Candidate Data Privacy Notice

Our personal data processing practices for job applicants and candidates

1. Purpose and Scope of This Notice
2. Personal Data We Collect and Process
3. Legal Grounds for Our Processing of Your Personal Data
4. Our Disclosure of Your Personal Data
5. Data Retention
6. Data Security
7. International Data Transfers
8. Your Data Privacy Rights
9. California Privacy Rights
10. Changes to This Notice
11. Contact Us

1. Purpose and Scope of This Notice

Rivian respects your privacy and we are committed to protecting it. The purpose of this Candidate Data Privacy Notice (the “Notice”) is to inform you how we process your personal information or personal data (within the meaning of the applicable data protection laws) when you apply for employment and/or participate in our recruitment processes (“Candidate Personal Data”).

This Notice uses the Term “we”, “us” or “our”, which refers to the legal entity of the Rivian Automotive group of companies (“Rivian Group”) that you have sent an application to or communicated with related to our employment application and recruitment processes. This legal entity is the applicable Data Controller and may be found at the link in Section 11 (“Contact Us”) below.

2. Personal Data We Collect and Process

We may process the following categories of your Candidate Personal Data:

Contact information, such as your full name, home address, telephone number, and email address.*
Personal Information, such as gender, date of birth, signature, race, ethnic origin, current and past citizenship, marital status, disability, and veteran or military status, if you choose to provide this information.
Communications, such as email, text, or chat messages that we have exchanged with you.
Educational and professional background, such as your work history, academic and professional qualifications, educational records, references, interview notes, and criminal records.*
Employment details, such as your current employment information, including job title, position, hire dates, salary expectations, visa sponsorship needs, work authorization status, and the same information with respect to any previous employment you have held.*
Social media and website profiles, if you choose to provide this information, as well as and other information about you that is publicly available on the internet.
Network and device information, such as your IP address; computer or mobile phone make, model, operating system version, and screen size; MAC ID; operating system and platform; and browser type and version.
Recruiting system usage and interaction, such as your location, device/equipment, actions within the system(s), referring links to job postings (if any), and page visits, with your consent, where required by law.
Security information, such as passwords, security questions, and usernames if you create an account with us.
Preferences, such as your preferences for communication (e.g., language preferences) and positions of interest to you.

The Candidate Personal Data identified above with an (*) is mandatory in order to conduct our recruiting activities. Failure to provide or allow us to process mandatory Candidate Personal Data may affect our ability to consider you for employment.

We may collect Candidate Personal Data directly from you, as a job applicant, including when you submit an online or paper job application and any associated documents, such as a cover letter or resume, and in the course of subsequent communications and/or interviews following submission of your application. We may also collect Candidate Personal Data via automatic means, such network and device information and recruiting system usage and interaction information, as noted above, if you have not opted out of this collection. We may also receive Candidate Personal Data from third parties, with your consent, where required by law, such as through a background, employment, or reference check; from a staffing agency or equivalent; or from public sources such as LinkedIn.

3. Legal Grounds for our Processing of Your Personal Data

We process your Candidate Personal Data where necessary:

With your explicit consent (if applicable law requires consent), e.g., when allowing us to track certain interactions in our recruiting system and retain and use your application to inform you about and consider you for other positions that may be appropriate for you;
To carry out our application and recruitment process and take steps necessary to establish an employment relationship or enter into an employment contract with you at your request, e.g., communicating with you about the recruitment process and your application;
To comply with a legal obligation that applies to us, e.g., to create and submit reports as required by applicable laws or regulations, or to confirm your legal eligibility to work in a given jurisdiction; and
For our legitimate interests or the legitimate interests of third parties. We process your Candidate Personal Data based on the following legitimate interests:
- Identifying and evaluating job applicants, including assessing skills, qualifications, and interests for the purposes of determining eligibility and suitability for the position for which you have applied;
- Verifying your information and carrying out employment, background, and reference checks, where applicable, subject to your consent where required by applicable law;
- Keeping records related to our hiring processes, for only as long as required by law or other internal retention requirements;
- Complying with our legal, regulatory, or other corporate governance requirements;
- Analyzing and improving our application and recruitment process, including identifying from where candidates navigated to our job postings;
- Preventing fraud associated with our recruitment or employment processes;
- Ensuring network and Information security, including preventing unauthorized access to our computer and electronic communications systems and preventing malicious software distribution; and
- As otherwise required or permitted by applicable law.

