Privacy Policy

Effective date: May 19, 2026

This Privacy Policy describes how Sidekick Software Inc. (“HiringTest.ai”, “we”, “us”) collects, uses, and protects your information when you use our platform. For a buyer-facing summary of our security posture, see our Trust & Security page.

1. Information we collect

From recruiters and hiring managers: Name, email address, profile photo, and basic profile information obtained via LinkedIn or Google OAuth. Persona (recruiter or hiring manager), team role (admin, member, viewer, IT support), company association, optional job title, referral code, and email-notification preferences. Payment information processed by Stripe (we do not store card numbers; only payment-method metadata such as brand and last-four digits).

From candidates: Name, email address (verified), LinkedIn profile URL, LinkedIn headline, and profile photo obtained via LinkedIn or Google OAuth. Assessment data, including: text answers; audio recordings of the introduction and any voice-mode responses; video recordings on roles configured for video questions; AI sandbox conversation logs; self-reported AI proficiency, AI-tool selections, and candidate-described use cases; uploaded files (resume, portfolio, work samples); and structured intent, location, and language-profile responses where applicable. Integrity signals, including time spent per question, tab-switch events, paste events, browser fingerprint hash (for fraud-signal deduplication), and navigation patterns. When the recruiter has opted into identity verification, government ID and selfie data processed by our identity-verification subprocessor.

From endorsers (HiringCase): When a candidate invites a former colleague to endorse their work history, the endorser provides name, optional LinkedIn handle, working relationship, and either a short text or video reaction. Endorser identity is verified via LinkedIn or Google OAuth.

From waitlist signups: Email address only.

Automatically: IP address, user agent, basic device + browser metadata, authenticated session cookies, product-analytics events that describe how you use the application (page views, button clicks, funnel progression), and LLM call metadata (model name, token counts, latency) for cost attribution and observability. Product-analytics events do not include assessment response content, full names, or email addresses on the event payload; the underlying user account is referenced by an opaque identifier.

2. How we use your information

3. LinkedIn data usage

We request only basic profile scopes from LinkedIn: name, email, profile URL, headline, and profile photo. We do not access your LinkedIn connections, messages, activity feed, or full work history. LinkedIn data is used to authenticate you, to surface seniority-inference and gap-analysis signals on recruiter scorecards, and to enrich endorsement records for first-degree-connection verification. Identity verification (when enabled by the recruiter) is performed by a separate subprocessor with its own ID-and-selfie flow, not via LinkedIn.

4. Audio and video recordings

Audio introductions and voice-mode responses are recorded during the assessment. Where the recruiter has configured video questions, video recordings are captured at the candidate's explicit consent step. All media is stored in Microsoft Azure Blob Storage with access controlled by short-lived signed URLs. Audio recordings are transcribed by Azure Speech Services; transcripts are analyzed by AI for communication-quality signal. Video recordings are analyzed for presentation synthesis; raw video is accessible only to the recruiter who activated the role and to internal engineering personnel responding to a named support incident. Retention is described in Section 9.

5. AI processing

Your assessment responses, transcripts, and sandbox conversations are processed by AI models accessed through Microsoft Azure AI Foundry under enterprise terms. Foundation models we use today include Anthropic Claude, OpenAI GPT, Meta Llama, and Mistral variants. Your data is not used to train Microsoft, Anthropic, OpenAI, Meta, or Mistral foundation models. Anthropic calls run under zero-day retention; other providers have a 30-day abuse-detection retention with no human review unless legally required. AI-generated scores, syntheses, and recommendations are probabilistic outputs and are not definitive evaluations. A human recruiter or hiring manager makes the final hiring decision; we do not provide automated decision-making in the GDPR Article 22 sense.

6. Data storage and security

All operational data is stored in Microsoft Azure (United States, East US 2 region) with AES-256 encryption at rest. Database connections, file storage, and all customer traffic use TLS 1.2+ in transit. ATS credentials carry an additional application-level AES-256-GCM wrap using a customer-managed master key in Azure Key Vault. Internal access to production systems requires Entra ID authentication with hardware-key multi-factor authentication; every production-data access by an internal user is logged. For additional detail on our security posture, see the Trust & Security page.

7. Subprocessors

We use the following third-party subprocessors to deliver our service. Your data is processed in accordance with each provider's data-processing agreements and our contractual obligations.

