HAPTAI Privacy Policy: Recruiters & Partners
Effective Date: January 2026
Introduction
This Privacy Notice explains how THG Ventures Limited (trading as The Hacking Games) (“we”, “us”, “our”, “THG”) handles the personal data of individuals working for our Recruiters and Outreach Partners.
It also outlines the "Joint Controller" arrangement that governs how we collectively handle candidate data (where applicable).
1. Who We Are & How to Contact Us
THG is the Data Controller of your personal data and owns the HAPTAI platform at https://haptai-admin.thehackinggames.com/admin (“HAPTAI”).
- Email: haptai.support@thg-v.com
- Address: 298a Gray's Inn Road, London, England, WC1X 8DX
2. Where We Get Your Data
We use different methods to collect data from and about you, including:
- Directly From You: When you or your organisation sign a contract with us, create a Recruiter or Outreach Partner Profile, or otherwise interact with us.
- Professional Networking & Public Sources: To identify potential partners who may benefit from our platform, we research publicly available information on company websites and professional networking sites (such as LinkedIn). This helps us ensure we are contacting the right person for a specific hiring role.
- Industry Events & Conferences: If we meet you at a cyber security or recruitment event, we may collect your business contact details (such as through a business card exchange or lead-scanning) to follow up on our conversation.
- Your Organisation: Your colleagues or "Primary Admin" may provide your name and work email to set you up as a user on our platform.
3. How We Use Your Personal Data
When you sign up to the platform as a professional user, we collect and process your personal data to provide the service.
Purpose: Account Management
Type of Data: Company name, Company Logo, email address, password
Lawful Basis: Contractual Necessity
Why we need it: To set up your access to the recruiter or partner portal.
Purpose: Platform Administration
Type of Data: List of vacancies you want to upload, email address, password
Lawful Basis: Contractual Necessity
Why we need it: To manage your account and ensure you have vacancies that are meaningfully measurable by our tool.
Purpose: (For Recruiters only): Candidate Referral (Onboarding)
Type of Data: Candidate name and email provided by you.
Lawful Basis: Joint Controllership / Legitimate Interests
Why we need it: To facilitate the invitation of your existing applicants to our platform.
Purpose: Platform Support
Type of Data: Email address and records of your support queries.
Lawful Basis: Contractual Necessity
Why we need it: To respond to your help requests and fix technical issues you encounter.
Purpose: Technical Maintenance
Type of Data: IP address, device type, and usage logs.
Lawful Basis: Legitimate Interests
Why we need it: To find and fix bugs so the platform stays secure and works well.
Purpose: (For Recruiters Only): Security & Auditing
Type of Data: Logins, vacancy uploads, reports viewed
Lawful Basis: Legitimate Interests
Why we need it: To maintain security, prevent fraud, and audit how candidate reports are accessed.
Purpose: B2B Marketing & Updates
Type of Data: Work email and communication preferences.
Lawful Basis: Legitimate Interests
Why we need it: To keep you informed about new platform features, cyber-security insights, or industry events.
Purpose: Platform Improvement
Type of Data: Aggregated usage data (how you use the portal).
Lawful Basis: Legitimate Interests
Why we need it: To analyse how recruiters use our tools so we can make the interface more efficient.
Purpose: Defending Legal Claims
Type of Data: Records of contract history and platform interactions.
Lawful Basis: Legitimate Interests
Why we need it: To protect our legal rights or respond to disputes regarding the recruitment process.
What Happens if You Do Not Provide Your Data
In most cases, providing your personal data is a contractual requirement or a necessary step to enter into a business relationship with us.
If you choose not to provide the requested information, the following may occur:
- Account Access: We will be unable to create your Recruiter or Outreach Partner Profile or grant you access to the platform dashboard.
- Candidate Interaction: If you are a Recruiter, you will not be able to view Aptitude Reports, invite candidates for assessment, or manage the recruitment process through our tools. If you are an Outreach Partner, you will not be able to receive the aggregated insights about your member base.
