Legal

Privacy policy

Effective July 12, 2026. This policy explains how OneNeural, Inc. collects, uses, shares, and protects personal data in connection with RecruitIQ, and the rights and choices available to you.

1. Overview and scope

OneNeural, Inc. (OneNeural, we, us) provides RecruitIQ, an agentic applicant tracking system (the Service). This policy applies to personal data we process through the Service, our websites, and our public careers pages. It does not apply to third-party sites or to a customer's own privacy practices. Where a customer uses the Service to process personal data, that customer's privacy notice governs its collection and use of candidate data.

2. Our role: controller and processor

Data-protection law distinguishes the party that decides why and how data is processed (the controller) from the party that processes data on the controller's behalf (the processor or service provider). Our role depends on the data:

  • For account, billing, website, and usage data, and for operating and securing the Service, we act as a controller.
  • For the hiring data a customer puts into its workspace (including candidate profiles, resumes, interview notes, and evaluations), we act as a processor or service provider that processes data on the customer's documented instructions. That customer is the controller of those records. Our Data Processing Addendum (available on request) governs this processing and includes the Standard Contractual Clauses where required.

3. Information we collect

Account and workspace data. Names, work email addresses, workspace and organization details, role and permission settings, and authentication identifiers provided through our identity provider.

Customer hiring data. The content a customer and its authorized users submit to the Service, including requisitions and screening kits, candidate profiles, resumes and attachments, structured data extracted from resumes, application records, interview schedules and notes, evaluations, scores, and pipeline history.

Candidate data from careers pages. When a person applies through a RecruitIQ careers page, we collect on the customer's behalf the information the application asks for, typically full name, email address, optional phone number, a resume, and the consents the candidate provides. We also collect limited technical data to prevent spam and abuse.

Usage, device, and log data. IP address, device and browser type, pages and features used, timestamps, and diagnostic and security logs.

Cookies and similar technologies. Strictly necessary cookies to run the Service and keep you signed in, and, where permitted, limited analytics to improve reliability. We do not use cookies for cross-context behavioral advertising.

4. How we use information

We use personal data to:

  • provide, maintain, secure, and support the Service, and authenticate users;
  • run the agentic features: reading a workspace's hiring data to draft roles, structure and score applicants against the customer's criteria with cited evidence, schedule interviews, draft evaluations, and propose pipeline moves, always within that workspace;
  • detect, prevent, and investigate fraud, abuse, security incidents, and violations of our terms;
  • communicate with you about the Service, including service and security notices;
  • improve and develop the Service using aggregated or de-identified data that does not identify you or any candidate; and
  • comply with legal obligations and enforce our agreements.

We do not sell personal data, we do not share it for cross-context behavioral advertising, and we do not use customer hiring data to train foundation models.

5. AI and automated processing

The Service uses automated systems, including large language models provided by sub-processors under terms that prohibit training on our data, to generate structured data, scores, summaries, recommendations, and drafts. These outputs are decision support with cited evidence, not decisions. The Service is designed to keep a human in the loop: consequential and outward-facing actions are held for human review and approval. We do not use the Service to make decisions that produce legal or similarly significant effects about a candidate without human involvement. Customers are responsible for the human oversight, notices, and assessments that applicable law may require for AI-assisted hiring tools.

6. Legal bases (EEA, UK, and similar laws)

Where the GDPR or UK GDPR applies, we rely on the following legal bases as a controller:

  • Performance of a contract, to provide the Service you or your organization requested;
  • Legitimate interests, to secure, operate, and improve the Service, prevent abuse, and communicate with you, balanced against your rights;
  • Consent, where we ask for it, such as for certain cookies or optional communications; and
  • Legal obligation, to comply with law.

For hiring data we process as a processor, the customer is responsible for establishing a lawful basis and for providing any required notices to candidates.

7. How we share information

We share personal data only as described here:

  • Within your workspace, with the authorized users of the customer's organization, according to its role and permission settings;
  • With sub-processors and service providers that host, store, process, or help us deliver the Service, under contracts that limit their use of the data to those purposes;
  • For legal reasons, to comply with law, respond to lawful requests, or protect the rights, safety, and property of OneNeural, our customers, or the public; and
  • In a business transfer, in connection with a merger, acquisition, financing, or sale of assets, subject to this policy.

