Privacy Policy

Last updated: [date]

This Privacy Policy explains how Employmee ("Employmee", "we", "us") handles personal data when you use our service at employmee.com.br. Employmee is a hiring tool that uses AI to pre-screen job candidates into evidence-cited assessment reports. A human recruiter always reviews those reports and makes the final hiring decision. The AI assists; it never decides whom to hire.

Employmee plays two different roles depending on whose data is involved, and it matters for your rights:

  • For candidate data (CVs, interview answers, and related information), the hiring company that invited the candidate to apply is the data CONTROLLER. Employmee acts as a PROCESSOR, handling that data on the hiring company's instructions. If you are a candidate, the hiring company is responsible for deciding how your data is used, and many of your requests are directed to or through them. This policy describes our practices, but it does not replace the privacy notice of the company you applied to.
  • For recruiter and staff account data, and for running and improving the service itself, Employmee is the controller.

This policy is written to reflect how the product actually works. Brazil's General Data Protection Law (LGPD, Lei nº 13.709/2018) applies. Where this policy uses [bracketed text], it marks information that [Legal entity name] must complete before publishing.

Who we are

Employmee is operated by [Legal entity name], a company registered in [jurisdiction], with its registered address at [registered address].

For any privacy question, or to exercise your rights, contact us at [DPO / privacy contact email]. [If a Data Protection Officer (Encarregado) is appointed under the LGPD, name them and give their contact here.]

The hiring company that invited a candidate to apply is a separate organization and is the controller of that candidate's data. We are not able to decide, on our own, how that company uses candidate data.

What personal data we collect, and from whom

Candidate data (provided by the candidate when applying through a hiring company's link):

  • Identity and contact details: full name and email address, entered on the application form.
  • CV / resume: the file you upload (PDF or DOCX, up to 10 MB) and its text content. We use AI to turn that text into a structured profile (for example, experience and skills) tied to the job you applied to.
  • Interview responses: your typed or spoken answers during the AI text interview. If you choose to answer by voice, speech-to-text runs in your own browser and only the resulting text is sent to us; we do not record or store your voice or camera video. The camera self-view shown during the interview stays on your device.
  • Lightweight proctoring signals: simple counters captured during the interview, specifically the number of times you switched browser tabs, pasted text, moved focus away from the interview window, or left full-screen. These are counts only, kept as context for the human reviewer. They are never used to automatically reject anyone.

We do not ask candidates to create an account. Candidates apply through a private, tokenized link.

Recruiter and staff data:

  • Account information used to sign in and identify staff of a hiring company's workspace, handled through our authentication provider, Clerk. This includes identifiers such as name and email associated with the staff account and the role assigned within the workspace.
  • Records of staff actions in the product, including the written decisions and rationales recruiters enter, kept in an append-only audit trail attributed to the staff member who acted.

Technical and security data:

  • When a candidate submits an application, we use Cloudflare Turnstile (an anti-bot check) to confirm the request is not from a bot. As part of that check, the request's IP address may be sent to Cloudflare for verification.
  • Standard server and operational logs needed to run and secure the service.

How and why we use personal data

We use candidate data to provide the pre-screening service to the hiring company that invited the candidate:

  • To parse the CV into a structured profile and to run an AI text interview tailored to the job.
  • To produce an evidence-cited, per-criterion assessment report for that specific job.
  • To present that report, the interview transcript, and the proctoring signals to the hiring company's recruiters as context for their review.

The AI assists; a human decides. The final decision on each candidate is made by a recruiter or hiring manager, who must enter a written rationale. That decision is recorded against the report the human reviewed and is never derived automatically from any AI score. The decision and the rationale are stored in an append-only audit trail.

We use recruiter and staff data to authenticate staff, control what each role can access, attribute actions in the audit trail, and operate and secure the service.

We use technical and security data to prevent abuse (for example, blocking automated fake applications), to keep the service available, and to investigate problems.

Legal bases (LGPD)

For candidate data, where Employmee acts as processor, the legal basis is established by the hiring company (the controller). When a candidate applies, they are shown and must agree to a versioned data-and-AI consent before any processing. We store a record of exactly what was agreed and which policy version applied. Depending on the hiring company's own basis, processing may rely on consent and/or on other lawful bases under the LGPD, such as the steps prior to entering into a contract and the controller's legitimate interests in assessing candidates.

For recruiter and staff data, and for operating and securing the service, we rely on the performance of our contract with the hiring company, our legitimate interests in running and protecting the service, and compliance with legal obligations.

[Confirm the exact LGPD legal bases (Art. 7 / Art. 11) with counsel, in coordination with the hiring company's own basis for candidate data.]

Who we share data with

The hiring company. Candidate data (the CV, structured profile, interview transcript, assessment report, and proctoring signals) is made available to the staff of the specific hiring company workspace the candidate applied to, scoped so that one company cannot see another company's candidates.

