For UK recruitment agencies

CVs come in. GDPR questions follow them.

Your business runs on candidate PII that you never asked the candidates' permission to keep. The legitimate-interest balance is questioned by every other candidate. EU clients want SCC paperwork. The DUAA deadline on 19 June 2026 adds a mandatory complaints procedure. Rowpa builds all of it from your stack in 15 minutes.

Why recruitment GDPR is harder

The data subject isn't your customer. Your customer is the hiring company; the data subject is the candidate. Your legal basis for holding CVs is legitimate interest, which means the candidate can object at any time, and every objection has to be handled. CV retention is bounded by purpose, not your storage capacity. EU-based candidates and EU-based clients add cross-border transfer questions on top.

You knew most of this. The REC and APSCo have said it. Your ATS handles part of it. But the ATS doesn't handle your ROPA, your vendor DPA register, your DSR workflow for candidate access requests, or your DUAA complaints procedure.

What Rowpa builds for you

ROPA for a recruitment agency
AI classifies your candidate, client, and supplier flows. Special-category data (where you collect it for diversity reporting) gets separate treatment.
Vendor DPA register for the recruitment stack
Bullhorn, Vincere, JobAdder, Jobylon, Greenhouse, Workable, RingCentral, LinkedIn Recruiter, all in the vendor library with verified DPA URLs, sub-processor lists, transfer mechanisms.
Privacy notice with the legitimate-interest balance written down
The kind of notice a candidate can read in two minutes and the kind an ICO investigator wouldn't pull apart.
DSR public intake form
Candidates who want their data removed have a form. AI drafts the response with legal reasoning from your ROPA. 30-day deadline tracked.
DUAA complaints procedure live in 5 minutes
Public intake form, 30-day acknowledgement, audit trail. Ready for the 19 June 2026 deadline.
Public Trust Center URL
One link to send to enterprise clients during a tender or vendor onboarding. ROPA summary, sub-processors, security overview, privacy notice, DSR submission.

Pricing

Starter £49/mo for small agencies, 1-5 consultants. Growth £149/mo for typical agencies (includes site scanner, DPIA tool, breach response planner). Agency tier (£299) is generally not needed unless you're a parent group managing multiple agency brands.

Common questions

Does this work with our ATS?
Yes. Our vendor library includes Bullhorn, Vincere, JobAdder, Jobylon, Greenhouse, Workable, and more, each with verified DPA URLs, sub-processor lists, and transfer mechanisms. Add yours if missing and the AI enriches it.
What about candidate consent vs legitimate interest?
Both are valid bases. Rowpa documents which you use for each processing activity. Most agencies rely on legitimate interest for candidate sourcing and on consent for some marketing activities. Rowpa makes the distinction explicit and defensible.
How does this handle 'right to be forgotten' requests from candidates?
A public DSR intake form collects the request. AI drafts a response, citing your ROPA. You confirm and send. 30-day deadline tracked. The candidate gets a clear answer; you get an audit trail.
Can we hide candidate data when responding to a client compliance questionnaire?
Yes. The Trust Center URL summarises your posture without disclosing any candidate or client data.
Do you handle SCCs for EU candidates and EU clients?
Yes. Vendor library entries include UK and EU transfer mechanisms, IDTA / SCC status, and adequacy notes.

DUAA hits 19 June. Your candidates and clients both want answers.

Build your compliance in 15 minutes. Share it in one link.

Start free. 14 days of everything.