Privacy Policy

The Service is primarily offered to businesses and organizations (“Customers”) that use it to administer assessments, conduct interviews, and manage candidates (“Candidates”).

• When Customers submit, upload, or otherwise make available data about Candidates or other individuals, the Customer is the “controller,” “business,” or equivalent under applicable law, and ClarityHire acts as the Customer’s “processor” or “service provider.” In that case, the Customer is solely responsible for the lawfulness of the collection and use of such data, for establishing a lawful basis, for providing required notices, and for obtaining any necessary consents. Individuals seeking to exercise rights with respect to such data should direct their requests to the Customer; we will assist the Customer in responding as required under our agreement with the Customer and applicable law.
• When we collect information directly from you through our public website, marketing pages, trial sign-up, billing, or support channels, we act as a controller with respect to that information, and this Policy describes our practices.

Nothing in this Policy creates rights in favor of any third party, expands the scope of our obligations under a Customer agreement or data processing agreement, or waives any limitation of liability set out in our Terms of Service.

We may collect the following categories of Personal Information:

• Identifiers & Account Data: name, email address, organization, job title, user role, username, password (hashed), authentication tokens, and IP address.
• Candidate & Assessment Data: resumes, cover letters, application responses, assessment answers (including code, essays, multiple-choice), uploaded files, notes, scorecards, tags, and metadata submitted by or about Candidates.
• Interview Content: audio and video recordings of live interviews, automated transcripts, chat messages, shared documents, and related metadata.
• Integrity Signals (non-biometric): raw webcam snapshots (images for human reviewer inspection), face *presence* indicators (whether a face is in frame and how many — produced by OpenCV face detection, not face recognition), keystroke event streams used to detect paste/burst events, device and browser signals, environmental indicators, and tab/focus events generated during assessments or interviews. We do not extract, derive, store, or match biometric identifiers as defined by the Illinois Biometric Information Privacy Act (BIPA) or analogous laws — no face geometry templates, no face embeddings, no voiceprints, and no behavioral biometric fingerprints.
• Usage & Technical Data: device identifiers, operating system, browser type, referring URLs, pages viewed, actions taken, timestamps, diagnostic logs, and performance telemetry.
• Billing Data: billing address, tax identifiers, and subscription information. Payment card data is processed directly by our payment processor; we do not store full card numbers.
• Communications: support requests, correspondence, survey responses, and feedback.

We do not intentionally solicit sensitive or special-category data (such as race, religion, health, or trade-union membership) and request that you do not submit such data through the Service except where we or the Customer have an appropriate legal basis to process it.

We use Personal Information for the following purposes:

• To provide, operate, secure, and maintain the Service;
• To authenticate users, provision accounts, and manage subscriptions and billing;
• To administer assessments, conduct interviews, generate reports, and perform integrity analysis;
• To monitor, debug, and improve performance, reliability, and security;
• To communicate about the Service, including service announcements and transactional messages;
• To provide customer support and respond to inquiries;
• To develop, train, evaluate, and improve our products, algorithms, and models, including through aggregation, de-identification, and anonymization (we do not use Customer Data or Candidate content to train third-party foundation models without the Customer’s written instruction);
• To comply with law, enforce our agreements, and protect our rights, property, and safety;
• For any other purpose disclosed at the time of collection or for which you consent.

Where the EU/UK General Data Protection Regulation applies, we rely on the following legal bases:

• Performance of a contract to provide the Service to you or our Customer;
• Legitimate interests in operating, securing, and improving the Service, provided they are not overridden by your rights;
• Compliance with legal obligations to which we are subject;
• Consent, where required (for example, for optional communications), which you may withdraw at any time without affecting prior processing;
• Vital interests or public interest, in limited circumstances.

When integrity monitoring is enabled by our Customer, the Service collects and processes the following non-biometric signals during an assessment or interview:

• Webcam snapshots: periodic images (typically every 15–30 seconds) captured from the candidate’s webcam and stored as plain JPEG images for later human review by the Customer’s reviewers. Snapshots are not converted into face geometry templates and are not matched against any stored identifier.
• Face presence indicators: derived from each snapshot using OpenCV face detection: a yes/no indicator that a face is in frame and a count of the faces detected. No biometric identifier is extracted, derived, or stored.
• Keystroke events: the timing of key-down and key-up events and explicit paste events, captured to detect paste / burst anomalies. We do not build a per-candidate typing rhythm fingerprint, do not score “authenticity” of typing against any identity baseline, and do not use typing rhythm to identify or verify the candidate.
• Speech-to-text transcripts: when interview audio is enabled, audio is sent to a speech-to-text provider for transcription. We do not perform speaker identification, voice biometric matching, or voiceprint extraction.
• Tab/focus and edit-pattern events: tab switches, window blur/focus, fullscreen exits, and edit-pattern flags (e.g., large insertions with few keystrokes). These are environmental signals, not biometric identifiers.

No solely automated decisions. Integrity signals are informational tools for human reviewers. They are probabilistic indicators, not statements of fact, and ClarityHire does not produce hiring decisions, adverse actions, or final integrity verdicts. Customers are required by our Terms of Service to apply meaningful human review before any consequential decision based on these signals.

No sale or lease. We do not sell, lease, trade, or otherwise commercially exploit candidate integrity data.

The Service uses automated processing, machine learning, and large language models to, among other things, score assessments, generate summaries, extract structured information from candidate responses, and flag potential integrity anomalies.

