Privacy Policy

1. Introduction

This Privacy Policy explains how TalentSprout Inc. ("we", "our", or "us") collects, uses, discloses, and safeguards your personal information when you use our services, including our website and AI-powered interview platform. We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Canadian privacy legislation.

2. Who We Are

3. Scope and Application

This Privacy Policy applies to:

• Our website (www.talentsprout.ai)
• Our AI-powered interview platform and services
• Related communications and customer support

4. Information We Collect

4.1 Employer/Customer Data (We are Controller)

When you create an account or use our services as an employer:

• Account Information: Name, email address, password (encrypted), company name, job title
• Company Information: Company description, location, website URL, logo
• Billing Information: Processed securely by Stripe (we do not store full credit card details)
• Usage Data: Interview creation, candidate evaluations, dashboard activity, feature usage
• Communications: Support requests, feedback, email correspondence

4.2 Candidate Data (We are Processor)

When candidates participate in interviews created by employers:

• Contact Information: Name, email address, phone number (if provided)
• Professional Information: Resume/CV, work history, skills, education, portfolio links
• Interview Data: Audio and video recordings, interview responses, transcripts
• AI-Generated Evaluations: Automated scores, assessments, insights, and analysis
• Interviewer Notes: Comments, ratings, feedback, and tags added by hiring team members

4.3 Technical Data (We are Controller)

• Device Information: IP address, browser type, device type, operating system
• Cookies and Tracking: Session cookies, analytics cookies, marketing pixels (with consent)
• Usage Analytics: Page views, clicks, time spent, navigation patterns
• Performance Data: Load times, error logs, system diagnostics

5. Legal Basis for Processing

We process personal data under the following legal bases as required by GDPR and other privacy laws:

For Employer/Customer Data:

• Contract Performance: To provide our interview platform services pursuant to our Terms of Service
• Legitimate Interests: Business analytics, fraud prevention, service improvement, customer support
• Consent: Marketing communications (opt-in only), optional cookies and tracking
• Legal Obligation: Tax compliance, accounting requirements, responding to legal requests

For Candidate Data (on behalf of employers):

• Legitimate Interests: Pre-employment assessment at the employer's direction and pursuant to the employer's legitimate interest in hiring
• Consent: Where provided by the candidate for specific processing activities (e.g., recording interviews)
• Contract Performance: Where interview participation is part of a job application process

6. How We Use Your Information

Employer/Customer Data:

• Provide, maintain, and improve our platform services
• Process payments and manage subscriptions via Stripe
• Send service notifications, updates, and security alerts
• Provide customer support and respond to inquiries
• Analyze usage patterns to improve user experience
• Detect, prevent, and address technical issues and fraud
• Send marketing communications (with explicit consent only)
• Comply with legal obligations and enforce our terms

Candidate Data (on behalf of employers):

• Conduct AI-powered interviews and assessments
• Generate automated evaluation reports and scores
• Store interview recordings, transcripts, and responses
• Provide analytics and insights to employers about candidate performance
• Enable hiring team collaboration and decision-making
• Facilitate communication between employers and candidates

7. AI and Automated Decision-Making

We use AI technology (OpenAI language models) to:

• Generate interview questions tailored to job roles
• Evaluate and score candidate responses based on relevance, clarity, and competency
• Analyze resumes and screen applicants
• Transcribe interview audio/video recordings into text
• Provide insights and recommendations about candidate performance
• Extract key information from candidate materials

Human Oversight and Your Rights:

AI evaluations are tools to assist employers, not replace human judgment. Final hiring decisions are made by humans (the employer). As a candidate, you have the right to:

• Request Human Review: Ask the employer to have a human reviewer assess your interview instead of relying solely on AI scores
• Explanation of AI Logic: Request information about how the AI scoring works and what factors are considered
• Object to Automated Decisions: Contest decisions based solely on automated processing
• Express Your View: Provide additional context or information that the AI may not have considered

The AI system evaluates responses based on factors including: relevance to the question, communication clarity, depth of knowledge, problem-solving approach, and alignment with job requirements. Scores are generated as recommendations and should be reviewed by human hiring managers.

