Privacy Policy
Last updated: April 22, 2024
1. Who We Are
ShortlistKit ("Company," "we," "our," or "us") is a web-based platform that parses, scores, and manages résumés to help recruiters and hiring teams shortlist candidates quickly.
2. Scope
This Privacy Policy explains how we collect, use, disclose, and secure:
- "Customer Data" – information you, the subscriber, provide when you create an account (e-mail, name, company, billing details).
- "Candidate Data" – personal information contained in résumés or e-mails you upload or forward into the platform.
- "Usage Data" – log files, device information, cookies, and analytics relating to how you interact with our website and app.
3. What We Collect & Why
Category | Examples | Purpose | Legal Basis (GDPR) |
---|---|---|---|
Account & Auth Data | Name, email, password hash, Google OAuth ID | Create & secure your workspace | Contract (Art. 6(1)(b)) |
Billing Data | Billing address, last-4 of card, Stripe ID | Process payments & send invoices | Contract / Legitimate Interest |
Candidate Data | Contact details, work history, education, skills, certifications contained in résumés or e-mails | Parse, score, rank, and export candidates per your instructions | Processor role – you supply lawful basis |
Usage & Device Data | IP address, browser type, pages visited, résumé counts, error logs | Improve service, prevent abuse, analytics | Legitimate Interest |
Cookies / Local Storage | Session token, feature flags | Keep you logged in, remember settings | Consent (where required) |
4. How We Use Information
- Provide, operate, and maintain the ShortlistKit service
- Authenticate users and secure accounts (SuperTokens)
- Parse and score résumés with AI models you trigger
- Send transactional e-mails (daily digests, usage alerts, security notices)
- Export candidate data to Google Sheets, CSV, or Excel when you request it
- Process subscription payments through Stripe
- Respond to support requests and improve the product
We do not use Candidate Data for advertising or for profiling outside the scope of the service, and we do not sell it to third parties.
5. Our Role Under GDPR
- Data Processor for Candidate Data – you are the Data Controller and must ensure you have lawful grounds (e.g., consent or legitimate interest) to process applicants' personal data.
- Data Controller for Customer and Usage Data – we control and are responsible for that information.
6. When We Share Information
Recipient | Reason | Safeguards |
---|---|---|
Infrastructure Providers (e.g., AWS eu-central-1) | Hosting, databases, file storage | Standard contractual clauses, encryption at rest and in transit |
AI Model/API Vendor (e.g., OpenAI or comparable LLM provider) | Résumé parsing & scoring | Pseudonymised input where feasible; vendor DPA |
Stripe, Inc. | Payment processing | PCI DSS compliant; we never store full card details |
Google APIs | Optional Sheet export | OAuth 2.0; limited-scope access |
Email Service (Postmark / SES) | Transactional e-mails | Vendor DPA |
Legal or law enforcement | Where required by law | We'll notify you unless legally prohibited |
We never allow sub-processors to use the data for their own purposes.
7. International Data Transfers
We store data in the European Union (Frankfurt, Germany). When we transfer data outside the EEA (e.g., to Stripe US), we rely on Standard Contractual Clauses or an equivalent lawful mechanism.
8. Security
- TLS 1.2+ encryption in transit
- AES-256 encryption at rest
- Role-based access controls, least-privilege keys
- Regular penetration tests and automated vulnerability scans
- Continuous backups with 30-day retention
9. Data Retention & Deletion
- Candidate Data – retained until you delete the candidate, job template, or workspace, or for 30 days after your subscription ends (whichever comes first).
- Account Data – retained for the life of your account and up to 6 years for tax/audit obligations.
- You may trigger "Delete All Candidate Data" in Settings → GDPR Delete at any time; we complete the wipe of live data within 24 hours (including copies held by sub-processors).
- Archived database backups are not edited in place; they roll off after 30 days, at which point deleted data is gone from backups as well.
10. Your Rights
Depending on your jurisdiction, you may have rights to: access, correct, delete, restrict processing, port data, object to processing, or lodge a complaint with a supervisory authority.
Email privacy@shortlistkit.com to exercise any of these rights; we respond within 30 days.
11. Cookies & Analytics
We use first-party cookies for authentication and preference storage, and privacy-friendly analytics (Plausible IO, no cross-site tracking). You can disable non-essential cookies via the cookie banner.
12. Children's Privacy
The service is not directed to anyone under 16. We do not knowingly collect personal data from children.
13. Changes to This Policy
We may update this Policy from time to time. We will post the new version on this page and, if the changes are material, notify you by e-mail at least 14 days before they take effect.
14. Contact Us
ShortlistKit
Attn: Privacy Team
Email: privacy@shortlistkit.com