Privacy Policy
Last updated: May 25, 2026
If you are a candidate
- A hiring team invited you to a text-based AI screening for their role — not a live video or phone call.
- Your written answers are stored as a transcript and may be summarized by AI for the employer that invited you.
- VettaHire shares your interview data with the employer that invited you. We do not sell your personal information.
- AI outputs are meant to assist human reviewers — not as the sole basis for hiring decisions. You may request human review (see below).
- For access or deletion, contact the employer that invited you, or email info@vettahire.com.
VettaHire is an AI-powered hiring screening platform operated by VettaHire, a sole proprietorship based in Australia ("VettaHire," "we," "us," or "our"). References to "VettaHire" mean the Service. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our website, applications, and related services (collectively, the "Service").
This policy applies to employers and teams that create accounts ("Customers") and to individuals invited to complete an AI screening interview ("Candidates"). Capitalized terms match our Terms of Use, including Customer Data (what Customers upload) and Candidate Data (interview responses and related AI outputs). Candidates should also read our Candidate Terms.
1. Roles: who is responsible for candidate data
When a Customer creates a job and invites Candidates, the Customer typically decides what information to collect, who may access it, and how long to retain it for hiring purposes. In that context, the Customer is generally the data controller (or equivalent) for Candidate personal information, and VettaHire acts as a service provider / processor that processes Candidate Data on the Customer's instructions to deliver the Service.
For account, billing, and Service-operation data relating to Customers, VettaHire is generally the controller. Questions about how a specific employer uses your interview data should be directed to that employer; questions about how we operate VettaHire may be sent to us using the contact details below.
Where GDPR, UK GDPR, or CCPA/CPRA applies, our Data Processing Addendum supplements these roles for Customers.
2. Information we collect
Customer account data. Name, email address, password (stored in hashed form), and, if you use Google sign-in, identifiers provided by Google OAuth. We maintain session tokens to keep you signed in.
Job and hiring data. Job titles, descriptions, experience requirements, screening questions, and Candidate contact details (email and optional name). Customers may upload Candidate emails individually or via CSV.
Interview and AI-generated data. When a Candidate completes a screening, we collect written messages exchanged during the interview (a text transcript), interview status and timestamps, consent records (timestamp and disclosure version), and AI-generated outputs such as summaries, strengths, concerns, highlights, scores, and hiring recommendations.
Integrity signals. During an interview, our system uses automated checks to detect signs that responses may not be the Candidate's own work — for example, content that appears to have been copied or generated externally. Signals detected are flagged to the Customer alongside the transcript. A flag is information for the Customer to consider; it does not automatically disqualify a Candidate, and the Customer decides how to weigh it.
Billing data. Subscription status, Stripe customer and subscription identifiers, and plan usage counts. Payment cards are processed by Stripe, not stored by us.
Technical data. IP address, browser type, request logs, and rate-limiting metadata needed to operate and secure the Service. Infrastructure is hosted on Cloudflare, including Cloudflare D1 for application data storage.
3. How we use information
We use personal information to:
- Provide, maintain, and improve the Service;
- Authenticate users and manage workspaces;
- Send interview invitation emails to Candidates on behalf of Customers;
- Run AI-powered text screening conversations and generate review summaries;
- Process subscriptions, enforce plan limits, and prevent abuse;
- Respond to privacy and human-review requests;
- Comply with law and protect rights and safety.
We do not sell personal information.
4. Automated decision-making and human oversight
VettaHire uses AI to conduct text-based screening conversations and generate summaries and scores for Customers. These outputs are provided to assist human review — not as automated sole decisions about employment. We design the Service to support, not replace, human review. We do not provide tooling that enables fully automated rejections.
- Customers agree in our Terms not to use AI outputs as the sole basis for hiring decisions and to maintain meaningful human review before any decision that significantly affects a Candidate.
- Candidates may request human review of automated processing related to their interview via our human review request form or by contacting the employer that invited them. We aim to respond within 30 days and will assist Customers in fulfilling applicable legal obligations.
Where GDPR Article 22 or similar laws apply, you may have the right not to be subject to a decision based solely on automated processing with legal or similarly significant effects.
Customers using the Service in jurisdictions with automated employment decision tool (AEDT) laws or similar rules (e.g. NYC Local Law 144, Illinois AIVIA, Colorado AI Act) remain responsible for their own compliance programs. We provide information about our screening system and maintain records to support reasonable audit requests, as described in our Terms.
5. Before the interview (Candidate notice)
Before any AI screening begins, Candidates are shown an in-product notice explaining that:
- The conversation is conducted by AI (text chat, not video or voice);
- Responses are stored as a transcript and may be summarized for the Customer;
- Continuing after accepting the notice constitutes consent to this processing;
- Candidates may decline and end the session without submitting answers.
We log the consent event (timestamp and disclosure version) when a Candidate accepts.
6. Text-only processing — no biometrics
The Service uses written text chat only. We do not capture voice or video, do not create voiceprints or faceprints, and do not perform emotion, tone, or biometric inference on Candidates.
Automated integrity signals (described in section 2) are generated from text patterns only and are shared with the Customer as informational flags alongside the transcript. They are not biometric data and do not involve audio or visual analysis.
7. Sensitive personal information
We do not solicit special category or sensitive personal information (such as health, disability, religion, race, or precise demographic data). Interview questions are configured by the Customer and should be limited to role-relevant topics.
If a Candidate voluntarily discloses such information in a free-text response, it may appear in the transcript and AI-generated summary delivered to the Customer. We do not specifically prompt for, target, or weight sensitive characteristics in AI scoring. The Customer (as employer) is responsible for handling any protected-class information disclosed during the interview in accordance with applicable employment law.
8. AI training
We do not train or fine-tune foundation models or general-purpose AI on Customer Data or Candidate interview content. We do not use interview prompts, responses, transcripts, or AI outputs to train any AI model. We may use aggregated, de-identified usage data to improve security and reliability.
Third-party AI providers (see Sub-processors) process prompts and transcripts to deliver inference; their use of data is governed by their policies and our agreements with them.
9. AI providers and sub-processors
We use sub-processors including Cloudflare (hosting and database), DeepInfra (AI inference), Resend (transactional email), Google (OAuth identity), and Stripe (billing). A current list with purposes, data categories, and certifications is maintained at Sub-processors. We will notify Customers at least 30 days before adding or replacing a sub-processor that materially affects Candidate or Customer personal data processing.
10. Legal bases (EEA/UK)
Where GDPR or UK GDPR applies, we rely on the following legal bases:
- Contract performance — providing the Service to Customers, account management, and billing;
- Legitimate interests — sending interview invitations on behalf of Customers (the Customer's legitimate interest in running a hiring process); security, fraud prevention, and abuse detection; product reliability improvements using aggregated data;
- Consent — Candidate consent is collected via in-product disclosure before each interview begins;
- Legal obligation — compliance with applicable law, including responding to lawful authority requests.
Customers are responsible for establishing a lawful basis for inviting Candidates to complete a screening as part of their hiring process.
11. How we share information
- With the Customer workspace that created the job;
- With sub-processors under contractual safeguards;
- With advisers or authorities when required by law;
- With a successor entity in a merger or acquisition, with notice.
12. International transfers
All Candidate Data and Customer account data is stored and processed exclusively in the United States (Cloudflare D1 and R2, DeepInfra inference infrastructure, Resend email delivery). We do not transfer Candidate Data outside the United States.
Where Customers based in the EEA, UK, or Switzerland use the Service, personal data is transferred to the US under the Standard Contractual Clauses (Module Two, controller to processor, European Commission Decision 2021/914), the UK International Data Transfer Addendum (ICO), and the Swiss SCCs as applicable. These are incorporated into our Data Processing Addendum.
13. Retention
Unless a Customer or law requires otherwise, our default retention periods are:
- Interview transcripts and AI outputs: deleted when the Customer deletes the job in the Service;
- Stale invitations: Candidate records that were never started are deleted 12 months after the invite date;
- Customer account data: deleted within 30 days after a confirmed account deletion request;
- Backups: infrastructure backups containing personal data are purged within 90 days in line with our hosting provider's practices.
Customers may delete jobs and associated Candidate data sooner through the Service. Shorter retention may be agreed in a Customer contract.
14. Security and data breaches
We implement technical and organizational measures including:
- TLS 1.2 or higher for all data in transit;
- Encryption at rest for the production database and object storage;
- Hashed passwords (Argon2) and HMAC-signed session tokens;
- Role-based access controls and principle of least privilege;
- Multi-factor authentication required for administrative access to production systems;
- No public-facing database endpoints; WAF and DDoS protection via Cloudflare;
- Secure software development practices including code review and dependency scanning;
- Regular automated backups with documented recovery procedures.
No system is perfectly secure.
If we become aware of a personal data breach affecting Customer or Candidate data we process, we will notify affected Customers without undue delay, as GDPR Article 33(2) requires of a processor, and aim to do so within 72 hours of becoming aware so that Customers can meet their own 72-hour deadline for notifying supervisory authorities under Article 33(1). We will cooperate on any required notices to Candidates and authorities.
15. Cookies
We use essential cookies and similar technologies only:
- __Host-hs_session — keeps Customers signed in; HttpOnly, Secure, SameSite=Lax;
- hs_oauth_state — short-lived CSRF token securing the Google OAuth flow; expires after 10 minutes;
- sidebar_state — stores your dashboard sidebar open/closed preference; non-sensitive UI preference.
We do not use third-party advertising or analytics cookies on the Service at this time. If we add non-essential cookies, we will update this policy and, where required, obtain consent.
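The cookie attributes listed above and the HMAC-signed session tokens mentioned in section 14 fit together as shown below. This is an added illustration, not VettaHire's code: the two cookie names and the 10-minute state lifetime come from this policy, while the token layout, the session lifetime, and the helper names are assumptions. It also shows the `__Host-` prefix rules (Secure, Path=/, no Domain) that a browser enforces before it will store the session cookie at all.

```python
"""Added example: HMAC-signed session token in a __Host- cookie, plus a short-lived
signed OAuth state cookie. Not VettaHire's code; token layout, SESSION_TTL and
helper names are assumptions. Cookie names and the 10-minute state TTL follow the policy."""
import base64
import hashlib
import hmac
import json
import secrets

SESSION_COOKIE = "__Host-hs_session"   # name from the policy's cookie list
STATE_COOKIE = "hs_oauth_state"        # name from the policy's cookie list
SESSION_TTL = 7 * 24 * 3600            # assumed; the policy states no session lifetime
STATE_TTL = 10 * 60                    # policy: OAuth state expires after 10 minutes


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(secret: bytes, payload: dict) -> str:
    """Serialize payload and append an HMAC-SHA256 tag: <payload>.<tag>."""
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_token(secret: bytes, token: str, now: float):
    """Return the payload if the tag is valid and the token is unexpired, else None.
    The tag is checked in constant time before the body is parsed, so a forged or
    truncated token is rejected without touching the claims."""
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # missing separator, bad base64, or bad JSON
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def set_cookie(name: str, value: str, max_age: int) -> str:
    """Build a Set-Cookie header with the attributes the policy lists for its cookies."""
    return "; ".join([f"{name}={value}", "Path=/", "Secure", "HttpOnly",
                      "SameSite=Lax", f"Max-Age={max_age}"])


def cookie_value(set_cookie_header: str) -> str:
    return set_cookie_header.split(";", 1)[0].partition("=")[2]


def host_prefix_ok(set_cookie_header: str) -> bool:
    """Browsers accept a __Host- cookie only if it is Secure, has Path=/ and no Domain.
    A header that breaks these rules is silently dropped and the user never stays signed in."""
    name_value, *rest = set_cookie_header.split(";")
    if not name_value.strip().startswith("__Host-"):
        return True
    attrs = {}
    for attr in rest:
        key, _, val = attr.strip().partition("=")
        attrs[key.lower()] = val
    return "secure" in attrs and attrs.get("path") == "/" and "domain" not in attrs


def issue_session(secret: bytes, user_id: str, now: float) -> str:
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + SESSION_TTL}
    return set_cookie(SESSION_COOKIE, sign_token(secret, claims), SESSION_TTL)


def new_oauth_state(secret: bytes, now: float):
    """The random state goes into the Google authorize URL; a signed copy goes into the cookie."""
    state = secrets.token_urlsafe(32)
    token = sign_token(secret, {"state": state, "exp": int(now) + STATE_TTL})
    return state, set_cookie(STATE_COOKIE, token, STATE_TTL)


def check_oauth_callback(secret: bytes, state_cookie_value: str, returned_state: str, now: float) -> bool:
    """CSRF check on the callback: state must match an unexpired, unforged cookie."""
    payload = verify_token(secret, state_cookie_value, now)
    if payload is None:
        return False
    return hmac.compare_digest(str(payload.get("state", "")).encode(), returned_state.encode())


if __name__ == "__main__":
    import time
    key = secrets.token_bytes(32)
    header = issue_session(key, "customer-42", time.time())
    print(header)
    print("__Host- rules satisfied:", host_prefix_ok(header))
```

The point of the `__Host-` check is that the prefix is a browser-enforced contract, not a naming convention: a deployment that adds a `Domain` attribute for a staging subdomain would find the cookie rejected. The OAuth state cookie is bound to a single sign-in attempt by its signed, time-limited payload, which is what makes it useful against login CSRF.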
16. Your rights
Depending on your location, you may have rights to access, correct, delete, restrict, object to, or port personal information, and to lodge a complaint with a supervisory authority. We aim to respond to all data subject requests within 30 days, with extensions where permitted by law.
Candidates should contact the inviting employer first, as the employer is typically the data controller for interview data. We assist Customers as their processor. You may also contact us at info@vettahire.com or use our privacy request form, and we will either help directly or forward your request to the employer and confirm what we have done.
We honor Global Privacy Control (GPC) signals as opt-out requests where applicable. Because we do not sell or share personal information, no additional action is required to opt out of those activities.
17. California (CCPA/CPRA)
We do not sell or share personal information for cross-context behavioral advertising.
| Category | Examples | Disclosed to |
|---|---|---|
| Identifiers | Name, email, account ID, session tokens | Sub-processors; Customer (for Candidates) |
| Professional / employment | Job applications, interview transcripts, summaries | Customer; AI sub-processors |
| Internet / technical | IP, browser, logs | Cloudflare |
| Financial (Customers) | Subscription IDs via Stripe | Stripe |
18. Australia
If the Privacy Act 1988 (Cth) and Australian Privacy Principles apply, we handle personal information in accordance with this policy. You may contact us to access or correct personal information or to make a complaint; we will respond within a reasonable period. If unresolved, you may contact the Office of the Australian Information Commissioner (OAIC).
19. Children
The Service is not intended for Candidates under 16. We do not knowingly collect personal information from anyone under 16. Contact us if you believe a minor under 16 has provided data and we will delete it promptly. Some jurisdictions require parental consent for processing data of minors; Customers (as employers) are responsible for meeting those requirements for any Candidates they invite.
20. Governing law
This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to conflict-of-law rules, except where mandatory local privacy laws apply.
21. Changes
We may update this policy with a new "Last updated" date and additional notice where required. We review this policy at least annually.
22. Contact
Privacy lead: Vincent Zheng, Owner, VettaHire
Email: info@vettahire.com
This document is informational and does not constitute legal advice. Consult qualified counsel for your organization and jurisdiction.