- Security & Verification: We cannot verify your identity or maintain the mandatory security audit trails required to protect candidate data.
- Support: We will be unable to respond to your technical queries or provide platform assistance.
Where certain information is optional (such as a profile photo or optional professional bio, if applicable), we will make this clear at the point of collection.
4. Who We Share Your Information With
We do not sell your personal data. We share your information only with the following recipients:
- Candidates: Your company name and company logo are shared with candidates when you invite them to an assessment or match with them for a role.
- Your Organisation: The "Primary Account Holder" or "Admin" at your company can view logs of your activity (e.g., which reports you have accessed) for internal audit purposes.
- Our Service Providers (Processors): We use trusted technical partners to help us run the platform, such as OpenAI (for AI analysis) and Google Cloud (for secure storage).
- Professional Advisors, Legal Authorities, and Business Transfers: We may share your data with other third parties in specific circumstances:
  - Professional Advisors: Such as our lawyers, auditors, or insurers, when necessary for legal or professional advice.
  - Legal Authorities: We will share data if we are legally required to do so by the police, a court, or regulators (like the ICO).
  - Business Changes: If we sell, transfer, or merge parts of our business, the new owners may use your data in the same way as set out in this Privacy Notice.
5. How Long We Keep Your Data
We retain your personal data for as long as your organisation has an active commercial relationship with us.
- Account Deletion: If you leave your company or no longer require access, we will deactivate your account upon request from your organisation’s Admin.
- Audit Records: We may retain "logs" of your actions on the platform (such as which candidate reports you viewed) and account details for up to 6 years after the end of the contract to comply with legal record-keeping and to defend against potential legal claims.
- Marketing: If we have collected your data for business development, we will keep it until you "unsubscribe" or until we determine it is no longer required.
6. Security
We take technical and organisational measures to protect your information:
- Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
- Access Control: Only authorised staff with a specific business need can access the backend of the platform.
- Vendor Due Diligence: We check all third parties (like OpenAI and Google Cloud) to ensure they meet UK security standards.
7. International Data Transfers
Where personal data is shared and disclosed as set out above, these parties may be established outside the United Kingdom. For example, some of the service providers we use to support our services are based in the United States, and this involves a transfer of your personal data to the USA.
Whenever we transfer your personal data outside the United Kingdom, we ensure that a similar degree of protection is afforded to it by ensuring appropriate safeguards are implemented. This may include, where appropriate, relying on an adequacy decision or signing up to an International Data Transfer Agreement or Standard Contractual Clauses. To find out more information regarding the specific mechanism used by us when transferring your personal data outside the United Kingdom, please contact us using the details set out in this Privacy Notice.
8. Cookies and Similar Technologies
We use "cookies" - small text files stored on your device - to help our platform work and to understand how you interact with it.
- Strictly Necessary Cookies: These are essential for you to move around the platform and use its features, such as logging into secure areas. Without these, the assessment and report generation cannot function. We do not need your consent for these.
- How to Control Cookies: You can set your browser to block cookies, but please note that some parts of the platform may stop working if you do.
9. Marketing and Service Updates
- Service Updates: We will send you essential emails regarding platform maintenance, security updates, or changes to our terms. You cannot opt out of these.
- Business Development: Under UK e-Privacy rules for "corporate subscribers," we may contact you at your work email with cyber-recruitment insights or platform news if you have not opted out of receiving marketing communications from us.
- Your Right to Stop: You can ask us to stop sending you marketing communications at any time by following the opt-out links within any marketing communication sent to you or by contacting us at haptai.support@thg-v.com.
10. Your Legal Rights
Subject to any exemptions provided by law, you may have the right to:
- Request access to your personal data (commonly known as a “data subject access request”) and to certain other supplementary information that this Privacy Notice is already designed to address.
- Request correction of the personal data we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Receive the personal data concerning you which you have provided to us in a structured, commonly used, and machine-readable format and have the right to transmit those data to a third party in certain situations.
- Object to processing of your personal data at any time for direct marketing purposes.
