications & TCPA Consent
Security Safeguards
International Transfers
Automated Decision‑Making
Children’s Privacy
Changes to This Policy
Contact Us
Annex A – Notice at Collection / Statutory Categories (U.S.)

1. Definitions

"Personal Information" ("PI") means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual. This includes "Personal Data" under the GDPR.

"Sensitive Personal Information" ("SPI") means Personal Information that U.S. or international privacy laws deem sensitive (e.g., government‑issued identifiers, precise geolocation, racial or ethnic origin, biometric data, or background‑check results).

Unless defined in this Policy, terms have the same meaning as in the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CPRA") and the EU General Data Protection Regulation ("GDPR").

2. Information We Collect

We collect the following categories of Personal Information from or about you:

Identifiers — name, postal address, email, phone, IP address, online identifiers.
Professional & Employment‑Related Information — résumé/CV data, education, work history, skills, references, compensation expectations, interview notes.
Sensitive Personal Information — government ID numbers, background‑check results, criminal records (where permitted), and, for payroll clients, bank details.
Internet or Network Activity — log files, device data, cookies, analytics information.
Commercial & Transaction Information — purchase records, payment method, billing details.
Geolocation Data — general location derived from IP address or GPS (if you enable location services).
Audio/Visual Data — CCTV images if you enter our offices; voice recordings of customer‑support calls (with notice).
Inferences & Preference Data — derived from the foregoing to tailor services or marketing.

We collect this information:

Directly from you when you create an account, submit a résumé, complete forms, participate in interviews, or communicate with us.
Automatically through cookies, pixels, SDKs, server logs, and similar technologies.
From third parties such as background‑check providers, public sources, social‑media platforms, and references you authorise.

3. How We Use Personal Information

We use Personal Information for one or more of the following business or commercial purposes:

Recruiting & Staffing — to assess suitability for roles, schedule interviews, run background checks with your consent, and present you to prospective employers.
Account & Contract Management — to create and maintain accounts, process payments, and fulfil contractual obligations.
Marketing & Analytics — to send newsletters (with opt‑out), analyse website traffic, and measure campaign effectiveness.
Compliance & Risk Management — to comply with applicable laws (e.g., anti‑money laundering, employment, equal‑opportunity), enforce our agreements, detect fraud, and maintain security.
Corporate Transactions — in connection with mergers, acquisitions, asset sales, or financing.

We will not collect additional categories of Personal Information or use it for materially different purposes without providing notice.

4. How We Disclose Personal Information

We may disclose your Personal Information to:

Clients / Prospective Employers — when you authorise us to submit your candidacy.
Service Providers & Contractors (as defined under CPRA) — hosting, ATS, CRM, payment, analytics, background‑check vendors, and professional advisers bound by contract to process PI only on our instructions.
Affiliates & Subsidiaries — within Kosma Corp’s corporate family for consistent service delivery (subject to this Policy).
Legal & Regulatory Authorities — when required by law or to protect rights, safety, or property.
Successors — in connection with a corporate transaction (subject to confidentiality restrictions).

No Sale or Sharing for Cross‑Context Behavioural Advertising — We do not “sell” or “share” your Personal Information within the meaning of CPRA §1798.140 nor use it for targeted advertising across unaffiliated entities. If that ever changes, we will provide a clear “Do Not Sell or Share My Personal Information” link and update this Policy in advance.

5. Your Privacy Rights & Choices (U.S. States)

Depending on where you live, you may have some or all of the following rights (subject to lawful exemptions):

Right to Know / Access — request confirmation and specific pieces of PI we hold.
Right to Delete — ask us to delete PI we collected from you.
Right to Correct — request correction of inaccurate PI.
Right to Portability — obtain a copy of PI in a portable format.
Right to Opt‑Out of: (i) sale or sharing of PI; (ii) targeted advertising; (iii) profiling in furtherance of decisions that produce legal or similarly significant effects.
Right to Limit Use & Disclosure of SPI.
Right to Non‑Discrimination / No Retaliation for exercising your rights.
Right to Appeal (CO, CT, VA) — if we deny your request.

6. Exercising Your Rights & Identity Verification

Submit a request via our Privacy Request Portal at https://kosmacorp.com/privacy‑request, email privacy@kosmacorp.com, or call +1‑800‑555‑0199 (toll‑free).
We will verify your identity (and authority, if you use an authorised agent) by matching information you provide with information we maintain and may request additional ID.
We will respond within 45 days (extendable once for another 45 days with notice) or as otherwise required by law.
If we deny your request, you may appeal by emailing appeals@kosmacorp.com. If you are in Colorado, Connecticut, or Virginia and remain unsatisfied, you may contact your state Attorney General.

