Last Updated: July 6, 2025
StackedHR, Inc. ("StackedHR," "we," "us," or "our") is committed to protecting your privacy and ensuring transparency in how we collect, use, and protect your personal information. This Privacy Policy describes our practices regarding personal information we collect through our website, platform, mobile applications, and related services (collectively, the "Services").
Important Distinction: This Privacy Policy applies to personal information that we collect and process as a data controller. For personal information that our business customers process using our Services ("Customer Data"), our customers act as the data controller and their respective privacy policies govern such data. We process Customer Data only as a data processor or service provider under our agreements with customers and applicable Data Processing Agreements.
Business Use: Our Services are designed for business use in connection with hiring, recruitment, and employment-related activities, and are not intended for personal, family, or household purposes.
Global Operations: We operate globally and may transfer personal information across borders as described in this Privacy Policy. We maintain appropriate safeguards for international data transfers as required by applicable law.
Account Registration and Profile Information:
- Name, email address, phone number
- Professional information (job title, company, work experience)
- Authentication credentials and account preferences
- Profile information for candidate portfolios (when opted in)
Communications with Us:
- Information you provide when contacting customer support
- Feedback, survey responses, and communications
- Information provided during sales inquiries or demos
- Newsletter subscriptions and marketing preferences
Candidate Information:
- Resumes, cover letters, and application materials
- Work samples, portfolios, and take-home assignment submissions
- Interview responses and assessment results
- Professional references and background information
- Compensation and salary expectations (when provided)
Company Customer Information:
- Job descriptions and requirements
- Hiring criteria and evaluation rubrics
- Company profiles and information
- Billing and payment information
- Usage preferences and settings
Website and Platform Usage:
- IP address, browser type, device information
- Pages visited, time spent, click patterns
- Referral sources and search terms
- Session recordings and user interactions (when consented)
Technical and Performance Data:
- Log files, error reports, and diagnostic information
- API usage and performance metrics
- Feature usage and engagement analytics
- Security monitoring and fraud prevention data
Cookies and Tracking Technologies:
We use cookies, web beacons, and similar technologies to enhance your experience and collect usage information. See Section 8 for detailed information about our cookie practices.
Integration Partners:
- Information from ATS systems (Ashby, LinkedIn, etc.) when integrated
- Authentication providers (Clerk) for account management
- Payment processors (Stripe) for billing information
- Analytics providers for usage insights
Public Sources:
- Publicly available professional information
- Social media profiles (when relevant to hiring)
- Professional networking platforms
- Public records (as permitted by law)
Core Platform Services:
- Facilitating take-home interviews and work sample evaluations
- Providing AI-powered candidate screening and assessment tools
- Generating job descriptions, projects, and evaluation rubrics
- Creating and maintaining candidate portfolios and profiles
- Processing payments and managing subscriptions
AI and Machine Learning:
- Training and improving our AI models for resume screening
- Automated evaluation of work samples and assignments
- Bias detection and mitigation in hiring processes
- Personalized recommendations for candidates and employers
- Natural language processing for job matching
Customer Support and Communication:
- Responding to inquiries and providing technical support
- Sending service-related notifications and updates
- Providing training and onboarding assistance
- Communicating about account status and billing
Analytics and Performance:
- Analyzing platform usage and user engagement
- Measuring effectiveness of hiring processes
- Identifying trends in recruitment and candidate success
- Improving our algorithms and AI models
- Conducting research and development
Marketing and Business Development:
- Sending promotional communications (with consent)
- Conducting market research and surveys
- Developing new features and services
- Building partnerships and integrations
- Lead generation and sales activities
Legal Obligations:
- Complying with applicable employment and privacy laws
- Responding to legal requests and court orders
- Conducting investigations and preventing fraud
- Maintaining records as required by law
- Ensuring platform security and integrity
Safety and Security:
- Detecting and preventing unauthorized access
- Monitoring for suspicious or harmful activity
- Protecting against cyber threats and attacks
