Privacy Policy
Last updated: 2026-05-15
This Privacy Policy explains how Hiribly ("we", "us") collects and processes personal data when you use our website, dashboard, or apply to a job posted by a Hiribly customer.
1. Who is the controller?
- Customer (employer) data — Hiribly is the controller (or "business" under CCPA) of account, billing, and product-usage data of employers using the Service.
- Candidate (applicant) data — the employer that posted the role is the controller. Hiribly acts as a processor (service provider) on the employer's behalf, governed by our Data Processing Addendum.
2. Data we collect
- Account data: name, email, password hash, company name, sender email.
- Job content: role descriptions, requirements, salary ranges, recruiter notes.
- Applicant data: name, email, resume / CV text, optional cover note, AI-generated fit score and screening summary.
- Billing data: handled by Stripe; we receive only customer ID, subscription status, and last-four card details.
- Usage & device data: IP address, browser, pages visited, timestamps, error logs — used for security, debugging, and analytics.
3. Legal bases (GDPR / UK GDPR)
- Contract — to provide the Service to you.
- Legitimate interests — security, fraud prevention, product improvement, direct marketing to existing customers.
- Consent — optional cookies, marketing emails to prospects, and (for candidates) the screening submission consent collected on the apply page.
- Legal obligation — accounting, tax, responding to lawful requests.
Under CCPA / CPRA we do not "sell" personal information and do not "share" it for cross-context behavioural advertising.
4. AI screening & automated decision-making
Hiribly uses third-party large language models to generate screening summaries, fit scores, and interview questions. These outputs are decision-support only — every employer is contractually required to have a qualified human review them before any hiring decision. Candidates have the right to request human review and an explanation, and to contest any output that affects them.
5. Sub-processors
We use the following sub-processors. Current list available on request.
- Supabase / Lovable Cloud — application database and authentication (EU and US regions)
- Cloudflare — application hosting, DDoS protection, content delivery
- Stripe — payment processing
- OpenAI & Google — AI model inference for screening and content generation (zero-retention API tiers where available)
- Resend / similar — transactional and digest email delivery
6. International transfers
Personal data may be transferred to the United States and other countries where our sub-processors operate. Where applicable, transfers from the EEA / UK / Switzerland rely on the EU Standard Contractual Clauses, the UK Addendum, and additional safeguards described in our DPA.
7. Retention
- Account data: for the life of the workspace, then 30 days after a deletion request.
- Candidate applications: retained per the employer's instructions, with a default maximum of 24 months unless the employer or candidate requests earlier deletion.
- Logs: 90 days.
- Billing records: 7 years (legal obligation).
8. Your rights
Depending on your jurisdiction you may have the right to access, correct, delete, port, or restrict processing of your personal data, to object to processing based on legitimate interests, to withdraw consent, and to lodge a complaint with a supervisory authority. To exercise these rights:
- If you are an employer (account holder): use the in-product settings or email privacy@hiribly.com.
- If you are a candidate: contact the employer that posted the role first; they control your data. You may also email us and we will route the request.
We will respond within the timelines required by applicable law (typically 30 days for GDPR, 45 days for CCPA).
9. Security
We use TLS 1.2+ in transit, AES-256 at rest, role-based access controls, audit logging, and least-privilege principles. We will notify affected users and authorities of personal-data breaches within the timelines required by law.
10. Children
The Service is not intended for individuals under 16 and we do not knowingly collect their personal data.
11. Changes
We will post updates here and, for material changes, notify you by email or in-product.
12. Contact
Privacy questions or rights requests: privacy@hiribly.com.
This document is a starting template provided for transparency. It is not legal advice. You should have an attorney qualified in your jurisdiction review and tailor it to your specific operations before relying on it.
