Privacy Policy

1. Who We Are

TalentSift is a recruitment screening service operated at talentsift.co.uk. We act as a data controller for account data and as a data processor on behalf of recruiters for candidate data uploaded to the platform.

2. What Data We Collect

• Account data: email address, password (hashed and stored securely by Supabase)
• Uploaded CVs: PDF or DOCX files containing candidate personal data (names, contact details, work history, education, skills)
• Job descriptions: text content you provide describing roles and requirements
• Usage data: pages visited, features used, timestamps of actions (for service improvement)
• Payment data: processed and stored by Stripe; we do not store card numbers

3. Why We Collect It (Legal Basis)

• Contract performance: to provide the screening service you signed up for
• Legitimate interest: to improve the Service, prevent abuse, and ensure security
• Consent: where required (e.g., marketing communications, if any)

4. How We Process CVs

When you upload a CV, we extract the text content from the document. This extracted text is sent to OpenAI's API for AI analysis (ranking, skill extraction, and candidate assessment). The extracted text and AI outputs are stored in our database (hosted by Supabase) to provide the Service. Original files are stored in Supabase Storage.

5. Third-Party Processors

We use the following third-party services to operate TalentSift:

• Supabase — database, authentication, and file storage
• OpenAI — AI processing of CV text and job descriptions
• Stripe — payment processing and subscription management
• Vercel — application hosting and deployment

6. Data Retention

Account data is retained while your account is active. Uploaded CVs and job data are retained until you delete them or close your account. Upon account deletion request, all associated data (account details, uploaded files, AI outputs) will be permanently deleted within 30 days.

7. Your Rights Under GDPR

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

• Access: request a copy of the personal data we hold about you
• Rectification: request correction of inaccurate data
• Erasure: request deletion of your data (“right to be forgotten”)
• Portability: receive your data in a structured, machine-readable format
• Objection: object to processing based on legitimate interest
• Restriction: request that we limit how we process your data

8. How to Exercise Your Rights

To exercise any of the above rights, please email us at support@talentsift.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your rights have been infringed.

9. Cookies

We use only essential cookies required for authentication (Supabase session cookies). We do not use tracking cookies, analytics cookies, or advertising cookies. No cookie consent banner is required as we only use strictly necessary cookies.

10. International Data Transfers

Your data may be processed outside the UK and EEA. Specifically, OpenAI processes data on servers in the United States, and Supabase infrastructure may be located outside the UK. Where data is transferred internationally, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses or adequacy decisions) to protect your data.

11. Security Measures

• Encryption in transit (HTTPS/TLS for all connections)
• Encryption at rest (Supabase database and storage)
• Access controls (row-level security ensuring users can only access their own data)
• Password hashing (handled by Supabase Auth using bcrypt)
• Regular security updates and monitoring of infrastructure

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make significant changes, we will notify you via email. The “Last updated” date at the top of this page indicates when the policy was last revised.

13. Contact

For any privacy-related questions or requests, please contact us at support@talentsift.co.uk.