Skip to content
ThinkATS

Privacy Policy

How ThinkATS collects, uses, and protects your data.

Last updated: May 2026 · ThinkATS Technology Solutions Limited (RC 9151027)

1. Introduction

ThinkATS Technology Solutions Limited ("ThinkATS", "we", "our", "us") is incorporated in Nigeria (RC 9151027) and headquartered in Lagos, Nigeria. We operate a hiring infrastructure platform accessible at thinkats.com and all associated subdomains.

This Privacy Policy explains how we collect, use, store, share, and protect personal data in connection with the ThinkATS platform. It applies to:

  • Employers and workspace users — companies and individuals who create and operate a ThinkATS workspace ("Customers").
  • Candidates — individuals who apply for roles through careers sites powered by ThinkATS or browse roles at thinkats.com/jobs.
  • Visitors — anyone who visits thinkats.com or associated marketing pages.

This policy is governed primarily by the Nigeria Data Protection Act 2023 (NDPA) and is designed to be consistent with the EU General Data Protection Regulation (GDPR) and applicable data protection laws in the markets we serve, including Kenya (Data Protection Act 2019) and Ghana (Data Protection Act 2012).

2. Data controller and data processor

The roles of data controller and data processor differ depending on the context in which personal data is processed. It is important to understand this distinction.

Where ThinkATS is the data controller: When you visit thinkats.com, create a ThinkATS account, contact us, or subscribe to a plan, ThinkATS determines the purpose and means of processing your personal data. ThinkATS is the data controller for this data.

Where ThinkATS is the data processor: When a ThinkATS Customer uses the platform to manage candidates, publish roles, and operate a careers site, the Customer is the data controller and ThinkATS acts as the data processor on their behalf. ThinkATS processes candidate data strictly in accordance with Customer instructions and the terms of our Data Processing Agreement.

If you are a candidate who has applied for a role through a company's careers site powered by ThinkATS, the company you applied to is the data controller for your application data. Please contact that company directly to exercise your data rights in relation to your application. For questions about how ThinkATS processes data as a platform, contact us at privacy@thinkats.com.

3. Data we collect

3.1 Account and workspace data (Customers)

  • Name, work email address, job title, and company name on signup
  • Workspace configuration, branding settings, and plan information
  • Actions performed within the workspace including jobs published, candidates moved, and communications sent (audit log data)

3.2 Candidate data (processed on behalf of Customers)

  • Name, email address, phone number, location, and other contact details submitted via application forms
  • CV or resume, work history, education, certifications, and skills
  • Responses to screening questions defined by the hiring organisation
  • Application intelligence scores generated by ThinkATS against job requirements (skills match, experience, certifications, education, industry fit)
  • Pipeline stage history and recruiter notes added by the hiring organisation

3.3 Billing data

  • Subscription plan, billing currency, and payment history. Card and payment instrument data is processed directly by Paystack. ThinkATS does not store full card numbers or CVV codes.

3.4 Technical and usage data

  • IP addresses, browser type, device type, and access timestamps for security monitoring and platform stability purposes
  • Aggregated, anonymised usage analytics collected via Plausible Analytics. Plausible does not use cookies and does not collect personally identifiable information. No consent banner is required for Plausible Analytics.

3.5 Communications data

  • Messages you send us via email or contact forms, including the content of those messages and any attachments

4. Legal basis for processing

We process personal data on the following legal bases:

  • Contract performance: Processing necessary to provide the ThinkATS service to Customers and to operate candidate application workflows.
  • Legitimate interests: Security monitoring, fraud prevention, platform abuse detection, and aggregated product analytics.
  • Legal obligation: Compliance with applicable law, tax obligations, and responses to lawful regulatory or law enforcement requests.
  • Consent: Where we rely on consent (for example, optional marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing.

5. How we use your data

  • To create, operate, and maintain your ThinkATS workspace
  • To score and rank candidates against structured job requirements using Application Intelligence
  • To deliver transactional communications including application confirmations, stage updates, interview invitations, and offer letters on behalf of hiring organisations
  • To maintain audit logs that allow hiring teams to track workflow actions
  • To process subscription billing and manage plan changes
  • To monitor platform security, detect abuse, and maintain system stability
  • To improve the platform using aggregated, anonymised usage data only
  • To respond to support requests and legal enquiries

6. Data storage and security

All ThinkATS data is stored on AWS infrastructure located in EU West 1 (Ireland). We have chosen EU-based data residency to align with international data protection standards and to provide enterprise customers with confidence in data handling.

