Every careers page in 2026 carries the same legal load: a privacy policy that explains what candidate data you collect, a terms-of-service page, an explicit consent flow for sensitive categories of data, and a named national supervisory authority a candidate can complain to. Get any of it wrong and the consequences range from a CNIL letter in France to a six-figure ICO fine in the UK to class-action exposure under California’s CCPA. Most SMBs either pay a lawyer €3,000–€8,000 per market to draft these policies, or they copy a generic template from the internet and hope the regulator never notices. Neither is a real answer when you’re hiring across five countries.

This month Flowxtra shipped Auto-Generated Privacy Policies — a server-side policy generator that detects your company’s country, picks the correct compliance framework (GDPR, UK-GDPR, or CCPA), and produces a localized policy in 13 languages with the right national supervisory authority pre-filled. It is included on every plan of our free recruiting software: no credit card required, no “legal add-on” SKU.

Why this needed to exist

The privacy-policy problem for recruiting is harder than for regular SaaS, for three reasons.

First, recruiting collects categories of data that fall under GDPR Article 9 — health information from disability disclosures, biometric data from video interviews, sometimes religious affiliation from cover letters. Article 9 requires explicit consent and a separate legal basis.

Second, recruiting is cross-border by default — a German company hires a Spanish candidate who applies from a Portuguese IP address. Whose law applies? The candidate’s, the company’s, or both.

Third, every EU member state has its own supervisory authority — the CNIL in France, the BfDI in Germany, the AEPD in Spain, the Garante in Italy — and the privacy policy must name the correct one for complaints. A copy-pasted template that says “contact the ICO” for a French candidate is technically non-compliant.
The hand-rolled fix was to hire a privacy lawyer per market. That gates the entire feature behind “your company has a legal budget” — which excludes most SMBs we serve.

What the generator actually does

When a company sets up its Flowxtra tenant, the system already knows its country, its legal name, its registered address, and the markets where it posts jobs. The privacy policy generator uses those signals to build a compliant document in four steps:

1. Detect the framework. The company’s ISO 3166-1 alpha-2 country code maps to one of three regimes: GDPR (27 EU + EEA states), UK-GDPR (United Kingdom), or CCPA / state-level US privacy laws (California, Virginia, Colorado, Connecticut, Utah, with more being added). More than 30 countries are currently mapped explicitly; everything else falls back to GDPR by default, with a manual override.

2. Pick the language. Each Flowxtra-supported locale has a hand-drafted template: 13 languages currently — English, German, French, Spanish, Italian, Dutch, Portuguese, Polish, Swedish, Danish, Finnish, Hungarian, Czech (more coming). The system writes the policy in the company’s primary locale, not in English by default.

3. Inject the supervisory authority. The right regulator name and URL are looked up from a country-to-authority map maintained inside Flowxtra. A French company gets CNIL; a German company gets BfDI; a Spanish company gets AEPD; a UK company gets ICO; a US-California company gets the California Attorney General; and so on.

4. Replace the placeholders. Eleven placeholders in each template are filled from the company record — legal name, registered address, contact email, data protection contact (we deliberately say “Privacy Contact” rather than “DPO” for SMBs that don’t legally need a Data Protection Officer), supervisory authority name and URL, the framework name itself, and a few more.
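As an added illustration of how the four steps fit together (example code, not Flowxtra’s own), here is a toy generator in Python. The country, authority and template maps are constructed samples; the choice to reject a country with no mapped regulator rather than guess one, and to HTML-escape tenant-supplied values because the output is published into careers-page HTML, are this example’s own.

```python
"""Toy version of the four-step generator described above (an added illustration,
not Flowxtra's code). Maps and templates are constructed; verify URLs before use."""
from html import escape
import re

# Step 1: ISO 3166-1 alpha-2 (plus a US-state key) -> framework.
FRAMEWORK = {"DE": "GDPR", "FR": "GDPR", "ES": "GDPR",
             "GB": "UK-GDPR", "US-CA": "CCPA"}

# Step 3: country -> (supervisory authority, complaint URL). Illustrative only.
AUTHORITY = {
    "FR": ("CNIL", "https://www.cnil.fr"),
    "DE": ("BfDI", "https://www.bfdi.bund.de"),
    "ES": ("AEPD", "https://www.aepd.es"),
    "GB": ("ICO", "https://ico.org.uk"),
    "US-CA": ("California Attorney General", "https://oag.ca.gov/privacy"),
}

# Step 2: one hand-drafted template per locale (two constructed stubs).
TEMPLATES = {
    "en": ("{{legal_name}} ({{registered_address}}) processes candidate data "
           "under {{framework}}. Privacy Contact: {{privacy_contact}}. "
           "Complaints: {{supervisory_authority}} ({{supervisory_authority_url}})."),
    "fr": ("{{legal_name}} ({{registered_address}}) traite les données des "
           "candidats conformément au {{framework}}. Contact vie privée : "
           "{{privacy_contact}}. Réclamations : {{supervisory_authority}} "
           "({{supervisory_authority_url}})."),
}
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def generate_policy(company: dict, locale: str) -> str:
    """Render the policy for one tenant. `company` carries country, legal_name,
    registered_address and privacy_contact; `locale` selects the template."""
    country = company["country"]
    framework = FRAMEWORK.get(country, "GDPR")  # unmapped -> GDPR, as the post says
    if country not in AUTHORITY:  # never ship a policy naming the wrong regulator
        raise ValueError(f"no supervisory authority mapped for {country}")
    authority, url = AUTHORITY[country]
    values = {"framework": framework, "supervisory_authority": authority,
              "supervisory_authority_url": url}
    # Step 4: tenant-supplied strings are HTML-escaped because the rendered
    # policy is published straight into careers-page HTML.
    for key in ("legal_name", "registered_address", "privacy_contact"):
        values[key] = escape(str(company[key]))
    template = TEMPLATES[locale]
    missing = sorted(set(PLACEHOLDER.findall(template)) - set(values))
    if missing:  # an unfilled placeholder is a broken policy, not a warning
        raise ValueError(f"unfilled placeholders: {missing}")
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)
```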
The output is a complete, framework-correct privacy policy and terms-of-service page that the recruiter can review, edit, and publish to their careers page in under five minutes — without ever opening a Word template or calling a lawyer.

Side-by-side: how the three frameworks differ

| Aspect | GDPR (EU/EEA) | UK-GDPR | CCPA (California) |
|---|---|---|---|
| Legal basis for candidate data | Pre-contractual + consent | Pre-contractual + consent | Notice at collection |
| Special categories (Art. 9) | Explicit consent required | Explicit consent required | “Sensitive PI” opt-out right |
| Right to erasure | 30 days | 30 days | 45 days |
| Data breach notification | 72 hours to supervisor | 72 hours to ICO | Notify affected residents “in the most expedient time” |
| Supervisory authority example | CNIL / BfDI / AEPD / Garante | ICO | California AG / CPPA |
| Typical lawyer cost | €3,000–€5,000 | £2,500–£4,500 | $3,500–$8,000 |
| Flowxtra cost | €0 | €0 | €0 |

The generator handles all three frameworks plus the per-country supervisory-authority injection, so a Flowxtra customer expanding from Germany to the UK doesn’t pay a second lawyer to redraft — the system regenerates the UK version when the British subsidiary record is added.

What the templates actually say

Each template covers the standard sections every privacy policy needs:

- What categories of data are collected from candidates (contact, CV, application form responses, optional demographic).
- Legal basis for processing — pre-contractual interest first (the candidate asked to be considered), explicit consent last (only for Article 9 special categories and marketing).
- How long data is retained (default 24 months post-application, configurable per tenant) and the automatic deletion mechanism.
- The candidate’s rights — access, rectification, erasure, restriction, portability, objection — with the email address to send the request to.
- Data breach notification commitments (the GDPR Art. 33–34 72-hour rule, with the carve-out for low-risk incidents).
- Cross-border transfers (Standard Contractual Clauses, adequacy decisions where applicable).
- Cookie and tracking technology disclosure for the careers page.
- The named supervisory authority and its complaint URL.

The result is a document that’s defensible in front of any of the 27 EU supervisors or the ICO, and that gives a CCPA-compliant notice for California job posts. We had it reviewed by two privacy practitioners before shipping; what they flagged we fixed.

Why this matters for the rest of the platform

The auto-generated policies plug directly into the rest of the Flowxtra ATS recruiting software in three places:

- The careers page shows the right policy in the right language to the right candidate — a French applicant sees the French CNIL-compliant version even though the company itself is based in Germany.
- The application form includes the consent checkbox text drawn from the generated policy, so the legal basis recorded in the candidate record matches what the candidate actually agreed to.
- The AI screening agent uses the policy’s special-categories opt-in flag to decide whether to ignore disability or health information in the CV — a small but real compliance detail that the AI recruiting agent needs in order to operate within Article 9.

Pricing — included on every plan

The privacy policy generator is part of the platform’s core compliance layer. No per-policy fee, no per-language charge, no “legal automation add-on.” The same generator runs for the free tier and the Enterprise tier. We treat it as infrastructure, the same way we treat the careers page itself.

How to use it

If you already have a Flowxtra workspace, open Company → Privacy Policies, pick the language, click Generate, review the output, and publish it. Three minutes from open to live. If you operate in multiple countries, generate one per market — each gets the right framework, the right authority, and the right localized strings. If you don’t have a workspace yet, signup is the fastest path.
Start free today — no credit card, no sales call, no €5,000 lawyer invoice for a privacy policy that should have always been a default.