Privacy Policy

1. Data controller

For candidate data, the data controller is the company using Hire Doris as a recruitment tool; Hire Doris acts as a data processor on its behalf in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679. For the account data of recruiters and other platform users (name, email, authentication, billing, and support records), Hire Doris (operated by LooneyDevs Limited) acts as the data controller, processing that data to provide, secure, and invoice the service.

2. Data we collect

• Candidate data: name, email, phone, city, work experience, education, skills, CV (PDF/DOCX)
• Interview data: written or voice responses, transcriptions, evaluations
• Psychological analysis (optional): projective drawings, handwriting samples -- only with explicit consent
• Technical data: IP address, user agent (for security and auditing)

3. Purpose of processing

• Evaluation of candidacies for selection processes
• Candidate-vacancy compatibility analysis using artificial intelligence
• Generation of interview questions and response evaluation
• Experimental psychological analysis (only with prior consent)

4. AI providers (sub-processors)

Candidate data may be processed by the following AI providers, depending on the recruiter's configuration:

• Anthropic (Claude) -- CV analysis, interviews, evaluations
• OpenAI (GPT) -- CV analysis, interviews, evaluations, voice
• Google (Gemini) -- CV analysis, interviews, evaluations
• Mistral AI -- interviews, vacancy generation
• Affinda / Textkernel -- CV parsing (optional)

5. Automated decisions (GDPR Art. 22)

Hire Doris uses artificial intelligence to generate compatibility scores and evaluations. These are advisory and require human review before any selection decision. Candidates have the right to:

• Obtain an explanation of the evaluation logic
• Request human intervention
• Express their point of view and contest the decision

6. Psychological analysis

The psychological analysis module is experimental and has not been psychometrically validated. It requires explicit candidate consent (GDPR Art. 22(2)(c)). Results should not be the sole basis for selection decisions.

7. Candidate rights

Under the GDPR, candidates may exercise the following rights:

• Access: request a copy of their personal data
• Rectification: correct inaccurate data
• Erasure: request the deletion of their data
• Objection: oppose automated processing
• Portability: receive their data in a structured format

To exercise these rights over candidate data, contact the HR department of the company responsible for the selection process — they are the data controller. For platform-level requests (or if you cannot reach the company), write to hello@looneydevs.com: we verify your identity through the email address associated with the account or candidacy, respond within 30 days, and where the company is the controller we forward your request to them and confirm to you that we did.

8. Data retention

Candidate data is retained for the period defined by the company's retention policy (configurable on the platform). Feedback links automatically expire 90 days after generation.

9. Legal basis for processing

• CV and candidacy data: legitimate interest of the controller (Art. 6(1)(f) GDPR)
• Interviews: performance of pre-contractual measures (Art. 6(1)(b) GDPR)
• Psychological analysis: explicit consent of the data subject (Art. 9(2)(a) and Art. 22(2)(c) GDPR)

10. International transfers

The AI providers listed in section 4 may transfer data outside the European Economic Area. Such transfers are covered by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.

11. Google user data (Google API Services)

If you sign in with Google or connect your Google Calendar, Hire Doris receives the following Google user data, used strictly for the purposes stated:

• Google Sign-In (openid, email, profile scopes): your name, email address, and profile picture -- used solely to authenticate you and create or link your account
• Google Calendar (calendar.events and calendar.events.freebusy scopes): creating interview events on your calendar and reading free/busy availability -- used solely to schedule interviews and avoid scheduling conflicts. We do not read the content of your existing calendar events.

Minimum necessary access: we deliberately request the narrowest Google scopes that support these features. We do NOT request full read access to your calendar (neither the calendar nor the calendar.readonly scope): calendar.events is required to create and update the interview events we schedule for you, and calendar.events.freebusy only tells us whether a time slot is busy or free — never the title, attendees, or content of your existing events. Google Sign-In uses only the basic openid, email, and profile identifiers. If a feature ever requires an additional scope, we will request it separately and explain why before you grant it.

We do not share, transfer, or disclose Google user data to any third party. Google user data is never sold, never used for advertising, never used to develop or train AI or machine-learning models (generalized or otherwise), and is never sent to the AI providers listed in section 4. It is accessible only to automated platform processes and, where strictly necessary for security or support, to authorized personnel of the platform operator.

Hire Doris's use and transfer to any other application of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

You can revoke Hire Doris's access to your Google data at any time from your Google Account security settings (myaccount.google.com/permissions) or by disconnecting your calendar inside the platform. When you disconnect, the stored OAuth tokens are deleted immediately. Free/busy availability is queried in real time and never stored on our servers; interview events we created remain on your calendar, where you can delete them yourself.

12. Security and data protection

We apply technical and organizational measures to protect personal and sensitive data, including Google user data:

• Encryption in transit: all communication between your browser, the platform, and third-party APIs uses HTTPS/TLS
• Encryption at rest: OAuth tokens (access and refresh tokens) are stored encrypted and are decrypted exclusively on the server at the moment of use -- they are never exposed to the browser or included in API responses
• Access control: role-based authorization (JWT plus signed sessions) and strict multi-tenant isolation, so each organization can only access its own data
• Audit logging: security-relevant actions are recorded in encrypted audit logs; logs never contain passwords, tokens, or sensitive content
• Retention and deletion: configurable retention policies and a GDPR erasure-request workflow that permanently removes personal data
• Incident response: if a breach affects personal data, we notify the data controller and the competent supervisory authority as required by GDPR Art. 33

13. EU AI Act

Hire Doris is classified as a high-risk AI system in the employment domain (Art. 6, Annex III). The platform implements transparency measures (Art. 13), human oversight (Art. 14), and traceability (Art. 12) in accordance with the Regulation.

14. Supervisory authority

If you believe your data has been processed unlawfully, you have the right to file a complaint with the competent data protection authority in your country of residence. The platform's data processor (LooneyDevs Limited) is based in New Zealand -- Office of the Privacy Commissioner: www.privacy.org.nz. EU residents may contact their national authority (Spain: AEPD, www.aepd.es).

15. Contact

To exercise your rights or make inquiries about data protection, contact the HR department of the company responsible for the selection process, or write to the address indicated in the job posting. For platform-level data inquiries, write to hello@looneydevs.com.