Last updated: 27 April 2026 — Version 1.6 (V2.4c bidirectional Kombo sync + GDPR Art. 5.1.c minimisation clarifications)
This Privacy Policy describes how CareerToolbox.AI (hereinafter "we", "our" or "the Service") collects, uses and protects your personal data in accordance with the General Data Protection Regulation (GDPR) and Belgian law.
We are committed to protecting your privacy and to processing your data in a transparent, lawful and secure manner.
Identity: Sivel Labs SRL
Address: La Hulpe, Belgium
BCE No.: BE 1037.283.356
Email: privacy@careertoolbox.ai
DPO: dpo@careertoolbox.ai
| Data | Purpose | Legal basis |
|---|---|---|
| First name / Last name | Identification, personalisation | Contract |
| Authentication, communications | Contract | |
| Password (hashed) | Account security | Contract |
| Data | Purpose | Legal basis |
|---|---|---|
| Uploaded CVs | AI-powered CV optimisation | Contract |
| Uploaded documents (images) | Text extraction (OCR) for AI optimisation | Contract |
| Career history | Career coaching | Contract |
| Job applications | Job-search tracking | Contract |
| Data | Purpose | Legal basis |
|---|---|---|
| Audio files | Transcription | Contract |
| Uploaded documents (images) | Text extraction (OCR) for HR feedback | Contract |
| Job descriptions | Candidate matching | Contract |
| Interview notes | HR feedback | Contract |
| Data | Purpose | Legal basis |
|---|---|---|
| IP address | Security, logs | Legitimate interest |
| User-agent | Compatibility, debugging | Legitimate interest |
| Session cookies | Authentication | Contract |
| Data | Purpose | Legal basis |
|---|---|---|
| Webcam video stream (real time) | Body-language analysis (eye contact, posture) | Consent (Art. 6.1.a) |
| Single image capture (JPEG) | Interview environment assessment | Consent (Art. 6.1.a) |
Important:
Payment data (bank card) is processed directly by Stripe and is not stored on our servers.
When a recruiter sends you an invitation to a pre-screening interview:
Data collected: Your voice (real-time audio), the interview transcript, your CV (if available on the platform), and voice analytics (speaking duration, word count).
Processing: An assessment report is generated automatically by artificial intelligence (GPT-5.2). This report includes scores (0-100) on 6 dimensions, a recommendation, and quotes from the interview. This report is sent to the recruiter.
Processors: Your audio data is processed in real time by Google (Gemini Live service, United States). The report is generated by OpenAI (GPT-5.2, United States). These transfers are governed by Standard Contractual Clauses.
Your rights: You can access your assessment report and request rectification or deletion of your data. You have the right to contest a decision based on this report (Art. 22 GDPR).
Retention: Interview data is retained for 6 months after completion. The report is retained for 12 months.
Consent: Before starting the interview, you must accept the conditions for processing your data. You may refuse without consequence.
When a recruiter records an intake meeting (needs gathering with a hiring manager):
Data collected: Audio recording of the meeting (via browser tab capture, file upload, or microphone dictation), the full transcript with speaker identification, and job fields extracted automatically by AI.
Processing: The audio is transcribed by OpenAI (model gpt-4o-transcribe-diarize) with diarisation. Job fields (title, skills, salary, etc.) are extracted by GPT-5.2. The recruiter reviews and adjusts the data before creating the job description.
Processors: OpenAI (United States) for audio transcription and field extraction. These transfers are governed by the existing Standard Contractual Clauses.
Retention: Audio recordings are retained for 90 days or until deleted by the recruiter. Transcripts and extracted data are retained for the duration of the account.
Legal basis: Legitimate interest (Art. 6.1.f) — optimisation of the recruitment process. The recruiter is responsible for informing meeting participants that the meeting is being recorded.
When a recruiter uses email sequences to contact candidates automatically:
Data collected: Candidate's email address and name, current step in the sequence, tracking data (email opens via tracking pixel, link clicks, replies received).
Processing: Emails are sent automatically according to a schedule defined by the recruiter. A transparent tracking pixel (1x1 pixel) is embedded to detect opens. Links are wrapped for click tracking. IP addresses are not stored; only a hash is retained in the events.
Unsubscribe: Every email contains a mandatory unsubscribe link (GDPR). Unsubscribing immediately stops the sequence for that candidate.
Retention: Sequence data (enrolments, events) is retained for the duration of the account. Aggregated statistics are anonymised.
