Privacy Policy
Last updated: May 11, 2025
See also our Terms of Service and Data Processing Agreement.
1. Controller
HireNote is operated by Tomáš Stuchlý, IČO 06030033, with registered address in the Czech Republic (“HireNote”, “we”, “us”, “our”). Contact: info@hirenote.app
As a data controller, HireNote is responsible for the processing of personal data described in this Privacy Policy.
2. Who This Policy Covers
This policy applies to:
- Recruiters and HR professionals who register and use HireNote (“Users”).
- Job candidates whose personal data is processed during interviews conducted through HireNote (“Candidates”).
HireNote’s services are intended for business professionals only. We do not knowingly collect personal data from individuals under the age of 18.
3. Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, optional phone number | Provided by User |
| Profile data | Bot name, preferred language, calendar settings, scorecard email | Provided by User |
| Interview data | Candidate names, temporary audio recordings, transcripts, AI-generated scorecards | Generated through use of Service |
| Calendar data | Google Calendar events, meeting URLs, event titles | Google Calendar integration |
| Payment data | Subscription status, billing period (payment details processed directly by Stripe — we do not store card data) | Stripe |
| Usage data | Login times, feature usage, session data | Automatically collected |
4. Legal Basis for Processing (GDPR)
All processing of personal data by HireNote is based on one of the following lawful bases under Article 6 of the GDPR:
| Processing Activity | Lawful Basis | GDPR Article | Notes |
|---|---|---|---|
| Account registration and management | Contract performance | Art. 6(1)(b) | Necessary to provide the Service |
| Providing transcription and scorecard generation | Contract performance | Art. 6(1)(b) | Core function of the Service |
| Sending scorecards by email | Contract performance | Art. 6(1)(b) | Agreed feature of the Service |
| Google Calendar integration | Contract performance | Art. 6(1)(b) | Required for bot scheduling |
| Customer support | Legitimate interests | Art. 6(1)(f) | Our interest in resolving user issues. Processing is based on legitimate interests pursued by HireNote. |
| Service improvement and analytics | Legitimate interests | Art. 6(1)(f) | Our interest in improving reliability and performance. Processing is based on legitimate interests pursued by HireNote. |
| Compliance with legal obligations | Legal obligation | Art. 6(1)(c) | Tax records, regulatory requirements |
| Payment processing | Contract performance | Art. 6(1)(b) | Subscription billing via Stripe |
5. Automated Processing and AI-Generated Content
HireNote uses AI to generate transcripts and scorecards from interview recordings. This processing is automated.
However, HireNote does not make automated decisions with legal or similarly significant effects about candidates. Scorecards are delivered to the recruiter as a tool to assist — not replace — human judgment. All hiring decisions are made by the recruiter.
In accordance with Article 22 GDPR, candidates are not subject to decisions based solely on automated processing that produce legal effects or similarly significant impacts. Recruiters are responsible for reviewing all AI-generated content before acting on it.
6. Third-Party Processors
We engage the following sub-processors to provide the Service. All sub-processors are bound by data processing agreements and are required to protect personal data to at least the standard required by GDPR.
| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase | Database and authentication | EU (Ireland) | EU-based, no transfer |
| Vercel | Hosting and infrastructure | EU (Frankfurt) | EU-based, no transfer required |
| Recall.ai | Meeting bot and recording | EU-based | EU-based, no transfer |
| OpenAI | AI transcription and scorecard generation | US | Standard Contractual Clauses |
| Resend | Email delivery | US | Standard Contractual Clauses |
| Workflow automation provider | Workflow automation | EU | EU-based, no transfer required |
| Stripe | Payment processing | US | Standard Contractual Clauses |
| Calendar integration | US | Standard Contractual Clauses |
7. International Data Transfers
Where personal data is transferred to countries outside the European Economic Area (EEA) that are not subject to an adequacy decision, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914, Module Two: Controller-to-Processor) as the appropriate transfer safeguard under Article 46 GDPR.
This applies to transfers to the following sub-processors: OpenAI, Resend, Stripe, Vercel (US infrastructure), and Google.
A copy of the applicable Standard Contractual Clauses is available upon request by contacting info@hirenote.app.
8. AI Processors and Model Training
Personal data sent to our AI service providers via API is not used by those providers to train their models, in accordance with our data processing agreements with each provider. Interview content, transcripts, and candidate data are processed solely to generate outputs for the requesting User and are not retained by AI providers beyond the API request lifecycle.
9. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion |
| Profile and settings data | Until account deletion |
| Transcripts and scorecards | Until deleted by User or account deletion |
| Audio recordings | Deleted immediately after transcription is complete |
| Recall.ai meeting recordings | Auto-deleted within 7 days of recording |
| Payment records | As required by applicable law (typically 7 years) |
| Usage and log data | Up to 12 months |
After account deletion, residual copies in encrypted backups are deleted within 30 days.
10. Candidate Data and Recruiter Responsibilities
Job candidates whose interviews are recorded through HireNote are data subjects under GDPR. In this context:
- The recruiter (User) is the data controller for candidate personal data.
- HireNote is the data processor, processing candidate data solely on the recruiter’s instructions.
Recruiters are solely responsible for:
- Informing candidates that the interview will be recorded and processed by AI.
- Obtaining all necessary consents or establishing an appropriate legal basis for recording under applicable law.
- Complying with applicable data protection and employment laws in their jurisdiction.
HireNote does not verify whether recruiters have obtained the required consents. By activating the recording feature for any interview, you make a legally binding representation to HireNote that you have, prior to that specific recording, informed all participants and obtained all consents required by applicable law. HireNote’s liability is expressly excluded for any claims arising from your failure to comply with applicable recording consent or data protection laws. Recruiters’ indemnification obligations in respect of candidate data are set out in the Terms of Service.
11. Your Rights (GDPR)
As a data subject, you have the following rights under GDPR, which you may exercise at any time by contacting info@hirenote.app:
| Right | What it means |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data |
| Erasure (Art. 17) | Request deletion of your personal data |
| Restriction (Art. 18) | Request that we limit how we use your data |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interests |
We will respond to all requests within 30 days. In complex cases, we may extend this by a further 60 days and will notify you accordingly.
12. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include:
- TLS encryption for all data in transit.
- Encryption at rest for stored data.
- Access controls restricted to authorised personnel only.
- Regular review of security practices.
13. Cookies
HireNote uses cookies and similar technologies in the following categories:
- Necessary: authentication and session management (Supabase). These cookies are always active and are required for the Service to function.
- Analytics: traffic analysis tools such as Google Analytics. Active only with your consent.
- Marketing: advertising platforms including Google Ads, Meta, TikTok, and LinkedIn. Active only with your consent.
- Functional: user preferences and settings. Active only with your consent.
When you first visit HireNote, a cookie consent banner allows you to accept all cookies, reject non-essential cookies, or customize your preferences by category. Non-essential cookies are not set until you grant consent.
You can change your cookie preferences at any time by clearing your browser cookies or contacting info@hirenote.app.
14. Changes to This Policy
We will notify registered Users by email at least 14 days before any material changes to this Privacy Policy take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
15. Contact and Complaints
For any privacy-related questions or to exercise your rights:
Email: info@hirenote.app
You have the right to lodge a complaint with the Czech Data Protection Authority:
Úřad pro ochranu osobních údajů (ÚOOÚ)
Website: uoou.cz
Address: Pplk. Sochora 27, 170 00 Praha 7
If you are located in another EU member state, you may also contact your local supervisory authority.