Formerly known as Recfindr Engage. We've rebranded to Rylo — same great platform, fresh new look.

FeaturesHow it worksPricingBlog
Sign in

Privacy Policy

Rylo – operated by Recfindr Ltd

Effective Date: 2 April 2026 | Version 2.0

1. Who We Are

Rylo is a product operated by Recfindr Ltd, a company registered in England and Wales.

Legal EntityRecfindr Ltd
Company Number14419156
Registered AddressArquen House, 4-6 Spicer Street, St. Albans, England, AL3 4PQ
Support Contactsupport@sendrylo.co.uk
Privacy LeadAlexandra Chirica (acting)
Phone07825 368964

We operate Rylo, a software platform that enables recruitment agencies to create branded client workspaces for sharing proposals, candidate profiles, terms, and analytics through a single secure link.

2. Our Role as Controller and Processor

Depending on context, we act in two distinct capacities:

2.1 Data Controller

We act as a Data Controller for data associated with registered users of Rylo — including recruiters, administrators, and invited employer contacts — and for data collected through our website and marketing activities.

2.2 Data Processor

We act as a Data Processor where our customers (recruitment agencies) upload or enter data relating to their clients, candidates, or third parties into Rylo workspaces. In this capacity we only process such data on our customers' documented instructions and do not access or use it for our own purposes unless required to resolve a support issue with the customer's express permission.

Where we act as Processor, our Data Processing Agreement (available on request) governs the relationship between us and the customer (who acts as Controller).

3. Types of Data We Collect

We may collect and process the following categories of personal data:

Contact InformationName, email address, job title, company name, meeting link URL
Authentication DataLogin credentials, login method (Google, Microsoft, LinkedIn SSO)
Platform Usage DataPage views, block interactions, workspace views, file upload events, session activity
Technical IdentifiersIP address, browser type, device type, session tokens
Communications DataSupport queries, in-app comments, feedback submissions, call notes
Uploaded ContentFiles, links, images, or text voluntarily added to Rylo workspaces by authorised users
Lead & Enquiry DataName, email, company, notes captured via contact or demo request forms

We do not collect:

  • Special category data (race, health, religion, political opinions, etc.)
  • Biometric data
  • Financial or payment card data (payments are not processed through the platform)
  • Data concerning children

4. Legal Basis for Processing

We rely on the following legal bases under UK GDPR / EU GDPR for our processing activities:

Account creation and platform accessContractual necessity (Article 6(1)(b))
Product usage analytics and improvementLegitimate interests (Article 6(1)(f))
Support and troubleshootingLegitimate interests (Article 6(1)(f))
Marketing communications to current usersLegitimate interests (Article 6(1)(f))
Responding to demo or contact form requestsConsent (Article 6(1)(a))
Legal compliance and auditLegal obligation (Article 6(1)(c))
Processing customer-uploaded data (as Processor)Contractual necessity / customer instruction

Where we rely on legitimate interests, we have conducted a balancing test and concluded that our interests are not overridden by the rights and freedoms of data subjects. You may request a copy of our legitimate interests assessment by contacting support@sendrylo.co.uk.

5. Product Analytics

We use PostHog for product analytics. PostHog tracks how users interact with Rylo — for example, which workspace blocks are used, how long sessions last, and which features drive engagement. This data is used to:

  • Improve product design and user experience
  • Identify and resolve bugs or performance issues
  • Understand feature adoption and user workflows
  • Inform product roadmap decisions

Analytics data is stored securely and access is restricted to authorised internal team members. We do not share analytics data with third parties for commercial purposes, and we do not use analytics for automated decision-making or profiling that produces legal or significant effects on individuals.

PostHog may process data outside the UK/EEA. Where this occurs, appropriate safeguards are in place (see Section 8 – International Transfers).

6. Cookies and Tracking Technologies

Our website and platform use cookies and similar technologies to maintain sessions, remember preferences, and support analytics. By continuing to use Rylo after being presented with our cookie notice, you consent to non-essential cookies being set.

You may withdraw consent for non-essential cookies at any time via your browser settings or by contacting us. Withdrawal of consent does not affect the lawfulness of prior processing.

