We take your privacy seriously
Here at HrFlow.ai SAS, have developed and we run a talent acquisition SaaS and API solution, that automates talent assessment, allowing recruiters, our “Clients”, to hire more, better, faster. Our unique technology qualifies non-discriminatory data of the career path of candidates, the “Applicants”, to assess them across jobs, backgrounds, countries, and languages.
At HrFlow.ai, we commit to working with our Clients and their Applicants to help them fully understand and be compliant with the General Data Protection Regulation (“GDPR”) as enacted by the European Parliament and Council on the 27th of April 2016. We believe new requirements from GDPR are crucial, and our team has been carefully adapting our products, operations and contractual commitments for our Clients to be compliant with the new EU regulation.
We pay close attention to protecting our Clients information and privacy. Because we are managing personal data like resumes and Applicants’ information, we have set ambitious and high safety standards that ensure that any information that may directly or indirectly identify our Users (i.e. Clients, Applicants or Visitors of our Websites), “personal information”, will be treated securely and confidentially, in compliance with applicable laws and regulations.
Scope of the policy
HrFlow.ai and all websites within that domain;
Our web-based SaaS or related services (our “Services”) directly by our Clients or by their Applicants, collected on behalf of our Clients;
Third-party data sources, such as publicly available sources and our partners; and
Individuals signing up for our marketing initiatives, such as events, webinars, and newsletters (“Marketing Initiatives”).
We process the personal information collected through these means on behalf of Clients. Thus Clients act as Data Controllers (according to Article 4 GDPR “‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”), and as such, are also responsible for ensuring that their collection and use of Applicants’ data complies with the GDPR, while we mainly act as a Data Processor on Client’s behalf (according to Article 4 GDPR “‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”).
The type of data HrFlow.ai collects and processes;
How we use and collect personal information;
How long we retain personal information;
How and when we share personal information;
How we protect personal information;
Choices and rights regarding the handling of personal information.
1. What type of information do we collect and how?
1.1. Information provided to us
1.1.1. Applicants Data
Applicants data is either directly submitted by the Client, or collected by the Client by any other means. Such data may include the following:
Or any other data that could be relevant for an Application.
All the data mentioned above may include personal information, such as: first and last name, picture, location, email address, phone number, date of birth, education, work experiences, projects, skills, interests.
This information will never be used in a discriminatory way. See section 2.3 about Fairness.
In the course of its hiring process, the Client may import, export or share the Applicants’ data. In the case of import, the Client can centralise all its Applicants data on its account through the following means, i.e. “Sources” provided by HrFlow.ai:
Email: automatically synchronising profiles from any mailbox with HrFlow.ai;
Folder: drag and dropping resumes from a computer into HrFlow.ai;
Page: customising a web page where Applicants can drop their resumes;
Marketplace; accessing Applicants data already shared by recruiters’ partners on HrFlow.ai;
API: uploading Applicants data to HrFlow.ai from any data channel;
Mobile; an app allowing recruiters to take pictures of the paper resumes they received;
Extension: a Chrome extension to import talents directly from Professional networks and online profiles into HrFlow.ai;
Facebook Tab: a “Jobs” tab added to the Client’s page on Facebook to collect Applications;
CVbot: a widget that can be set up to collect Applications on behalf of the Client, on any webpage of its choice, after the valid consent of the Applicant.
Messenger: a CVbot built in Facebook Messenger.
Other sources: any tool the Client uses to collect and manage resumes before sending them to HrFlow.ai.
Recipients of the Applicants data are only the Client to which the Applicant applied. It’s the Client’s responsibility, as Data Controller, to ensure that the rights and privacy of its Applicants are considered in any of those cases, especially in terms of obtaining a valid consent, if need be.
1.1.2. Clients Data
We may collect information that identifies our Clients in the frame of our contractual relationship, information about how our Clients use our Websites and Services, and information created while our Clients interact with our Websites.
This includes the following:
Information provided when signing up on our platform, contacting us for customer service or any other purposes, or filling forms on our Websites, i.e., name, company name, email address;
Transaction data when Clients carry out payments to purchase Services;
Data comprised in the Sources connected by the Clients, e.g. HrFlow.ai collects and processes the content of our Clients’ emails for the purpose of finding and collecting a Candidate’s information;
Job data, i.e., details of the positions Clients want to fill (geography, job titles, specific skills).
1.1.3. Visitors Data
Besides our Services portal, we collect data from Visitors on our various publicly accessible Websites (“Visitors Data”):
When they comment on a blog or social media post
When they request a demo or contact us
When they complete information forms
Visitors Data includes their name, email, any comment left on our media, and further automatically collected data (see below).
1.2. Information we collect automatically
1.2.1. Clients and Visitors Data
Like most websites, HrFlow.ai automatically collects information when Clients and Visitors navigate and interact with our Websites and Services. This information includes technical data such as IP address, Internet service provider, browser type, referring/exit pages, operating system, date/time stamp, and/or browsing actions and browsing patterns.
This helps us to improve and personalise our Websites and Services, as well as prevent abuse and fraud. This may also be made necessary for the good functioning of our Services.
2. How do we process your data?
2.1. Legal basis
We collect, process and store Applicants and Clients personal information subject to a valid consent given by the Applicant to our Clients, or on the basis of the Client guarantee of legitimate interest, or on the basis of our own legitimate interest for improving our Technology and Services. HrFlow.ai Services work together to help recruiters, talent managers, and managers, i.e. our Clients, to hire better, smarter, faster.