8. Data Sharing and Third-Party Processors

We share personal data with the following categories of third-party service providers (sub-processors) who help us deliver our services. All processors are bound by data processing agreements and must comply with applicable privacy laws:

Marketing & Analytics (With Your Consent):

• Google Analytics (website analytics and usage insights)
• Meta/Facebook Pixel (advertising and retargeting)
• LinkedIn Insight Tag (B2B marketing and attribution)
• X (Twitter) Pixel (social media advertising)
• Reddit Pixel (advertising and audience targeting)

We Do Not Sell Your Data:

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. Data is only shared with service providers as necessary to deliver our services.

9. International Data Transfers

Our services are provided from Canada, and your data may be transferred to and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction.

When transferring personal data internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our processors to ensure GDPR-level protection
• Adequacy Decisions: Where available, we rely on adequacy decisions by the European Commission recognizing certain countries as providing adequate protection
• Encryption and Security: All data transfers use encryption in transit (TLS/SSL) and at rest
• Contractual Protections: Our agreements with sub-processors include data protection obligations and audit rights

10. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law:

You can request earlier deletion of your data at any time using our Data Rights Portal. We will process deletion requests within 30 days, except where we have a legal obligation to retain certain information.

11. Your Rights Under GDPR and Privacy Laws

Under the GDPR, CCPA, and other privacy laws, you have the following rights regarding your personal data:

12. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, analyze site usage, and deliver personalized content. You control your cookie preferences through our consent banner.

Types of Cookies We Use:

Manage your cookie preferences through the banner that appears on your first visit, or adjust settings in your browser. Note that blocking essential cookies may impact site functionality.

13. Data Security

We implement industry-standard technical and organizational security measures to protect your personal data against unauthorized access, accidental loss, destruction, or damage:

Technical Safeguards:

• Encryption: TLS/SSL for data in transit, AES-256 encryption for data at rest
• Access Controls: Multi-factor authentication (MFA), role-based access control, principle of least privilege
• Secure Infrastructure: Cloud hosting with AWS and Vercel, regular security patches and updates
• Password Security: Bcrypt hashing with salt, strong password requirements
• Network Security: Firewalls, DDoS protection, intrusion detection systems
• Monitoring: 24/7 security monitoring, log analysis, anomaly detection

Organizational Safeguards:

• Employee training on data protection and security best practices
• Confidentiality agreements with all staff and contractors
• Regular security audits and vulnerability assessments
• Incident response procedures and breach notification plans
• Data processing agreements with all third-party processors
• Regular backups with encrypted off-site storage

While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We continuously update our security practices to address emerging threats.

14. Data Breach Notification

In the event of a data breach that affects your personal information, we have established procedures to respond promptly and transparently:

Our Response:

• Immediate Investigation: We will promptly investigate the breach, assess its scope, and take steps to contain it
• Authority Notification: We will notify relevant supervisory authorities within 72 hours of becoming aware of the breach (as required by GDPR)
• Individual Notification: If the breach poses a high risk to your rights and freedoms, we will notify you without undue delay
• Remediation: We will take corrective actions to prevent future incidents

What We'll Tell You:

• The nature and extent of the data breach
• The types of personal data affected
• The likely consequences of the breach
• The measures we've taken to address the breach
• Recommended actions you should take to protect yourself
• Contact information for further inquiries

15. Children's Privacy

Our services are intended for business use and are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18.

If you are a parent or guardian and believe we have inadvertently collected information from your child, please contact us immediately at privacy@talentsprout.ai. We will promptly delete such information from our records.

16. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Your California Rights:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, and disclose
• Right to Delete: Request deletion of your personal information (subject to certain exceptions)
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt-out of the "sale" or "sharing" of your personal information (note: we do not sell personal information)
• Right to Limit: Limit the use and disclosure of sensitive personal information
• Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights

To exercise your California privacy rights, use our Data Rights Portal or contact privacy@talentsprout.ai. You may designate an authorized agent to make requests on your behalf.

17. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by:

• Email notification to registered account holders (for material changes)
• Prominent notice on our website homepage
• Update to the "Last Updated" date at the top of this policy

We encourage you to review this Privacy Policy periodically. Your continued use of our services after changes are posted constitutes your acceptance of the updated policy. If you disagree with the changes, please discontinue using our services and contact us to delete your account.

18. Contact Us & Exercise Your Rights

If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how we handle your personal information, please contact us:

We will respond to all privacy inquiries and data rights requests within 30 days. For urgent security matters, please mark your email as "URGENT" in the subject line.