Privacy Policy

Last updated: June 2, 2026

1. Who We Are

HRHandle is operated by Aleksandre Merabishvili, Individual Entrepreneur, registration number 01019062001, Tbilisi, Georgia ("we", "us", "our").

We are the data controller for the personal data of our customers (account holders and their team members). For candidate data that you enter into the Service, you are the data controller and we act as a data processor on your behalf.

Contact: hrhandle26@gmail.com

2. What Data We Collect

2.1 Account and Organization Data

  • Name and email address of account holders and team members
  • Organization name and configuration settings
  • Subscription and billing information (processed by our payment provider — we do not store card details)
  • Usage activity within the Service (e.g. actions taken, features used)
  • If you sign in with Google: your Google account name, email address, and profile picture, provided via Google OAuth. We do not store your Google password.

2.2 Integration Data

  • If you connect LinkedIn: your LinkedIn OAuth access token, used solely to post vacancies on your behalf. We do not access your LinkedIn connections or personal feed.
  • If you connect Google Calendar: your Google OAuth access token and refresh token, used solely to create and manage interview calendar events on your behalf.
  • If you connect Zoom: your Zoom OAuth access token and refresh token, used solely to create Zoom meetings when scheduling video interviews on your behalf.
  • If you connect Microsoft: your Microsoft OAuth access token and refresh token, used solely to create Teams meetings and Outlook Calendar events when scheduling video interviews on your behalf. We do not access your emails, contacts, or any other Microsoft data.

2.3 Vacancy Data

  • Job titles, descriptions, responsibilities, departments, locations, and requirements
  • Salary information and hiring timelines
  • Evaluation criteria and scores entered by your team

2.4 Candidate Data

You enter candidate data into HRHandle as part of your recruitment process, or candidates submit it themselves through your public application page. This may include:

  • Full name, email address, and phone number
  • Current company and position, years of experience
  • LinkedIn profile URL
  • CVs, resumes, cover letters, and other uploaded documents
  • Information automatically extracted from uploaded CVs (work experience, education) — see Section 5 for details on how this extraction works
  • Recruiter notes and interview records
  • Application status and history
  • For candidates who apply through the public application page: the IP address from which the application was submitted. We use this to prevent abuse (rate-limiting and duplicate-submission detection). It is stored alongside the application record and deleted together with it.

Some of this data may be imported by your recruiters directly from LinkedIn. You are responsible for ensuring you have a lawful basis to collect and store this data under applicable law.

3. How We Use Your Data

  • To provide, operate, and improve the Service
  • To manage your subscription and process payments
  • To send transactional emails (account invitations, password resets)
  • To monitor for errors and technical issues (via Sentry)
  • To comply with legal obligations

We do not use your data or your candidates' data for advertising or marketing purposes, and we do not sell data to third parties.

4. Legal Basis for Processing

  • Contract performance: processing necessary to deliver the Service under our Terms
  • Legitimate interests: monitoring service health, preventing abuse
  • Legal obligation: complying with applicable laws
  • Consent: where you have explicitly provided it (e.g. marketing communications, if any)

5. Third-Party Services

We use the following sub-processors to provide the Service:

Provider | Purpose | Location
Supabase (AWS us-east-1) | Database and file storage | USA
Resend | Transactional email delivery | USA
Sentry | Error monitoring | USA
Vercel | Hosting and deployment | USA / Global CDN
Google (optional) | Authentication (OAuth) and Google Calendar integration | USA / Global
Google Generative AI (Gemini API) | Automated extraction of structured fields from uploaded CVs (name, email, work experience, education) — see "AI features" below | USA / Global
LinkedIn (optional) | Vacancy posting via LinkedIn API | USA / Global
Zoom (optional) | Video meeting creation via Zoom API | USA / Global
Microsoft (optional) | Teams meeting and Outlook Calendar integration via Microsoft Graph API | USA / Global

All sub-processors are contractually obligated to process data only as instructed and to maintain appropriate security measures.

5.1 AI features (CV parsing)

When you or a candidate uploads a CV (PDF or Word document), the file is sent to Google's Gemini API to extract structured fields — name, contact details, work experience, and education — so they can be pre-filled into the candidate record. This is the only purpose for which CVs are sent to Google.

The extraction is informational only. It does not make any automated decision about a candidate. Every hiring decision (advancing, rejecting, hiring) is taken by a human recruiter on your team. Article 22 GDPR (automated decision-making with legal or similarly significant effect) therefore does not apply to this feature.

We use Google's paid Gemini API, under terms which prohibit Google from using customer prompt content to train their models. If the extraction fails or is unavailable, the application still proceeds and the recruiter (or candidate) can fill in the fields manually.

6. International Data Transfers

Your data is stored on servers located in the United States (AWS us-east-1, North Virginia). If you are located in the European Economic Area or Georgia, this constitutes a transfer of personal data outside your jurisdiction. We rely on standard contractual clauses and the data processing agreements of our sub-processors to ensure an adequate level of protection.

7. Data Retention

We retain your account, organization, and candidate data for as long as your account is active.

After your account is terminated (by you or by us), you have 30 days to request an export of your data. During this 30-day window the data remains recoverable. After the 30-day window, your account, organization, and all associated candidate data, documents, and application records are permanently deleted, except where we are required by law to retain specific records longer (for example, invoicing records under Georgian tax law).

Within the active life of your account, when you delete a candidate or document from within the Service, the record is marked for deletion immediately and permanently removed within 30 days. Backup snapshots taken before deletion are kept under Supabase's backup-retention policy and are not used for selective restoration of deleted records.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Object to or restrict certain processing
  • Receive your data in a portable format
  • Withdraw consent where processing is based on consent

To exercise any of these rights, contact us at hrhandle26@gmail.com. We will respond within 30 days.

9. Cookies and Analytics

We use cookies and browser storage in two categories:

9.1 Essential

Cookies and storage required for authentication, session management, CSRF protection, and remembering your sign-in preference. These are set by Supabase Auth and our own application code, and cannot be disabled without breaking the Service. We do not use advertising or cross-site tracking cookies.

9.2 Product analytics

In production we use the following analytics tools to understand how the Service is used and to improve it:

  • PostHog (hosted in the EU, eu.i.posthog.com) — captures page views, clicks, and product events. Person profiles are created only for signed-in users (configured as identified_only). Anonymous visitors to the landing page and public application pages do not receive a PostHog person profile.
  • Vercel Analytics — counts page views and basic traffic signals (referrer, country, device type) on production deployments. Vercel Analytics is privacy-friendly and does not use cross-site tracking cookies.

We do not run PostHog or Vercel Analytics on the candidate apply pages in a way that captures candidate-entered content, and we do not send candidate personal data (name, email, CV content) to either tool.

9.3 Error monitoring

Sentry collects technical error details (stack traces, browser/OS, request metadata) when something fails in the Service. Before any error is sent to Sentry, we run a server-side scrubbing step that removes known personal-data fields (names, emails, phone numbers, CV content, dates of birth, and similar) from the payload, so error reports do not contain candidate personal data.

10. Security

We implement appropriate technical and organizational measures to protect your data, including encrypted data transmission (TLS), row-level security on all database tables, role-based access controls, and signed URLs for document access.

11. Children

The Service is not directed at persons under 18. We do not knowingly collect personal data from anyone under 18.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a notice within the Service. The "last updated" date at the top of this page reflects the most recent revision.

13. Contact

Data controller: Aleksandre Merabishvili, Individual Entrepreneur
Tbilisi, Georgia
hrhandle26@gmail.com