Privacy Notice
Effective 8 May 2026. This notice explains how Job Flir ("Job Flir", "we", "us") processes personal data, and the rights available to individuals under the EU/UK GDPR, the California Consumer Privacy Act as amended by the CPRA, and other applicable privacy laws.
1. Who we are
Job Flir provides an AI-assisted recruitment platform that helps hiring teams import jobs and candidates and review explainable matches. When you use the platform as a recruiter or hiring manager, Job Flir is the controller of your account data. When you import candidate data into your workspace, you (the customer) are the controller and Job Flir acts as your processor under a Data Processing Addendum (DPA).
2. Scope of this notice
This notice covers our website, marketing pages, account registration, and the Job Flir application. It does not cover third-party services you choose to integrate, which are governed by their own privacy notices.
3. Personal data we process
- Account data: name, work email, password hash, workspace, role, locale, and profile picture (if provided).
- Usage & device data: IP address, browser, OS, pages viewed, feature events, timestamps, and diagnostic logs.
- Customer content: job descriptions, candidate profiles, resumes, notes, scores, and explanations you import or generate.
- Communications: messages you send to support, survey responses, and newsletter preferences.
- Billing data: name, billing address, VAT/Tax ID, and the last four digits of payment cards (full card data is handled by our PCI DSS-compliant payment processor).
4. Purposes & legal bases (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Provide and operate the service | Contract (Art. 6(1)(b)) |
| Secure the service, prevent abuse | Legitimate interests (Art. 6(1)(f)) |
| Comply with legal obligations (tax, accounting) | Legal obligation (Art. 6(1)(c)) |
| Send service & transactional emails | Contract / Legitimate interests |
| Marketing emails to prospects | Consent (Art. 6(1)(a)) — withdraw any time |
| Product analytics & improvement | Legitimate interests, with opt-out |
5. Candidate data (when Job Flir is a processor)
When customers import candidate information, Job Flir processes that data only on documented instructions to provide the matching service. Customers are responsible for the lawful basis of processing candidate data and must provide candidates with the required transparency information. Our DPA, including the EU Standard Contractual Clauses and the UK Addendum, is available on request and forms part of the Terms.
6. AI processing & automated decisions
We use AI to parse resumes, enhance job descriptions, score matches, and generate written explanations. Scoring is deterministic and reviewable and is presented as decision support — it does not by itself produce legal or similarly significant effects on candidates within the meaning of GDPR Art. 22. A human recruiter must make the final decision. Customers may turn off AI explanations per workspace.
Prompts and content sent to AI providers via our gateway are not used to train third-party models, and we contractually prohibit such training.
8. International data transfers
Personal data may be processed in the United States, the European Economic Area, the United Kingdom, and other regions where our sub-processors operate. Where data leaves the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and the EU-US Data Privacy Framework where applicable, together with supplementary technical and organisational measures.
9. Retention
We retain account data for the life of your subscription plus up to 90 days after termination to allow recovery, then delete or anonymise it. Customer content is deleted within 30 days of workspace deletion, except where law requires longer retention (for example, invoicing records kept for 7 years). Backups are cycled out within 35 days.
10. Security
We apply administrative, technical, and physical safeguards appropriate to the risk, including encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege access, row-level security, audit logging, regular vulnerability scans, and annual penetration tests. See the Security page for details and how to report a vulnerability.
11. Your rights
Subject to applicable law, you may:
- access, correct, or delete your personal data;
- port your data in a structured, machine-readable format;
- restrict or object to certain processing;
- withdraw consent without affecting prior processing;
- lodge a complaint with your supervisory authority.
To exercise these rights, email privacy@jobflir.com. We respond within 30 days (extendable by 60 days for complex requests). Candidates whose data is held in a customer workspace should contact that customer first; we will assist on request.
12. Regional disclosures
California (CCPA/CPRA): in the past 12 months we have collected the categories above for the business purposes described. We do not sell or share personal information. You have the right to know, delete, correct, limit use of sensitive information, and to non-discrimination.
EU/UK/Switzerland: our EU representative under GDPR Art. 27 and our UK representative are listed on request. Swiss residents may complain to the FDPIC.
Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act): equivalent rights apply and we honour them on request.
13. Children
Job Flir is not directed to anyone under 16 and we do not knowingly collect personal data from children. If you believe a child has provided data, contact us and we will delete it.
14. Changes to this notice
We will update this notice when our practices change. Material changes will be announced in-app or by email at least 14 days before they take effect.
15. Contact & Data Protection Officer
Privacy questions or rights requests: privacy@jobflir.com. Postal address available on request. Our DPO can be reached at the same address.
