Privacy policy

Last updated April 20, 2026.

Our two roles

We act as a data processor for candidate data on behalf of the hiring company. We act as a data controller for the hiring company's own account data.

What we collect

  • Candidate name, email, phone, location, resume.
  • LinkedIn profile data, if the candidate authorizes the OAuth import.
  • Public GitHub metadata, if the candidate supplies a URL.
  • Application responses and AI-generated evaluations.
  • Hashed IP and user agent for rate limiting and fraud detection.

Where data lives

Primary database: AWS RDS Postgres in us-east-1, encrypted at rest. Files: AWS S3 in us-east-1, encrypted with customer-managed KMS keys. Each hiring company's data is logically isolated via Row Level Security. Data is not shared between hiring companies.

Your rights

Subject to your local law (GDPR, CCPA, or other), you have rights to access, rectify, delete, restrict, and port your data. Candidates should direct requests to the hiring company first. If the hiring company cannot be reached, email privacy@vettai.example.

Retention

Default retention is 24 months after a role closes. Employers can shorten this in Settings. Candidate deletion requests cascade through all of our tables.

Subprocessors

AWS (hosting, storage, KMS), Vercel (app hosting), Clerk (auth), Anthropic (AI), Resend (email), Upstash (rate limiting), Sentry (error tracking). Each has a signed DPA.

Contact

privacy@vettai.example