Sub-processors. We use trusted service providers to run the product. Each processes personal data only as needed to provide its service to us:

  • Vercel: hosting of the web application.
  • Railway: hosting of our API and background workers, the PostgreSQL database, and Redis.
  • Clerk: authentication of recruiters and staff.
  • Cloudflare R2: storage of uploaded CV files.
  • Cloudflare Turnstile: the anti-bot check on the application form.
  • Anthropic (Claude): the AI that parses CVs, runs the interview, and produces assessments.
  • OpenAI: text-to-speech, used only to read interview questions aloud during the interview.
  • Resend: sending transactional emails (such as workspace invitations).

We do not sell personal data. We may also disclose data where required by law or to protect our rights and the safety of our users.

[Maintain a current sub-processor list and confirm a data processing agreement with each provider above.]

International data transfers

Some of our sub-processors process data outside Brazil. In particular, our AI provider (Anthropic), our text-to-speech provider (OpenAI), our CV storage (Cloudflare R2), our authentication provider (Clerk), and our hosting providers may process or store data in other countries, including the United States.

Where data is transferred internationally, we rely on the transfer mechanisms permitted under the LGPD and put appropriate contractual safeguards in place with each provider.

[Confirm the specific LGPD transfer mechanism relied on (e.g., standard contractual clauses / cláusulas-padrão) and each provider's processing locations.]

How long we keep data, and deletion

Candidate personal data is kept for the period needed for the selection process. By default, each candidate record carries a retention window set when the application is submitted; the current default is 180 days, and the hiring company may configure a different period. A background process runs regularly and automatically erases candidate data once its retention window has passed.

LGPD erasure (right to be forgotten) is built into the product. When erasure is carried out, it is irreversible and removes the candidate's personal data, specifically:

  • the candidate's name and email are cleared;
  • the structured CV profile and the assessment report are redacted so no personal content remains;
  • the interview transcript content is redacted;
  • the original CV file is deleted from storage.

For integrity and accountability, certain records are kept in redacted form rather than deleted outright: the underlying rows, the audit trail, the consent record (showing that consent was given, when it was given, and under which policy version), and non-personal provenance such as which model and prompt version were used. These no longer contain the candidate's personal content after erasure.

Recruiter and staff account data is retained while the workspace is active and for as long as needed for our legitimate and legal purposes thereafter.

How we protect data

We apply technical and organizational measures to protect personal data, including:

  • Tenant isolation, so each hiring company can only access its own workspace's candidates and data.
  • Role-based access controls for staff, enforced on the server, with sensitive actions (such as candidate erasure) restricted to administrators.
  • Authentication of staff through Clerk, and an internal gate protecting staff-facing routes.
  • CV files stored in object storage rather than exposed publicly; private, expiring application links instead of candidate accounts.
  • An append-only, immutable audit trail of key actions and decisions.
  • An anti-bot check on the public application form to limit abuse.

When candidate-supplied text (such as a CV or interview answer) is sent to the AI, it is treated as untrusted input and processed within boundaries designed to prevent it from manipulating the AI's instructions.

No system is perfectly secure, but we work to protect personal data against unauthorized access, loss, or misuse.

Candidate data vs. recruiter data

Candidates do not have an Employmee account. They apply through a private link, agree to a versioned consent, and provide a CV and interview answers. For this data, the hiring company is the controller and we are the processor. Candidates can direct rights requests to the hiring company they applied to, and may also contact us; we will assist the hiring company in responding.

Recruiters and staff have accounts within a hiring company's workspace, managed through Clerk, with a role that governs what they can see and do. Their account information and the actions they take in the product are processed so we can provide, secure, and account for the service.

Cookies and analytics

We use cookies and similar technologies that are necessary to operate the service, primarily to keep recruiters and staff signed in through our authentication provider. The anti-bot check on the application form may also use technology required for it to function.

[If you add product analytics or any non-essential/marketing cookies, disclose each tool and purpose here and, where required, obtain consent before setting them. As of the last update, confirm with engineering whether any analytics are in use; if none, state that plainly.]

Your rights

Under the LGPD, data subjects have rights over their personal data, including to:

  • confirm that processing exists and access the data;
  • correct incomplete, inaccurate, or outdated data;
  • request anonymization, blocking, or deletion of unnecessary or excessively processed data;
  • request portability, subject to legal limits;
  • request deletion of data processed with consent (subject to legally required retention);
  • obtain information about the entities with which we share data;
  • be informed about the possibility of refusing consent and the consequences; and
  • withdraw consent.

Decisions about candidates are made by a human reviewer, not by an automated process. Candidates also retain the right under the LGPD to request review of decisions taken solely on the basis of automated processing.

Because the hiring company is the controller of candidate data, candidate requests are generally fulfilled by, or in coordination with, that company. We support these requests, including the irreversible erasure described above. To exercise any right, contact us or the relevant hiring company. We may need to verify your identity before acting on a request.

Changes to this policy

We may update this policy from time to time. When we do, we will revise the "Last updated" date above. The consent that candidates agree to is versioned, so each consent record reflects the exact policy version in force at the time it was given. Material changes will be communicated as required by law.

Questions or rights requests: contact [DPO / privacy contact email] (operated by [Legal entity name], [registered address]).