HireBoost Logo
HireBoost

GDPR Compliance Statement

Last updated: January 6th, 2026

1. Introduction

HireBoost is committed to protecting personal data and complying with the General Data Protection Regulation (GDPR) (EU) 2016/679.

This GDPR Compliance Statement explains how we meet GDPR requirements and describes your rights as a data subject, particularly for users located in the European Economic Area (EEA).

This document supplements our Privacy Policy and should be read together with it. In the event of any conflict, the Privacy Policy prevails.

2. Legal Basis for Processing (Article 6)

We process personal data only where a valid legal basis exists.

2.1 Consent (Article 6(1)(a))

We process personal data based on your explicit consent for specific purposes, including:

  • Enabling optional human supporter collaboration
  • Sending marketing communications (opt-in only)
  • Optional analytics and performance tracking

You may withdraw your consent at any time.

2.2 Performance of a Contract (Article 6(1)(b))

We process personal data where necessary to perform our contract with you, including:

  • Providing real-time interview transcription services
  • Generating AI-assisted answer suggestions
  • Managing user accounts, subscriptions, and credit balances
  • Processing payments and transaction records

2.3 Legitimate Interests (Article 6(1)(f))

We may process limited personal data to pursue legitimate business interests, provided these interests do not override your rights and freedoms, including:

  • Improving service reliability, accuracy, and performance
  • Ensuring platform security and fraud prevention
  • Internal service analytics and optimization

We do not use personal interview content to train general-purpose AI models. Any service improvements are based on aggregated, anonymized, or non-identifiable data where possible.

2.4 Legal Obligations (Article 6(1)(c))

We process personal data where required to comply with legal obligations, such as accounting, tax, and regulatory requirements.

3. Your Rights Under GDPR (Chapter III)

As a data subject, you have the following rights:

3.1 Right of Access (Article 15)

You have the right to obtain confirmation as to whether we process your personal data and to access that data, including:

  • The categories of personal data processed
  • The purposes of processing
  • The recipients or categories of recipients
  • The retention period

You may request a copy of your data via your account settings or by contacting us.

3.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate or incomplete personal data. Most account information can be updated directly through your account settings.

3.3 Right to Erasure ("Right to be Forgotten") (Article 17)

You may request deletion of your personal data where:

  • The data is no longer necessary for its original purpose
  • You withdraw consent and no other legal basis applies
  • You object to processing and no overriding legitimate grounds exist
  • The data has been unlawfully processed

You may delete your account and associated data through your account settings, subject to legal retention requirements.

3.4 Right to Restrict Processing (Article 18)

You may request restriction of processing in certain situations, including:

  • While the accuracy of data is contested
  • Where processing is unlawful but erasure is not desired
  • Where we no longer need the data but you require it for legal claims

3.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller. This includes:

  • Exporting interview sessions and transcriptions
  • Downloading account-related data

3.6 Right to Object (Article 21)

You have the right to object to processing of your personal data:

  • For direct marketing purposes (opt-out at any time)
  • Where processing is based on legitimate interests

3.7 Automated Decision-Making (Article 22)

HireBoost does not engage in automated decision-making or profiling that produces legal or similarly significant effects within the meaning of Article 22 GDPR.

Our AI features provide assistive suggestions only. All decisions remain under your control, and you may review, modify, or ignore any AI-generated output.

4. Data Protection Measures (Article 32)

4.1 Technical Safeguards

We implement appropriate technical measures, including:

  • Encryption of sensitive data in transit and at rest
  • Secure authentication and access controls
  • Regular security assessments and audits
  • Backup and disaster recovery procedures
  • Network security monitoring

4.2 Organizational Safeguards

We apply organizational measures such as:

  • Data protection training for staff
  • Confidentiality obligations for personnel
  • Periodic review of data processing activities
  • Data protection impact assessments where required

5. International Data Transfers (Chapter V)

Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs)
  • Contractual data protection obligations
  • Transfers only to countries with adequate protection or approved safeguards

6. Data Retention (Article 5(1)(e))

We retain personal data only as long as necessary:

  • Account Data: Until account deletion
  • Interview Sessions: Until deleted by the user or account closure
  • Transaction Records: As required by law (typically up to 7 years)
  • Analytics Data: Aggregated or anonymized after a defined retention period

7. Data Breach Notification (Articles 33 & 34)

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Inform affected users without undue delay
  • Provide information on mitigation measures and protective steps

8. Data Protection Contact

If you have questions about data protection or GDPR compliance, you may contact our privacy contact point:

9. Supervisory Authority

If you are located in the EEA and believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority.

A list of authorities is available via the European Data Protection Board.

10. Exercising Your Rights

You may exercise your GDPR rights by:

We will respond within one month, extendable by up to two additional months for complex requests, in accordance with GDPR.

11. Updates to This Statement

We may update this GDPR Compliance Statement to reflect legal or operational changes. Material changes will be communicated appropriately.

12. Contact Us

For GDPR-related questions: