Privacy Policy
Last updated: 2025-10-05
1. Who we are
RapidScreen, Inc. ("RapidScreen," "we," "us") provides AI-assisted interview and candidate screening tools (the "Services"). This Policy describes how we handle personal data.
2. Information we collect
- Account & profile. Name, email, password hash, role, organization, and settings.
- Content you provide. Job posts, prompts, candidate lists (names/emails), notes, and voice recordings from interview prompts and candidate responses.
- Usage & device. Log data, IP address, device/browser info, pages viewed, referral URLs.
- Payment info. Billing contact and transaction metadata (processed by our payment processor; we don't store full card numbers).
3. How we use information
- Provide, operate, and improve the Services, including model quality, reliability, and UX.
- Generate and score interview prompts and responses at your direction.
- Communicate with you (support, product updates, security notices).
- Detect, prevent, and investigate fraud, abuse, or security incidents.
- Comply with law and enforce our Terms.
4. Voice recordings & storage (Supabase buckets)
Voice recordings that you or candidates create through the Services are stored as objects in Supabase object storage ("buckets") within our Supabase project. Key practices:
- Encryption at rest. Supabase stores objects encrypted at rest.
- Access control. Buckets are private. We enforce role-based access and signed URLs for serving audio.
- Isolation. Separate environments (e.g., staging/production) use separate buckets/keys.
- Retention. Unless your contract states otherwise, we retain raw voice recordings for [RETENTION_PERIOD e.g., 24 months] to support evaluations, audits, and replay. You may request early deletion at any time.
- Deletion. When you delete a recording, we queue it for permanent removal from buckets and caches within [DELETION_WINDOW e.g., 30 days], subject to legal holds and backups.
5. Legal bases (EEA/UK)
Where GDPR/UK GDPR applies, we process personal data under: (i) contract necessity; (ii) legitimate interests (e.g., product improvement, security); (iii) consent (e.g., certain analytics/communications); and (iv) legal obligation.
6. Sharing & disclosure
- Vendors. Cloud hosting, storage (Supabase), analytics, email, and payment providers under confidentiality and data processing agreements.
- Team & collaborators. You control sharing with teammates and reviewers.
- Legal & safety. To comply with law, enforce our Terms, or protect rights, safety, and security.
- Business transfers. In a merger, acquisition, or asset sale, consistent with this Policy.
7. Data security
- Transport encryption (HTTPS/TLS) for data in transit.
- Supabase bucket encryption at rest; access enforced via RLS/policies and signed URLs.
- Role-based access, least privilege, and audit logging on sensitive actions where available.
- Vulnerability management and incident response procedures.
8. Your choices & rights
- Access, correction, deletion. Request via [PRIVACY_EMAIL].
- Export. You may export certain data or request a portable copy.
- Marketing. Opt out of marketing emails via the unsubscribe link.
- Consent. Where applicable, you can withdraw consent at any time.
9. Children
We do not knowingly collect personal data from children under 16. If you believe a child provided data, contact us to delete it.
10. International transfers
We may process data globally. Where required, we use appropriate safeguards (e.g., SCCs/UK IDTA) for international transfers.
11. Data retention
We keep personal data only as long as necessary for the purposes described in this Policy, our contractual commitments, and legal obligations. See Section 4 for voice recording specifics.
12. Your role as controller
For candidate data you upload, you act as the controller (or equivalent) and determine lawful basis and notice to candidates. We act as a processor in providing the Services and will enter into a DPA where required.
13. "Do Not Sell or Share" (U.S. state privacy laws)
We do not "sell" personal information as defined by the CCPA/CPRA. If we engage in targeted advertising or "sharing," we will provide mechanisms to opt out as required by law.
14. Changes to this Policy
We may update this Policy from time to time. If changes are material, we'll provide reasonable notice (e.g., email or in-product).
15. Contact us
Questions or requests? Email [PRIVACY_EMAIL] or write to:
RapidScreen, Inc.
[COMPANY_ADDRESS_LINE_1]
[CITY, STATE ZIP]
[COUNTRY]