You know that feeling when you hit “submit” on a job application and it disappears into the void? I’ve been there too, more times than I can count. But one question kept nagging at me: What actually happens to my data after I apply? So, I went digging. And that journey led me deep into the hidden world of hiring tech, a world most job seekers never get to see.
Welcome to the Hidden World of ATS Platforms
Behind nearly every job application sits a quiet gatekeeper: the Applicant Tracking System (ATS). This is the software companies use to collect, sort, and rank resumes. They are convenient but not very transparent. These systems collect your personal data: your name, email, work history, education, phone number, and sometimes even sensitive details like disability disclosures or demographic information. But here’s what you likely won’t see in the process: how long they plan to keep your data. Not in the job posting. Not in the confirmation email. Often, not even in the company’s privacy policy.
Why This Should Concern You
That data you submitted two years ago could still be sitting in an ATS database somewhere. If the company didn’t set up rules for deletion or didn’t enforce them, your resume could be part of a massive archive no one has looked at in years. And the more data sitting idle, the bigger the risk of exposure. According to IBM’s 2023 Cost of a Data Breach Report, the average cost per breached record is $165. That adds up fast if thousands of candidate profiles are still sitting in old systems. You didn’t apply to be forgotten, but you didn’t agree to be archived forever either. With job scams on the rise, outdated or poorly secured applicant databases can become prime targets for phishing, impersonation, and fraud.
Who Decides When Your Data Gets Deleted
Here’s the surprising part: it’s not the ATS that makes the call. It’s the company you applied to. In data privacy terms, the hiring company is the data controller; they decide how long your data is kept and for what purpose. The ATS is the data processor; it follows the company’s instructions. So if the company says, “Delete after six months,” it gets deleted. But if they say nothing, your data could sit there indefinitely. Some ATS platforms offer automated deletion tools. But those tools only work if someone turns them on. That’s a big “if.”
What Standards Do ATS Platforms Follow?
This is where I really went deep. I reviewed the privacy policies and compliance claims of popular ATS platforms like Lever, Workday, Rippling, SmartRecruiters, and Greenhouse.
Most of them claim to follow:
- ISO/IEC 27001 (Information Security Management)
- SOC 2 (Security, Availability, Confidentiality)
- GDPR (European privacy law)
- CCPA (California privacy law)
These are strong data protection standards, but I didn’t see clear commitments to U.S. government-backed frameworks like:
- NIST SP 800-53 (Security Controls)
- NIST SP 800-61 (Incident Response)
- NIST SP 800-207 (Zero Trust Architecture)
Unless an ATS serves a government agency or federal contractor, it’s not required to comply with NIST. And when companies say they “align with best practices,” that often just means they’re borrowing ideas, not following regulated standards. Compliance means legal obligation. Alignment just means intention.
A Real Example: Greenhouse
Let’s look at Greenhouse, one of the most widely used ATS platforms. According to their privacy policy:
“We retain Personal Information only as long as there is an ongoing business need… Once that ends, we will either delete or anonymize it, or isolate it until deletion is possible.”
But what does “business need” actually mean? It could mean keeping your information to consider you for future roles, to defend against legal claims, or to analyze hiring data. Unless the company tells Greenhouse to delete your data or configures those settings, it may stay in the system indefinitely. Even when a company stops using Greenhouse altogether, deletion doesn’t happen immediately. Their Data Processing Addendum confirms a 90-day retention window after contract termination, plus a 30-day backup retention period. That’s months, possibly years, of your data hanging around unless someone takes action.
How to Protect Your Resume Data Right Now
While we wait for better standards, here are five steps you can take today:
- Ask the recruiter or HR contact how long your data will be stored.
- Look for a deletion or privacy option in the job application confirmation email.
- Use a separate email alias for job applications to track where your data goes.
- Limit metadata in your resume, especially unnecessary personal info.
- Keep a record of where you applied and follow up with deletion requests after 6–12 months.
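The alias and record-keeping steps above can be combined in one small script. This is an added example, not part of the original article: the mailbox, secret key, sample employers and the 183/365-day reading of “6–12 months” are assumptions, and it presumes your mail provider supports plus-addressing.

```python
import hashlib
import hmac
from datetime import date
from typing import Optional

# Assumptions (not from the article): plus-addressing works on this mailbox,
# and "6-12 months" is read as 183 and 365 days.
SECRET = b"constructed-demo-secret"      # constructed; use a private value
MAILBOX = ("jordan", "example.com")      # constructed address
FOLLOW_UP_DAYS, OVERDUE_DAYS = 183, 365


def alias_for(employer: str) -> str:
    """Derive a stable alias per employer that outsiders cannot guess."""
    name = employer.strip().lower().encode()
    tag = hmac.new(SECRET, name, hashlib.sha256).hexdigest()[:8]
    return f"{MAILBOX[0]}+{tag}@{MAILBOX[1]}"


def build_ledger(applications):
    """Record employer, application date and the alias given to them."""
    return [{"employer": e, "applied": d, "alias": alias_for(e)}
            for e, d in applications]


def attribute(recipient: str, ledger) -> Optional[str]:
    """Which employer's alias did this message arrive on? None if unknown."""
    wanted = recipient.strip().lower()
    for row in ledger:
        if row["alias"] == wanted:
            return row["employer"]
    return None


def deletion_status(applied: date, today: date) -> str:
    """Classify an application by how long the data has been held."""
    age = (today - applied).days
    if age >= OVERDUE_DAYS:
        return "overdue"
    return "request deletion" if age >= FOLLOW_UP_DAYS else "wait"


# Constructed sample applications.
SAMPLE = [("Acme Corp", date(2024, 1, 10)),
          ("Globex", date(2024, 8, 1)),
          ("Initech", date(2025, 1, 15))]

if __name__ == "__main__":
    for row in build_ledger(SAMPLE):
        print(row["employer"], row["alias"],
              deletion_status(row["applied"], date(2025, 3, 1)))
```

If mail you never signed up for arrives on one of these aliases, `attribute` tells you which application the address came from.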
Why Transparency Matters
This isn’t about dragging companies. It’s about raising the bar. If websites are required to tell us how long a cookie lives on our browser, shouldn’t job applications tell us how long our resumes live in their systems? Here’s what ethical hiring transparency could look like:
- A clear data retention policy posted on every application page
- An opt-out or deletion request link for candidates
- A personal data dashboard showing where your data lives and how long it’s kept
These aren’t wild ideas. They’re basic respect in the digital age.
A Better Way Forward
Imagine applying for a job and seeing this:
“We use Greenhouse ATS. Your application data will be stored for 12 months and deleted automatically after that. You may request deletion sooner.”
Simple. Transparent. Respectful.
Until that’s the norm, we have to be our own advocates. We need to ask questions, demand clarity, and push for data rights as job seekers. Because when your data is forgotten, you are, too. And we can’t let systems define our worth or our digital footprint without our consent.
Coming Soon: Hired, Tracked, Forgotten? My Data Rights as a Job Seeker
This article is just the beginning. In my next posts, I’ll cover:
- What to look for in a company’s privacy policy before submitting your application
- How to request deletion of your data from an ATS
- A sample Candidate’s Bill of Data Rights to share with employers
We’re not just submitting resumes. We’re reclaiming ownership over our digital identity.
Aqueelah is a Cybersecurity Analyst, digital ethics advocate, and co-author of a children’s cybersecurity book. She is also the creator of Project TRUSThire, a Zero Trust–aligned initiative that aims to protect job seekers from data exploitation, algorithmic profiling, and the hidden risks of digital hiring. The concept has since been acknowledged and forwarded to NIST’s Zero Trust team for review.