2.2. Processes purposes
We use the information listed above (see 1.1 and 1.2) to provide, improve and personalise Services for our Clients.
2.2.1 Applicants’ data
Applicants’ data are at the core of the Services that we provide and that we continuously improve. Those Services revolve around the main purposes listed below:
Parsing is a process allowing to automatically extract information from any free form “Resume” and turn it into a and structured data, “Profile”.
Enrichment is a process of augmenting a Profile with relevant and non-discriminatory information for the purpose of the Scoring, information such as skills not mentioned and predicted levels of expertise.
Scoring is the process through which each enriched Profile is assessed according to all open position, called “Filters”.
Justification is the process that gives to the Client the evidence lying behind every Scoring to make hiring more transparent and fair.
2.2.2 Visitors & Clients’ data
Visitors and Clients’ information may be used in the following ways:
Process inquiries and deliver customer support;
Send promotional and informative information;
Notify changes and updates;
Enforce our terms, policies or agreements;
Manage our Clients’ access to the Services;
Clients and Visitors can always indicate their preference in the frame of our Marketing Initiatives by opting out via the links provided in the emails or by contacting us directly, if they do not want to receive communications from us.
Finally, we use the information collected (such as Clients and Visitors’ use of our Websites and/or Services) and/or provided by Clients in order to improve our Services and Websites. In doing so, on the basis of our legitimate interest and in some cases provided a valid consent of our Clients, we create personalised Services that are unique and relevant, such as giving tailored recommendations and customised scoring results.
With regard to fairness in hiring, we never use discriminatory data to run and personalise our Services.
According to international Convention, European Charta of Fundamental Rights and EU Directive and their transposition into French national law (Law n° 2001-1066 of 16 november 2001 fighting discriminations in employment and Article 1132-1 Labour Code), HrFlow.ai guarantees that no criteria such as origins, gender, sexual orientation, etc, are used to create a disadvantage for a candidate, directly or indirectly.
HrFlow.ai algorithms are fair by design. We train our algorithms while ensuring that all data used into the Technology are genuine and determining occupational requirements for the particular occupational activities or for the context in which said activities are carried out. Please take a look at « Fairness by Design and Overcoming recruitment Biases ».
HrFlow.ai guarantees to apply all required principles of transparency and loyalty in the conception of models, for carrying out equal treatment of candidates through fair learning of the models, as recommended by the French supervisory Authority (CNIL).
As a result, HrFlow.ai Services offer an objective suggestion of candidates, in respect of diversity, with no discrimination of any kind, with the sole aim at best matching the candidate with the job.
In any case, it is possible to demonstrate that the information used in the models are criteria in relation to the performance for the job. In this respect, the Client is offered an explanation why such candidate has been suggested following to the the scoring process.
HrFlow.ai is not responsible of the way Clients may use the data collected from the CV transmitted by Candidates. And it is always the Client's responsibility to take the decision to recruit or not to recruit, according to its practice of selection, to interviews and to the case to case human judgment of preference of the person in charge of hiring.
However, HrFlow.ai is responsible to guarantee that its Services and in particular its Technology respect all applicable laws regarding nondiscrimination in hiring.
3. How long do we keep your data?
We may keep personal information for a period consistent with the original purpose of information collection and processing, and as long as the Client has an account to use our Services. We may then keep personal information for a reasonable period of time (for a maximum of five years), in order to pursue our legitimate business interests, resolve disputes, comply with our legal obligations, and enforce our agreements.
4. When and how do we disclose your data?
We may share personal information with some specific third-parties though. This sharing is based on our relationship with said third-parties, consent, or legal or contractual obligations that may require us to share such information in order to:
Detect, prevent, or address fraud, security or technical issues;
If we become involved in a merger, acquisition, bankruptcy, or any form of sale of some or all of our assets;
If a specific valid consent to do so was given.
All sub-processors are required to be compliant with applicable data protection laws and safeguard the privacy and security of any personal information they could process.
5. How do we secure information?
HrFlow.ai has taken technical and organisational measures to be private by design and ensure the highest level of security, regarding the Technology and the Data processed. In compliance with applicable laws and regulations, we host our servers in Europe.
Please note, that no website or Internet transmission is completely secure though. While we strive to protect personal information, we cannot guarantee that unauthorised access, hacking, data breach or a data loss will never occur. For any question regarding our security policy please consult: HrFlow.ai commitment to privacy.
6. Choices and rights
As a Client or an Applicant, you have important rights on your data, that you can exercise as follow:
The right to access and correct personal information;
In the case which correcting personal information implies additional processing, i.e., Parsing and Scoring new information, extra costs might be generated for the Data Controller, i.e., Client.
The right to request the deletion of Data according to Article 17 GDPR;
The right to limit or restrict the process of Data, if relevant.
Applicants should get in touch with Clients as Data Controllers, for any request regarding the exercise of their above-mentioned rights, according to their instructions and procedures.
If the Client is not in the capacity to proceed, such request for access, opposition, limitation or deletion of personal information shall be sent to the following address firstname.lastname@example.org, subject to providing a proof of identity.
Regarding data automatically collected by us, you may decide to set up your browser so that no such data is collected, however, some information on our Websites or Services may not be available or running properly then.
In any case, for any inquiries regarding the way you can exercise your rights, you may get in touch with our data protection officer (DPO): email@example.com
Should you not obtain satisfaction, you may lodge a complaint with the relevant supervisory authority as defined by the GDPR. Its competence depends on where you live, work or where any alleged infringement of data protection regulation occurred. The competent supervisory authorities are listed on the following website:
8. Contact us