Privacy Policy

Last updated: May 25, 2026

1. Who we are

sHRark ("we", "us") is a recruitment intelligence platform that uses AI to score and match candidates against open roles. The data controller for each organization's data is the organization itself. sHRark acts as a data processor on behalf of each organization.

The service is designed to support recruiting workflows. Nothing in this Privacy Policy should be read as legal advice to the customer or as a guarantee that the customer's own recruiting process satisfies all laws applicable to it.

If a separate pilot order form, approval email, or negotiated agreement identifies a specific contracting entity or controller/processor allocation for your organization, that written record controls over this public summary to the extent of any direct conflict.

2. What data we collect

Recruiter accounts

  • Name, work email, company name (at signup)
  • Password (hashed, never stored in plaintext)

Candidate data (uploaded by recruiters)

  • CV / resume documents (PDF, DOCX, TXT)
  • Extracted text content from CVs
  • Name and profile information extracted from the CV or entered by recruiters
  • Candidate contact details when available or entered by recruiters, including email address and phone number
  • Email address hash (SHA-256) used for deduplication when an email address is available
  • Expected salary, availability, public-application answers, consent scope, and candidate-source metadata where provided
  • AI-generated scores, assessment reasoning, and interview questions
  • Pipeline stage and recruiter notes

3. Legal basis for processing

Organizations using sHRark are responsible for determining and documenting their own lawful basis for candidate-data processing, including any required notices, retention choices, and candidate-facing disclosures regarding AI-assisted screening or employment decisions.

Recruiter account data is processed under contract (GDPR Art. 6.1b) — necessary for providing the service.

4. AI processing

CV text is processed through Azure OpenAI for candidate assessment, note analysis, and brief generation. When PDF text extraction requires an OCR fallback, the document is processed through Azure Document Intelligence. Before data is sent to these services:

  • Personal identifiers in CV text are reduced before AI processing where practical
  • The candidate profile may still store recruiter-visible contact, compensation, and availability fields where needed for the recruiting workflow
  • AI is instructed to never factor in protected characteristics (age, gender, race, etc.)
  • AI is instructed to ignore any instructions embedded in candidate documents

Azure AI services process data under Microsoft's Azure service terms. Data sent through these APIs is not used to train foundation models for other customers. The application keeps AI processing inside the Azure runtime used by the service.

5. Data storage & security

  • Database: Azure PostgreSQL flexible server
  • File storage: Azure Blob Storage
  • Production application resources are currently operated in Azure Sweden Central unless a separate written agreement states otherwise
  • Encryption in transit and encrypted managed cloud infrastructure at rest
  • Row-level security (organization isolation — no cross-tenant access)
  • Authenticated product routes and tenant-scoped access controls
  • Strict Content Security Policy and security headers

These measures are intended to reduce risk, but no online service can guarantee absolute security.

6. Data retention

Organizations can configure a retention period (default: 24 months). After this period, candidate data is automatically anonymized — CV text, contact details, compensation/availability fields, and personal identifiers are removed, while aggregate scoring data is preserved for accuracy calibration.

Organizations can delete individual candidate records at any time. Deletion removes CV text, uploaded files, contact details, compensation/availability fields, and personal identifiers. Anonymized scoring aggregates may be retained.

7. Data subject rights

Under GDPR and other applicable privacy laws, candidates may have rights including:

  • Access — request all data held about them
  • Erasure — request deletion of their data
  • Rectification — request correction of inaccurate data
  • Object — object to AI-based profiling
  • Portability — receive data in a structured format

To exercise these rights, candidates should contact the organization that uploaded their CV. Organizations can use the platform's data export and deletion tools to fulfill these requests.

8. International transfers

Production runtime and AI processing run on Microsoft Azure resources used by sHRark. Customer-facing recruiting data is intended to remain within the service's Azure-based runtime. The product runtime does not rely on third-party advertising or analytics scripts for authenticated application workflows.

For a current provider summary, see the public Subprocessors page.

9. EU AI Act compliance

Employment-related AI features may be subject to high-risk or adjacent obligations under the EU AI Act and related laws, depending on the deployment context. sHRark is designed to support human oversight and logging and currently implements:

  • Human oversight — all AI scores are recommendations, not automated decisions
  • Transparency — candidates should be informed that AI screening is used
  • Logging — each AI scoring event records model version, timestamp, and confidence level
  • Bias mitigation — PII stripped before AI processing; protected characteristics excluded
  • Accuracy monitoring — feedback loop tracks prediction accuracy over time

Customers remain responsible for determining whether additional impact assessments, candidate notices, works-council consultations, human-review procedures, or local employment-law steps are required in their jurisdiction.

10. Pilot and full-scope enterprise use

The current pilot is designed to keep onboarding low-friction and uses invited email-and-password access unless a separate written arrangement enables another sign-in path. For full-scope bank or enterprise rollout, the expected posture is a signed DPA or order form, a security annex, agreed retention and backup/restore terms, and Microsoft Entra-based identity controls such as SSO, MFA, and conditional-access policy alignment.

11. Contact

For privacy inquiries: privacy@shrark.com

For pilot legal or contracting questions: pilot@shrark.com