Privacy policy
This policy is between you and Syntrex Software Solutions LLP ("Recluto", "we", "us", operating Recluto.ai). It describes how we collect and use personal data when you visit our website, when you use Recluto as a recruiter, and when you apply for a job through a Recluto-powered careers page.
Last updated · May 7, 2026
Recluto operates as a data processor for the personal data of job candidates on behalf of our customers (the companies that license Recluto to run their hiring). For our recruiter customers' own account data, we operate as a data controller. This distinction matters under GDPR and similar laws — different obligations apply to each role.
1. What we collect
1.1 Recruiter accounts (controller role)
- Identity and contact: name, work email, password hash, profile photo (optional), timezone.
- Workspace data: company name, workspace slug, plan tier, billing contacts, integration tokens (encrypted at rest).
- Activity: pages viewed, actions taken, IP address and user-agent for the session, timestamps.
- Billing: company name, billing email, country, tax ID, last-4 of payment card (the full PAN never reaches our servers — see Security).
1.2 Job candidates (processor role, on behalf of the hiring company)
- Identity and contact: name, email, phone (optional), city/country, links you choose to share (LinkedIn, portfolio, GitHub).
- CV / résumé content uploaded by you, including parsed structured fields (experience, education, skills, languages, certifications).
- Application metadata: which role, when applied, source attribution (careers page, ATS sync, referral).
- Screening responses: written answers, voice-interview audio + AI-generated transcript, video-interview recording + transcript (where the company has enabled video).
- Agent-derived signals: scoring, recommendation labels, integrity flags. These are produced by automated processing — see Section 6.
1.3 Visitors to recluto.ai
We use first-party analytics and a small number of strictly necessary cookies to keep you signed in. We do not use third-party advertising trackers on our marketing or app surfaces.
2. How we use it
- To provide the service you requested (run a hiring process for the recruiter; submit an application for the candidate).
- To improve the service in aggregate — error rates, latency, conversion funnels. We do not profile individual recruiters or candidates for marketing.
- To send service emails (password resets, security alerts, billing receipts, screening invitations). We do not send marketing emails to candidates.
- To meet legal obligations (tax records, lawful subpoenas, fraud prevention).
3. Legal bases (GDPR Art. 6)
- Recruiter accounts: contract performance and our legitimate interest in running a SaaS business.
- Candidate data: the hiring company's legitimate interest in conducting a recruitment process under Art. 6(1)(f), supported by your decision to apply. You can withdraw at any time — see Section 7.
- Billing data: contract performance and legal obligation (tax records).
4. Sharing and sub-processors
We share personal data with a small number of vendors strictly to deliver the service. Each is contractually bound by data-processing terms equivalent to ours. Current sub-processors:
- Amazon Web Services — hosting and data storage (us-east-1, eu-west-1, ap-south-1).
- OpenRouter — large-language-model inference for screening and scoring.
- VAPI — voice telephony for AI voice interviews.
- LiveKit — real-time video infrastructure for live interviews.
- Deepgram, xAI, Cartesia — speech-to-text, LLM, and text-to-speech for the live video agent.
- Stripe, Paddle, Razorpay, PayPal — payment processing (recruiter customers only — candidates never interact with these).
- Postmark / Amazon SES — transactional email delivery.
- Slack, Google Workspace, Microsoft 365 — recruiter-side notification and calendar integrations (only when the recruiter installs them).
We do not sell personal data and we do not share data with ad networks. We update this list when sub-processors change; recruiter admins can subscribe to changes by emailing privacy@recluto.ai.
5. International transfers
We may transfer personal data outside the EU/EEA, the UK, India, or your country of residence to deliver the service. When we do so, we rely on Standard Contractual Clauses (EU 2021/914) with our sub-processors and equivalent safeguards under the UK IDTA and India's DPDP Act. Customers on the Pro tier can request EU-only or India-only data residency; contact enterprise@recluto.ai.
6. Automated decision-making
Recluto uses AI to evaluate candidates. Specifically: an LLM scores written-screening answers and voice/video transcripts, and produces a recommendation (HIRE / MAYBE / NO_HIRE) along with a 0–100 numeric score. This is decision-supporting, not decision-making — every hiring decision rests with the recruiter at the company you applied to.
Under GDPR Art. 22 you have the right not to be subject to a decision based solely on automated processing. Recluto does not auto-reject any candidate without a recruiter's review by default; recruiters who choose to enable auto-rejection on a job opening must meet the company's internal compliance bar — Recluto records this as a workspace-level preference and surfaces an AI disclosure on the candidate's rejection notice.
If you'd like a human review of an automated screening decision, you can request one at any time by replying to the email the company sent you, or by writing to privacy@recluto.ai and we will route the request.
See also our AI disclosure for a plain-English explanation.
7. Your rights
Depending on your jurisdiction (EU/EEA, UK, California, India, Brazil, Canada, and others with similar laws), you have rights to access, correct, delete, restrict, object to, or port your personal data. To exercise any of these:
- Email privacy@recluto.ai with the company name, the email you applied with, and which right you're invoking.
- We respond within 30 days (typically within 5 business days). No fee unless your request is manifestly unfounded or excessive.
- If you'd like to skip the email, the candidate self-service portal lets you withdraw or request deletion in two clicks: open the link in any email the company sent you and click "Manage my data".
We may need to verify your identity before fulfilling sensitive requests (typically by asking you to reply from the same email you applied with).
8. Retention
- Recruiter accounts: retained for as long as the workspace is active. Deleted within 30 days of workspace deletion, except for billing records we are legally required to keep (typically 7 years for tax purposes in the US/EU).
- Candidate applications: retained per the hiring company's policy. Recluto's default is 24 months from last application activity, after which the row is anonymised. Candidates can request earlier deletion as in Section 7.
- Backups: rotated on a 30-day window. A deletion request is honoured immediately in production and within 30 days for backups.
9. Security
We protect your data with TLS in transit, AES-256 at rest, role-based access controls, immutable audit logs, and least-privilege engineering. Full details are on the security page. To report a vulnerability: security@recluto.ai.
10. Children
Recluto is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe we have, please email privacy@recluto.ai and we will delete the data immediately.
11. Changes to this policy
We may update this policy as the product evolves. Material changes will be announced by email to recruiter admins at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact
Syntrex Software Solutions LLP (operating Recluto.ai)
Vill + P.O. Dasturhat, Murshidabad, 742122, India
General: support@recluto.ai
Privacy: privacy@recluto.ai
Data Protection Officer: dpo@recluto.ai
EU representative (Art. 27 GDPR): eu-rep@recluto.ai
If you are not satisfied with our response, you may complain to your local data-protection authority. For the EU, find yours at edpb.europa.eu.