This Privacy Policy explains how AiHR ("we", "us", "our") collects, uses, stores and protects personal data when you use our AI-powered interview platform (the "Service"). It applies to two groups of data subjects: Recruiters (registered account holders) and Candidates (people who open an interview link). We act as a Data Controller for recruiter account data and as a Data Processor on behalf of the recruiter for candidate interview data.
1. Data we collect
From recruiters
- Account: email, full name, hashed password or OAuth identifier.
- Assistant configuration: company name, role descriptions, knowledge base, prompts.
- Usage logs: sign-in timestamps, IP address, browser user-agent.
From candidates
- Identity: name, optional email.
- Resume content, securely extracted and sanitized before AI processing.
- Interview transcript, including a recognition-quality marker for voice transcription.
- Interview audio only when the candidate separately opts in to audio storage.
- Technical metadata: timestamps, browser, locale.
2. Legal bases (GDPR Art. 6)
- Contract — to provide the recruiter dashboard and the interview service.
- Legitimate interest — structured, job-relevant assessment and security, balanced against candidate rights and a human-interview alternative.
- Consent — only for optional storage of interview audio. It can be refused without losing access to the process.
3. Special categories & automated decisions
AiHR does not analyse appearance, emotions, voice characteristics, personality, or protected traits. Under GDPR Art. 22, candidates are not subject to a solely automated decision; the final hiring decision is always made and recorded by a human recruiter.
4. How we use the data
- Run the interview and produce an evidence-cited advisory report for human review.
- Operate, secure and improve the Service.
- Comply with legal obligations.
We do not sell personal data, do not use candidate interview content to train third-party AI models, and do not use it for targeted advertising.
5. Sub-processors
- Lovable Cloud / Supabase — managed Postgres, authentication, storage (EU region).
- Google Gemini via Lovable AI Gateway — generates interviewer turns and the final report. Prompts and transcripts are sent for inference and are not retained by Google for model training.
- Cloudflare — edge hosting and DDoS protection.
All sub-processors are bound by Data Processing Agreements with appropriate Standard Contractual Clauses for any transfer outside the EEA.
6. Retention
- Candidate sessions are kept for the employer's disclosed configurable period (180 days by default), then anonymized.
- Recruiters can delete any session at any time from the dashboard — deletion is immediate and irreversible.
- Recruiter accounts are kept while active; deleted on request within 30 days.
7. Your rights (GDPR Art. 15–22)
You have the right to access, rectify, erase, restrict, port and object to processing, and to withdraw consent at any time. Contact us at privacy@aihr.app. We respond within 30 days. You may also lodge a complaint with your local supervisory authority.
8. Security
All data is encrypted in transit and at rest. Role-based access, row-level security, audit logs and least-privilege service credentials are enforced. Candidate content is normalized, boundary-sanitized and quarantined from trusted model instructions.
9. Cookies
We use strictly necessary cookies only (authentication session, CSRF protection). No advertising, no cross-site tracking. See our Cookie notice.
10. Children
The Service is intended for users aged 16+. We do not knowingly collect data from minors below this age.
11. Changes
Material changes are announced via the dashboard and by email at least 14 days before they take effect.
12. Contact
Data Controller: AiHR. Contact: privacy@aihr.app. Data Protection Officer requests: dpo@aihr.app.