Privacy Policy

AI-powered interviews, job postings, candidate matching, skill assessments, interview scheduling, analytics, and photo verification for identity authentication.

Candidates, clients or employers, recruiters, platform administrators, and verification personnel.

Any information relating to an identifiable individual, directly or indirectly, including biometric identifiers used temporarily for verification purposes.

Automated analysis of data to generate insights, scores, or recommendations through machine-learning systems, including bias detection and mitigation.

Photographic images captured solely for identity verification purposes that are processed in real time and deleted immediately after verification completes.

• Identification information such as full name, email address, phone number, physical address, and nationality.
• Government-issued ID verification data processed temporarily for verification and not retained as a stored identity record.
• Professional data including resumes or CVs, work history, educational background, skills, certifications, salary expectations, portfolio links, and references.
• AI interview data such as transcripts, recordings where consented, competency scores, interview performance metrics, and related feedback.
• Technical data such as IP addresses, device identifiers, browser type, operating system, session behavior, and platform usage analytics.
• Photo verification data processed in real time for identity checks and immediately deleted after verification completion.

• Corporate information including company name, industry, size, and business verification details.
• User account information such as admin credentials, role permissions, platform preferences, and activity logs.
• Hiring process data including job descriptions, candidate requirements, interview feedback, hiring decisions, offer details, and recruitment analytics.

• Aggregated hiring metrics and platform usage statistics.
• Performance benchmarks and industry trend analysis.
• De-identified or anonymized datasets used for AI model training, bias detection research, and platform improvement.

• Microsoft Azure for GDPR-aligned hosting and ISO 27001-certified infrastructure.
• DigitalOcean for AICPA SOC 2 Type II-certified compute infrastructure.
• Supabase for managed PostgreSQL with row-level security controls.
• MongoDB Atlas for SOC 2 Type II-aligned NoSQL workloads.
• Cloudflare for enterprise DDoS protection, CDN coverage, and TLS 1.3 delivery.

• AES-256 encryption for data at rest and TLS 1.3 for data in transit.
• Role-based access control, privilege review, and multi-factor authentication enforcement.
• Continuous monitoring, threat detection, penetration testing, and vulnerability assessments.
• Immutable audit logs and formal incident response procedures.

• With client organizations for authorized hiring activity.
• With candidates regarding their own application status and interview outcomes.
• With service providers operating under data-processing agreements and appropriate access restrictions.

• Infrastructure and database providers may include Microsoft Azure, DigitalOcean, Supabase, MongoDB Atlas, and Cloudflare.
• Approved AI or ML vendors may receive anonymized data only for model-improvement use cases.
• Cross-border transfers rely on appropriate safeguards such as Standard Contractual Clauses, adequacy assessments, and other lawful transfer mechanisms where required.
• Photo verification data is processed locally for the verification action and is not retained for international transfer workflows.

• Continuous monitoring for discriminatory patterns and fairness drift.
• Human review in critical decision paths.
• Regular performance assessments across demographic cohorts where relevant and lawful.

• Version control and rollback procedures for production AI models.
• Monitoring for model drift, accuracy degradation, and operational instability.
• Explainability measures and user-readable explanations for AI-driven recommendations.
• Documented model logic, decision factors, and retraining practices.

• Access to personal data and related processing information.
• Portability of eligible personal data in commonly used formats.
• Rectification of inaccurate or incomplete data.
• Erasure, restriction, or objection where applicable.
• Human review and explanation for qualifying automated decisions.

Verified rights requests, privacy questions, and related grievances can be sent to recruiter@hyr.works. Hyr may use a secure verification step before fulfilling a request.

• Initial response target: within 30 days of a verified request.
• Complex requests may require an extension of up to 60 additional days.
• Status updates may be shared during extended handling windows.

• Notification to competent supervisory authorities within required legal timeframes, including 72 hours for qualifying GDPR incidents.
• Direct notification to affected individuals when a high-risk breach requires it.
• Documented scope, impact, and remediation records for applicable incidents.

• Automatic containment and isolation of affected systems where feasible.
• Emergency-response activation, forensic investigation, and root-cause analysis.
• System restoration, security hardening, and staff process updates after resolution.

• Quarterly privacy and compliance assessments.
• Annual third-party privacy or security reviews where appropriate.
• Ongoing monitoring of regulatory developments that affect Hyr’s practices.

• Material policy changes are documented and communicated with advance notice where required.
• Privacy documentation is maintained and updated through regular legal and operational review.

Photo verification is used solely for identity authentication during registration or interview workflows to help prevent fraud and preserve platform security.

• Capture in real time during the verification step.
• Immediate AI-powered identity verification.
• No storage in a persistent system or database.
• Immediate and permanent deletion after verification completion.

• You may refuse photo verification, though doing so may limit access to certain platform actions.
• Encrypted transmission is used during verification.
• Verification logs may record attempts without storing the image itself.
• Regular security reviews apply to verification systems and controls.