If you would like for us to consider you for positions other than the one for which you have applied, you may instruct us to do so and we will retain and use your Candidate Personal Data for that purpose.

4. Our Disclosure of Your Personal Data

Candidate Personal Data may be accessed by or disclosed to Rivian employees who have a need to know such information in order to perform their duties and responsibilities. Such employees may include those in the People Team, Finance, Legal, and the team(s) to which the Candidate has applied, depending upon the information they each require in order to perform their job duties and responsibilities. This access or disclosure may include transfers of Candidate Personal Data to other members of the Rivian Group, who may use Candidate Personal Data for the same purposes described in Section 2 (“Personal Data We Collect and Process”) above.

Candidate Personal Data may be held at offices of Rivian, including in the United States, the United Kingdom, the European Union, and in the cloud, as well as shared with third party staffing agencies from which we may source candidates and service providers such as those providing background checks. We may also share Candidate Personal Data with other third parties if you authorize us to do so or where the sharing of Candidate Personal Data is otherwise permitted or required by applicable law.

Where legally required, we have entered into data processing agreements with external service providers and other members of the Rivian Group that meet the requirements of applicable data protection laws, including Art. 28(3) EU/UK GDPR (where applicable).

For example, all Candidate Personal Data will be shared with iCIMS, a cloud services provider located in the United States who is engaged by Rivian to help manage its recruitment and hiring process on Rivian’s behalf and may use Candidate Personal Data for this purpose. That transfer will be subject to appropriate safeguards, including, where applicable, under standard contractual clauses as described above. For more information on data transfers, please contact us as shown in Section 11 (“Contact Us”) below.

5. Data Retention

We will retain your Candidate Personal Data for a minimum of six months after we have informed you of the outcome of the recruitment process. We may keep the data longer if:

it is necessary for the purpose of fulfilling a legal obligation which includes the processing of personal data;
it is necessary for other accounting or reporting requirements;
we need to process the data for the establishment, exercise or defense of legal claims; and/or
you have provided your consent for us to retain the data for a longer period, consistent with our standard data retention practices.

To determine the appropriate retention period for Candidate Personal Data, we consider our legal obligations, the amount, nature, and sensitivity of the Candidate Personal Data, the potential risk of harm from unauthorized use or disclosure of your Candidate Personal Data, the purposes for which we process your Candidate Personal Data, and whether we can achieve those purposes through other means.

Under some circumstances we may anonymize or de-identify your Candidate Personal Data so that it can no longer be associated with or used to identify you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent, unless required by law.

If you are offered and accept employment with Rivian, the Candidate Personal Data we collected during the application and recruitment process will become part of your employment record, and we may use it in connection with your employment consistent with our internal policies and as described in our Workforce Personal Data Privacy Notice. If you do not become an employee, or, once you are no longer an employee of Rivian, we will retain and securely destroy your Candidate Personal Data in accordance with our record retention policies and applicable laws and regulations.

6. Data Security

We have in place appropriate security measures intended to prevent your Candidate Personal Data from being accidentally lost or used or accessed in an unauthorized way, including encryption of this information in transit and at rest and the implementation of controls designed to limit access to your Candidate Personal Data to those Rivian personnel who have a genuine business need to know it. Those Rivian personnel who process your Candidate Personal Data are required to do so only in an authorized manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and/or any applicable regulator of a suspected data security breach where we are legally required to do so in accordance with any legally prescribed timeframes.