7. Leads and Demo Requests

If you submit a contact or demo request form, we may store:

  • Your name, email address, job title, and company
  • Notes regarding your expressed interest or requirements
  • Correspondence, including emails and call notes

This data is held in our internal CRM system and used solely to:

  • Respond to your enquiry
  • Follow up on expressed interest in Rylo
  • Support internal sales planning and pipeline management

We do not send marketing emails without your consent. You may withdraw consent at any time by emailing support@sendrylo.co.uk or clicking 'unsubscribe' in any email we send.

8. Data Sharing and Third Parties

We do not sell personal data to third parties. We may share data in the following limited circumstances:

8.1 Sub-processors

We use a limited number of trusted third-party service providers (sub-processors) to operate Rylo. These include infrastructure providers, analytics tools, and communication platforms. All sub-processors are subject to data processing agreements and provide adequate safeguards for personal data. A current list of sub-processors is available on request.

8.2 Legal Requirements

We may disclose personal data if required to do so by law, court order, or in response to a request from a competent regulatory authority.

8.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred as part of that transaction. We will notify affected individuals in advance where required by applicable law.

9. International Data Transfers

Where personal data is transferred outside the United Kingdom or European Economic Area, we ensure that appropriate safeguards are in place, including one or more of the following:

  • The receiving country has been deemed 'adequate' by the UK Secretary of State or the European Commission
  • We rely on the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs)
  • The transfer benefits from another lawful derogation under Article 49 UK/EU GDPR

Further information about our transfer mechanisms is available on request.

10. Data Retention

Active user account dataRetained for the lifetime of the active account
Former user dataUp to 12 months following account deletion, unless a longer period is required for legal or audit purposes
Analytics dataMay be retained in pseudonymised or aggregated form indefinitely for product improvement purposes
Lead and CRM dataRetained while a commercial relationship exists or for up to 3 years following last contact, whichever is earlier
Customer-uploaded contentRetained in line with the customer's workspace and content settings; deleted when the user removes content or the account is closed, subject to system cleanup cycles

11. Your Rights

You have the following rights under UK GDPR and/or EU GDPR, subject to applicable exemptions:

  • Right of Access – to obtain a copy of your personal data and information about how it is processed
  • Right to Rectification – to correct inaccurate or incomplete personal data
  • Right to Erasure – to request deletion of your personal data in certain circumstances
  • Right to Restriction – to restrict processing of your personal data in certain circumstances
  • Right to Data Portability – to receive your personal data in a structured, machine-readable format
  • Right to Object – to object to processing based on legitimate interests or for direct marketing purposes
  • Right to Withdraw Consent – where processing is based on consent, to withdraw it at any time without affecting prior lawful processing
  • Right to Lodge a Complaint – with the Information Commissioner's Office (ICO) at ico.org.uk, or your national supervisory authority

To exercise any of these rights, please email support@sendrylo.co.uk. We will respond within one calendar month of receipt. Where requests are complex or numerous, we may extend this period by a further two months with notice to you.

We will not charge a fee for handling rights requests unless they are manifestly unfounded or excessive.

12. Security

We apply appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. Our security practices include:

  • Encryption of data in transit (TLS) and at rest
  • Access controls restricted to authorised personnel on a need-to-know basis
  • Regular security monitoring and logging
  • Encrypted backups with access restricted to system administrators
  • Vendor due diligence for all sub-processors

Notwithstanding these measures, no system is entirely immune from risk. We encourage users to use strong passwords, enable multi-factor authentication where available, and notify us promptly of any suspected security incident.

13. Personal Data Breaches

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, where feasible.

Where a breach is likely to result in a high risk to individuals, we will also notify affected data subjects without undue delay, in accordance with Article 34 UK GDPR.

Where we act as Processor, we will notify the relevant Controller without undue delay upon becoming aware of a personal data breach affecting data processed on their behalf.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The effective date at the top of this document will be updated accordingly.

Where changes are material, we will notify registered users by email or via an in-platform notification prior to the changes taking effect. We encourage you to review this Policy periodically.

15. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact:

CompanyRecfindr Ltd (operating as Rylo)
Emailsupport@sendrylo.co.uk
Phone07825 368964
AddressArquen House, 4-6 Spicer Street, St. Albans, England, AL3 4PQ
ICO Registrationico.org.uk (for complaints)