- Object to decisions being taken by automated means which produce legal effects concerning you or significantly affect you.
- Object in certain other situations to our continued processing of your personal data.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Withdraw your consent to our processing of your personal data, where we have collected and processed it with your consent.
To exercise these rights, or if you have a complaint, please contact us at haptai.support@thg-v.com and let us have enough information to identify you. We may need to ask for extra information from you to help us identify you before we can process your request. We may also ask you to clarify the scope of your request.
We will try to respond to all legitimate requests within one month. Occasionally, it may take us longer than a month if your request is particularly complex. In this case, we’ll notify you and keep you updated.
You also have the right to contact your supervisory authority. In the UK, this is the Information Commissioner’s Office (www.ico.org.uk).
11. Your Duty to Inform Us of Changes
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data (such as your email address) changes during your relationship with us. You can update your details at any time through your Profile Settings.
Sections 12 and 13 only apply to Recruiters:
12. Our Joint Controller Relationship
In certain parts of the recruitment journey, THG and your organisation act as Joint Controllers. This means we both play a role in deciding how and why candidate data is processed.
When we are Joint Controllers
- Candidate Referral & Onboarding: When you invite your own candidates to use the HAPTAI platform, we jointly determine the process for their initial registration and assessment setup.
- Transparency: We are both responsible for ensuring candidates understand that their data is being used for recruitment purposes. THG provides the primary Privacy Policy, but you are responsible for ensuring candidates know why you have invited them to our platform.
When we act independently
- THG as Sole Controller: We remain the sole controller of the underlying AI algorithms, raw gameplay data, and the proprietary scoring logic. You do not have access to or control over these internal mechanisms.
- Recruiter as Independent Controller: Once an Aptitude Report is shared with you, you become an independent controller of your copy of that report.
- Hiring Decisions: You are solely responsible for (a) how you use that data to make hiring decisions, (b) how you store it in your own internal HR or Applicant Tracking Systems (ATS), and (c) ensuring a human reviews the Aptitude Report before a candidate is rejected or progressed.
Handling Data Subject Requests
Under our arrangement, THG acts as the lead contact point for candidates who wish to exercise their data protection rights (such as data access or deletion) regarding their platform profile.
- If you receive a request from a candidate regarding their HAPTAI assessment, you should forward it to us at haptai.support@thg-v.com as soon as possible.
- Note: Candidates may legally exercise their rights against either of us, and we are both required to cooperate to fulfill these requests within the legal timeframe.
- Candidate Outreach: The Partner (you) is responsible for the legal basis of the initial email list shared with [Client].
- The Assessment Platform: [Client] is solely responsible for the security of the gaming environment and the accuracy of the scoring logic.
- Hiring Decisions: The Partner (you) is solely responsible for ensuring a human reviews the Aptitude Report before a candidate is rejected or progressed.
13. AI Transparency & Decision Support
Our platform uses AI to assist you in evaluating candidate aptitudes. This is provided as Decision Support only.
- The Logic: Our models analyse behavioral data from games and transcripts to generate Persona scores. We provide you with the "rationale" behind these scores in each candidate report.
- Fairness & Bias: We conduct regular internal audits to ensure our models are statistically accurate and do not produce discriminatory outcomes. We use prompt-based and interim technical measures to ensure protected characteristics (like age or neurodiversity) do not influence a candidate's aptitude score. Further details on our testing protocols and bias mitigation warranties are set out in our Partnership Agreement.
- No Raw Data Access: You will not be provided with the candidate's raw interview text or specific game strategies. You receive only the Aptitude Report to ensure privacy by design.
- Your Role: You agree that final hiring decisions are made by your human staff. You should use our reports as one of many factors in your selection process.
14. Changes to this Privacy Notice
We keep our Privacy Notice under regular review. If we make significant changes to how we handle your data, we will notify you by:
- Sending an email to the address associated with your account; and/or
- Placing a prominent notice on our platform login page.
This version was last updated in January 2026. Historical versions can be obtained by contacting us.