8. Sub-processors

We use a limited set of vetted sub-processors to run the Service. They currently include cloud hosting and storage and document extraction (Google Cloud, including Cloud Storage and Document AI), authentication and identity (WorkOS), model inference (Anthropic, OpenAI, and Google Gemini, under terms that prohibit training on our data), and an email delivery provider. Each is bound by data protection terms consistent with this policy and our Data Processing Addendum. A current list of sub-processors is available on request, and we will give customers a way to be notified of material changes so they can object where their agreement allows.

9. International data transfers

We may process and store data in the United States and other countries. Where we transfer personal data from the EEA, the UK, or Switzerland to a country without an adequacy decision, we use appropriate safeguards, including the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, together with a transfer risk assessment where required. A copy of the relevant safeguards is available on request.

10. Security

We maintain technical and organizational measures designed to protect personal data, including encryption in transit and at rest, strict tenant isolation so every record is bound to its organization and every agent action is checked against that scope, role-based access controls, least-privilege administrative access, malware scanning of uploaded files, network and application safeguards, and access logging and monitoring. No method of transmission or storage is completely secure, but we work to protect data and to improve our safeguards over time, including pursuing recognized security certifications as the product matures. If we become aware of a personal-data breach, we will notify affected customers without undue delay and cooperate as the law and our agreements require.

11. Data retention

We keep personal data for as long as needed to provide the Service, and afterward only as needed for legitimate business or legal purposes. Customer hiring data is retained according to the customer's configuration and instructions; the customer controls retention and deletion of candidate records in its workspace. When an account is closed or on a verified deletion request, we make data available for export for 30 days and then delete or de-identify it in the ordinary course, typically purging it from active systems within 30 days and from routine backups within 90 days, unless a longer period is required by law or a legal hold.

12. Candidate and applicant privacy

When you apply to a role through a RecruitIQ careers page, your information is submitted into the workspace of the organization you applied to. That organization is the controller of your data and decides how it is used and how long it is kept. We process it on that organization's behalf. If you want to access, correct, or delete your application data, or to exercise other rights, please contact that organization directly; we will assist it in responding to your request. You can also contact us using the details below and we will route your request appropriately.

13. Your privacy rights

Depending on where you live, you may have some or all of the following rights: to access the personal data we hold about you; to correct inaccurate data; to delete data; to obtain a portable copy; to restrict or object to certain processing; to withdraw consent; and, for California and similar US state laws, to opt out of any sale or sharing of personal data and to limit the use of sensitive personal data. We do not sell personal data or share it for cross-context behavioral advertising, and we will not discriminate against you for exercising your rights.

To exercise a right, contact us at legal@recruitiq.ai. We will verify your request and respond within the timeframe required by applicable law. You may use an authorized agent where the law permits. If we decline a request, you may appeal by replying to our response, and, where the GDPR or UK GDPR applies, you may lodge a complaint with your local supervisory authority. If your data was submitted to a customer's workspace, we will refer your request to that customer as the controller.

14. US state privacy disclosures

For residents of California and other US states with comprehensive privacy laws: over the past twelve months we have collected the categories of personal data described in this policy, for the business purposes described here, and disclosed them only to the sub-processors and recipients described here. We do not sell personal data and do not share it for cross-context behavioral advertising, and we do not knowingly process the sensitive personal data of a consumer for purposes that require an opt-out or opt-in beyond providing the Service. California residents may also request information about disclosures for direct marketing; we do not disclose personal data for third-party direct marketing.

15. Children's privacy

The Service is intended for use by businesses and their authorized users and is not directed to children. We do not knowingly collect personal data from children under 16. Careers pages are intended for applicants who are old enough to work lawfully in the relevant jurisdiction. If you believe a child provided us personal data, contact us and we will delete it.

16. Changes to this policy

We may update this policy from time to time. If we make material changes, we will post the updated policy with a new effective date and, where appropriate, provide additional notice. Your continued use of the Service after changes take effect means you accept the updated policy.

17. Contact us

For privacy questions or requests, contact OneNeural, Inc. at legal@recruitiq.ai, or by mail at OneNeural, Inc., [company mailing address]. If you are in the EEA or the UK and wish to reach our representative, contact us and we will provide the relevant details.