• Outputs generated by AI features may contain errors, omissions, biases, or inaccuracies and should not be relied upon as the sole basis for any consequential decision, including any decision regarding employment, promotion, compensation, or discipline.
• ClarityHire enforces a human-in-the-loop posture: AI outputs and integrity signals are surfaced to reviewers; the Service does not produce solely automated employment decisions and does not rank, reject, or shortlist Candidates without human action. As a consequence, GDPR Article 22 is not engaged by ClarityHire’s processing.
• Customers using the Service to support hiring in jurisdictions with automated-employment-decision laws (such as the New York City Automated Employment Decision Tool Law / Local Law 144, the Illinois Artificial Intelligence Video Interview Act, the Colorado AI Act, or the EU AI Act) are still responsible for the disclosures, notices, audits, and alternatives required by those laws with respect to their own hiring decisions and processes; ClarityHire does not act as the regulated decision-maker because it does not make those decisions.

We retain Personal Information only as long as necessary for the purposes for which it was collected, to comply with legal, tax, accounting, and regulatory obligations, to resolve disputes, and to enforce our agreements. Indicative retention periods (which may be shorter or longer based on Customer configuration or applicable law) are:

Following account termination, we may retain aggregated, de-identified, or anonymized data indefinitely for analytics and product improvement purposes, in each case in a manner that cannot reasonably be used to identify any individual.

We share Personal Information only as described below:

• With our Customers and their authorized users, who access Candidate data they collect through the Service.
• With service providers and sub-processors that perform services on our behalf under written confidentiality and data protection obligations, including cloud hosting, database hosting, CDN and media storage, email delivery, payment processing, real-time video infrastructure, speech-to-text, AI model providers, logging, analytics, and customer support. Our full sub-processor register is published at /sub-processors and is updated whenever a sub-processor is added, removed, or materially changed.
• With professional advisors (lawyers, accountants, auditors, insurers) subject to confidentiality.
• In connection with a business transaction such as a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, in which case Personal Information may be transferred to the counterparty, subject to this Policy or a successor policy with equivalent protections.
• For legal reasons, including to comply with laws, respond to lawful requests and legal process, enforce our agreements, and protect the rights, property, or safety of ClarityHire, our users, or the public.
• With your consent or at your direction.

We do not sell Personal Information for monetary consideration, and we do not “share” Personal Information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act, as amended (“CCPA/CPRA”).

RoboMiri is established in the Netherlands and primarily processes Personal Information within the European Economic Area (EEA). Where Personal Information is transferred outside the EEA or the United Kingdom to a country that has not been deemed by the European Commission or the UK Government to provide an adequate level of protection, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses (Module 1 or Module 3, as applicable), the UK International Data Transfer Addendum, or other valid transfer mechanisms, together with supplementary technical and organizational measures where necessary.

Depending on your jurisdiction, you may have the following rights with respect to your Personal Information: to access, correct, delete, restrict, or object to processing; to data portability; to withdraw consent; to opt out of certain disclosures or of processing for automated decision-making with legal or similarly significant effects; to non-discrimination for exercising rights; and to lodge a complaint with a supervisory authority.

If you are a Candidate or other individual whose data was submitted by a Customer, please direct your request in the first instance to the relevant Customer. We will cooperate with the Customer as required under our agreement with them and applicable law. You may also contact us at [email protected]; we will route requests appropriately. We will verify requests as required by law and respond within the timeframes prescribed by applicable law.

California residents: you may designate an authorized agent to submit requests on your behalf. We will require verification. EEA/UK residents: our designated representative (where appointed) and the contact details of your supervisory authority are available upon request.

We maintain technical, administrative, and physical safeguards designed to protect Personal Information, including encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, audit logging, vulnerability management, employee training, and vendor risk management.

We use essential cookies and equivalent technologies that are strictly necessary for authentication, security, and the basic functioning of the Service. We may also use a limited number of first-party analytics identifiers to measure aggregate usage. We do not use advertising cookies and do not participate in cross-site tracking. Where required, we will seek your consent before placing non-essential cookies. You can control cookies through your browser settings; blocking essential cookies may prevent the Service from functioning.

The Service is intended for business use and is not directed to children. We do not knowingly collect Personal Information from individuals under the age of 16 (or the applicable minimum age in your jurisdiction). If we learn that we have collected Personal Information from a child without required parental or guardian consent, we will delete it. Please contact us if you believe a child has provided us with Personal Information.

The Service may contain links to, or integrate with, third-party websites, applications, or services that are not owned or controlled by ClarityHire. This Policy does not apply to such third parties, and we are not responsible for their content, privacy practices, security, or availability. Your interactions with third parties are governed by their own terms and policies, and you are solely responsible for reviewing and accepting them.

California (CCPA/CPRA). In the preceding twelve (12) months we collected the categories of Personal Information described in Section 2, for the purposes described in Section 3, from the sources described in Sections 2 and 8, and disclosed them to the categories of recipients described in Section 8. We do not sell or share Personal Information as those terms are defined under the CCPA/CPRA. California residents have the rights described in Section 10.

Nevada, Virginia, Colorado, Connecticut, Utah, Texas & other U.S. states.Residents may have rights analogous to those in Section 10 under applicable state privacy laws. Requests may be submitted to the contact below.

EEA, UK & Switzerland. You have the rights described in Section 10 under the GDPR and UK GDPR. Our lawful bases are described in Section 4.

We may update this Policy from time to time to reflect changes to our practices, technology, legal requirements, or for other operational reasons. The “Last updated” date above indicates when this Policy was last revised. We will provide notice of material changes as required by applicable law. Your continued use of the Service after an updated Policy becomes effective constitutes your acceptance of the updated Policy.

If you have questions about this Policy or our privacy practices, or wish to exercise any rights, please contact us: