Legal

Privacy Policy

Last updated: July 3, 2026

This Privacy Policy explains how AI-Powered Hiring Assistant (“Hiring Assistant”, “we”, “us”, or “our”) collects, uses, discloses, and retains personal information when you use our website, web application, and related services (collectively, the “Service”). It applies to both hiring teams that create workspaces on the Service (“Customers”) and to the job applicants those Customers choose to evaluate (“Candidates”).

1. What we collect

From Customers

  • Account information: full name, work email, hashed password (bcrypt), and any optional profile details.
  • Workspace content: job descriptions, custom apply-form schemas, company branding assets, and team-member invitations.
  • Payment & billing: subscription tier, billing contact, and the last four digits + brand of the card on file (full PAN is never stored on our servers — handled by our PCI-compliant payment processor).
  • Usage data: pages visited, feature toggles clicked, error messages, and coarse device / browser metadata for diagnostics.

From Candidates

  • Resume content: the file you upload, the text we extract from it, and the answers you provide on the Customer's apply form.
  • Contact details: name, email address, and (optionally) phone number or links you include in your application.
  • Application metadata: timestamps, IP address (for abuse prevention), and a per-application status that tracks your progress through the Customer's pipeline.

2. How we use the information

  • To operate the Service. Render the application, score resumes against job descriptions, send notifications, and persist your workspace across sessions.
  • To improve the product. Aggregate, de-identify, and analyze usage patterns. We never sell personal information.
  • To send service communications. Verification codes, password-reset links, security alerts, and transactional billing emails. Marketing email is opt-in.
  • To comply with law and enforce our Terms. Respond to lawful requests, prevent fraud, and protect the rights and safety of our users and others.

3. Candidate anonymization

Customers can enable per-tenant resume anonymization in their workspace settings. When enabled, every uploaded resume has identifying information (name, email, phone, postal address, school names, prior employer names, etc.) stripped from the text that is sent to our AI models for scoring. The original, unredacted text remains in our database for the recruiter's review and audit trail. Master administrators can reveal a Candidate's identity on a per-application basis; that action is recorded in the audit log.

4. Cookies and similar technologies

We use cookies and local storage for two purposes:

  • Strictly necessary — two httpOnly cookies that carry our access and refresh tokens. These never leave the server side and are required for you to stay signed in.
  • Preferences — a single localStorage entry that records your cookie-consent choice. This is set only after you click Accept or Reject on the consent banner.

We do not use third-party advertising cookies, cross-site tracking pixels, or analytics that follow you across other websites. If we ever change that, we'll ask for your consent again before any non-essential cookie is set.

5. Where your data lives

Production data is stored in PostgreSQL on managed cloud infrastructure (currently Aiven). Resume files are stored in ImageKit under a per-tenant prefix. Auth tokens and OTP verification codes live in Redis with TTLs that match the shortest operationally necessary window. Backups are encrypted at rest and retained for thirty (30) days. By using the Service you understand that your data may be transferred to, stored in, and processed in countries other than your country of residence.

6. Sharing and disclosure

We share information with the following categories of recipient, and only as described below:

  • Customer workspaces. A Candidate's application is visible to the Customer that posted the role. Customers are data controllers for the information they collect; we process it on their behalf under our Data Processing Addendum.
  • Service providers. We use subprocessors to send email (Gmail / SMTP), host files (ImageKit), and process payments (Stripe). Each is contractually required to protect your data with at least the standard we provide.
  • Legal and safety. We may disclose information when we believe in good faith that it is necessary to comply with a law, court order, or valid legal process; to protect the safety of any person; or to investigate violations of our Terms.

7. Data retention

  • Active Customer data. Retained for as long as the Customer's account is active. Customers may delete individual applications, jobs, or their entire workspace at any time.
  • Deleted Customer workspaces. Hard-deleted within thirty (30) days of the deletion request, with the exception of records we must retain for legal or compliance reasons (e.g. tax records).
  • Resume files. Stored on ImageKit. When a Customer or Candidate deletes an application we remove the corresponding file on a best-effort basis; the original may persist in encrypted backups for the remainder of the backup retention window.
  • OTP codes. Auto-expire from Redis after 5 minutes (register / reset) or after a successful verification. Staged registration data expires from Redis after 1 hour.

8. Your rights

Depending on where you live, you may have some or all of the following rights:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your data, subject to the retention rules above.
  • Restrict or object to certain processing (e.g. automated scoring).
  • Receive a portable copy of the data you provided to us, in a common machine-readable format.
  • Withdraw consent where processing is based on consent.

To exercise any of these rights, email us at the address at the bottom of this page. We respond within thirty (30) days.

9. Security

We protect your data with TLS in transit, encryption at rest on our managed databases, bcrypt-hashed passwords, httpOnly authentication cookies, short-lived access tokens with refresh-token rotation, rate-limited authentication endpoints, and per-tenant isolation in our database. No system is 100% secure — if you discover a vulnerability, please report it responsibly to the email below.

10. Children's privacy

The Service is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top will always reflect the most recent change. If a change is material we'll notify active Customers by email at least fourteen (14) days before it takes effect.

12. Contact

Questions, complaints, or data requests: miyasajid19@gmail.com

See also our Terms & Conditions.