7. Data Retention & Disposal

We retain Personal Information only for as long as reasonably necessary to fulfil the purposes described above, comply with legal obligations, resolve disputes, and enforce agreements. The typical retention periods are:

Candidate & Recruiting Records: 7 years after the last engagement or final disposition of an application.
Client & Billing Records: 7 years after the end of the client relationship.
Marketing Contact Data: 2 years after the last interaction or until you opt‑out.
Website Log Files & Analytics Data: 24 months.

When retention periods expire, we permanently delete, de‑identify, or aggregate the data in accordance with NIST SP 800‑88 guidelines.

8. Additional Disclosures for Individuals in the EEA/UK/Switzerland

8.1 Controller & Representative

Kosma Corp, 1422 Edinger Ave, Suite 110, Tustin, CA 92780, USA, is the controller of your Personal Data. Our EU representative pursuant to Article 27 GDPR is **Kosma EU Rep Ltd.*, 6 Lower Baggot St, Dublin 2, Ireland. Our Data Protection Officer ("DPO") can be reached at dpo@kosmacorp.com.

8.2 Legal Bases for Processing

We rely on one or more of the following legal bases: (a) Contract, (b) Legitimate Interests (e.g., recruiting, fraud prevention), (c) Consent (for marketing or sensitive data where required), (d) Legal Obligation, or (e) Public Task where applicable.

8.3 International Transfers

We transfer Personal Data to the United States and other countries with appropriate safeguards such as the EU Standard Contractual Clauses and UK Addendum, or participation in the EU–U.S. Data Privacy Framework (once certified).

8.4 GDPR Rights

You have the right to access, rectify, erase, restrict, or object to processing, and the right to data portability and not to be subject to automated decision‑making. You may also lodge a complaint with your local supervisory authority.

9. Cookies & Similar Technologies

We use first‑party and third‑party cookies, pixels, and SDKs for analytics, functionality, and security. You can manage cookies via your browser settings or by clicking “Cookie Settings” on the Site footer.

10. Marketing Communications & TCPA Consent

If you opt in to receive SMS or telephone communications, you consent to receiving autodialled or prerecorded calls or texts for recruiting and marketing purposes. Message and data rates may apply. Reply STOP to any SMS to unsubscribe.

11. Security Safeguards

We employ administrative, technical, and physical measures consistent with industry standards to protect Personal Information, including encrypted data‑at‑rest, TLS in transit, role‑based access controls, regular penetration testing, and vendor due‑diligence reviews.

12. International Transfers (additional details)

Where we transfer Personal Information outside your jurisdiction, we rely on adequacy decisions, Standard Contractual Clauses, or other lawful transfer mechanisms and will provide copies upon request.

13. Automated Decision‑Making

We do not use automated decision‑making that produces legal or similarly significant effects without human review.

14. Children’s Privacy

Our Sites and Services are not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect PI from children. If you believe we have collected such data, please contact us and we will delete it.

15. Changes to This Policy

We may update this Policy from time to time. We will post the updated version on this page and change the "Last Updated" date. Material changes will be notified via email or prominent notice on the Sites.

16. Contact Us

If you have any questions about this Policy or our privacy practices, please contact:

Postal Address: Kosma Corp Privacy Office, 1422 Edinger Ave, Suite 110, Tustin, CA 92780, USA
Email: privacy@kosmacorp.com
Toll‑Free: +1‑800‑555‑0199

17. Annex A – Notice at Collection / U.S. Statutory Categories

CPRA Category	Examples	Source	Purpose	Disclosed To	Sold/Shared?	Retention
Identifiers	Name, email, phone, IP	You	Recruiting, account management	Service providers, clients	No	7 yrs (candidates) / 2 yrs (marketing)
Professional or Employment Information	Résumé, job history	You / References	Recruiting	Clients	No	7 yrs
Sensitive PI	SSN, background check	Background-check vendor	Compliance	Clients (with consent)	No	7 yrs
Internet Activity	Log files, cookies	Automatic	Analytics, security	Analytics providers	No	24 mo
Geolocation	IP-based city	Automatic	Fraud prevention	Analytics providers	No	24 mo
Commercial Info	Transaction records	You	Billing	Payment processors	No	7 yrs

KOSMa