Privacy Policy
Effective: April 2026 · Last updated: April 5, 2026
1. Who we are
Hiresling.ai is operated by 42labs OÜ, a company registered in Estonia (EU). In this policy, "Hiresling," "we," "us," and "our" refer to 42labs OÜ.
Contact: hiresling@42labs.io
2. What data we collect
| Category | Examples | When |
|---|---|---|
| Account data | Name, email address | Sign-up (from Google profile) |
| Resume data | Work history, education, skills, accomplishments | Onboarding (you upload it) |
| Targeting preferences | Target roles, industries, organization traits, skills, signals, contact role preferences, company blacklist | Onboarding & settings |
| Email content | Drafted email subjects and bodies, email closing preferences | During outreach generation |
| Gmail credentials | OAuth refresh token (encrypted) | Gmail connection |
| Usage data | Daily/monthly email and AI call counts | Automatically |
| Decisions & feedback | Prospect approvals/rejections, email feedback | During pipeline use |
| Calibration data | Chat messages and extracted calibration notes | Onboarding chat |
3. How we use your data
- Resume parsing and tailoring — we use AI to parse your resume into structured data and deterministically reorder it for each target company. No text is added, changed, or fabricated.
- Email drafting — we use AI to draft personalized outreach emails based on your resume, preferences, and target company information.
- Email sending — we send approved emails from your Gmail account using your authorized credentials. We only request the `gmail.send` scope. We never read your inbox.
- Company and contact discovery — we find potential target companies and their publicly available contact information using APIs and, as a last resort, publicly accessible web pages.
- Usage enforcement — we track daily and monthly counts to enforce your subscription tier limits.
- Platform statistics — we maintain anonymized aggregate counters (total emails sent, total resumes generated) for platform metrics. These are not linked to any user.
- Error monitoring — we use Sentry to capture application errors and improve reliability. Error reports may include technical identifiers but are scrubbed of personal content.
4. Legal basis (GDPR)
| Processing | Legal basis |
|---|---|
| Resume parsing, tailoring, email drafting, sending | Performance of contract (Art. 6(1)(b)) — necessary to deliver the service you subscribed to |
| Resume upload and AI processing | Explicit consent (Art. 6(1)(a)) — provided at onboarding |
| Contact discovery from public sources | Legitimate interest (Art. 6(1)(f)) — the user has a legitimate interest in finding employment; contacting company representatives via publicly available information is a proportionate means |
| Usage tracking, error monitoring | Legitimate interest (Art. 6(1)(f)) — maintaining platform security, reliability, and fair usage |
| Aggregate platform statistics | Legitimate interest (Art. 6(1)(f)) — anonymized, no personal data involved |
5. Who we share data with
We share your data only with the service providers necessary to operate Hiresling. All providers are bound by data processing agreements.
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | All application data | US |
| Anthropic (Claude API) | Resume parsing, email drafting, calibration | Resume content, preferences, company info | US |
| Google (Gmail API) | Authentication, email sending | Email subject, body, recipient addresses | US |
| Vercel | Hosting, serverless compute | Application code, request logs | US/EU |
| Sentry | Error monitoring | Error reports, technical identifiers | US |
| Brevo | Transactional notification emails | Your email address, batch summaries | EU |
| Polar | Payment processing (Merchant of Record) | Email, subscription tier, payment details | US |
Data transfers from the EU to the US are covered by Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework where applicable.
6. Shared and isolated data
Some data is shared across all authenticated users to avoid redundant lookups:
- Company records — name, website, industry, size
- Job postings — title, URL, company
- Contact records — name, role, email address
The following data is never shared between users and is strictly isolated via row-level security:
- Resumes, email drafts, feedback, decisions, preferences
- Gmail credentials, API keys, usage records
- Audit logs
7. Data retention
| Data | Retained | After account deletion |
|---|---|---|
| Account and profile | Until you delete your account | Purged immediately |
| Resumes (base and tailored) | Until you delete your account | Purged immediately |
| Sent email content | 90 days after last follow-up sent | Purged immediately |
| Usage tracking | 12 months | Purged immediately |
| Audit logs | 3 years (compliance) | Anonymized (user ID removed) |
| Aggregate counters (emails/resumes sent) | Indefinite | Not affected (no user association) |
8. Security
- Gmail refresh tokens and BYOK API keys are encrypted with AES-256-GCM before storage.
- All data in transit is encrypted via TLS (HTTPS).
- Authentication uses Google OAuth with PKCE. No passwords are stored.
- Database access is enforced by row-level security policies — users can only access their own data.
- Resume files are stored in a private storage bucket and served only via authenticated proxy endpoints.
9. Your rights
Depending on your location, you may have the following rights:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Deletion — delete your account and all associated data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — withdraw consent for resume processing at any time (by deleting your resume or account)
- Complaint — lodge a complaint with your local data protection authority. For Estonia: Andmekaitse Inspektsioon (aki.ee)
To exercise any right, email hiresling@42labs.io. We respond within 30 days.
10. Cookies and tracking
Hiresling uses HTTP-only session cookies managed by Supabase Auth for authentication. We do not use analytics cookies, tracking pixels, or advertising cookies. If this changes, we will update this policy and request your consent where required.
11. Contact data from public sources
Hiresling discovers company contact information (names, roles, email addresses) from publicly available sources such as company websites and job listing APIs. This data is used to facilitate employment-related outreach on behalf of our users.
If you are a contact whose information appears in our system and wish to be removed, email hiresling@42labs.io and we will delete your record within 30 days.
12. Children's privacy
Hiresling is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe a minor has signed up, contact us and we will delete the account.
13. Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last updated" date above and, for material changes, ask you to re-consent on your next login. Continued use after notification constitutes acceptance.
14. Governing law
This policy is governed by the laws of the Republic of Estonia, without regard to conflict of law principles. The courts of Harju County, Estonia have exclusive jurisdiction.
15. Third-party data attribution
Hiresling uses the following third-party datasets to power its onboarding questionnaire:
- ESCO Occupations and Skills — European Commission, licensed under CC BY 4.0. Source: esco.ec.europa.eu.
- ISIC Rev.4 — United Nations Statistics Division. Source: unstats.un.org.
- GeoNames geographical data — GeoNames, licensed under CC BY 4.0. Source: geonames.org.