1. Who We Are
CandiScan LLC ("CandiScan", "we", "our", or "us") operates the candidate screening platform available at candiscan.com. We are the data controller for personal data collected through our website and, where applicable, a data processor for candidate data processed on behalf of our clients.
2. Data We Collect
2.1 From Recruiters and Employers (Our Clients)
- Account information: Name, work email address, phone number, and company name provided during registration
- Billing information: Payment details processed by our third-party payment provider — we do not store full card numbers
- Usage data: Features accessed, actions taken within the platform, timestamps, and browser/device information
- Communications: Messages sent through our contact form or support channels
2.2 From Candidates
- CV/resume content: Uploaded by the recruiting client — includes work history, education, skills, and contact details contained in the document
- Pre-interview recordings: Video and audio recordings of the candidate's pre-interview session
- Interview responses: Transcribed answers to interview questions
- Screening results: Evidence-based flags, severity assessments, and supporting reasoning generated by the platform
- Technical metadata: Browser type, device information, IP address, and session timestamps collected during the pre-interview
2.3 From Website Visitors
- Analytics data: Pages visited, referral source, session duration, browser type, device information, and approximate location — collected via Google Analytics (GA4) and Contentsquare with your consent
- Form submissions: Name, email, company, and phone number submitted through the trial signup form
3. How We Use Your Data
- Service delivery: Parsing CVs, generating interview questions, conducting pre-interviews, producing evidence reports, and managing candidate pipelines
- Account management: Creating and maintaining your account, processing payments, and providing customer support
- Platform improvement: Analyzing aggregate usage patterns to improve accuracy, performance, and user experience
- Communication: Sending transactional emails (account confirmations, interview notifications, reports) and responding to support requests
- Legal compliance: Meeting obligations under GDPR, the EU AI Act, and other applicable regulations
We do not sell personal data. We do not use candidate data to train AI models. We do not profile candidates based on accent, facial expressions, communication style, or personality traits.
4. Legal Basis for Processing (GDPR)
We process personal data under the following legal bases:
- Contract performance: Processing necessary to deliver our services to clients who have signed up for the platform
- Legitimate interest: Platform security, fraud prevention, and aggregate analytics that do not override individual rights
- Consent: Candidates are informed about the screening process before participating and consent to the pre-interview. Marketing communications are sent only with opt-in consent.
- Legal obligation: Where required by law, such as tax record-keeping or responding to lawful data access requests
5. Candidate Rights and Transparency
Candidates are informed about CandiScan's involvement in the screening process before their pre-interview begins. Specifically:
- Candidates are told their pre-interview will be recorded and analyzed
- Candidates are told that AI is used to generate questions and assess responses
- Participation in the pre-interview is voluntary — candidates may decline without affecting their application status
- Candidates may request access to their screening data, correction of inaccuracies, or deletion of their data at any time by contacting hello@candiscan.com
6. Data Sharing
We share personal data only with:
- The recruiting client: Screening results, evidence reports, and flag data for the candidates they submitted
- Infrastructure providers: Cloud hosting, database, and storage services necessary to operate the platform — bound by data processing agreements
- Payment processor: Billing information necessary to process payments — we do not have access to full card details
- AI processing services: CV content and interview transcripts sent to our AI provider for analysis — processed under a data processing agreement with no data retention for model training
We do not share data with advertisers, data brokers, or any party not directly involved in delivering the service.
7. Data Retention
- Client account data: Retained for the duration of the account plus 12 months after closure, unless earlier deletion is requested
- Candidate screening data: Retained for 12 months from the date of the screening, then automatically deleted. Clients may delete individual candidate records at any time.
- Pre-interview recordings: Retained for 6 months from the interview date, then automatically deleted
- Billing records: Retained for 7 years as required by Estonian tax law
- Website analytics: Retained for 12 months in aggregate form only
Candidates may request immediate deletion of their data at any time. Upon receiving a valid deletion request, we remove the candidate's data within 30 days.
8. Security
We protect your data with the following measures:
- All data is encrypted in transit using TLS 1.2+
- Passwords are hashed using industry-standard algorithms and are never stored in plaintext
- Access to candidate data is restricted to the recruiting client's authorized team members
- Platform access requires authentication with strong password requirements
- Infrastructure is hosted within the European Union
- Regular security assessments and dependency monitoring
9. International Data Transfers
CandiScan is based in Estonia and our primary infrastructure is hosted within the European Union. Where data is transferred outside the EU (for example, to AI processing services), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
10. Cookies
Our website uses the following categories of cookies:
- Essential cookies: Required for the platform to function — session management and CSRF protection. These are always active.
- Analytics cookies: We use Google Analytics (GA4) to understand how visitors use our website. GA4 sets cookies to identify unique visitors, track sessions, and measure page interactions. These cookies are only set with your consent.
- Experience cookies: We use Contentsquare to analyze how visitors interact with our pages (clicks, scrolls, navigation patterns) so we can improve the user experience. Contentsquare sets cookies to identify sessions and measure interactions. These cookies are only set with your consent.
You can manage your cookie preferences at any time. Rejecting optional cookies does not affect your ability to use the platform.
11. EU AI Act Disclosure
CandiScan's candidate screening service is classified as a high-risk AI system under the EU AI Act (Regulation 2024/1689), as it is used in the context of recruitment and selection of candidates. In compliance with this regulation:
- All AI-generated assessments are presented as evidence-based flags with full reasoning — not opaque scores
- Every flag can be reviewed, challenged, and overridden by a human recruiter
- The system does not make autonomous hiring decisions
- Candidates are informed that AI is involved in the assessment process
- The system is designed to minimize bias by verifying factual claims rather than profiling communication styles or personal characteristics
12. Your Rights Under GDPR
If you are located in the European Economic Area, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase your data ("right to be forgotten")
- Restrict processing in certain circumstances
- Data portability — receive your data in a structured, machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent at any time where processing is based on consent
- Lodge a complaint with your local data protection authority
To exercise any of these rights, contact us at hello@candiscan.com. We will respond within 30 days.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users and posted on this page. The "Last updated" date at the top reflects the most recent revision.
14. Contact
For privacy-related questions or requests:
- Email: hello@candiscan.com
- Entity: CandiScan LLC