1. Scope and Who We Are
This Privacy Policy describes how AI Recruiting Assistant ("we", "us", "the Service") collects, uses, discloses, and protects personal information when you or your employer use our AI-powered recruiting and interview platform, available at www.recruitabilityai.com and related applications.
The Service operates in two modes:
- As a Data Processor — when a company (our "Customer") uses the Service to interview and evaluate its job applicants. In this mode, the Customer is the Data Controller for candidate data and is responsible for its own privacy obligations to those candidates.
- As a Data Controller — for data we collect directly, including Customer account information, billing details, and our own marketing website visitors.
2. Data We Collect
From Candidates
When a candidate participates in an interview, assessment, coding challenge, reference check, or skills matrix, we collect:
| Category | Examples | Source |
|---|---|---|
| Identity | Name, email, phone, profile photo | Candidate, invite link, OAuth provider |
| Professional | Resume, work history, education, skills, certifications | Candidate upload, parsed by AI |
| Interview content | Video and audio recordings, transcripts, screen recordings during coding challenges | Candidate, recorded during sessions |
| Biometric (in some deployments) | Voice characteristics used by AI interviewer; facial features during ID verification | Candidate, with explicit consent |
| Assessment responses | Answers to questions, code submissions, test results, scores | Candidate during session |
| Device and technical | IP address, browser, OS, session identifiers | Automatically on access |
| Identity verification | Driver's license or passport image, extracted document fields | Candidate upload (optional) |
From Customers (Company Admins, Managers, Interviewers)
- Account details: name, email, role, company, password hash
- Organization information: company name, domain, industry, size, logo
- Billing information: plan, trial codes, payment tokens (we do not store full card numbers — Stripe and other gateways hold those)
- Usage data: pages visited, features used, API calls made, audit logs
From Website Visitors
- Device and browser information
- Pages visited and time on page (Google Analytics, if enabled)
- Information submitted through contact or trial request forms
3. How We Use Your Data
We use the data listed above to:
- Deliver the interview, assessment, and hiring-workflow features you or your employer requested
- Run AI analysis — resume parsing, fit scoring, interview response evaluation, speech analytics, code review
- Generate summaries, scorecards, and hiring recommendations for authorized Customer users
- Verify candidate identity where that feature is used
- Detect bias in aggregate hiring outcomes (EEOC 4/5ths rule) and surface findings to Customers for audit
- Communicate with you about interviews, invitations, account activity, and service updates
- Operate, secure, troubleshoot, and improve the Service
- Meet legal, accounting, and tax obligations
We rely on the following legal bases under GDPR: (a) performance of a contract, (b) our legitimate interests in operating and improving the Service, (c) your or the Customer's explicit consent for recording and biometric processing, and (d) compliance with legal obligations.
4. AI and Automated Decision-Making
The Service uses AI models (including large language models, computer vision, and speech-to-text) to analyze candidate submissions. Outputs include fit scores, ranked recommendations, auto-generated questions, flagged fraud signals, and interview summaries.
AI outputs are decision-support, not final hiring decisions. Customer employees (hiring managers and recruiters) review AI outputs and make the actual hiring decision. Customers are contractually required to keep a human in the loop for every advance/reject decision.
Under Article 22 of the GDPR and similar laws, candidates in applicable jurisdictions have the right to:
- Know that automated processing is being used in their evaluation
- Obtain a human review of any decision that significantly affects them
- Contest an AI-assisted decision and request correction
To exercise these rights, contact us at privacy@recruitabilityai.com or the Customer that invited you.
5. When We Share Data
We share data only in the following circumstances:
- With the Customer that invited you — company admins, hiring managers, and interviewers at the company you applied to will see your resume, interview recordings, scores, and any responses you submit.
- With third-party processors — listed in Section 6 below, under contractual confidentiality and data-protection terms.
- With integrated services — ATS systems (Greenhouse, Lever, Workday, BambooHR, iCIMS) if the Customer has enabled that integration; calendar providers (Google, Microsoft) for scheduling.
- To comply with law — court orders, subpoenas, regulatory requests, or to protect rights, safety, or property.
- In a business transfer — if we are acquired, merged, or reorganized, data may be transferred, subject to the protections of this Policy.
We do not sell personal data. We do not share candidate data with advertisers.
