Legal

Privacy Policy

How we collect, use, store, and share your personal data — and the rights you have over it.

Last updated: 2026-06-20

1. Who we are

Pharmagen Recruit ("we", "us", "our") is a recruitment platform operated by Pharmagen, registered in Lebanon. We connect global healthcare employers with remote healthcare professionals. This policy describes how we handle personal data we receive from candidates, employers, recruiters, and website visitors.

Contact our data controller at [email protected].

2. What data we collect

We collect only the data necessary to deliver our service:

  • Identity and contact: name, email address, phone number, country of residence.
  • Professional information (candidates): CV, work history, qualifications, certifications, licences, language proficiencies, exam results, awards, and links to your LinkedIn / CV / video profile.
  • Company information (employers): company name, sector, hiring needs, contact people.
  • Application data: jobs you've applied to, cover notes, application status, interview scheduling, recruiter notes shared with you.
  • Account data: hashed password, two-factor authentication enrolment, account activity timestamps.
  • Communications: support tickets, contact-form submissions, in-platform messages.
  • Newsletter: if you subscribe, only your email address and the list type (candidate or employer); we hash your IP for spam-abuse audit purposes.
  • Technical: browser type, IP address (for rate limiting and security only — never stored in plaintext long-term), cookies / localStorage values that you have explicitly accepted.

3. How we use your data

  • To match candidates with relevant employer opportunities and vice versa.
  • To allow you to apply to roles, schedule interviews, and track applications.
  • To send transactional emails (account confirmation, password reset, interview notifications, application status changes). These are not optional while your account is active.
  • To send marketing emails (newsletter, occasional product updates) — only if you have opted in. You can opt out at any time via your profile settings or the unsubscribe link in any marketing email.
  • To verify professional credentials where the placement requires it.
  • To detect abuse (rate limiting, captcha verification, security monitoring).
  • To meet legal and regulatory obligations (e.g. payroll record retention).

4. Who we share your data with

We do not sell your personal data. We share it only in the following circumstances:

  • Prospective employers (candidates): your CV and profile are shared with prospective employers as part of the placement process. You will be notified before your profile is presented to any specific employer.
  • Recruiters and admins: Pharmagen Recruit staff have access to your profile data strictly to operate the platform.
  • Third-party processors:
    • Supabase — database and authentication, hosted in the EU.
    • Cloudflare — hosting, content delivery, captcha verification (Turnstile).
    • Resend — transactional and marketing email delivery.
    • Sentry — error reporting (server-side only; no user PII collected).
    Each provider operates under its own data protection commitments. Sub-processor list available on request.
  • Legal: we may disclose data when required by law, court order, or to protect rights, property, or safety.

5. International transfers and GDPR

Your data is stored within the European Union (Supabase EU region). When we send marketing or transactional email via Resend, the email body transits Resend's infrastructure (US-based). Cloudflare delivers content globally via its CDN. We rely on each processor's Standard Contractual Clauses (SCCs) or equivalent safeguards for any cross-border transfers — this is the legal basis under GDPR Article 46 for transferring personal data outside the EEA.

6. How long we keep your data

  • Active accounts: for the duration of your engagement with Pharmagen Recruit.
  • After account deletion: personal identifiers, CV, video submissions, and profile data are permanently purged within 30 calendar days.
  • Payroll and financial records: retained for a minimum of 7 years following the end of an engagement, as required by Lebanese tax and accounting law. Stored separately from the active profile.
  • Anonymised aggregate data: may be retained indefinitely for operational reporting (e.g. "applications by month").
  • Newsletter subscribers: email address retained until you unsubscribe; opt-out timestamp retained as proof of consent withdrawal.

7. Your rights

You have the right to:

  • Access — request a copy of the personal data we hold about you, in JSON format. Use Account Manager → Data Management → Export my data, or email us.
  • Rectification — correct inaccurate data. Most fields are editable from your profile; locked fields can be updated via the "Request edit" workflow.
  • Erasure — delete your account at any time via Account Manager → Data Management → Delete account. We will purge identifiers within 30 days.
  • Restriction — ask us to stop processing your data for specific purposes (e.g. marketing-only opt-out).
  • Portability — receive your data in a structured, machine-readable format (JSON).
  • Objection — object to processing based on legitimate interest; we will reassess.
  • Withdraw consent — withdraw marketing email consent at any time. Withdrawal does not affect prior processing.
  • Lodge a complaint — if you are in the EEA, UK, or another jurisdiction with applicable data-protection legislation, you may complain to the relevant supervisory authority.

To exercise any right, email [email protected]. We will respond within 30 calendar days.

8. Cookies and local storage

Pharmagen Recruit uses cookies and browser localStorage only where strictly necessary:

  • Authentication session — Supabase issues a session token on login. Without it you cannot use the portal.
  • Preferences — your theme choice (light / dark), cookie banner acknowledgment, tutorial-seen flag, newsletter widget dismissal — all stored in your browser's localStorage. We never read them server-side.
  • Cloudflare Turnstile — captcha verification cookies set by Cloudflare to detect bots. See Cloudflare's cookie policy.
  • Analytics — none. Pharmagen Recruit does not use third-party analytics (no Google Analytics, no tracking pixels, no Facebook pixel).

9. Security

We protect your data through:

  • TLS/HTTPS for all data in transit.
  • Database row-level security: every sensitive table is gated; an authenticated user can only read their own data (or the records they are explicitly authorised to see).
  • Password hashing via bcrypt (handled by Supabase Auth).
  • Optional two-factor authentication for any account.
  • Rate limiting on public endpoints to prevent brute force, scraping, and spam.
  • Captcha verification (Cloudflare Turnstile) on all public forms.
  • Strict Content Security Policy enforced in the browser.
  • Audit logging of all privileged admin actions.
  • Continuous security monitoring with alerting on errors and uptime regressions.

10. Data breach notification

If we confirm a data breach that affects your personal data, we will notify you within 72 hours of becoming aware of the incident. The notification will describe the data affected, the likely consequences, the measures we have taken, and the steps you can take to protect yourself.

11. Children

Pharmagen Recruit is not intended for users under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us and we will delete it.

12. Changes to this policy

We may update this policy occasionally. Material changes will be announced via email to active account holders and posted at the top of this page. Continued use of the platform after a material change indicates acceptance of the revised policy.

13. Relationship to our Terms & Conditions

This Privacy Policy supplements our Terms & Conditions. The Terms & Conditions govern your overall relationship with Pharmagen Recruit (rights, obligations, liability, termination). This Privacy Policy specifically governs how we handle your personal data. Where the two documents address the same topic, the Privacy Policy takes precedence on data-handling matters.

14. Contact

For any data protection question, request, or complaint, contact us at [email protected].