- Maintaining data integrity and availability
- Incident response and breach notification
For individuals in the European Economic Area, United Kingdom, and Switzerland, we process personal information based on the following legal bases:
Legitimate Interests:
- Providing and improving our Services
- Conducting business operations and analytics
- Marketing and business development (where not requiring consent)
- Security monitoring and fraud prevention
- Research and development activities
Contract Performance:
- Fulfilling our obligations under customer agreements
- Processing payments and managing accounts
- Providing customer support and services
- Delivering requested features and functionality
Consent:
- Marketing communications (where required)
- Optional features like session recording
- Candidate portfolio public visibility
- Non-essential cookies and tracking
Legal Obligations:
- Compliance with employment and privacy laws
- Responding to legal requests and investigations
- Maintaining required business records
- Reporting obligations to regulatory authorities
Technology Partners:
- Clerk: Authentication and user management services
- Stripe: Payment processing and billing management
- Cloudflare: Content delivery and security services
- Neon: Database hosting and management
- Resend: Email delivery services
- Inngest: Workflow automation and processing
AI and Analytics Providers:
- OpenAI, Google, Groq, Cerebras, Anthropic: AI model services
- Vercel: Hosting and analytics services
- Statsig: Feature flags and A/B testing
- PostHog: Analytics and user behavior tracking
Hiring Companies:
- Candidate resumes, work samples, and assessment results
- Interview responses and evaluation scores
- Portfolio information (when the candidate opts in)
- Communication history related to specific applications
Candidate Access:
- Company information and job descriptions
- Hiring process status and feedback
- Compensation information (when available)
- Interview scheduling and logistics
Legal Requirements:
- Law enforcement agencies (when legally required)
- Regulatory authorities and government agencies
- Courts and legal proceedings
- Tax authorities and auditors
Business Transactions:
- Potential buyers or investors in due diligence
- Successors in case of merger, acquisition, or sale
- Professional advisors (lawyers, accountants, consultants)
- Insurance providers for coverage purposes
We may share aggregated, de-identified, or anonymized information that cannot reasonably be used to identify you, including:
- Industry hiring trends and benchmarks
- Platform usage statistics and analytics
- Research findings and market insights
- Performance metrics and success rates
Account Information:
- Active accounts: Retained while account is active plus 7 years after closure
- Billing records: 7 years after final transaction for tax and legal compliance
- Support communications: 3 years after resolution
Candidate Data:
- Resumes and applications: 3 years after submission (or as required by customer)
- Work samples and assessments: 5 years for portfolio purposes (with consent)
- Interview recordings: 1 year after completion (with consent)
- Portfolio data: Retained until candidate requests deletion
Company Customer Data:
- Job descriptions and requirements: 5 years after posting closure
- Evaluation rubrics and criteria: 5 years for consistency and legal compliance
- Usage analytics: 2 years for service improvement
- Contract and billing information: 7 years after contract termination
Legal and Compliance Data:
- Security logs: 1 year for incident investigation
- Audit trails: 7 years for regulatory compliance
- Legal hold data: Until legal matter resolution
- Consent records: 7 years after withdrawal
Automatic Deletion:
- Expired session data and temporary files
- Outdated backup copies beyond retention periods
- Inactive account data after specified periods
- Marketing data after consent withdrawal
User-Requested Deletion:
- Account closure and data deletion requests
- Specific data category deletion (where technically feasible)
- Portfolio visibility removal
- Marketing opt-out and data removal
Anonymization Practices:
- Removal of direct identifiers from research data
- Aggregation of usage statistics and analytics
- Pseudonymization of historical records
- Secure deletion of personal identifiers
Adequacy Decisions:
- Transfers to countries with European Commission adequacy decisions
- UK adequacy decisions for post-Brexit transfers
- Swiss adequacy recognitions
Standard Contractual Clauses (SCCs):
- EU Standard Contractual Clauses for GDPR compliance
- UK International Data Transfer Agreement (IDTA)
- Swiss data protection law compliance mechanisms
Certification Programs:
- EU-US Data Privacy Framework participation (where applicable)
- ISO 27001 and SOC 2 compliance certifications
- Industry-specific privacy certifications
Technical Safeguards:
- Encryption in transit and at rest
- Access controls and authentication
- Regular security assessments and audits
- Incident response and breach notification procedures
Organizational Safeguards:
- Data processing agreements with all vendors