Despite our implementation of these measures, posting or transmission of personal data via the internet, including using our recruiting system, by email or by other electronic means, is not completely secure. We cannot guarantee that personal data that is transmitted to us, particularly by electronic means, will be totally secure. It is possible that third parties may unlawfully intercept or access such data.

7. International Data Transfers

Candidate Personal Data may be transferred or stored internationally, including to or in countries that do not have data protection laws equivalent to those in the country where you reside or where your personal data is collected, for the purposes described in Section 2 (“Personal Data We Collect and Process”) above.

For transfers of Candidate Personal Data from the European Economic Area (“EEA”) Member States or UK to countries for which the EU Commission or the UK Information Commissioner’s Office has issued an adequacy decision saying the level of data protection is equivalent to the level within the UK or EU, we can rely on those adequacy decisions; this applies, inter alia, for data transfers between the UK and EEA Member States.
For transfers of Candidate Personal Data from Serbia to countries from the list of countries providing an adequate level of protection of personal data that is maintained by the Serbian Government, we can rely on that list.
For any transfers of Candidate Personal Data from the EEA, UK, or Serbia to countries not considered to provide an adequate level of protection of personal data by default, Rivian has implemented appropriate safeguards to provide the necessary level of data protection, primarily by entering into appropriate data transfer arrangements based on approved standard contractual clauses.
Candidate Personal Data about Canadians or that is collected in Canada may be transferred or stored outside of Canada, including to/in the United States, the United Kingdom, and the European Union, and may be subject to the laws and accessible to the courts, law enforcement and national security authorities of such jurisdictions. Please contact our Canadian Privacy Officer as listed in Section 11 (“Contact Us”) below if you wish to ask a question or obtain written information about our policies and practices with respect to service providers and other members of the Rivian Group outside of Canada who may process or store Candidate Personal Data.

9. Your Data Privacy Rights

It is important that the Candidate Personal Data we hold about you is accurate and current. Please keep us informed if your Candidate Personal Data changes during the recruitment process.

Depending on your location and applicable laws and regulations, you may have data privacy rights regarding Rivian’s processing of your personal data. Provided that the respective legal requirements are met, and based on the legal requirements applicable to your jurisdiction, subject to any legal restrictions or exceptions, you may have the right to:

Access/Know. Request confirmation from us as to whether or not your personal data is being processed by Rivian and, if so, access to such data and/or the more detailed circumstances of the data processing.
Correction/Rectification. Request that we correct any inaccurate personal data relating to you without undue delay. In this context, taking into account the purposes of the processing, you may also have the right to request the completion of incomplete personal data - also by means of a supplementary declaration. If you signed up for an account with Rivian, you may update the information associated with your account at any time by contacting us or logging into your account.
Deletion/Erasure. Request that your personal data be deleted without undue delay. In certain circumstances, it may not be possible for us to accept your request, for example, when the processing is necessary to comply with a legal obligation, or if the processing is necessary for the performance of a contract.
Portability. Request that we provide a copy of the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, and transfer this data to another controller without hindrance from us, where feasible.
Restriction of Processing. Request that we restrict processing of your personal data. In certain circumstances, it may not be possible for us to accept your request, for example, when the processing is necessary to comply with a legal obligation, or if we can demonstrate compelling legitimate grounds otherwise.
Object to Processing. Object, on grounds relating to your particular situation, to our processing of personal data concerning you which is (i) necessary for the performance of a task carried out in the public interest, (ii) carried out in the exercise of official authority vested in us, or (iii) processed by us on the basis of our legitimate interest. In this case, where applicable, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise, or defend legal claims.
Consent Withdrawal. Withdraw your consent that you have previously provided for Rivian’s collection, use or disclosure of your personal data, subject to reasonable notice and any contractual or legal exceptions. Note that this will not affect the lawfulness of our processing of your personal data based on consent before its withdrawal.
Automated Individual Decision-Making. Not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Note that this right shall not apply if such a decision is necessary as part of a contract we have with or want to conclude with you, we have your consent, or we are permitted by law to engage in such automated decision making. In these cases, we will implement measures to safeguard your rights and freedoms and legitimate interests and you may contest the decision by contacting us as set forth in Section 11 (“Contact Us”) below.
Complaints. Lodge a complaint with a supervisory authority at any time if you are of the opinion that the processing of personal data relating to you violates applicable law. If the complaint relates to provisions of the EU and UK GDPR, you can lodge such complaint with a supervisory authority in particular in the Member State of your place of residence, your place of work or the place of the alleged infringement. You may identify the applicable supervisory authority based on your location on the European Data Protection Board website. If the complaint relates to provisions of the UK GDPR, you can lodge such complaint with the Information Commissioner’s Office. If the complaint relates to provisions of the Serbian Data Protection Act, you can lodge such complaint with the Commissioner for Information of Public Importance and Personal Data Protection.

