Hyr logoHyr.
HomePrivacyTerms

Hyr Legal

Privacy Policy

This policy explains how Hyr handles personal data across its hiring platform, including sourcing, matching, structured AI interviews, analytics, and verification workflows. Where consent is required for a specific product action, Hyr captures it in the relevant flow rather than on this public document page.

Effective date

April 9, 2026

Last updated

April 9, 2026

Version

2.0

Contact

recruiter@hyr.works

Jump to

IntroductionScope & DefinitionsData CollectionProcessing & Legal BasesSecuritySharingAI GovernanceYour RightsIncident ResponsePolicy AdministrationGrievancesWithdrawal of ConsentPhoto VerificationContact

01

Introduction

Hyr operates an AI-driven talent management platform designed to support recruitment through automated sourcing, dynamic AI interviews, bias mitigation, and end-to-end hiring workflow optimization.

This Privacy Policy outlines Hyr’s data practices in view of applicable privacy and data-protection obligations, including the General Data Protection Regulation (GDPR), Singapore’s Personal Data Protection Act 2012, India’s Digital Personal Data Protection Act 2023, and other relevant laws.

How consent is handled

This page is informational. When Hyr needs consent for a specific product action, such as an AI interview workflow, that consent is requested inside the relevant platform experience.

02

Scope & Definitions

Platform Services

AI-powered interviews, job postings, candidate matching, skill assessments, interview scheduling, analytics, and photo verification for identity authentication.

Data Subjects

Candidates, clients or employers, recruiters, platform administrators, and verification personnel.

Personal Data

Any information relating to an identifiable individual, directly or indirectly, including biometric identifiers used temporarily for verification purposes.

AI Processing

Automated analysis of data to generate insights, scores, or recommendations through machine-learning systems, including bias detection and mitigation.

Photo Verification Data

Photographic images captured solely for identity verification purposes that are processed in real time and deleted immediately after verification completes.

03

Data Collection Categories

The categories below are used only where relevant and necessary to support recruitment, screening, structured interviews, bias mitigation, and related product operations.

Candidate Data

  • Identification information such as full name, email address, phone number, physical address, and nationality.
  • Government-issued ID verification data processed temporarily for verification and not retained as a stored identity record.
  • Professional data including resumes or CVs, work history, educational background, skills, certifications, salary expectations, portfolio links, and references.
  • AI interview data such as transcripts, recordings where consented, competency scores, interview performance metrics, and related feedback.
  • Technical data such as IP addresses, device identifiers, browser type, operating system, session behavior, and platform usage analytics.
  • Photo verification data processed in real time for identity checks and immediately deleted after verification completion.

Client and Recruiter Data

  • Corporate information including company name, industry, size, and business verification details.
  • User account information such as admin credentials, role permissions, platform preferences, and activity logs.
  • Hiring process data including job descriptions, candidate requirements, interview feedback, hiring decisions, offer details, and recruitment analytics.

Derived and Anonymized Data

  • Aggregated hiring metrics and platform usage statistics.
  • Performance benchmarks and industry trend analysis.
  • De-identified or anonymized datasets used for AI model training, bias detection research, and platform improvement.

04

Data Processing Purposes & Legal Bases

PurposeProcessing ActivitiesLegal BasisRetention Period
Identity VerificationReal-time photo verification with immediate deletion after completion.Legitimate InterestNot stored (immediate deletion)
Recruitment AutomationAI-driven candidate screening and matching.Contractual Necessity24 months post-activity
Dynamic AI InterviewsReal-time adaptive questioning, transcript generation, and analysis.Explicit Consent12 months unless requested otherwise
Bias MitigationAlgorithmic fairness reviews, monitoring, and adjustments.Legitimate InterestAnonymized indefinitely
Platform SecurityFraud detection, abuse prevention, and security monitoring.Legal Obligation7 years
Service ImprovementAnonymized analytics, research, and AI training improvements.Legitimate InterestAnonymized indefinitely
Compliance & AuditRegulatory recordkeeping and audit support.Legal Obligation7 years

Identity Verification

Processing Activities
Real-time photo verification with immediate deletion after completion.
Legal Basis
Legitimate Interest
Retention Period
Not stored (immediate deletion)

Recruitment Automation

Processing Activities
AI-driven candidate screening and matching.
Legal Basis
Contractual Necessity
Retention Period
24 months post-activity

Dynamic AI Interviews

Processing Activities
Real-time adaptive questioning, transcript generation, and analysis.
Legal Basis
Explicit Consent
Retention Period
12 months unless requested otherwise

Bias Mitigation

Processing Activities
Algorithmic fairness reviews, monitoring, and adjustments.
Legal Basis
Legitimate Interest
Retention Period
Anonymized indefinitely

Platform Security

Processing Activities
Fraud detection, abuse prevention, and security monitoring.
Legal Basis
Legal Obligation
Retention Period
7 years

Service Improvement

Processing Activities
Anonymized analytics, research, and AI training improvements.
Legal Basis
Legitimate Interest
Retention Period
Anonymized indefinitely

Compliance & Audit

Processing Activities
Regulatory recordkeeping and audit support.
Legal Basis
Legal Obligation
Retention Period
7 years

05

Infrastructure & Data Security

Cloud Infrastructure

  • Microsoft Azure for GDPR-aligned hosting and ISO 27001-certified infrastructure.
  • DigitalOcean for AICPA SOC 2 Type II-certified compute infrastructure.
  • Supabase for managed PostgreSQL with row-level security controls.
  • MongoDB Atlas for SOC 2 Type II-aligned NoSQL workloads.
  • Cloudflare for enterprise DDoS protection, CDN coverage, and TLS 1.3 delivery.

