Abbiamo appena lanciato Wavi.io

Privacy Policy – StepsConnect

(Website, ATS Platform and Related Services)

Last updated: 25/01/2025

This Privacy Policy explains how STEPS SRL, trading as StepsConnect (“StepsConnect”, “we”, “us”), processes personal data when you use:

hire.stepsconnect.com may host client career pages and application flows; the candidate-facing privacy notice is provided by each client company (as Controller).

app.stepsconnect.com is the end-user environment used for the application experience and related communications (where enabled by the client).

Important (Candidates): when you apply to a job posted by a company using StepsConnect, the data controller is the client company running the recruitment process. StepsConnect processes candidates’ data as a data processor on behalf of that client.

1. Data Controller

Controller: STEPS SRL trading as StepsConnect
Address: Via Luigi Galvani 24, 15121 Alessandria (AL), Italy
VAT: IT 02618180067
Email: admin@stepsconnect.com
PEC: steps.edu@legalmail.it

2. Scope and privacy roles

2.1 Processing where StepsConnect acts as Controller

StepsConnect acts as Controller when it processes personal data for:

  • browsing and security of the website and its portals;
  • handling demo/contact requests and pre-contractual/commercial communications;
  • managing user accounts and access (especially for security, logging, support and service administration), to the extent required to provide the service.

2.2 Processing where StepsConnect acts as Processor

When a candidate applies to a job managed through the StepsConnect ATS, StepsConnect processes the candidate’s data as Processor on behalf of the client Controller.

The full candidate-facing privacy notice is provided by the client company via its application form/career page.

3. Categories of personal data we process

3.1 Website visitors and commercial contacts
  • identification and contact data (name, email, phone number, company/role);
  • content of requests submitted via forms/email;
  • technical data (IP address, device/browser, logs, security data);
  • cookie preferences (consent/refusal and granular choices).

3.2 Platform users (client’s users)
  • account data (name, email, role, permissions);
  • access and usage logs (audit trail and security events);
  • support-related data (tickets and operational communications).
3.3 Candidates (on behalf of the client)
  • data entered in the application form (contact details, professional information);
  • CV, attachments and answers to questionnaires configured by the client.

StepsConnect does not require the collection of special category data. Any fields and information requested from candidates are defined and managed by the client in accordance with applicable law.

4. Sources of personal data

Personal data may be collected from the following sources:

  1. Directly from the data subject
  • when you fill in a form on our website (e.g., demo/contact request) or contact us;
  • when you use the platform as a client user;
  • when, as a candidate, you submit information and attachments through a client’s application form.

  1. From the client (Controller)
  • when a client creates or manages user accounts for platform access;
  • when a client configures workflows, forms and fields for the recruitment process.

  1. From third parties chosen by the client
  • through integrations enabled by the client (e.g., job boards): StepsConnect may receive candidate data from the platform where the candidate applied, within the scope of the integrations activated and the client’s instructions.

5. Purposes, legal bases and retention

The table below summarizes the main processing activities where StepsConnect acts as Controller (website and user management).
For candidate data processed through the ATS, StepsConnect acts as Processor: purposes, legal bases and retention are determined by the client Controller.

Website / Contacts

  • Purpose: Handling demo/contact requests and pre-contractual communications
  • Legal basis: Pre-contractual steps / contract
  • Retention: Up to 24 months after the request is closed, unless a business relationship is established

Website / CRM

  • Purpose: Managing commercial relationships and organizing contacts (e.g., CRM)
  • Legal basis: Legitimate interests and/or pre-contractual steps (case-by-case)
  • Retention: Up to 24 months after the request is closed, unless a business relationship is established

Website / Security

  • Purpose: Security, fraud/abuse prevention, incident management, technical logs
  • Legal basis: Legitimate interests and security obligations
  • Retention: 6–12 months, unless needed for incident response/investigations or legal obligations

Platform / Client users

  • Purpose: Creating and managing accounts, access control and authorizations
  • Legal basis: Contract (service to the client) + legitimate interests for security
  • Retention: Contract term + up to 24 months for operational/security needs

