Privacy Policy
Last updated: May 1, 2026
Google API Services User Data Policy Compliant
PlacementFlow's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
1. Introduction
PlacementFlow ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI recruiter platform (the "Service").
By using PlacementFlow, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, company name, job title, password
- Professional Information: Candidate resumes and profiles, client company information, interview schedules and feedback, communication templates and email campaigns
- Payment Information: Billing address, payment method details (processed securely via Stripe)
2.2 Information Collected Automatically
- Usage Data: IP address, browser type, operating system, pages visited, time spent
- Cookies: Session cookies (authentication), analytics cookies (Vercel Analytics), preference cookies
Email Tracking Technologies
We use tracking technologies to measure email campaign performance:
- Open Tracking: 1x1 transparent tracking pixels embedded in campaign emails. Records timestamp, approximate location, device type.
- Click Tracking: Links wrapped through our servers to record clicks. Records timestamp, IP address, link clicked.
- Reply Detection: Scans for replies to PlacementFlow campaign emails only. Only reads metadata (sender, subject, timestamp). Full email body is NOT read or stored.
- Submission Interest Tracking: IP address logged when clients click "Schedule Interview" or "Decline" for audit trail and duplicate click prevention.
- Unsubscribe Tracking: IP address and timestamp logged for CAN-SPAM/GDPR compliance.
2.3 Information from Third Parties
- OAuth Integrations: Google Calendar events and availability, Microsoft Outlook calendar data, Zoom meeting details, Bullhorn ATS candidate/client records (coming soon)
2.4 Google API Services User Data Policy Compliance
PlacementFlow's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Limited Use Disclosure
- We only use Gmail data to send emails you create and detect replies to auto-pause sequences
- We do NOT use Gmail data for advertising, market research, or credit assessment
- We do NOT transfer Gmail data to third parties except as necessary to provide the Service
- We do NOT allow humans to read Gmail data unless required for security or legal compliance
Google OAuth Scopes We Request
Gmail operates in send-only mode to minimize permissions. Reply detection and contact import are available with Microsoft 365/Outlook.
| Scope | Purpose |
|---|---|
| gmail.send | Send CV submissions and follow-up emails from your mailbox |
| userinfo.email | Verify your email for account linking |
| calendar.events | Read/write calendar for interview scheduling |
2.5 Email Integration Permissions (Gmail/Outlook)
When you connect your Gmail or Microsoft 365 account for email campaigns, we request specific permissions. Note that Gmail and Outlook have different capabilities:
Send Email Permission (All Providers)
- What we do: Send CV submission emails and follow-up sequences from YOUR email address
- What we don't do: Send emails that are not part of a campaign you explicitly created, or send spam or promotional emails
Read Email Permission (Microsoft 365/Outlook Only)
Gmail operates in send-only mode. Reply detection is available for Outlook accounts only.
