Privacy Policy

Last updated: 13 March 2026

1. Introduction

TalentBrief (“we”, “our”, or “us”) operates the TalentBrief platform (“Service”), a GDPR-compliant SaaS application for interview analysis and candidate assessment. We are committed to protecting your personal data and processing it in accordance with the General Data Protection Regulation (GDPR) and all applicable data protection legislation.

This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights as a data subject. If you have questions about this policy, please contact us at the address provided at the end of this document.

2. Data We Collect

We collect the following categories of personal data:

  • Account data — Your email address, full name, and profile information provided during registration.
  • Interview data — Audio recordings you upload, AI-generated transcripts, candidate profiles, interview scores, competency assessments, and generated PDF reports.
  • Candidate data — Names, roles, departments, and any additional profile data you enter for interview candidates. This data is entered by you and relates to individuals you are assessing.
  • Team data — Team member email addresses, roles, and access permissions for collaborative use of the platform.
  • Payment data — Billing is handled by Stripe. We do not store card numbers, CVV codes, or full payment card data. We receive billing status and subscription information from Stripe.
  • Usage and error data — Application error events are captured by Sentry for debugging purposes. Sentry is configured with sendDefaultPii: false, so no personally identifiable information is included in error reports.

3. How We Use Your Data

We use your data solely for the following purposes:

  • Service delivery — Processing interview audio, generating transcripts, producing AI-powered assessments, and generating PDF reports.
  • Platform improvement — Diagnosing errors and improving the reliability and quality of the Service.
  • Billing and account management — Managing subscription plans, processing payments via Stripe, and sending invoices.
  • Transactional communications — Sending account confirmation, password reset, and team invitation emails via Resend. We do not send marketing emails without your explicit consent.

The legal basis for processing is the performance of the contract between you and TalentBrief (Article 6(1)(b) GDPR) and our legitimate interests in operating and improving the Service (Article 6(1)(f) GDPR).

4. AI Processing Disclosure

TalentBrief uses artificial intelligence to analyse interview content. Specifically:

  • Audio transcription — Interview audio files you upload are sent to third-party AI transcription providers for transcription and speaker diarisation.
  • Interview analysis and scoring — Transcripts and candidate data are sent to third-party AI model providers for AI-powered analysis, competency scoring, and assessment generation.

Candidate data is processed by these sub-processors solely to provide the Service. Per the terms of our AI sub-processors, data submitted via their APIs is not used to train their models. See the Sub-Processors table below for the current list of providers.

You are responsible for ensuring you have an appropriate legal basis (e.g. consent from interview candidates) to process their data through these AI systems.

5. Sub-Processors

We use the following third-party sub-processors to deliver the Service:

| Sub-Processor | Purpose | Data Processed |
|---|---|---|
| Supabase | Data storage, authentication, file storage (EU region) | All platform data |
| AssemblyAI | Audio transcription and speaker diarisation | Interview audio files |
| OpenAI | AI-powered interview analysis and scoring | Transcripts, candidate data |
| Anthropic | AI-powered interview analysis and scoring | Transcripts, candidate data |
| Stripe | Payment processing and subscription management | Billing data |
| Sentry | Error monitoring and application diagnostics | Error events (no PII, sendDefaultPii: false) |
| Google | Cookieless analytics (Google Analytics 4) | Anonymous page view and feature usage events (no PII) |
| Resend | Transactional email delivery | Email addresses, email content |
| Vercel | Application hosting and edge delivery | Request logs (transient) |

6. Cookies

We use only strictly necessary cookies — no analytics cookies, no tracking cookies, and no advertising cookies. No cookie consent banner is required under GDPR because we do not use non-essential cookies.

The cookies we use are:

  • Supabase authentication cookies — Set by Supabase to maintain your authenticated session. These are strictly necessary for the Service to function.
  • Share link unlock cookies (shr_*) — Set when you unlock a password-protected shared PDF report. These persist your access to the specific shared report without requiring you to re-enter the password.

Cookieless analytics — We use Google Analytics 4 in cookieless mode to collect anonymous usage data such as page views and feature adoption. This mode does not store any cookies on your device and does not track you across websites. The data collected is aggregated and cannot be used to identify individual users. Because no personal data is collected and no cookies are stored, this processing falls outside the scope of cookie consent requirements under the ePrivacy Directive and GDPR.

7. Data Retention

We retain your data for as long as your account is active and as necessary to provide the Service. Specifically:

  • Account data and interview data are retained for the lifetime of your account.
  • Upon a deletion request (see Your Rights below), we remove your data within 30 days in accordance with GDPR Article 17 (right to erasure).
  • Billing records may be retained for longer periods to comply with legal financial record-keeping obligations.
  • Backups may contain data for a period of up to 30 days after deletion before they are overwritten.

8. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right of access (Article 15) — You may request a copy of the personal data we hold about you.
  • Right to rectification (Article 16) — You may request correction of inaccurate personal data.
  • Right to erasure (Article 17) — You may request deletion of your personal data. Upon a valid erasure request, we will process it within 30 days. Contact us at the email below to submit a request.
  • Right to restrict processing (Article 18) — You may request that we limit how we process your data in certain circumstances.
  • Right to data portability (Article 20) — You may request your data in a structured, machine-readable format.
  • Right to object (Article 21) — You may object to processing based on our legitimate interests.

To exercise any of these rights, please contact us at support@talentbrief.io. We will respond within 30 days. If you believe your rights have not been respected, you have the right to lodge a complaint with your local supervisory authority.

9. Data Security

We implement appropriate technical and organisational measures to protect your data:

  • Encryption in transit — All data is transmitted over TLS (HTTPS).
  • Data isolation — Supabase Row Level Security (RLS) policies ensure that each team can only access their own data. Your data is never accessible to other users or teams.
  • Authentication — All data access requires authenticated sessions. Unauthenticated requests are blocked by middleware.
  • Error monitoring — Application errors are monitored via Sentry with PII disabled to enable proactive security issue detection.

10. International Data Transfers

Primary data storage is handled by Supabase in the EU region. However, some of our sub-processors (as listed in the Sub-Processors table above) may process data outside the European Economic Area (EEA).

Where data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) as approved by the European Commission, or we transfer to countries recognised as providing adequate protection under GDPR Article 45. By using the Service, you acknowledge these transfers are necessary to provide the features described in this policy.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make changes, we will update the “Last updated” date at the top of this page. Where changes are material, we will notify you via email or a prominent notice on the Service. Continued use of the Service after the effective date of any change constitutes your acceptance of the updated policy.

12. Contact

If you have questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:

Email: support@talentbrief.io