Where you have been asked to give and have given consent to Rivian’s collection, use or disclosure of your Candidate Personal Data, you may change your mind and withdraw that consent at any time, subject to reasonable notice and any contractual or legal exceptions, without affecting the lawfulness of our processing of your Candidate Personal Data based on consent before its withdrawal. Please note, however, that varying or withdrawing your consent may affect our ability to communicate with you and/or consider you for employment, and we may still need to retain your Candidate Personal Data as noted in Section 5 (“Data Retention”) above.

To exercise the above privacy rights, please visit this web form.

We will acknowledge and coordinate these requests as timely as possible. Initially, we will respond to and fulfill any such requests within one month or in accordance with applicable laws, which may be slightly longer (e.g., 45 days for California). In case we cannot comply with a request or cannot respond within that timeframe, we will generally provide you with the reason for this. We may request specific information from you to help us confirm your identity and your rights. Applicable law may allow or require us to refuse to provide you with access to some or all of the Candidate Personal Data that we hold about you, or we may have destroyed, erased, or made your Candidate Personal Data anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your Candidate Personal Data, we will generally inform you of the reasons why, subject to any legal or regulatory restrictions. We will not discriminate against you for exercising any of your privacy rights.

9. CALIFORNIA PRIVACY RIGHTS

If you are a California consumer, you have additional privacy rights under the California Consumer Privacy Act, as amended (“CCPA”), as described below.

Personal Information Collection, Use, and Disclosure

We have collected the following categories of personal information specified within the CCPA from or about California consumers and disclosed such personal data for a business purpose within the last twelve (12) months as described in Section 4 ("Our Disclosure of Your Personal Data") above, depending on the nature of your relationship with us (for example, whether you have purchased a vehicle and/or financing or insurance products from us):

Category	Examples	Collected	Disclosed for a Business Purpose
Identifiers	A real name, alias, postal address, unique personal identifier (e.g., employee ID), online identifier, Internet Protocol address, email address, driver's license number, passport number or other similar identifiers.	✔	✔
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))	A name, signature, Social Security number, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.	✔	✔
Protected classification characteristics under California or federal law	Age (40 years or older), citizenship	✔	✔
Commercial information	Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Biometric information	Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data
Internet or other similar network activity	Browsing history, information on a consumer's interaction with a website, application, or advertisement.	✔	✔
Geolocation data	Physical location or movement. Does not include precise geolocation.	✔	✔
Sensory data	Audio, electronic, visual, thermal, olfactory, or similar information.
Professional or employment-related information	Current or past job history or performance evaluations.	✔	✔
Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99))	Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
Inferences drawn from other personal information	Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	✔	✔
Sensitive Information	Government identifiers (social security, driver's license, state identification card, or passport number); complete account access credentials (usernames, account numbers, or card numbers combined with required access/security code or password); precise geolocation; racial or ethnic origin; mail, email, or text message contents	✔	✔

