Privacy Policy
1. Purpose of This Policy
This policy explains how we collect, use, store, transfer, and protect your data when you participate in an automated audio interview as part of our hiring process.
It combines global privacy standards and is designed to comply with GDPR (EU/UK), CPRA/CCPA (USA – California), other U.S. state privacy laws (Virginia, Colorado, etc.), PIPEDA (Canada), the Australian Privacy Act APPs, Singapore PDPA, Hong Kong PDPO, Taiwan PDPA, and common APAC recruitment and labor regulations.
2. What Data We Collect
Interview Data
- Audio recording of your responses
- An automatically generated transcript
- AI-assisted analysis (e.g., summaries, keyword extraction, skill indicators)
- Voice-derived expression features. During a voice interview, our voice-AI provider derives signals about expression and tone from your voice. These are generated for, and stored as part of, your interview record. They are not used for identity matching or biometric identification. You may opt out of expression analysis (see Section 13).
- Interview metadata (time, duration, technical logs)
Profile Data
- Name, email, phone number
- Resume/CV and application details
- Any information you voluntarily provide during the interview
No biometric identification
We do not perform facial recognition, voiceprint identity matching, or other biometric identification. The expression features described above are derived signals, not identity biometrics.
3. Why We Collect Your Data
We process your data to evaluate your suitability for the position you applied for; support fair and consistent hiring; maintain legally required recruitment records; conduct audit, compliance, and dispute-resolution activities; consider you for future roles for up to 3 years; and ensure the functionality and security of our interview platform. We do not use your data for marketing or advertising.
4. Legal Basis for Processing
Depending on your jurisdiction, we rely on:
EU/UK (GDPR & UK GDPR)
- Consent — for interview recording, AI analysis (including voice-derived expression features), and 3-year retention
- Legitimate interest — fair evaluation, record-keeping, and security
- Legal obligation — required retention (e.g., anti-discrimination record-keeping)
Other regions
- United States (CPRA/CCPA + other states): notice at collection; legitimate business purpose; consent for recording where required (e.g., two-party-consent states)
- Canada (PIPEDA): meaningful consent; reasonable business purpose
- Australia (APPs): consent for audio recording; recruitment and reasonable business purposes
- Singapore / Hong Kong / Taiwan (PDPA/PDPO): notified purpose + consent; reasonable necessity for recruitment
5. How Long We Keep Your Data
Default retention: up to 3 years. Your audio, transcript, AI-generated analysis, and derived features are retained for up to three (3) years to support future opportunities, compliance and audit needs, and defense against potential discrimination claims.
Early deletion. You may request deletion at any time. We will delete your data unless we are legally required to retain it (e.g., an ongoing investigation or regulatory requirement).
6. Your Rights
Your rights depend on your location, but generally include:
- Access — request a copy of the data we hold about you, including your audio, transcript, and report
- Correction / Rectification — fix errors in your transcript or personal information
- Deletion (Erasure) — request that your data be deleted
- Restriction of Processing (GDPR Art. 18) — ask us to temporarily pause processing without deleting your data
- Withdraw Consent — stop processing that relies on consent (e.g., extended retention, future-role matching, voice analysis)
- Data Portability — receive the data you provided in a machine-readable format (AI-generated reports and derived features are available under Access)
- Object (GDPR/UK GDPR Art. 21) — object to legitimate-interest processing
- Rights regarding Automated Decision-Making (GDPR Art. 22) — the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, and the right to obtain human intervention, express your view, and contest the decision (see Section 9)
- Lodge a Complaint (GDPR Art. 77) — complain to your local data protection authority (e.g., CNIL, ICO, BfDI)
- Do Not Sell or Share (CPRA) — we do not sell or share your data for advertising
To exercise your rights, contact privacy@verahire.ai.
7. Who We Share Data With
Internal recipients. The hiring company's recruiting team, hiring managers, and authorized VeraHire personnel (for support and operations), with access scoped to each organization.
Infrastructure sub-processors we engage. Each operates under a binding Data Processing Agreement. Changes to this list follow our sub-processor change-notification process, with advance notice to customers:
- Supabase — hosting, database, storage, authentication
- Vercel — application hosting
- Cloudflare — intermediate audio storage
- ElevenLabs — speech-to-text
- OpenAI / OpenRouter — AI analysis and interview conversation
- Hume — voice AI and expression features
- Twilio — voice and SMS
- Postmark — email delivery
- Sentry — error monitoring
- PostHog — product analytics (recruiter-facing only; see Section 11)
- Axiom — logging and observability
Applicant Tracking Systems (ATS) you connect. Where a customer connects a third-party ATS, candidate data is shared with that platform at the customer's direction, under the customer's own instructions and integrations. The customer is the controller of data in their own ATS.
We do not sell or monetize your personal data.
8. International Transfers of Data
Our primary systems and most sub-processors are located in the United States, so data from the EU/UK and other regions is transferred to the US. Where we transfer data internationally, we rely on:
- the EU-US / UK-US Data Privacy Framework (DPF) for sub-processors that are DPF-certified;
- the 2021 EU Standard Contractual Clauses (the post–Schrems II modular SCCs) and the UK International Data Transfer Addendum (IDTA) for sub-processors not covered by DPF; and
- supplementary technical and organizational measures.
You may request details of the safeguards that apply at privacy@verahire.ai.
9. Automated Decision-Making
Our automated systems assist with transcription, summarization, skill and keyword highlighting, resume match-scoring, and structured report generation. In the default workflow, these outputs are advisory and are reviewed by a person before any hiring decision.
Some optional workflows, when a customer chooses to enable them, may act on the automated score without a person in the loop (for example, automatically inviting candidates above a score threshold, or advancing or declining at the resume stage). Where such a decision produces a legal or similarly significant effect for you, your GDPR Article 22 rights apply, including the right to obtain human intervention and to contest the decision (see Section 6).
10. Security Measures
We use industry-standard security practices, including encryption in transit (TLS) and at rest (AES-256), role-based access controls and per-organization data isolation, signed time-limited URLs for stored files, audit logging of recruiter actions, data minimization, and vendor risk management.
11. Cookies & Analytics
- Candidate interview and application pages: we do not run product-analytics or advertising trackers on these pages.
- Recruiter / customer application: we use PostHog for product analytics, limited to logged-in recruiter users, to understand and improve how the product is used. This is not tied to candidates.
- We use strictly necessary cookies for authentication and session management.
12. Children's Data
Our service is intended for professional recruitment and is not directed to individuals under 18 (or under 16 where a lower age of digital consent applies). We do not knowingly collect personal data from children. If you believe a minor has provided us data, contact privacy@verahire.ai and we will delete it.
13. Your Choices
You may participate in the automated interview, request an alternative interview format, opt out of voice-derived expression analysis, withdraw extended-retention consent, and request deletion at any time. Withdrawing consent will not affect your application.
14. How to Contact Us
For questions, concerns, or rights requests, email privacy@verahire.ai. You may also contact your local data protection authority.