- Regular compliance training and awareness
- Privacy impact assessments for new transfers
- Ongoing monitoring and compliance reviews
Essential Cookies:
- Authentication and session management
- Security and fraud prevention
- Basic platform functionality
- Load balancing and performance
Analytics Cookies:
- Usage statistics and user behavior (Vercel Analytics, Statsig)
- Performance monitoring and optimization
- Feature usage and engagement tracking
- A/B testing and experimentation (Statsig)
Marketing Cookies:
- Advertising and promotional targeting
- Social media integration and sharing
- Lead generation and conversion tracking
- Personalized content delivery
Your Choices:
- Browser settings to block or delete cookies
- Opt-out mechanisms for analytics and marketing
- Cookie preference center (where available)
- Third-party opt-out tools and services
Third-Party Cookies:
- Google Analytics opt-out: Google Analytics Opt-out
- Statsig privacy controls: Statsig Privacy
- Social media cookie controls through platform settings
Access and Transparency:
- Right to know what personal information we collect and how we use it
- Right to access your personal information and obtain copies
- Right to receive information about our privacy practices
- Right to contact us with privacy questions and concerns
Control and Choice:
- Right to update and correct your personal information
- Right to opt out of marketing communications
- Right to control cookie and tracking preferences
- Right to deactivate your account and request data deletion
European Economic Area, UK, and Switzerland (GDPR):
- Right of Access: Obtain confirmation of processing and copies of your data
- Right to Rectification: Correct inaccurate or incomplete personal information
- Right to Erasure: Request deletion of your personal information (with exceptions)
- Right to Restrict Processing: Limit how we process your personal information
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests or for marketing
- Rights Related to Automated Decision-Making: Information about and protection from solely automated decisions
California Residents (CCPA/CPRA):
- Right to Know: Categories and specific pieces of personal information collected
- Right to Delete: Request deletion of personal information (with exceptions)
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out: Opt out of sale or sharing of personal information
- Right to Limit: Limit use and disclosure of sensitive personal information
- Right to Non-Discrimination: Protection from discriminatory treatment for exercising rights
How to Submit Requests:
- Email: derek@stackedhr.ai
- Online form: [Privacy Request Portal] (when available)
- Written request to our business address
- Through your account settings (for certain requests)
Verification Requirements:
- Identity verification may be required for security purposes
- Additional information may be requested to locate your data
- Authorized agent requests require proper documentation
- Response timeframes as required by applicable law (typically 30-45 days)
Limitations and Exceptions:
- Legal obligations may prevent certain deletions
- Technical limitations may affect some requests
- Business necessity may require retention of certain data
- Third-party rights may limit our ability to fulfill requests
Encryption and Access Controls:
- End-to-end encryption for data in transit using TLS 1.3
- AES-256 encryption for data at rest
- Multi-factor authentication for administrative access
- Role-based access controls and principle of least privilege
- Regular access reviews and deprovisioning procedures
Infrastructure Security:
- Secure cloud hosting with enterprise-grade providers
- Network segmentation and firewall protection
- Intrusion detection and prevention systems
- Regular vulnerability assessments and penetration testing
- Automated security monitoring and alerting
Application Security:
- Secure coding practices and code reviews
- Regular security testing and vulnerability scanning
- Input validation and output encoding
- SQL injection and XSS prevention
- Secure session management and authentication
Personnel Security:
- Background checks for employees with data access
- Regular security training and awareness programs
- Confidentiality agreements and data handling policies
- Incident response training and procedures
- Clear data governance and accountability structures
Vendor Management:
- Due diligence and security assessments for all vendors
- Data processing agreements with security requirements
- Regular vendor security reviews and audits
- Incident notification and response coordination
- Contractual liability and indemnification provisions
Incident Response Process:
- 24/7 security monitoring and incident detection
- Rapid response team activation and containment procedures
- Forensic investigation and root cause analysis
- Remediation and recovery planning
- Lessons learned and process improvement
Breach Notification:
- Regulatory notification within 72 hours (GDPR) or as required by law
- Individual notification without undue delay when required
- Clear communication about the nature and scope of the breach