6. Third-Party Processors
The Service depends on the following subprocessors. All are bound by written data-processing agreements:
| Purpose | Processor | Location |
|---|---|---|
| Infrastructure hosting | IONOS | US / EU |
| AI language models | OpenAI, Anthropic, Google (Gemini), Groq, DeepSeek, Mistral, Perplexity | US |
| Speech-to-text | OpenAI Whisper | US |
| Text-to-speech | OpenAI, ElevenLabs | US |
| Embeddings and ML models | OpenAI, HuggingFace | US |
| Email delivery | Self-hosted Postfix SMTP | US |
| SMS and voice | Twilio | US |
| Payment processing | Stripe, PayPal, Square, Braintree, Authorize.net | US |
| Code execution sandbox | Piston (self-hosted) | US |
| Identity verification | ID Analyzer, in-house AI vision (GPT-4o / Gemini) | US |
| Teams/calendar integration | Microsoft Graph, Google Calendar | US / EU |
| Analytics (optional) | Google Analytics 4 | US |
| Error tracking (optional) | Sentry | US |
A current list of subprocessors is maintained and can be provided to Customers under a Data Processing Addendum (DPA) upon request.
7. Data Retention
- Candidate interview data — retained while the Customer's account is active and the Customer's configured retention period applies (default: 2 years after last activity). The Customer can shorten this period or delete candidate records at any time.
- Customer account data — retained for the life of the account plus 90 days after termination, except where law requires longer retention (e.g., tax records: 7 years).
- Billing records — 7 years, per US tax and accounting requirements.
- Audit logs — 1 year, for security investigations.
- Marketing website analytics — 14 months (Google Analytics default).
You or the Customer may request earlier deletion at any time, subject to legal-retention obligations.
8. Your Rights
Depending on your location, you have the following rights regarding your personal data:
- Access — obtain a copy of the data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure ("right to be forgotten") — request deletion, subject to legal exceptions
- Restriction — limit how we process your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests or for direct marketing
- Human review — request that a human review any automated decision that significantly affects you
- Withdraw consent — where processing is based on consent, you can withdraw it at any time
- Lodge a complaint — with your local data-protection authority (e.g., ICO in the UK, CNIL in France, state Attorney General in the US)
Candidates can exercise these rights through the candidate portal at /candidate/privacy after logging in, or by contacting the Customer that invited them. Customer admins have admin-panel tools to handle candidate requests.
California residents have additional rights under the CCPA/CPRA, including the right to know categories of information collected and to request deletion. To submit a CCPA request, email privacy@recruitabilityai.com with "CCPA Request" in the subject line.
9. Security Measures
We implement technical and organizational measures designed to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest for sensitive fields
- Password hashing with bcrypt (10 rounds)
- JWT-based session tokens with expiration
- Role-based access control (5-tier RBAC) with tenant isolation
- Per-company rate limiting and abuse monitoring
- Audit logging of admin actions and data access
- Regular dependency scanning and security patching
- Least-privilege principle for employee access to production systems
No system is fully secure. In the event of a breach affecting personal data, we will notify affected Customers and, where required, regulators within 72 hours of becoming aware.
10. Cookies and Tracking
We use a small number of cookies, categorized as:
- Strictly necessary — authentication (authToken), session management, CSRF protection. These cannot be disabled.
- Functional — theme preferences, language selection. Set only when you change a preference.
- Analytics (optional) — Google Analytics (_ga, _gid). Disabled by default and only loaded if the Customer has enabled analytics in their branding settings.
We do not use advertising cookies or third-party ad trackers on this Service.
11. Children's Data
The Service is intended for use by adults (16+) in professional hiring contexts. We do not knowingly collect data from children under 16. If you believe we have inadvertently collected data from a minor, contact us and we will delete it.
12. International Data Transfers
We process data primarily in the United States. If you are located in the EEA, UK, or Switzerland, data transferred to us is protected by Standard Contractual Clauses (SCCs) as approved by the European Commission, and by supplementary technical measures. A copy of the SCCs is available on request.
13. Changes to This Policy
We may update this Policy to reflect changes in our practices, technology, or legal requirements. Material changes will be announced at least 30 days in advance by email to Customers and through a banner on the Service. The "Last updated" date at the top of this page always reflects the current version.
14. Contact Us
For privacy questions, data requests, or to reach our Data Protection Officer:
- Email: privacy@recruitabilityai.com
- Postal mail: RecruitAbility AI Privacy, Go Green Paperless Initiative, LLC, 5904 Locust Ln, Harrisburg, PA 17109, USA
EU/EEA residents may also contact their local supervisory authority. UK residents may contact the ICO at ico.org.uk.