Platform / Support

  • Purpose: Technical assistance and ticket handling
  • Legal basis: Contract / legitimate interests in service quality
  • Retention: Up to 24 months

Administration

  • Purpose: Accounting, tax and legal compliance; contract management and disputes
  • Legal basis: Legal obligation / legitimate interests
  • Retention: For statutory periods (typically 10 years)

ATS / Candidates (on behalf of client)

  • Purpose: Recruitment and application management
  • Legal basis: Determined by the client Controller
  • Retention: Determined by the client Controller (configurable). Limited technical copies (e.g., backups) per service policy and contract

6. AI features, matching and no automated decisions

StepsConnect may offer AI-based support features (e.g., summaries, analysis, candidate-role matching) with human oversight. StepsConnect does not make automated decisions producing legal effects or similarly significant effects on candidates.

When using third-party AI providers, we apply data minimization and de-identification/pseudonymization where possible. Data is not used for training and is not retained by the provider according to the configurations and agreements in place.

7. WhatsApp (Meta) – enabled feature and candidate opt-in

StepsConnect may provide a WhatsApp-based feature (via Meta infrastructure) to support parts of the recruitment process, such as application-related communications, screening questions, and interview scheduling. This feature is disabled by default and must be explicitly enabled by the client company.

Where WhatsApp is used:

  • the client company (Controller) is responsible for providing the candidate privacy notice and collecting any required opt-in/consent before starting WhatsApp communications;
  • StepsConnect processes messages for delivery and technical handling within the service and does not retain message content beyond what is necessary for those purposes, unless required by law or documented technical needs.

8. Job board integrations

StepsConnect:

  • sends to job boards only job posting data (job content);
  • receives candidate applications from job boards according to integrations enabled by the client.

Clients select the job boards they use and with which they have contractual relationships; StepsConnect acts as a technical integrator within the ATS service.

9. Recipients and service providers (sub-processors)

To operate the website/portals and provide the service, StepsConnect may use service providers that process data as processors or, in some cases, as independent controllers, depending on the service and applicable terms.

An updated list of the main sub-processors is available upon request by contacting admin@stepsconnect.com or the PEC above.

10. International data transfers

As a rule, data is processed in the EU/EEA. If transfers outside the EU/EEA are necessary, StepsConnect implements appropriate safeguards (e.g., Standard Contractual Clauses) and supplementary measures where required.

11. Cookies and similar technologies

The website uses cookies and similar technologies:

  • strictly necessary/technical cookies (operation and security);
  • analytics and/or marketing cookies, enabled only with your consent via the cookie banner/cookie center.

If you refuse non-essential cookies, marketing/analytics tools are not enabled and only technical, security and functional cookies remain active.
You can change your choices at any time via the “Cookie settings” link on the website.

For details (categories, duration and providers), please use the cookie banner/cookie center (“Cookie settings”) available on the website. A dedicated Cookie Policy page may be published/updated from time to time.

12. Security measures

StepsConnect implements appropriate technical and organizational measures to protect personal data (e.g., access controls, logging/auditing, backups and incident management procedures). In the event of a personal data breach affecting processing carried out as Processor, StepsConnect will inform the client Controller in accordance with contractual timelines and procedures.

13. Data subject rights

13.1 Website users and commercial contacts (StepsConnect = Controller)

You may exercise your rights under the GDPR (access, rectification, erasure, restriction, objection and portability, where applicable) by contacting admin@stepsconnect.com or steps.edu@legalmail.it. We may request information to verify your identity before responding.

13.2 Candidates (Client = Controller)

If you applied to a job managed through a company using StepsConnect, you must exercise your rights with the client Controller (the company). If StepsConnect receives a request directly, it will forward it to the client and support it within the scope of its Processor role.

14. Complaint to the supervisory authority

If you believe the processing of your personal data violates applicable law, you may lodge a complaint with the competent supervisory authority. In Italy: Garante per la Protezione dei Dati Personali.

15. Updates to this Privacy Policy

We may update this Privacy Policy to reflect legal requirements or service changes. The latest version will always be available on this page with the “Last updated” date.