Legal basis: Legitimate interest (Art. 6.1.f) — recruitment outreach, with right to object via unsubscribe.
When a recruiter uses the interview scheduling system:
Data collected: Candidate's name and email address, date and time of the interview, type of interview, video conference link, recruiter's notes, candidate's time zone.
Self-scheduling: When a self-scheduling link is sent, the candidate accesses a public page displaying available slots. Only the name and email are required for booking.
Calendar synchronisation: Interview data may be exported in ICS format or via Google Calendar/Outlook links. No bidirectional synchronisation is performed.
Reminders: Automatic reminders are sent 24 hours before the interview to both parties.
Retention: Interview data is retained for 1 year after the interview date, then anonymised.
Legal basis: Legitimate interest (Art. 6.1.f) — organising the recruitment process. Implicit consent of the candidate when booking a slot via the self-scheduling link.
We record the origin of each application in the recruitment pipeline (e.g. LinkedIn, careers page, referral, job board). This data allows recruiters to analyse the performance of their sourcing channels and optimise their recruitment budget.
Data collected: Origin channel, source detail (job board name, referrer name), cost associated with the channel.
Retention: Duration of the recruiter's account.
Legal basis: Legitimate interest (Art. 6.1.f) — optimisation of the recruitment process.
When a recruiter closes a placement (successful hire), we record the data necessary for invoicing and contract follow-up: fee amount, currency, calculation method, signing fees, guarantee fees, payment terms.
Data collected: Identity of the placed candidate, identity of the employer, job title, start date, fee amount excl. VAT, currency, calculation basis (% of annual salary or fixed amount), guarantee terms, collection status.
Retention: 10 years (Belgian accounting obligation — Code of Economic Law Art. III.86) then anonymised archiving for traffic analysis.
Legal basis: Performance of contract (Art. 6.1.b) + legal accounting obligation (Art. 6.1.c).
For placement agreements (tripartite contracts between recruiter / employer / candidate), CareerToolbox offers electronic signature via a third-party provider configured by the agency: Yousign, DocuSign or DocuSeal. CareerToolbox is not the publisher of these services — the recruitment agency contracts directly with the provider (the "BYOK" model, Bring Your Own Key) and supplies its own API key. Signed documents transit directly between CareerToolbox and the provider chosen by the agency, with no intermediary.
Data collected: Document to be signed (DOCX converted to PDF), identity of signatories (first name, last name, email), signing status, URL of the signed document, envelope identifier on the provider side.
Stored API key: Encrypted at rest using Fernet (cryptography lib) with a server-specific derived key. Full audit trail (creation / rotation / revocation) in org_credential_audit_log.
Third-party processors (chosen by the agency): Yousign SAS (FR), DocuSign Inc. (US — SCCs + DPF), DocuSeal Ltd. (UK — self-hosting available).
Retention: As long as the agreement remains active + retention period required by the provider (typically 10 years for Yousign / DocuSign for eIDAS compliance).
Legal basis: Performance of contract (Art. 6.1.b) — electronic signature compliant with EU eIDAS Regulation 910/2014.
By recruiter invitation, an employer contact can access a read-only portal to view their ongoing placements and invoices, without creating a CareerToolbox account. Access is managed via a unique magic link (256-bit token) sent by email.
Data collected: Email address of the invitation recipient, name (optional), access token, access timestamps (last_accessed_at, access_count) for audit purposes.
Data displayed to the recipient: List of ongoing placements and invoices for their employer organisation only — no access to the placements of other agency clients or to internal data (recruiter notes, margins).
Retention: Token active until expiry (90 days by default) or manual revocation. Audit trail retained for 10 years.
Legal basis: Legitimate interest (Art. 6.1.f) — transparency of the recruitment process toward the end client.
30, 60 and 90 days after a placed candidate's start date, CareerToolbox automatically sends both the candidate AND the line manager a feedback form accessible via a unique magic link (256-bit token, hashed server-side at rest using SHA-256). No CareerToolbox account creation is required — the token IS the authentication boundary ("magic link" model), valid for a single submission, automatically expiring and traceable per-IP + per-User-Agent for audit. The form is optional — the recipient can ignore the email without consequence.
Data collected: Ratings (0-10 scale), free-text comments, "is the candidate still in post?" status, recommendation. The submitter's IP address and User-Agent are recorded in the audit log for compliance (proof of identity for the response).
