HirelyLikely

Privacy Policy

Last updated: 2026-05-10

1. Who we are

HirelyLikely (“we”, “us”) is the data controller for personal data processed through this service. You can reach us at privacy@hirelylikely.com.

2. The data we process

If you apply to a job as a candidate, we process: your name, email, phone (optional), location (optional), LinkedIn or portfolio links (optional), current job title (optional), years of experience (optional), your CV file, the answers you submit on application forms, the messages you exchange with recruiters, and metadata about your application (when, to whom, current stage).

If you use HirelyLikely as a recruiter, we process: your name, email, the workspaces you belong to, your role, the scorecards, comments, decisions and messages you author, and basic usage metadata.

3. Why we process it (legal basis)

  • Contract (Art. 6(1)(b)) — to provide the service you signed up for: matching candidates to jobs, running the hiring workflow, and maintaining recruiter accounts.
  • Legitimate interest (Art. 6(1)(f)) — to retain anonymised records of past hiring decisions inside each workspace (defence against discrimination claims, audit trail, fraud prevention). When a candidate deletes their account, identifying data is scrubbed but anonymised stage and decision history remains in the workspace where they applied.
  • Consent (Art. 6(1)(a))— for any optional processing you actively opt into (e.g., being saved to a recruiter's talent pool for future roles). Consent can be withdrawn at any time.

4. Where your data lives — sub-processors

We use the following sub-processors to operate the service. Each one has signed a Data Processing Agreement with us:

  • Supabase (database, authentication, file storage) — data is stored in the EU region (Ireland). No cross-border transfer of EU candidate data at the database layer.
  • Resend(transactional email — confirmation, password reset, rejection emails) — US-based. We rely on Standard Contractual Clauses (SCCs) as the transfer mechanism. The only personal data sent is the recipient's email address plus the message body you authored.
  • Anthropic (Claude API — powers the optional AI scorecard summariser and AI rejection drafter, paid plans only) — US-based. SCCs in place. We never send raw candidate identifiers to Anthropic; rater names are anonymised before transmission and no data is used by Anthropic for model training.
  • Vercel (hosting / edge) — handles request routing only; no persistent storage of user data.

5. How long we keep it

  • Active candidate applications — for as long as the workspace keeps the job open, plus 24 months of legitimate-interest retention for anonymised audit trail.
  • Recruiter accounts — for the lifetime of the account.
  • CV files — deleted immediately when you delete your candidate account.
  • Backups — Supabase automatic backups are retained for 7 days then permanently destroyed.

6. Your rights under the GDPR

You can exercise these rights at any time without giving a reason:

  • Article 15 — Right of access. Download a copy of everything we hold about you. Available in-app from your Settings page as a JSON file.
  • Article 16 — Right to rectification. Correct inaccurate data from your profile / candidate edit screen, or email us.
  • Article 17 — Right to erasure. Delete your account. Identifying data is permanently scrubbed; anonymised records may be retained for legitimate-interest hiring audit. CV files are hard-deleted.
  • Article 18 — Restriction of processing. Email us and we will pause processing pending resolution.
  • Article 20 — Data portability. The Article 15 export is provided in machine-readable JSON.
  • Article 21 — Right to object to processing based on legitimate interest. Email us; we will assess each request on its merits.
  • Right to complain to your local supervisory authority. For users in the EU, the lead authority is determined by your country of residence.

7. Security

Data at rest is encrypted by Supabase. Connections use TLS 1.2+. Multi-tenant isolation is enforced by Postgres Row Level Security policies on every table. We rate-limit authentication, AI and public-form endpoints to bound abuse. We do not sell or share personal data with third parties for advertising.

8. Cookies

We only set cookies that are strictly necessary to operate the service (the session cookie issued at sign-in). These are exempt from consent under the EU ePrivacy Directive. We do not run advertising trackers, cross-site analytics, or third-party marketing pixels.

9. Children

HirelyLikely is not directed at children under 16 and we do not knowingly process their personal data.

10. Changes to this policy

We will update the “Last updated” date and notify registered users by email when changes are material.