Privacy policy
Version 1 — placeholder document, lawyer review pending.
This document describes Calibr's current data practices in good faith but has not yet been reviewed by a qualified attorney. Specific regional requirements (UAE PDPL, India DPDPA, GDPR, US state laws) may need additional language we haven't added yet. This is not legal advice. If you are evaluating Calibr for a regulated industry or large enterprise deployment, contact us at the address below and we'll share our current data-protection posture in detail.
Last updated: 21 May 2026
1. Who we are
Calibr is operated by Syed Hasan (sole proprietor, registered legal entity name pending). We are a SaaS platform that helps recruiters screen candidates using AI-assisted CV scoring, an AI recruiter assistant, and AI voice screening calls. Privacy questions go to Syed.Hasan@Outlook.com.
2. What data we collect
Recruiter (user) data: name, email, hashed password (via Supabase Auth), OAuth tokens for Microsoft / Google when you connect a calendar or mailbox, your organisation membership and role, sign-in / sign-out audit trail, actions you take in the platform.
Candidate data (uploaded by your organisation): the CV files themselves (PDF, DOCX), structured data we parse from them, application data your recruiters add (portfolio URL, cover letter, salary expectation, notice period, screener Q&A), notes recruiters write, AI-generated scores and recommendations, and voice screening data when used (call recordings, transcripts, AI summaries, structured extractions).
Operational data: server logs (HTTP request paths, response codes, request IDs, redacted headers), product analytics (PostHog events — no marketing trackers, no third-party advertising pixels), and error reports (Sentry stack traces with PII redacted).
3. Why we collect it
To provide the service you signed up for: parse CVs, score candidates, run voice screening when you initiate it, draft outreach emails, suggest interview slots. Server logs and product analytics help us debug issues and improve the product. We do not sell data. We do not use your candidate data to train AI models — Anthropic's API tier does not train on API inputs.
4. Where we store it
- Database + CV storage: Supabase (Mumbai, India)
- Application servers: Render (Singapore)
- Frontend hosting + edge cache: Vercel (Mumbai, bom1)
- Voice provider: Vapi (US-hosted) + Twilio (US-hosted)
- AI provider: Anthropic (US-hosted)
- Error monitoring: Sentry (US-hosted)
- Product analytics: PostHog Cloud (US instance)
Your data crosses borders. See §8 for international-transfer details.
5. Who we share it with (subprocessors)
We use the following third-party services to deliver Calibr. Each has access only to data necessary for their function:
- Supabase — database, auth, file storage, secrets vault
- Render — application hosting
- Vercel — frontend hosting + edge
- Anthropic — Claude models for scoring, parsing, voice scripts, assistant chat
- Vapi — voice call orchestration
- Twilio — voice carrier (used via Vapi)
- Microsoft / Google — calendar + mail integration (when you connect)
- Sentry — error monitoring with PII redacted
- PostHog — product analytics, no advertising
We do not sell or share your data for advertising. We do not let subprocessors use your data to train their own models.
6. How long we keep it
- CV data and scores: while your organisation is active
- Voice recordings + transcripts: auto-purged after your org’s retention window (default 90 days, configurable 1-730 days in Settings → Voice screening). Deleted from both our database and Vapi.
- Candidate notes: while your organisation is active
- Audit logs: while your organisation is active
- Server logs: rotated on standard cycles (~30 days)
7. Your rights
If you are a recruiter or candidate whose data we process, you have the right to access, correct, delete, restrict processing of, receive a portable copy of, and withdraw consent for processing of your personal data. You can also lodge a complaint with your local data protection authority.
For candidate data: contact the recruiter organisation that uploaded your CV first — they are the data controller. If they’re unresponsive, contact us at Syed.Hasan@Outlook.com and we’ll help mediate.
8. International transfers
Your data is processed in India (Mumbai), Singapore, and the United States. For UAE PDPL, India DPDPA, and EU GDPR transfer safeguards we rely on each subprocessor’s Data Processing Addendum and Standard Contractual Clauses (or equivalent).
9. Children's data
Calibr is not intended for use by anyone under 18. We do not knowingly process data of minors. If you believe a candidate CV in our system relates to a minor, contact us and we’ll delete it.
10. Cookies and tracking
We use the minimum cookies necessary: authentication (Supabase session, Calibr locale preference), PostHog product analytics (no advertising), and Sentry error reporting (PII redacted). No Google Analytics, no Meta Pixel, no ad-retargeting.
11. Security
- All data encrypted in transit (TLS 1.2+) and at rest
- API keys, OAuth tokens, webhook secrets stored in Supabase Vault (pgsodium-backed encryption)
- Row-level security enforced at database layer — every tenant query scoped by active organisation
- OAuth integrations use minimum scopes needed
- Audit log records every privileged write action
No system is perfectly secure. Send responsible-disclosure reports to Syed.Hasan@Outlook.com.
12. Voice recording consent
When Calibr makes outbound voice screening calls, the AI screening agent is required to: (a) identify itself as AI, (b) name your organisation, (c) disclose that the call is recorded, and (d) ask for verbal consent before proceeding with the screener. The standard script template ships with this compliance language. If your recruiters edit the intro template, they remain responsible for compliance with two-party-consent jurisdictions and local recording laws.
13. Contact
Privacy, security, and legal questions: Syed.Hasan@Outlook.com.
14. Changes to this policy
We’ll update this policy as Calibr evolves. Material changes (new subprocessors handling candidate PII, new data categories, changed retention windows) will be notified in-product at least 14 days before they take effect.