Retention: All feedback-related data (qualitative responses + IP + User-Agent + submission timestamp) is purged 18 months after submission (or 18 months after token expiry for unanswered requests) by the daily cron POST /api/cron/feedback-purge — constant _RETENTION_DAYS = 540 in api/routes/placement_feedback.py. This duration applies the storage limitation principle (Art. 5(1)(e) GDPR): short enough to avoid indefinite accumulation, long enough to enable retroactive analysis of placement incidents (guarantee disputes, candidate challenges) which generally arise within 12 months of the start date. After purge, individual data is permanently and irreversibly deleted — the recruiter dashboard computes its indicators (NPS, 90-day retention rate, etc.) only on feedback still present within the 18-month retention window.
Phishing resilience: If the token is leaked (e.g. forwarded email), CareerToolbox applies two complementary protections: (a) feedback submission is single-shot — the token is automatically invalidated after the first valid submission (completed_at lock in the database), no overwriting of the legitimate response is possible; (b) a rate limit of 10 submissions per hour per token, plus 30 reads per hour per IP, mechanically limits abuse attempts in the event of a leak. The legitimate recipient may nevertheless contact privacy@careertoolbox.ai to request a new token in the event of a confirmed incident.
Legal basis: Legitimate interest (Art. 6.1.f) — improving placement quality, measuring retention. Explicit right to object via unsubscribe link in every email.
If the agency connects its applicant tracking system (ATS — Greenhouse, Lever, Workable, etc.) via Kombo, CareerToolbox synchronises candidates and job openings daily between the two systems to avoid double data entry. As with electronic signing, the agency holds the Kombo API key (BYOK model) — CareerToolbox does not store any candidate data inside Kombo, but can read the agency's ATS data.
Synchronised data (strict allowlist — minimisation Art. 5.1.c): For candidates: identity (name, email), pipeline status, job title, ATS-side update date. For job openings (V2.4c, since 2026-04-27): title, job description (max. 5,000 characters), status (open/closed), location. No compensation information, no internal notes, no sensitive data (GDPR Art. 9). Any other Kombo field is ignored by CareerToolbox.
Synchronisation direction (V2.4c bidirectional): (1) The daily cron POST /api/cron/kombo-sync triggers a pull Kombo → CareerToolbox for the candidates and job openings of every client organisation with active credentials. (2) The webhook POST /api/webhooks/kombo receives in real time the events candidate.created/updated and (V2.4c) job.created/updated and applies the configured conflict policy. No CareerToolbox data is automatically pushed to Kombo — the synchronisation direction is read-only from Kombo.
Conflict policy: Default manual_review — any discrepancy between the ATS and CareerToolbox is queued (kombo_sync_conflicts) for admin decision via the daily email digest (template kombo_conflicts_digest). Alternative policies: kombo_wins (UPDATE applied automatically on the CareerToolbox side — traceable via kombo_audit_log) or ct_wins (Kombo modification ignored). For new job openings (never seen on the CareerToolbox side), the rule is always kombo_wins (automatic creation — no overwrite risk).
Traceability: Every automatic update applies the suffix "system_kombo" in creator_id + an entry in kombo_audit_log with UTC timestamp, record identifier and a summary of changed fields. Manually resolved conflicts retain the identifier of the admin who decided.
Processor: Kombo SAS (FR) — https://kombo.dev/privacy.
Legal basis: Legitimate interest (Art. 6.1.f) — data consistency between recruitment tools used by the same team. Balancing test documented in the records of processing activities (Art. 30) — available to the supervisory authority.
For temporary or contracting placements, the recruiter records the candidate's hours, client billing rate and internal cost rate weekly. This data feeds weekly / monthly invoicing.
Data collected: Week start date, hours worked, hourly rate (charge / cost), calculated margin, status (draft / submitted / approved / invoiced / paid), reason for rejection where applicable.
Audit: Each state transition (submission, approval, rejection) writes an audit entry with timestamp, actor identity, IP address and User-Agent — compliance with Belgian temporary employment law (Belgian Act of 24 July 1987 on temporary employment).
Retention: 10 years (accounting obligation + employment law).
Legal basis: Performance of contract (Art. 6.1.b) + legal obligation (Art. 6.1.c).
When a temporary placement is converted to a permanent contract, CareerToolbox calculates an additional fee using a method negotiated with the client (five methods: prorated_months, hours_credit, margin_offset, flat_fee, free) and issues a placement_conversion invoice. A guarantee period restarts according to the configured basis (from the conversion date / from the original temp start / no guarantee).
