CreamyHire
Trust Center

Privacy Policy

What we collect, why, who sees it, how long we keep it. Written in English first, then aligned with GDPR + DPDP.

Last updated: May 2026

1. Scope

This Privacy Policy describes how CreamyHire (“CreamyHire”, “we”) processes personal data via the website at creamyhire.com, the web app at app.creamyhire.com, the API at api.creamyhire.com, our browser extension, and any related services (collectively, the “Service”).

Two audiences interact with the Service:

  • Recruiters who sign up, create jobs, upload resumes, and receive AI scoring outputs.
  • Candidates whose resumes recruiters upload, import via ATS, or capture via the browser extension. We process your data on the recruiter's instructions; see “Notes for candidates” below.

For B2B contracts, refer also to our Data Processing Addendum.

2. What we collect

2.1 From recruiters (Controllers in GDPR terms)

  • Account: email, hashed password (bcrypt), full name, company, phone, location.
  • Plan, billing identifiers (Razorpay/Stripe customer IDs — we never store card numbers).
  • Notification preferences and webhook URLs (Slack, Teams) you configure in Settings.
  • API keys for the Service (hashed at rest) and encrypted credentials for any ATS integration you connect.
  • Audit log of in-product actions (uploads, stage transitions, admin actions).

2.2 About candidates (Data subjects)

  • Resume content uploaded as PDF/DOCX, captured from LinkedIn via the extension, or imported from your ATS.
  • Parsed structured fields: name, email, phone, location, skills, education, work history, language signals.
  • AI outputs we generate from the above: overall + sub-scores, strengths/weaknesses, red flags, recommendations, deep analysis, interview kit, draft emails.
  • Public-source enrichment links (LinkedIn URL, GitHub username where present in the resume) — link-only, never scraped.

2.3 Automatically

  • IP address, user-agent, device type, request paths, and request IDs for security and rate-limiting.
  • Anonymous product analytics (aggregated counts only — no per-user behaviour profiles).

3. Why we collect it

| Purpose | Lawful basis (GDPR) |
| --- | --- |
| Provide the Service to recruiters (account, scoring, pipeline, integrations). | Contract performance (Art. 6(1)(b)). |
| Process candidate data on the recruiter's instructions. | Recruiter's legitimate interest in evaluating applicants (Art. 6(1)(f)); recruiter is the Controller for this purpose. |
| Security monitoring, fraud detection, abuse prevention. | Legitimate interest (Art. 6(1)(f)). |
| Billing and tax compliance. | Legal obligation (Art. 6(1)(c)). |
| Product analytics (aggregated). | Legitimate interest (Art. 6(1)(f)). |
| Marketing emails to recruiters who opted in. | Consent (Art. 6(1)(a)) — withdrawable any time. |

4. AI processing

Resume text and job descriptions are sent to OpenAI for parsing, scoring, deep analysis, interview-kit generation, and email drafting. We use the OpenAI API with the data-sharing opt-out enabled at the organisation level: your data is not used to train OpenAI models, and OpenAI's zero-day retention policy applies to the prompts and completions we send.

CreamyHire never uploads the original PDF or DOCX file to a third party. Only the extracted text travels to the LLM. AI outputs (scores, summaries) are stored in our database, scoped to your account.

5. Who we share it with

We share data only with the sub-processors listed at /sub-processors, each contractually bound to use the data only for the purposes we instruct. We do not sell data, do not run third-party ad tech, and do not run cross-customer profiling.

We share data with law-enforcement authorities only when required by valid legal process and, where permitted, will notify the affected customer first.

6. International transfers

CreamyHire infrastructure is hosted in the United States by default. For transfers outside the EEA / UK / India we rely on the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and DPDP-aligned contractual safeguards. EU data residency is on the 2026 roadmap for Enterprise tenants on request.

7. Retention

  • Active accounts: data is retained for the life of the subscription.
  • Account erasure (recruiter-initiated): requesting deletion in Settings starts a 30-day grace window; after that, jobs, candidates, notes, integrations, and credentials are hard-deleted. Audit logs are preserved (with the user reference replaced by a non-identifying token) for one year for security and compliance purposes.
  • Backups: encrypted point-in-time backups roll off after the retention window (default 7 days, 30 days for paid tenants on request).
  • Logs and Sentry events: 30 days.

8. Your rights

You have the right to:

  • Access the data we hold — GET /me/data/export downloads a complete ZIP, or email privacy@creamyhire.com.
  • Rectify incorrect data — Settings → Profile, or candidate detail page for candidate fields.
  • Erase — Settings → Privacy → Delete account (30-day grace) or POST /me/data/erasure.
  • Restrict processing — pause your account or email us.
  • Object to processing based on legitimate interest — write to privacy@creamyhire.com.
  • Port your data — the export ZIP contains JSON + CSV designed for re-import elsewhere.
  • Withdraw consent for marketing emails — every marketing email has a one-click unsubscribe.
  • Lodge a complaint with your supervisory authority (e.g. ICO in the UK, CNIL in France, DPB in India).

9. Notes for candidates

If your data is in CreamyHire because a recruiter uploaded your resume, the recruiter is the Controller under GDPR. We act as their Processor: we cannot delete or modify your record without their instruction. To exercise your rights, contact the recruiter first; if they don't respond within 30 days you may write to privacy@creamyhire.com and we'll facilitate.

CreamyHire never sells your resume, never trains AI on it, and never uses it to target you with ads on third-party platforms.

10. Children

The Service is not directed to anyone under 16. If you believe we have inadvertently collected data on a child, email privacy@creamyhire.com and we will delete it.

11. Changes

We update this Policy when our practices change. Material changes are announced 30 days in advance via email to the primary account contact and an in-app banner.

12. Contact

Privacy questions: privacy@creamyhire.com
Security disclosures: security@creamyhire.com
Legal & DPA: legal@creamyhire.com