Security Measures

  • AES-256 encryption for data at rest and TLS 1.3 for data in transit.
  • Role-based access control, privilege review, and multi-factor authentication enforcement.
  • Continuous monitoring, threat detection, penetration testing, and vulnerability assessments.
  • Immutable audit logs and formal incident response procedures.

Photo verification security

Verification photos are processed in real time, transmitted over encrypted channels, restricted to automated verification systems, and deleted immediately after the verification step ends.

06

Data Sharing & Third Parties

Controlled Sharing

  • With client organizations for authorized hiring activity.
  • With candidates regarding their own application status and interview outcomes.
  • With service providers operating under data-processing agreements and appropriate access restrictions.

Service Providers & International Transfers

  • Infrastructure and database providers may include Microsoft Azure, DigitalOcean, Supabase, MongoDB Atlas, and Cloudflare.
  • Approved AI or ML vendors may receive anonymized data only for model-improvement use cases.
  • Cross-border transfers rely on appropriate safeguards such as Standard Contractual Clauses, adequacy assessments, and other lawful transfer mechanisms where required.
  • Photo verification data is processed locally for the verification action and is not retained for international transfer workflows.

07

AI Ethics & Governance

Algorithmic Accountability

  • Continuous monitoring for discriminatory patterns and fairness drift.
  • Human review in critical decision paths.
  • Regular performance assessments across demographic cohorts where relevant and lawful.

Model Management

  • Version control and rollback procedures for production AI models.
  • Monitoring for model drift, accuracy degradation, and operational instability.
  • Explainability measures and user-readable explanations for AI-driven recommendations.
  • Documented model logic, decision factors, and retraining practices.

08

Data Subject Rights

Available Rights

  • Access to personal data and related processing information.
  • Portability of eligible personal data in commonly used formats.
  • Rectification of inaccurate or incomplete data.
  • Erasure, restriction, or objection where applicable.
  • Human review and explanation for qualifying automated decisions.

Request Process

Verified rights requests, privacy questions, and related grievances can be sent to recruiter@hyr.works. Hyr may use a secure verification step before fulfilling a request.

  • Initial response target: within 30 days of a verified request.
  • Complex requests may require an extension of up to 60 additional days.
  • Status updates may be shared during extended handling windows.

09

Incident Response

Breach Notification

  • Notification to competent supervisory authorities within required legal timeframes, including 72 hours for qualifying GDPR incidents.
  • Direct notification to affected individuals when a high-risk breach requires it.
  • Documented scope, impact, and remediation records for applicable incidents.

Response Protocol

  • Automatic containment and isolation of affected systems where feasible.
  • Emergency-response activation, forensic investigation, and root-cause analysis.
  • System restoration, security hardening, and staff process updates after resolution.

10

Policy Administration

Governance Structure

  • Quarterly privacy and compliance assessments.
  • Annual third-party privacy or security reviews where appropriate.
  • Ongoing monitoring of regulatory developments that affect Hyr’s practices.

Version Control

  • Material policy changes are documented and communicated with advance notice where required.
  • Privacy documentation is maintained and updated through regular legal and operational review.

11

Grievance Redressal Mechanism

Privacy-related complaints, grievances, and general privacy inquiries may be sent to recruiter@hyr.works.

  • Initial acknowledgement target: within 48 hours.
  • Preliminary response target: within 30 days.
  • Final resolution target: within 60 days, subject to lawful extensions where necessary.

12

Withdrawal of Consent

Where Hyr relies on consent, you may withdraw that consent by contacting recruiter@hyr.works.

  • Withdrawal does not affect the lawfulness of processing completed before withdrawal.
  • Certain records may still be retained where required for legal compliance, security, or dispute handling.
  • Withdrawal from specific product workflows may affect service availability for those workflows.

13

Photo Verification Data - Special Provisions

Processing Purpose

Photo verification is used solely for identity authentication during registration or interview workflows to help prevent fraud and preserve platform security.

Data Handling

  • Capture in real time during the verification step.
  • Immediate AI-powered identity verification.
  • No storage in a persistent system or database.
  • Immediate and permanent deletion after verification completion.

User Rights & Technical Safeguards

  • You may refuse photo verification, though doing so may limit access to certain platform actions.
  • Encrypted transmission is used during verification.
  • Verification logs may record attempts without storing the image itself.
  • Regular security reviews apply to verification systems and controls.

14

Contact Information

For privacy questions, grievances, data-rights requests, or consent-related issues, contact recruiter@hyr.works. Additional company-identification details may be published here as Hyr finalizes its current legal-public information set.

Privacy & legal contact

recruiter@hyr.works
Return to home