Data collected: Conversion method, top-up rate, calculated amount, guarantee basis, identifier of the approving manager (if the dual-validation threshold is exceeded), transition history.
Retention: 10 years (accounting obligation).
Legal basis: Performance of contract (Art. 6.1.b) + legal obligation (Art. 6.1.c).
CareerToolbox enables two recruitment agencies to cooperate on the same placement via a fee split agreement. One agency (the Lead Agency) holds the contract with the end employer, the other (the Source Agency) provides the candidate. Fees are shared according to a negotiated percentage.
GDPR qualification — EDPB Article 26: Both agencies are qualified as joint controllers (Article 26 GDPR). There is no controller / processor relationship under Article 28 between the agencies. CareerToolbox.AI remains an Article 28 processor for each agency.
Transmission of candidate data — named consent: When the Source Agency transmits a candidate's data to the Lead Agency, the candidate must give explicit, named consent (Article 6(1)(a) GDPR). The notice mentions the name of the recipient Lead Agency and the specific position. Standard wording: "Your data will be transmitted to Lead Agency XYZ for the position ABC". The candidate may withdraw consent at any time via the dedicated portal.
Data collected: Partner agency identifier, VAT number, IBAN, primary contact, jurisdiction, share percentages, billing mode (strict NPA / flexible co-billing), guarantee mode, NDA cascade visibility mode, documented Article 26 arrangement between the two agencies.
Cross-tenant Cooperation Token: If both agencies are CareerToolbox customers, a UUID v4 Cooperation Token (30-day validity, single use) allows the second agency to mirror the agreement in its tenant. Strict anti-forge + anti-self-accept + anti-replay.
Intra-EU VAT invoicing: For inter-agency intra-EU invoices, the mandatory mention "Reverse charge VAT — Article 196 Directive 2006/112/EC" is added automatically (4 languages). Invoices are issued excluding VAT — the recipient (Lead Agency) reverse-charges the VAT in its own return.
Retention: 10 years (accounting obligation + employment law). Withdrawal of candidate consent cascades to delete consent_records.consent_type='fee_split_transmission' records.
Legal basis: Performance of contract (Art. 6.1.b) between the agencies + explicit named consent (Art. 6.1.a) for candidate data transmission. Dedicated Phase 14 DPIA validated by the internal DPO.
We process your data to:
| Legal basis | Application |
|---|---|
| Performance of contract (Art. 6.1.b) | Service provision, account management |
| Legitimate interest (Art. 6.1.f) | Security, Service improvement, analytics |
| Consent (Art. 6.1.a) | Marketing, non-essential cookies |
| Legal obligation (Art. 6.1.c) | Invoice retention, requests from authorities |
| Processor | Location | Purpose | Safeguards |
|---|---|---|---|
| OpenAI | United States | AI processing (CV, transcription, feedback, document OCR, AI Screening report) | Standard Contractual Clauses (SCCs) |
| Anthropic (Claude) | United States | Conversational AI coaching | Standard Contractual Clauses (SCCs) |
| Google (Gemini Live) | United States | AI Screening Interview (real-time audio) | SCCs, Google Cloud DPA |
| Stripe | United States | Payments | PCI-DSS certified, SCCs |
| Brevo (Sendinblue) | France | Transactional emails (legacy / SMTP fallback) | GDPR compliant |
| ActiveCampaign Postmark | United States | Transactional emails (Phase 12.2 main route) + DKIM Sender Signature | SCCs (transfer outside the EU), Postmark DPA, body retention max 45 days |
| OVH | France | Server hosting | GDPR compliant |
| Cloudflare | United States | CDN, security (Turnstile) | SCCs |
| Adzuna | United Kingdom | Aggregated salary data (benchmarks) | UK adequacy |
| Yousign | France | Electronic signing of placement agreements (BYOK — agency's key) | Native GDPR, eIDAS-compliant |
| DocuSign | United States | Electronic signing of placement agreements (BYOK — alternative) | SCCs + DPF, eIDAS-compliant |
| DocuSeal | United Kingdom / self-hosted | Open-source electronic signing (BYOK — alternative) | UK adequacy / self-hosted instance |
| Kombo | France | ATS synchronisation (Greenhouse, Lever, Workable, etc.) — BYOK — agency's key | Native GDPR |
| European Central Bank (ECB) | European Union | Exchange rates for multi-currency invoicing (public data) | Public source, no PII transmitted |
Internal self-hosted tools: CareerToolbox.AI may process usage, diagnostic or log data in internal tools operated by us on our OVH infrastructure. These tools are not third-party recipients: no data is sent to the software publishers when the instance is self-hosted. The relevant external processor for this hosting remains OVH, already listed above.
