Privacy Policy
This Privacy Policy explains how intHR ("we", "our", "us") collects, uses, stores, and protects personal data when you use our services. This document is designed for a global audience and follows a KVKK- and GDPR-compatible structure.
1. Scope
This policy applies to all users of the intHR platform, including recruiters, employers, and invited candidates who participate in assessments.
2. Data We Process
- Account data: email, username, user identifiers, authentication/session metadata.
- Social sign-in data: where you choose to sign in via Google or LinkedIn, we receive only your name and email address from that provider, used solely for account creation and identification.
- CV data: uploaded PDF files, extracted profile data, and derived candidate attributes.
- Assessment data: responses, interview/exam interactions, scoring details, and generated reports.
- Proctoring data: camera-based checks, violation signals, trust/distrust indicators, and related snapshots where applicable.
- Operational metadata: email delivery logs, message IDs, timestamps, and technical diagnostics.
3. Why We Process Data
- To create and manage user accounts.
- To run CV evaluation and candidate ranking workflows.
- To provide exam and interview modules, including proctoring integrity controls.
- To send transactional communications (verification, reset, invitations).
- To secure the platform and detect abuse or fraud.
4. Legal Basis
Depending on context, we process personal data under one or more legal bases:
- Contract performance for service delivery.
- Legitimate interests for platform security, quality, and fraud prevention.
- Consent where required by law, especially for camera-based proctoring.
- Legal obligations for record-keeping and lawful requests.
5. AI-Assisted Processing and Profiling
intHR uses AI-assisted processing to extract structured information from submitted content and to support scoring workflows. These outputs may contribute to automated profiling and ranking. Human review may be applied to validate outcomes where needed.
6. Third-Party Processors and International Transfers
We use third-party providers to operate key components of the service, including:
- Supabase (authentication and data infrastructure).
- Google (OAuth authentication, where selected by the user — data received is limited to name and email address).
- LinkedIn (OpenID Connect authentication, where selected by the user — data received is limited to name and email address, used solely for account identification).
- AWS SES (transactional email delivery).
- Google Gemini (AI inference for supported workflows).
Data may be processed in jurisdictions outside your country. We use contractual and organizational safeguards suitable for cross-border transfers.
7. Retention and Deletion
We retain personal data only as long as needed for operational, legal, and security purposes. When an account is deleted, a soft-delete period applies and permanent deletion follows according to our internal retention process.
8. Security Measures
We implement layered controls such as session protections, CSRF protection, endpoint rate limiting, upload validation, and security-focused HTTP headers. No system can guarantee absolute security, but we continuously improve technical and organizational safeguards.
9. Your Rights
Where applicable law provides, you may request:
- Access to your personal data.
- Correction of inaccurate data.
- Deletion or restriction of processing.
- Objection to certain processing activities.
- Data portability where technically feasible.
- Withdrawal of consent for consent-based processing.
10. Contact
For privacy requests, complaints, or questions, contact us at: [email protected].
11. Policy Changes
We may update this policy from time to time. Material updates will be reflected by changes to the effective date, last-updated date, and version number shown at the top of this page.