- What we do: Check if clients have replied to emails YOU sent via PlacementFlow campaigns
- Why: Auto-pause follow-up sequences when a client responds (prevents duplicate emails)
- How it works: We only scan for replies to threads YOU initiated via PlacementFlow
- What we DON'T read: Your personal emails, other conversations, attachments, or any emails not related to PlacementFlow campaigns
Technical Details of Email Reading (Outlook Only)
- We match replies using Outlook "Conversation ID"
- We only read: sender address, subject line, and a short snippet (first ~100 characters)
- We do NOT read: full email body, attachments, or metadata of unrelated emails
- Scanning occurs every 15 minutes for active campaigns only
- Data retention: Reply records are deleted 30 days after campaign completion
Gmail Send-Only Mode
- Gmail accounts can send emails but cannot detect replies automatically
- Clients can use the "Schedule Interview" or "Not Interested" buttons in emails to respond
- Button clicks automatically pause follow-up sequences
- For automatic reply detection, consider using Microsoft 365/Outlook
Contacts Access (Microsoft 365/Outlook Only)
- Import contacts from your sent emails for quick recipient selection
- Contact data is not shared with third parties
Your Control
- You can disconnect your email account at any time from Settings > Email Accounts
- Disconnecting immediately stops all email access
- OAuth tokens are securely deleted upon disconnection
- We cannot access your email without an active OAuth connection
2.6 Calendar Integration Permissions
When you connect your Google or Microsoft calendar for interview scheduling:
What We Access
- Event times (start/end) to detect conflicts
- Event titles (to show busy/free status)
- Your primary calendar only (not shared calendars unless you specify)
What We DON'T Access
- Event descriptions or attendee details (privacy preserved)
- Personal appointments beyond availability checking
- Calendars from other accounts unless explicitly connected
2.7 Understanding OAuth: Sign-In vs. Integration
PlacementFlow uses OAuth for two different purposes:
1. Sign-In (Authentication Only)
- When you click "Sign in with Google" or "Sign in with LinkedIn"
- This ONLY verifies your identity—we don't access your Google/LinkedIn data
- Permissions: Basic profile (name, email, profile picture)
- No access to: Gmail, Calendar, Contacts, LinkedIn connections, or any other data
2. Integration (Data Access)
- When you explicitly connect Calendar or Email in Settings > Integrations
- This grants access to specific data for specific features
- Each integration requires separate consent with clear permission scopes
- You can revoke access at any time without affecting your login
Key Point: Signing in with Google does NOT give us access to your Gmail or Calendar. Those are separate, optional integrations you must explicitly authorize.
2.8 Email Enrichment Services
When candidates lack email addresses, we automatically attempt to find business emails using third-party providers:
Third-Party Providers
- Hunter.io — Email finder and verification
- SmartProspect (SmartLead) — LinkedIn contact enrichment
- Trykitt — Email finder
- Bounceban — Catch-all email specialist
- Findymail — Email verification
- Snov.io — Email finder
Data We Send: First name, last name, company name/domain, LinkedIn URL
Data We Receive: Business email address, confidence score
Retention: Results cached 30 days to avoid redundant lookups
2.9 Interview Recording and AI Analysis
MeetingBaas Recording
When you enable interview recording, a MeetingBaas bot joins Zoom meetings and captures:
- Full audio/video recording
- Complete text transcript
- Participant names and speaking times
AI Analysis (Z.AI)
Transcripts are analyzed by AI to generate:
- Hiring recommendation (strong hire, hire, maybe, no hire)
- Candidate score (1-10)
- Strengths, concerns, and red flags
- Key moments with timestamps
- Skills assessment with confidence levels
Your Control: You can disable recording per interview and delete transcripts anytime.
2.10 AI-Powered Search
We generate vector embeddings from candidate profiles for semantic search:
- Enables "Find similar candidates" functionality
- Powers intelligent candidate-job matching
- Stored locally using pgvector (PostgreSQL)
- No personal data shared externally for this feature
3. How We Use Your Information
We use collected information to:
- Provide the Service: Schedule interviews, send email campaigns, analyze interview transcripts
- Process Payments: Manage subscriptions via Stripe
- Improve the Service: Analyze usage patterns, fix bugs, develop new features
- Communicate: Send transactional emails, product updates, support responses
- Ensure Security: Detect fraud, prevent abuse, enforce Terms of Service
- Comply with Legal Obligations: Respond to legal requests, protect rights
4. How We Share Your Information
We do NOT sell your personal information. We share data only in these limited circumstances:
4.1 With Your Consent
When you authorize third-party integrations (Google, Microsoft, Zoom, Bullhorn)
4.2 Service Providers
- Vercel: Hosting and deployment
- Supabase: Database hosting (PostgreSQL)
- Resend: Email delivery and tracking
- Stripe: Payment processing
- Z.AI: AI analysis and recruitment processing
- MeetingBaas: Interview recording and transcription
- Zoom: Video meeting creation
- Hunter.io, SmartProspect, Trykitt, Bounceban, Findymail, Snov.io: Email enrichment
- Sentry: Error tracking and monitoring
All service providers are contractually obligated to protect your data and use it only for specified purposes.