Note on the BYOK (Bring Your Own Key) model: for Yousign / DocuSign / DocuSeal / Kombo, the client agency contracts directly with the provider and supplies its API key to CareerToolbox. CareerToolbox stores this key encrypted at rest (Fernet) and uses it solely to transmit documents / synchronise data on behalf of the agency. CareerToolbox does not bill these providers and does not act as a commercial intermediary — the contractual relationship remains between the agency and the provider.
| Model | Publisher | Purpose |
|---|---|---|
| gpt-4o-transcribe-diarize | OpenAI (API) | Audio → text transcription + speaker detection (diarisation) |
Transcription and diarisation are performed via the OpenAI cloud API (model gpt-4o-transcribe-diarize). Audio data transits OpenAI's servers in the United States, under the existing DPA (Data Processing Agreement) with OpenAI. OpenAI does not retain audio data and does not use it to train its models (API usage policy).
| Model | Publisher | Licence | Purpose |
|---|---|---|---|
| MediaPipe Face Mesh | Apache 2.0 | Eye contact detection | |
| MediaPipe Pose | Apache 2.0 | Posture analysis |
These models run entirely on the user's device (browser). No video data is transmitted to our servers or to Google. Activation is optional (explicit opt-in).
Some processors are located in the United States. These transfers are governed by:
When a user uploads a document as an image (JPEG, PNG, WebP), the image is sent to the OpenAI Vision API for text extraction (OCR). This processing is identical to sending text extracted from PDF/DOCX files — the document content transits OpenAI under the existing DPA (Data Processing Agreement). The image is processed and not retained by OpenAI.
Texts (CVs, transcripts, job descriptions): Text extracted from your documents (PDF, DOCX) is processed before being sent to OpenAI — email addresses, phone numbers, LinkedIn and GitHub profile URLs, IBAN numbers, social security numbers and national ID numbers are automatically masked, then restored in the final result.
Documents uploaded as images (JPEG, PNG, WebP): When a document is uploaded as an image, the image is transmitted in full to the OpenAI Vision API for text extraction (OCR). The image is not anonymised before being sent — personal data visible on the document (name, contact details, photo, etc.) is transmitted as is. This transmission is necessary because text extraction can only be performed from the original image.
All these transmissions are governed by the DPA (Data Processing Agreement) signed with OpenAI. In accordance with OpenAI's API usage policy, data transmitted via the API is not retained by OpenAI and is not used to train its models.
| Data type | Duration |
|---|---|
| Account data | Subscription + 3 years |
| CVs and documents | Subscription + 30 days |
| Audio files | 90 days after transcription |
| Video capture (environment) | Immediately deleted after analysis (not stored) |
| Webcam video stream | Not transmitted to the server — local processing only |
| AI Screening transcript | 6 months after completion |
| AI Screening report (scores) | 12 months after completion |
| Connection logs | 18 months |
| Invoices | 10 years (legal obligation) |
| Audit logs (employer-clients) | 10 years by default, configurable 3/5/10 years per organisation (Art. 5(1)(e) justification: accounting obligations + legal defence) |
| Placements (invoicing data) | 10 years — Belgian accounting obligation Art. III.86 |
| Signed placement agreements | As long as active + eIDAS provider duration (typically 10 years) |
| Client portal tokens | 90 days by default (configurable 1-365), audit trail 10 years |
| Placement feedback (30/60/90 days) | 18 months after submission (responses + IP/UA audit), then automatic daily purge — Art. 5(1)(e) GDPR |
| Timesheets | 10 years — accounting obligation + Belgian employment law |
| Kombo sync (pending conflicts) | Resolved: 12 months — pending: permanent until admin decision |
| BYOK credentials audit (e-sig + Kombo) | 10 years — SOC 2 compliance + key rotation traceability |
| Deleted data | Erasure within 30 days |
At the end of these periods, data is deleted or anonymised irreversibly.
Integrity hash of deleted PII: to prove that an erasure request (Art. 17) has been executed, we retain a cryptographic hash (SHA-256) of the deleted data in our audit logs. The hash does not allow the original data to be reconstructed — it serves only as proof of integrity in case of a subsequent audit.
