Privacy Policy
Last Updated: January 8, 2026
TL;DR: We store minimal data (company info + hashed hiring records), use industry-standard encryption, comply with GDPR/CCPA, and NEVER sell your data.
1. Introduction
Institutional Memory API ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
2. Information We Collect
2.1 Account Information
| Data Type | What We Collect | Why We Need It |
| --- | --- | --- |
| Company Details | Company name, billing email | Account management, billing |
| API Credentials | API keys (hashed in database) | Authentication and access control |
| Billing Information | Credit card details (via Stripe) | Payment processing (we don't store cards) |
2.2 Hiring Decision Metadata
What We Store:
- Candidate Identifiers (HASHED): We use SHA-256 to hash candidate IDs/emails. We NEVER store raw PII.
- Decision Data: Hiring decision type (hired/rejected), timestamps, human review flags
- AI System Records: Names of AI tools used, vendor information, bias audit dates
- Disclosure Logs: Timestamps and delivery methods of candidate disclosures
What We DON'T Store:
- ❌ Candidate names (hashed only)
- ❌ Candidate resumes or application materials
- ❌ Protected class information (race, gender, age, etc.)
- ❌ Interview notes or subjective assessments
2.3 Technical Data
- API Logs: Request timestamps, endpoint accessed, IP addresses, user agent
- Error Logs: System errors and debugging information (via Sentry.io)
- Analytics: Service usage patterns (aggregated, non-personal)
3. How We Use Your Information
We use collected data to:
- ✅ Provide the institutional memory service
- ✅ Generate audit packs and compliance reports
- ✅ Process payments and manage subscriptions
- ✅ Provide customer support
- ✅ Detect and prevent security breaches
- ✅ Improve service performance and reliability
We do NOT use your data to:
- ❌ Train machine learning models
- ❌ Sell or share with third parties for marketing
- ❌ Target advertising
- ❌ Make automated decisions about individuals
4. Data Sharing and Disclosure
4.1 Third-Party Service Providers
We share limited data with trusted partners:
| Service | Provider | Data Shared | Purpose |
| --- | --- | --- | --- |
| Hosting | Render.com | All service data | Infrastructure and database hosting |
| Payments | Stripe | Billing email, company name | Payment processing |
| Error Tracking | Sentry.io | Error logs, stack traces | Debugging and monitoring |
4.2 Legal Requirements
We may disclose data if required by:
- Court orders or subpoenas
- Government investigations
- Protection of our legal rights
- Prevention of fraud or illegal activity
4.3 Business Transfers
If we are acquired or merged, customer data may be transferred. We will notify you 30 days before any change in ownership.
5. Data Security
We implement industry-standard security measures:
- Encryption in Transit: TLS 1.3 for all API connections
- Encryption at Rest: AES-256 encryption for database storage
- Hashing: SHA-256 for candidate identifiers and API keys
- Access Controls: Role-based permissions, API key authentication
- Monitoring: 24/7 security monitoring and intrusion detection
- Audits: Regular security audits and penetration testing
Data Breach Notification: We will notify affected customers within 72 hours of discovering a breach, as required by GDPR.
6. Data Retention
Active Accounts: We retain data for 7 years from creation date (employment law standard).
Canceled Accounts: 30-day grace period for data export, then permanent deletion.
Legal Holds: Data flagged for litigation is retained until legal hold is released.
7. Your Privacy Rights
7.1 GDPR Rights (EU Residents)
You have the right to:
- Access: Request a copy of your data
- Rectification: Correct inaccurate data
- Erasure ("Right to be Forgotten"): Request deletion (subject to legal retention requirements)
- Data Portability: Receive data in machine-readable format (JSON)
- Objection: Object to data processing
- Restriction: Limit how we use your data
7.2 CCPA Rights (California Residents)
California residents have the right to:
- Know what personal information is collected
- Know if personal information is sold (we DON'T sell data)
- Request deletion of personal information
- Opt-out of sale (N/A - we don't sell data)
- Non-discrimination for exercising privacy rights
7.3 How to Exercise Your Rights
Email us at privacy@defensiblehiringai.com with:
- Subject: "Privacy Rights Request"
- Your company name and account email
- Specific request (access, deletion, export, etc.)
We respond within 30 days.
8. International Data Transfers
Our servers are located in the United States. If you access the Service from the EU or other regions with data protection laws, your data will be transferred to the US.
EU-US Data Transfer Safeguards:
- Standard Contractual Clauses (SCCs) with service providers
- Encryption for data in transit and at rest
- Regular compliance audits
9. Cookies and Tracking
We do NOT use cookies for tracking or advertising.
We may use session cookies for:
- API authentication (temporary session management)
- Security (CSRF protection)
No third-party advertising cookies are used.
10. Children's Privacy
Our Service is NOT directed to individuals under 18. We do not knowingly collect data from children. If we discover such data, it will be deleted immediately.
11. Changes to This Privacy Policy
We may update this Privacy Policy with 30 days' notice. Material changes will be communicated via email to your account address.
12. Contact Us
For privacy-related questions or requests:
Email: privacy@defensiblehiringai.com
Data Protection Officer: dpo@defensiblehiringai.com
Support: support@defensiblehiringai.com
13. Regulatory Compliance
We comply with:
- ✅ GDPR (General Data Protection Regulation) - EU
- ✅ CCPA (California Consumer Privacy Act) - California
- ✅ PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada
- ✅ SOC 2 Type II controls (in progress for enterprise customers)