Use of Personal Information. We use the categories of personal information listed above as described in Section 2 (“Personal Data We Collect and Process").
Disclosure of Personal Information. We may disclose your personal information as set forth in Section 4 (“Our Disclosure of Your Personal Data”). In the preceding twelve (12) months, Rivian has disclosed each of the personal information categories as shown in the table above for a business purpose.
Access to Personal Information. You can request, up to two times each year, that we disclose the categories and/or specific pieces of personal information that we collect, use, disclose, and may sell.
Correction of Personal Information. You have the right to have inaccurate personal information corrected.
Deletion of Personal Information. You can ask us to delete the personal information that we have collected from you, subject to certain exceptions such as to complete a transaction for you, to exercise our rights, or to comply with a legal obligation.
Sales and Sharing of Personal Information. In the preceding twelve (12) months, Rivian has not “sold” or “shared” Candidate Personal Data as the terms “sell” and “share” are defined in the CCPA.
Right to Limit Use and Disclosure of Sensitive Personal Information. You have the right to direct us to limit our use of your sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer.
No Retaliation. You are entitled to exercise the rights described above free from retaliation as prohibited by the CCPA.

To exercise your California privacy rights, please visit this web form. If you cannot access the web form, would like assistance with exercising the privacy settings within your vehicle, or have any questions on your California privacy rights, you may contact us using the information in Section 11 (“Contact Us”) below.

Additional Information for California Residents

Authorized Agent. Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your personal information. You can designate an authorized agent to make a request under the CCPA on your behalf if: (1) the authorized agent is a natural person or a business entity registered with the Secretary of State of California; and (2) you sign a written declaration that you authorize the authorized agent to act on your behalf.

If you use an authorized agent to submit a request to exercise your rights, please have the authorized agent take the following steps in addition to the steps described above:
- Mail a copy of your signed written declaration authorizing the authorized agent to act on your behalf to privacy@rivian.com; and
- Provide any information we request in our response to your email to verify your identity. The information requested will depend on your prior interactions with us and the sensitivity of the personal information at issue.
  
  If you provide an authorized agent with power of attorney pursuant to Probate Code sections 4121 to 4130, it may not be necessary to perform these steps and we will respond to any request from such authorized agent in accordance with the CCPA.
Identity Verification. You may only submit a request to know twice within a 12-month period. Your request must provide sufficient information about you (which may include personal data such as your name and other personal identifiers) and your relationship, if any, with us that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. We will only use personal information provided in the request to verify the requestor's identity or authority to make it.

10. Changes to This Notice

We reserve the right to update this Notice at any time, and we will provide you with a new Notice when we make any material updates. If we would like to use your previously collected Candidate Personal Data for different purposes than those we notified you about at the time of collection, we will provide you with notice and, where required by law, seek your consent, before using your Candidate Personal Data for a new or unrelated purpose. We may process your Candidate Personal Data without your knowledge or consent only where permitted or required by applicable law or regulation.

Last Revised: October 13, 2023

11. Contact Us

If you have any questions or concerns about our processing of your Candidate Personal Data, this Notice or would like to alter or withdraw your consent or exercise your privacy rights, please contact us as specified below based on your location:

US/Other: By email at privacy@rivian.com or by mail at Attn: Privacy Officer, 14600 Myford Road, Irvine, CA 92606.
Canada: Attn: Privacy Officer, by email at privacy@rivian.com, by telephone at (844) 748-4261 or by mail at 1038 Homer Street, Vancouver, BC V6B 2W9.
EU/UK: By email at dpo@rivian.com or by writing to Herengracht 433, Unit 2.01 and 2.02, 1017 BR Amsterdam, The Netherlands.
Serbia: By email at dpo@rivian.com or by writing to Rivian SE Europe d.o.o. Beograd, c/o Petrikić & Partneri AOD, in cooperation with CMS Reich-Rohrwig Hainz, Krunska 73, 11000 Belgrade, Serbia

To exercise your privacy rights, please visit this web form.

You may view the list of Rivian Data Controllers within the meaning of applicable privacy laws at this webpage.