Our platform uses artificial intelligence models (OpenAI, Anthropic) to assist recruiters in certain decisions:
In accordance with EU Regulation 2024/1689 on AI (effective 2026), we inform you that:
Purpose: to allow agencies subscribed to the Enterprise Premium plan to pre-fill employer-client contact records (HR managers, hiring managers) from a public professional database.
Processor: Apollo.io, Inc. (United States) — provider of automated AI-driven enrichment services (identity-match search, aggregation of public professional data). In accordance with EU AI Act 2024/1689 Article 13 (transparency), we inform you that this operation constitutes AI-assisted processing; see /legal/subprocessors.html for the DPA and Standard Contractual Clauses (SCCs) governing the transfer outside the EU.
Enriched data (from the contact's name + company):
Data explicitly EXCLUDED (data minimisation Art. 5.1.c): no government identifier, no biometric data, no inferable health data, no private non-professional data.
Legal basis: legitimate interest (Art. 6.1.f GDPR) for regulated B2B outreach (professional recruitment). The contact has a right to object (Art. 21 GDPR) exercisable at any time via dpo@careertoolbox.ai — withdrawal triggers immediate anonymisation of the record.
Information to the contact (Art. 14 GDPR): on the first transactional email sent to the contact (job assignment notification, interview request, etc.), a link to this policy is included, mentioning the source of the data (Apollo.io) and the right to object.
Reserved for Enterprise Premium subscribers: the feature is not enabled on other plans (Freelance, Business). No credit charge is applied — usage is included in the subscription, within the Apollo quotas (free tier 1,000 requests/month, admin monitor at 80% / 90%).
Impact assessment (DPIA, Art. 35 GDPR): a dedicated impact assessment is documented in /docs/audits/2026-04-26-ws024-dpia-apollo.md — available on request from the DPO.
Retention: Apollo data is stored in the enrichment_data_json field of the contact record. Upon an erasure request (Art. 17), this field is cleared together with the other PII (GDPR cascade on employer_client_contacts).
Online: From your account, "My data" section
By email: privacy@careertoolbox.ai
By post: Sivel Labs SRL, Avenue du Bois d'Hennessy 30, 1310 La Hulpe, Belgium
Response time: 30 days. For complex requests, this period may be extended by 60 days.
You have the right to lodge a complaint with the Belgian Data Protection Authority (APD):
These cookies are necessary for the operation of the Service (GDPR legal basis: contract performance — Art. 6.1.b):
ct_session: Authentication (legacy cookie; expiry: 7 days)ct_access_token: OAuth 2.1 authentication (HttpOnly, SameSite=Lax; expiry: 7 days during transition)ct_refresh_token: Authentication token rotation (HttpOnly, SameSite=Strict, scope: /api/auth/; expiry: 30 days)csrf_token: CSRF protection (expiry: 24 hours)To improve account security, CareerToolbox.AI uses the OAuth 2.1 protocol with automatic access token rotation. Concretely:
No analytics cookies are currently used.
You can manage your cookie preferences from your browser settings. Note: deleting essential cookies signs you out immediately.
In the event of a data breach likely to result in a high risk, we will inform you within 72 hours in accordance with Article 34 GDPR.
The Service is not intended for persons under 16 years of age. We do not knowingly collect data from minors.
We may modify this policy at any time. Material changes will be notified by email or via the interface. The date of the last update is shown at the top of this document.
Data Protection Officer
Email: dpo@careertoolbox.ai
Address: Sivel Labs SRL, Avenue du Bois d'Hennessy 30, 1310 La Hulpe, Belgium
| Processing | Purpose | Legal basis | Duration | Recipients |
|---|---|---|---|---|
| Account management | Service | Contract | Subscription + 3 years | Internal |
| CV optimisation | Service | Contract | Subscription | OpenAI |
| Transcription | Service | Contract | 90 days | OpenAI |
| Payments | Invoicing | Contract | 10 years | Stripe |
| Emails | Communication | Contract | Subscription | Brevo |
| Security logs | Security | Legitimate interest | 1 year | Internal |
| Body-language analysis | Interview feedback | Consent | Not stored (real time) | MediaPipe (local), OpenAI (1 image) |
| Document OCR | Text extraction | Contract | Subscription duration | OpenAI |
| AI Screening | Candidate pre-screening | Consent | 6-12 months | Google, OpenAI |
| AI coaching | Candidate support | Contract | Subscription duration | Anthropic (Claude) |
Document version 1.6 — 27 April 2026