4.3 Legal Requirements
- To comply with legal obligations (subpoenas, court orders)
- To protect the rights, property, or safety of PlacementFlow, users, or the public
- In connection with business transfers (mergers, acquisitions)
5. Data Security
We implement industry-standard security measures:
- Encryption: AES-256 for data at rest, TLS 1.3 for data in transit
- Access Controls: Role-based permissions, least privilege principle
- Authentication: Auth.js with JWT tokens, httpOnly cookies
- Monitoring: Sentry error tracking, audit logs for sensitive actions
- HMAC Verification: Webhook signatures to prevent tampering
However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
6. Your Data Rights
6.1 Access and Portability (GDPR/CCPA)
- Request a copy of your personal data
- Export data in machine-readable format (CSV, JSON)
6.2 Correction and Deletion
- Correct inaccurate or incomplete data
- Request deletion of your account and associated data
6.3 Opt-Out
- Unsubscribe from marketing emails (one-click unsubscribe)
- Disable non-essential cookies
- Withdraw consent for data processing
6.4 Data Retention
- Active accounts: Data retained for duration of subscription
- Canceled accounts: Data deleted within 30 days unless legal retention is required
- Backups: Deleted from backups within 90 days
To exercise these rights, contact us at hello@placementflow.com.
6a. Automated Processing and AI Decision-Making
PlacementFlow uses artificial intelligence and automated processing to assist recruitment agencies in their candidate placement activities. This section explains how automated processing works and what rights you have, in accordance with GDPR Articles 13(1)(f), 15, and 22, and Article 86 of the EU AI Act.
What AI processing we perform
When a recruitment agency uses PlacementFlow, the platform may process your personal data in the following automated ways:
- Candidate shortlist generation: Semantic embedding models compare your professional profile against active job briefs to generate a ranked shortlist presented to a recruiter for consideration. This determines whether you are surfaced as a candidate for a given role.
- AI qualification scoring: Responses to screening questionnaires are scored and classified by AI to assess your suitability for specific roles. Scores are presented alongside your profile for recruiter review.
- Outreach content generation: AI assists in drafting personalised outreach messages sent to candidates on behalf of recruitment agencies. The final content is reviewed and approved by a human recruiter before sending.
- Interview transcript analysis: Where you consent to interview recording, AI analyses the transcript to generate a structured hiring recommendation (strong hire, hire, maybe, or no hire), a candidate score, and a summary of strengths and concerns.
Logic involved
Candidate shortlist generation uses vector similarity (cosine distance) between embedding representations of your professional experience and the job brief. Candidates whose embeddings fall within a configurable similarity threshold are surfaced to the recruiter. Qualification scoring uses a large-language model to classify open-text responses against recruiter-defined criteria and assign a numerical score. Interview analysis applies a large-language model to transcript text to extract structured signals aligned with recruiter-defined competencies.
These scores inform — but do not replace — recruiter judgment. A human recruiter reviews all shortlists and scoring outputs before any interview invitation is extended or any candidate is rejected.
Right to human review (GDPR Article 22(3))
Where automated processing produces decisions that significantly affect you — for example, whether you are shortlisted for a role or progressed following a screening assessment — you have the right under GDPR Article 22(3) to request that a human recruiter reviews that decision without relying solely on the automated output. To exercise this right, contact us at privacy@placementflow.com with subject “Human Review Request”. We will coordinate with the relevant agency to arrange a manual review.
Right to explanation (GDPR Article 15 and EU AI Act Article 86)
Under GDPR Article 15, you have the right to obtain meaningful information about the logic involved in automated processing that significantly affects you. Under EU AI Act Article 86, you have the right to request an explanation of an AI-assisted decision that affects you.
To exercise either right, contact us at privacy@placementflow.com with subject “AI Decision Explanation Request”. Please include the name of the recruitment agency that contacted you and the approximate date of contact. We will provide a written explanation of the logic applied, the main factors that influenced the outcome, and the significance of those factors within 30 days.
