1. Who we are
Yezda Ltd ("Yezda", "we", "us") is a company registered in England and Wales (company no. 15234567), with registered office at 86 Jermyn Street, St James's, London, SW1Y 6AW. We are registered with the UK Information Commissioner's Office (ICO) under registration number ZB789456.
Our screening operations are carried out in accordance with BS7858:2019 (Screening of individuals working in a secure environment — Code of practice), the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
Our Data Protection Officer can be contacted at dpo@yezda.co.uk.
2. Scope of this policy
This policy applies to four groups of people:
- Candidates — individuals being screened, who interact with us through the Yezda mobile app and screening journey.
- Customer users — staff at organisations that engage Yezda to screen people on their behalf, who use the organisation portal.
- Referees and previous employers — third parties whose details are provided to us as part of a candidate's history.
- Public site visitors — anyone using yezda.co.uk, including the public certificate verification page.
Controller / processor split. When we screen candidates on behalf of an organisation, the organisation is the controller and Yezda is the processor. We act as controller for our own marketing site, customer-account data, payment records, and where a candidate uses the public app independently of any sponsoring organisation.
3. Personal data we collect
From candidates (BS7858 screening)
- Identity: full name, date of birth, current and previous addresses (5-year minimum, per BS7858 §6.3), nationality, right-to-work status, photograph (selfie), passport / driving licence / national identity card images.
- History: 5-year work history including periods of unemployment, education, self-employment, voluntary work, travel and caring; gap explanations; reasons for leaving previous roles.
- References: contact details and responses from employers, educators and character referees; corroboration of dates, role, conduct and reason for leaving.
- Financial: credit history check via a licensed credit reference agency (where required by your sponsoring organisation), including county court judgments (CCJs), individual voluntary arrangements (IVAs) and bankruptcies; sanctions and politically exposed person (PEP) screening.
- Criminal record (where contracted): declared unspent convictions; basic DBS check results where the customer has a lawful basis to receive them.
- Biometric & device: liveness check data and ID document forensics processed by our identity verification partner.
- Communications: messages exchanged with your assigned screener, push notification tokens, support tickets.
From customer users
- Name, work email, role, organisation, login credentials, IP address, user-agent, audit log of actions.
From site visitors
- Pages viewed, approximate location (country / region from IP), device type, referring URL, cookie data (see our Cookies Policy).
4. Why we use your data
| Purpose | Categories | Lawful basis |
|---|---|---|
| Carry out BS7858 / BPSS / PSA screening | Identity, history, references, financial, criminal | Contract (with sponsoring org); legal obligation; legitimate interests of the customer in workforce vetting |
| Verify identity & detect document fraud | Biometric, ID document, liveness | Substantial public interest (preventing crime); explicit consent for biometrics |
| Issue and host screening certificates | Outcome, validity dates, candidate name | Contract; legitimate interests |
| Provide the customer portal & mobile app | Account data, communications | Contract |
| Service emails (status updates, certificate ready) | Email, status | Contract; legitimate interests |
| Marketing to organisations (B2B) | Work email, role, organisation | Legitimate interests (with opt-out) |
| Comply with legal & regulatory obligations | All categories as required | Legal obligation |
| Defend legal claims & disputes | Audit logs, screening file | Legitimate interests |
5. Lawful bases & special category data
Some data we process during screening is "special category" data under Article 9 UK GDPR (for example the biometric data used in liveness checks, or health data you volunteer), and data relating to criminal convictions and offences is subject to the separate rules in Article 10 UK GDPR. For each, we rely on a specific condition under Article 9 or Article 10, read with Schedule 1 DPA 2018:
- Biometric (liveness): Article 9(2)(a) — explicit consent, given separately in-app and revocable.
- Criminal offence data: Article 10 UK GDPR with the condition in Schedule 1, Part 2, paragraph 10 DPA 2018 (preventing or detecting unlawful acts), combined with the substantial-public-interest condition relied on by your sponsoring organisation.
- Health / disability data (only where you volunteer it to explain a history gap): Article 9(2)(h) where a reasonable adjustment is needed; otherwise we discard it.
6. Where we get data from
- From you directly (mobile app, web portal, calls, email).
- From your sponsoring organisation (your name, role applied for, contracted check level).
- From third-party processors we appoint at bureau level: our nominated IDV provider (identity and document verification), CreditSafe (credit, AML, PEP and sanctions screening) and GBG (address verification); and by validating the HMRC tax-year overview you supply.
- From referees and previous employers you nominate.
- From public registers (Companies House, electoral roll, insolvency register).
7. Who we share data with
- Your sponsoring organisation — the screening outcome, certificate, and the structured report. We do not share your raw documents (e.g. passport scan) unless you have explicitly consented.
- Our sub-processors — see the sub-processor list maintained in our Data Processing Agreement. All sub-processors are bound by contractual data-protection terms equivalent to ours.
- Regulators, law enforcement, courts — where compelled by valid legal process, or where disclosure is necessary to prevent or detect crime.
- Professional advisers — auditors, lawyers, insurers under duties of confidentiality.
- A successor in the event of a corporate restructure, merger or sale, subject to equivalent protections.
We do not sell personal data, and we do not share personal data for behavioural advertising.
8. International transfers
Yezda's primary infrastructure is hosted in the UK (London region). Limited transfers may occur to the EEA (for data resilience) and to the US (for support tooling). Where data leaves the UK, we rely on:
- UK adequacy decisions (EEA, and the UK extension to the EU–US Data Privacy Framework where the recipient is certified); or
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, plus a transfer risk assessment.
9. How long we keep data
| Data | Retention | Reason |
|---|---|---|
| Active screening file | Duration of screening | Operational |
| Completed screening file (with passed certificate) | 7 years from certificate date | BS7858 §10.1 audit; defence of claims |
| Failed / withdrawn screening | 12 months from outcome | Dispute window; statistical reporting |
| Biometric (liveness) raw data | 30 days from match decision | Data minimisation |
| Criminal disclosure source documents | 6 months from outcome (then destroyed) | DBS code of practice |
| Customer account & billing records | 7 years after contract ends | Companies Act / HMRC |
| Marketing prospect data | Until opt-out + 30 days | PECR / suppression |
10. Your rights
Under UK GDPR you have the right to:
- Access a copy of the personal data we hold about you.
- Rectify inaccurate data.
- Erase data, subject to our legal retention obligations.
- Restrict or object to processing.
- Data portability — receive a structured copy of data you provided to us.
- Withdraw consent at any time where we rely on consent.
- Not be subject to solely-automated decisions with legal or similarly significant effects. Yezda's screening outcomes are always reviewed by a qualified human screener and counter-signed before issue.
- Complain to the ICO at ico.org.uk or 0303 123 1113.
Email dpo@yezda.co.uk to exercise any right. We will respond within one calendar month.
11. Security
Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Document storage uses object-level access tokens with short expiry. We are ISO/IEC 27001:2022 certified. Access is role-based and audit-logged; multi-factor authentication is mandatory for all Yezda staff and customer admins. Penetration testing is carried out annually by an independent CREST-accredited tester.
12. Children's data
Yezda's services are not directed at children. BS7858 screening is only carried out for individuals aged 16+; in practice, the population we screen is overwhelmingly adult. We do not knowingly collect data from anyone under 16 via our marketing site.
13. Changes to this policy
We will notify customers of material changes by email at least 30 days before they take effect. Candidates are notified in-app on next sign-in. The version date at the top of this page reflects the most recent revision.
Yezda Ltd · Data Protection Officer · 86 Jermyn Street, St James's, London, SW1Y 6AW · dpo@yezda.co.uk