Scope of this Policy
Counsel to define the Policy's coverage: hireroom.tech web app, browser extension, marketing site, transactional emails, mobile PWA. Specify what's NOT covered (linked third-party sites).
Categories of Personal Information we collect
Counsel to map our actual collected fields (profile + resume + applications + AI usage logs) onto CCPA categories A–K. Skeleton list to follow: identifiers (A), customer records (B), commercial info (D), internet activity (F), professional info (I), inferences (K).
Sources of information
Direct collection from user (profile entry, resume upload, application activity) vs derived (AI tailoring outputs cached locally) vs third-party (Clerk OAuth providers if used).
Why we process Personal Information
Service operation, AI tailoring, communications, billing, fraud prevention, product analytics, marketing (only if user opts in). Counsel to draft + map purposes to lawful bases (GDPR Art. 6).
How long we keep it
Default: while account active + 30-day grace post-deletion. Audit logs longer per legal-hold needs. Counsel to set definitive periods per category.
Third-party Processors
The processors below are wired into HireRoom in this release. New processors will appear in this table only when the code that uses them ships.
| Processor | Purpose | Data shared | DPA |
|---|---|---|---|
| Clerk | Authentication + Stripe billing wrapper | Email, name, plan tier, sign-in events | link |
| Stripe (via Clerk) | Payment processing | Name, billing address, card token, transaction IDs | link |
| Vercel | Hosting + Analytics + Speed Insights | Request logs, performance metrics (no PII by default) | link |
| Turso (libSQL) | Database hosting | Application data including resume content, applications, profile. DPA availability to be confirmed by counsel before public launch. | link |
| Anthropic (via Vercel AI Gateway) | LLM inference (default per D-009) | Resume text + job posting text sent at request time. Zero retention through Vercel AI Gateway. | link |
| OpenAI (via Vercel AI Gateway) | LLM fallback + Realtime voice for mock interviews | Resume text, job posting text, voice audio (only when voice mock used) | link |
| Resend | Transactional email (welcome, alerts, OPT countdown, etc.) | Email address, transactional content | link |
International transfers
HireRoom hosts in the US (Vercel + Turso US regions). Counsel to draft SCC / DPF / Art. 49 derogation analysis if/when EU users are accepted (deferred per L3 design §3.4).
Sensitive Personal Information (GDPR Art. 9 carve-out)
Resumes can contain inferable sensitive data (religious affiliation via employer name, disability via accommodation history, sexual orientation via affinity-group employment). Counsel to draft (a) explicit consent language, (b) HireRoom's commitment to not derive features from inferred sensitive data, (c) user's right to redact.
Your CCPA / CPRA rights (California)
Standard list: right to know, delete, correct, limit use of sensitive PI, opt out of sale/sharing, non-discrimination. Counsel to draft each + reference DSR endpoint.
Your TDPSA rights (Texas)
Per the Texas Data Privacy and Security Act (effective 2024-07-01). Counsel to draft access/correction/delete/portability/opt-out-of-sale-or-targeted-advertising rights for Texas residents.
Sale of Personal Information and Sharing of Personal Information (Talent Marketplace)
Per D-007, Talent Marketplace is gated on opt-in (≥ 500-1000 inventory threshold), and per D-008 the opt-in is unbundled. Counsel to draft what specifically is 'sold' or 'shared' (de-identified profile + outcomes vs raw resume), to whom (paying recruiters), and how to opt out (DNSMPI page + /consent toggle + GPC).
Global Privacy Control signals
Counsel to draft: 'HireRoom honors browser-sent Global Privacy Control signals as an opt-out of Sale and Sharing per CCPA §1798.135(b). The signal is detected via the Sec-GPC header and applied for the duration of the browsing session and persistently for authenticated users.'
Children's Privacy
HireRoom is not directed to children under 13 (COPPA) / 16 (GDPR). Counsel to draft minimum-age clause + deletion-on-discovery commitment.
Changes to this Policy
Material vs. non-material changes; notice cadence (email + in-app banner for material). Tie to LEGAL_DOC_VERSION.
Contact + Data Subject Requests
Submit requests via legal@hireroom.tech or the /consent dashboard. Counsel to add response SLA + identity-verification method.