How to exercise these rights
- Request human review of any AI-assisted shortlisting or scoring decision under GDPR Article 22(3) — email privacy@placementflow.com with subject “Human Review Request”.
- Request an explanation of the AI logic and contributing factors under GDPR Article 15 or EU AI Act Article 86 — email privacy@placementflow.com with subject “AI Decision Explanation Request”.
- Contest the decision and have a human recruiter re-evaluate your application without reliance on the automated score — include “Contest” in the subject line of your email.
We respond to all AI rights requests within 30 days.
Third-party AI provider
AI processing is performed using Z.AI (GLM model family). A Data Processing Agreement governs this relationship. Your personal data is processed only for the stated recruitment purpose and is not used to train the provider's models. For questions about cross-border data transfers arising from AI processing, contact us at privacy@placementflow.com.
7. Cookies and Tracking
7.1 Essential Cookies (Cannot be Disabled)
- __Secure-next-auth.session-token: Authentication session
- __Host-next-auth.csrf-token: CSRF protection
7.2 Analytics Cookies (Can be Disabled)
- Vercel Analytics: Page views, performance metrics
7.3 Managing Cookies
- Browser settings: Most browsers allow you to refuse cookies
- Opt-out links: Vercel Analytics Opt-Out
8. International Data Transfers
PlacementFlow is operated from the United Kingdom. If you access the Service from outside the UK, your information may be transferred to, stored, and processed in the UK or other countries where our service providers operate.
International Data Transfers: We comply with GDPR requirements for international transfers, including:
- Standard Contractual Clauses (SCCs) with service providers
- Adequate safeguards for data protection
9. Children's Privacy
PlacementFlow is NOT intended for use by individuals under 16 years of age. We do not knowingly collect personal information from children.
If you believe a child has provided us with personal information, contact us immediately at hello@placementflow.com.
10. Third-Party Links
The Service may contain links to third-party websites (e.g., Google Calendar, Zoom). We are not responsible for the privacy practices of these websites. Please review their privacy policies.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last Updated" date
- Sending an email notification (for significant changes)
Your continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us:
- Email: hello@placementflow.com
- Address: PlacementFlow Inc., 14 Western Gateway, London, E16 1BP, UK
- Support: hello@placementflow.com
13. GDPR-Specific Information (EU Users)
Legal Basis for Processing
We process personal data under the following legal bases:
- Contract Performance: To provide the Service per our Terms of Service
- Legitimate Interests: To improve the Service, prevent fraud
- Consent: For marketing communications, non-essential cookies
- Legal Obligation: To comply with tax, accounting, legal requirements
Data Controller
PlacementFlow Inc. is the data controller for personal information collected through the Service.
Supervisory Authority
EU users have the right to lodge a complaint with their local data protection authority.
13b. UK GDPR — UK Residents
UK residents are protected under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, which apply separately from EU GDPR following the UK's departure from the European Union. UK residents have the same rights as EU data subjects, including:
- Right of access to your personal data (Subject Access Request)
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing based on legitimate interests
- Rights related to automated decision-making and profiling (UK GDPR Article 22)
UK Representative
PlacementFlow Inc. is operated from the United Kingdom (14 Western Gateway, London, E16 1BP). As our primary operations are UK-based, a separate UK Article 27 representative is not currently required. If we relocate principal operations outside the UK, we will appoint a UK representative and update this policy.
UK Supervisory Authority
UK residents have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
14. CCPA-Specific Information (California Residents)
Categories of Personal Information Collected
- Identifiers (name, email, IP address)
- Professional information (job title, company)
- Internet activity (usage data, cookies)
- Financial information (payment method via Stripe)
Sale of Personal Information
We do NOT sell personal information.
California Privacy Rights
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of sale (N/A - we don't sell data)
- Right to non-discrimination for exercising privacy rights
To exercise your rights, email hello@placementflow.com with subject "CCPA Request".