ThinkATS uses a multi-tenant architecture with row-level security (RLS) enforced at the database layer via Supabase. This means one organisation's data is strictly isolated from another's at the database level, not just the application layer. No tenant can access another tenant's data under any circumstances.

Candidate data submitted through a tenant's careers site is bound to that tenant workspace and is never shared with, visible to, or accessible by any other tenant.

Communications follow an outbox-based delivery pattern. Candidate emails are queued and processed by a background worker rather than sent directly from the user interface. This reduces operational risk and creates a clear delivery audit trail.

7. Data sharing and sub-processors

ThinkATS does not sell personal data. We do not share personal data with third parties for their own marketing purposes. We share data only with the following sub-processors as necessary to operate the platform:

  • AWS (Amazon Web Services) — Cloud hosting infrastructure. Data stored in EU West 1 (Ireland). AWS is certified under ISO 27001, SOC 2, and complies with GDPR.
  • Supabase — Database, authentication, and storage infrastructure. Deployed on AWS EU West 1. Supabase processes data strictly as a sub-processor.
  • Resend — Transactional email delivery. Used to deliver candidate communications and system notifications on behalf of Customers.
  • Paystack — Payment processing. Paystack processes billing data directly. ThinkATS does not store payment instrument data.
  • Plausible Analytics — Privacy-first website analytics. No cookies. No personal data collected. EU-based infrastructure. GDPR compliant by design.

All sub-processors are subject to contractual data protection obligations consistent with applicable law. We review sub-processor compliance on an ongoing basis.

8. International data transfers

ThinkATS stores all data in the EU (AWS EU West 1, Ireland). Where personal data is transferred outside the country of origin, we ensure appropriate safeguards are in place including standard contractual clauses, adequacy decisions, or equivalent protections under applicable law.

9. Your rights

Under the NDPA 2023 and applicable data protection law, you have the following rights in relation to your personal data:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete personal data.
  • Right to erasure: Request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction: Request that we restrict processing of your data in certain circumstances.
  • Right to data portability: Receive your personal data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time.

To exercise any of these rights, contact us at privacy@thinkats.com. We will respond within 30 days. We may request verification of your identity before processing your request.

Note for candidates: If you are exercising rights in relation to a job application, please contact the company you applied to directly, as they are the data controller for your application data.

10. Data retention

We retain personal data for the following periods:

  • Account data: For the duration of your active subscription and for 12 months following account closure or termination.
  • Candidate data: For as long as the hiring organisation's workspace is active. Customers are responsible for managing retention of candidate data within their workspace in accordance with applicable law.
  • Audit log data: Retained for 24 months from the date of the logged action.
  • Billing data: Retained for 7 years to comply with financial record-keeping obligations under Nigerian law.
  • Technical logs: Retained for 90 days for security and stability monitoring purposes.

You may request deletion of your personal data at any time. Where deletion is not possible due to a legal retention obligation, we will inform you and restrict processing of the relevant data instead.

11. Cookies and tracking

ThinkATS uses Plausible Analytics for website analytics. Plausible does not use cookies and does not collect any personally identifiable information. No consent is required for Plausible Analytics under GDPR or NDPA.

We do not use advertising cookies, tracking pixels, or cross-site tracking technologies on thinkats.com. If this changes, this policy will be updated and a cookie consent mechanism will be implemented before any such technologies are deployed.

12. Children's data

ThinkATS is a business-to-business platform not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@thinkats.com.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to active Customers via email or in-platform notification at least 14 days before taking effect. The date at the top of this page reflects the most recent update. Continued use of the platform after changes take effect constitutes acceptance of the updated policy.

14. Contact and complaints

For privacy enquiries, data access requests, or to exercise your rights, contact our privacy team:

Email: privacy@thinkats.com
ThinkATS Technology Solutions Limited
RC 9151027
18b Engineer Muali Subair Street, Lekki, Lagos, Nigeria

If you are not satisfied with our response, you have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpb.gov.ng, or with the relevant supervisory authority in your country of residence.