- Steps taken to address the breach and prevent recurrence
- Contact information for questions and assistance
AI-Powered Features:
- Resume screening and candidate matching algorithms
- Automated evaluation of work samples and coding assessments
- Natural language processing for job description generation
- Bias detection and mitigation tools
- Predictive analytics for hiring success
AI Training and Improvement:
- Machine learning models trained on aggregated, anonymized data
- Continuous improvement based on user feedback and outcomes
- Regular bias testing and algorithmic auditing
- Human oversight and intervention capabilities
- Transparency reporting on AI performance and fairness
Solely Automated Decisions:
- We do not make solely automated decisions that significantly affect individuals
- Human review and oversight are incorporated into all AI-assisted processes
- Candidates and customers can request human review of AI recommendations
- Clear appeals and correction processes for disputed decisions
Transparency and Explainability:
- Information about AI use provided in job postings and candidate communications
- Explanation of factors considered in AI evaluations
- Ability to request information about automated processing
- Regular algorithmic impact assessments and bias audits
Bias Prevention and Mitigation:
- Regular testing for discriminatory bias in AI models
- Diverse training data and inclusive algorithm development
- Ongoing monitoring for disparate impact on protected groups
- Corrective measures and model retraining when bias is detected
- Collaboration with external experts and researchers on AI fairness
Ethical AI Principles:
- Transparency and accountability in AI development and deployment
- Respect for human dignity and individual rights
- Fairness and non-discrimination in automated systems
- Privacy by design in AI model development
- Continuous improvement and responsible innovation
Age Restrictions:
Our Services are not intended for individuals under the age of 18, and we do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.
Parental Rights:
If you believe that we have collected personal information from a child under 18, please contact us immediately at derek@stackedhr.ai. We will investigate and take appropriate action, including deletion of the information if confirmed.
Educational Use:
In limited circumstances, our Services may be used in educational or training contexts involving individuals under 18. In such cases, we require appropriate consent from parents or guardians and implement additional safeguards for the protection of minors' personal information.
External Links:
Our Services may contain links to third-party websites, applications, or services that are not owned or controlled by StackedHR. This Privacy Policy does not apply to such third-party services, and we are not responsible for their privacy practices.
Integration Partners:
When you choose to integrate our Services with third-party platforms (such as ATS systems or professional networks), your use of those services is governed by their respective privacy policies and terms of service.
Recommendation:
We encourage you to review the privacy policies of any third-party services you access through or in connection with our Services.
Updates and Modifications:
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes through:
- Email notification to your registered email address
- Prominent notice on our website and platform
- In-app notifications for significant changes
- Updated "Last Updated" date at the top of this policy
Continued Use:
Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should discontinue use of our Services and may request deletion of your personal information.
Previous Versions:
We maintain records of previous versions of this Privacy Policy for reference and compliance purposes. You may request access to previous versions by contacting us at derek@stackedhr.ai.
Privacy Inquiries:
For questions, concerns, or requests related to this Privacy Policy or our privacy practices, please contact us:
Email: derek@stackedhr.ai
Address:
StackedHR, Inc.
920 Jefferson Street
Hoboken, NJ 07030 US
Data Protection Officer:
For individuals in the European Economic Area, United Kingdom, or Switzerland, you may contact our Data Protection Officer:
Email: derek@stackedhr.ai
Address:
StackedHR, Inc.
920 Jefferson Street
Hoboken, NJ 07030 US
Supervisory Authority:
If you are located in the EEA, UK, or Switzerland and believe that our processing of your personal information violates applicable law, you have the right to lodge a complaint with your local supervisory authority.
Response Time:
We will respond to privacy inquiries and requests within the timeframes required by applicable law, typically within 30-45 days of receipt.
Effective Date: July 6, 2025
Document Version: 1.0
This Privacy Policy is designed to comply with applicable privacy laws including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant privacy regulations. For specific legal advice regarding your rights or our obligations, please consult with qualified legal counsel.