Provider: Microsoft Azure
Service: Compute, database, file storage, AI Foundry, Speech Services, Communication Services, Key Vault
Data processed: All platform data — accounts, assessments, responses, audio + video, AI scoring, transactional emails

Provider: Vercel
Service: Application hosting + edge network
Data processed: HTTP requests, session cookies (no persistent customer data storage on Vercel infrastructure)

Provider: Stripe
Service: Payment processing (PCI-DSS Level 1)
Data processed: Recruiter payment information (card data never touches our servers); customer + payment-intent metadata

Provider: PostHog
Service: Product analytics, LLM-cost analytics
Data processed: Pseudonymous event data (opaque user IDs, no email or name on event payloads); recruiter Person records carry email and name for support and debugging; candidate Person records carry no PII beyond the opaque user ID

Provider: Langfuse (self-hosted on Azure)
Service: LLM call tracing for engineering observability
Data processed: LLM prompts, responses, model + latency metadata. Self-hosted means no third-party processor receives this data.

Provider: Veriff
Service: Identity verification (only when recruiter opts in)
Data processed: Government ID image, selfie image, liveness video, verification result

Provider: Google
Service: OAuth authentication
Data processed: Name, email, profile photo (authentication only)

Provider: LinkedIn (Microsoft)
Service: OAuth authentication
Data processed: Name, email, headline, profile URL, profile photo (authentication + scorecard context only)

Provider: Parallel, Firecrawl, Apify (URL-fetch fallback chain)
Service: Public job-description page fetching for recruiter-pasted URLs
Data processed: Public URLs only; no customer or candidate data sent to these providers

Provider: Greenhouse, Ashby, Lever, Gem, Getro, Merge
Service: ATS integrations (only when recruiter connects an account)
Data processed: Read access to job openings + candidate records the recruiter has access to in their own ATS; write-back of notes, stage moves, and tags scoped to the recruiter's configured permissions

We will provide 30 days' notice to enterprise customers before adding a new subprocessor that processes customer data. The current list is also appended to our Data Processing Addendum.

8. Data sharing

We do not sell your personal data. Candidate assessment results are shared only with: (i) the recruiter who activated the role; (ii) hiring managers and team members the recruiter explicitly grants access to within their company; (iii) the recruiter's ATS when ATS write-back is enabled. Recruiters may generate read-only scorecard links (time-limited, token-based) to share results with collaborators outside the platform.

Candidates control publication of their own HiringCase living résumé. A candidate may choose to make their resume public, unlisted (link-only), or private. We never publish a candidate's résumé without that explicit choice.

We may share anonymized, aggregated data in market reports and benchmarks. We may disclose data when legally required (subpoena, court order) or to protect against fraud or abuse, in which case we will notify affected customers unless prohibited by law.

9. Data retention

10. Your rights

Under GDPR, CCPA, and similar laws, you may request:

Candidates may request that their assessment results be deleted, which removes the scorecard from the recruiter's dashboard and purges the underlying responses, recordings, and uploaded files (subject to backup-retention windows described above). To exercise any of these rights, email privacy@hiringtest.ai. We respond within 30 days.

11. Cookies and tracking technologies

We use cookies to maintain your authenticated session, to remember your interface preferences (sidebar state, dark mode, recently-viewed roles), and for product analytics. Product-analytics cookies (set by PostHog) capture pageviews and click events to help us understand how the product is used. They do not identify you to third parties and are not used for advertising. We do not run third-party advertising or social-media tracking pixels.

12. International data transfers

All customer data is stored in the United States (Microsoft Azure East US 2). If you access the service from outside the United States, your data is transferred to and processed in the United States. Where required by EU or UK data protection law, we rely on Standard Contractual Clauses for these transfers, available as part of our Data Processing Addendum.

13. Children's privacy

Our service is intended for users 18 and older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, contact privacy@hiringtest.ai and we will delete it.

14. Automated decision-making

Our AI scoring produces probabilistic outputs that inform — but do not determine — hiring decisions. A human recruiter or hiring manager reviews each scorecard and makes the final decision to advance, reject, or hold a candidate. We do not operate automated decision-making in the GDPR Article 22 sense. Candidates who believe they have been treated unfairly may contact privacy@hiringtest.ai to request human review of how their data was used.

15. Changes to this policy

We will update this policy as our product evolves. Material changes will be communicated to recruiter customers by email at least 30 days before they take effect. The “Effective date” at the top of this page reflects the most recent revision.

16. Contact

For privacy inquiries, contact privacy@hiringtest.ai. For security-incident reports, contact security@hiringtest.ai. Our legal entity is Sidekick Software Inc., a Delaware corporation.