Privacy Policy
Effective: April 2026 · Last updated: June 1, 2026
1. Who we are
Hiresling.ai is operated by 42labs OÜ, a company registered in Estonia (EU). In this policy, "hiresling," "we," "us," and "our" refer to 42labs OÜ.
Contact: hiresling@42labs.io
2. What data we collect
| Category | Examples | When |
|---|---|---|
| Account data | Name, email address | Sign-up (from Google profile) |
| Resume data | Work history, education, skills, accomplishments | Onboarding (you upload it) |
| Targeting preferences | Target roles, industries, organization traits, skills, signals, contact role preferences, company blacklist | Onboarding & settings |
| Email content | Drafted email subjects and bodies, email closing preferences | During outreach generation |
| Gmail credentials | OAuth refresh token (encrypted) | Gmail connection |
| Usage data | Daily/monthly email and AI call counts | Automatically |
| Decisions & feedback | Prospect approvals/rejections, email feedback | During pipeline use |
| Calibration data | Chat messages and extracted calibration notes | Onboarding chat |
3. How we use your data
- Resume parsing and tailoring — we use AI to parse your resume into structured data and deterministically reorder it for each target company. No text is added, changed, or fabricated.
- Email drafting — we use AI to draft personalized outreach emails based on your resume, preferences, and target company information.
- Email sending — we send approved emails from your Gmail account using your authorized credentials. We only request the gmail.send scope. We never read your inbox.
- Company and contact discovery — we find potential target companies and their publicly available contact information using APIs and, as a last resort, publicly accessible web pages. Where no published individual contact is found, we may derive a generic role-based business address (e.g. contact@ or info@ the company's domain) and validate it via DNS before drafting to it.
- Semantic matching — we use AI embeddings (numeric representations of text) to pre-rank which companies to fit-score, retrieve relevant help-center answers in chat, and de-duplicate company records.
- Usage enforcement — we track daily and monthly counts to enforce your subscription tier limits.
- Platform statistics — we maintain anonymized aggregate counters (total emails sent, total resumes generated) for platform metrics. These are not linked to any user.
- Error monitoring — we use Sentry to capture application errors and improve reliability. Error reports may include technical identifiers but are scrubbed of personal content.
4. Google API Services — Limited Use
hiresling uses Google Workspace APIs (Gmail) solely to send emails on your behalf, using the gmail.send scope you authorize. We do not read, store, or transfer your inbox.
The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements. Specifically:
- We use Google user data only to provide the email-sending feature you requested.
- We do not transfer Google user data to others except as required to provide the service or comply with law.
- We do not use Google user data for advertising, audience-building, or sale.
- We do not allow humans to read Google user data unless you give us explicit consent for specific messages, it is necessary for security purposes (e.g., investigating abuse), to comply with applicable law, or for aggregated and anonymized usage statistics.
5. Legal basis (GDPR / LGPD)
| Processing | Legal basis |
|---|---|
| Resume parsing, tailoring, email drafting, sending | Performance of contract (GDPR Art. 6(1)(b) / LGPD Art. 7, V) — necessary to deliver the service you subscribed to |
| Resume upload and AI processing | Explicit consent (GDPR Art. 6(1)(a) / LGPD Art. 7, I) — provided at onboarding |
| Contact discovery from public sources | Legitimate interest (GDPR Art. 6(1)(f) / LGPD Art. 7, IX) — the user has a legitimate interest in finding employment; contacting company representatives via publicly available information is a proportionate means |
| Usage tracking, error monitoring | Legitimate interest (GDPR Art. 6(1)(f) / LGPD Art. 7, IX) — maintaining platform security, reliability, and fair usage |
| Aggregate platform statistics | Legitimate interest (GDPR Art. 6(1)(f) / LGPD Art. 7, IX) — anonymized, no personal data involved |
6. Who we share data with
We share your data only with the categories of service providers necessary to operate hiresling. All are bound by data processing agreements, and transfers outside the EU/EEA are covered by Standard Contractual Clauses and/or the EU-US Data Privacy Framework where applicable.
- Infrastructure, hosting and security — database, authentication, file storage, serverless hosting, background-job queue, the AI gateway, and error monitoring.
- AI processing — large-language-model and embedding providers used for resume parsing, email drafting, calibration, fit scoring, and semantic matching.
- Job-posting and company discovery — public job-listing and company-search APIs (search parameters only; no personal data of yours is sent).
- Contact discovery — providers that return work email addresses at the companies you target.
- Email delivery and support — your Gmail account (for sending), transactional-email delivery, and customer-support ticketing.
- Payments — our Merchant of Record, who handles billing, tax, and payment data.
- Analytics and operational notifications — cookieless web analytics and internal operational alerting.
We do not sell your data or share it for advertising. We can provide the current list of the specific providers behind each category on request — email hiresling@42labs.io.
7. Shared and isolated data
Some data is shared across all authenticated users to avoid redundant lookups:
- Company records — name, website, industry, size
- Job postings — title, URL, company
- Contact records — name, role, email address
The following data is never shared between users and is strictly isolated via row-level security:
- Resumes, email drafts, feedback, decisions, preferences
- Gmail credentials, API keys, usage records
- Audit logs
Fit scoring. When we draft outreach to a company, we compute a fit score (0–100) using your profile and the company's signal. This processing is necessary to perform our contract with you (GDPR Art. 6(1)(b)). The score is a triage aid that only you see — it never filters or hides companies, and the recipient never sees it. Users in Brazil may request review of an automated score under LGPD Art. 20 via the in-app support chat.
8. Data retention
| Data | Retained | After account deletion |
|---|---|---|
| Account and profile | Until you delete your account | Purged immediately |
| Resumes (base and tailored) | Until you delete your account | Purged immediately |
| Sent email content | 90 days after last follow-up sent | Purged immediately |
| Contact-discovery data (names, roles, business emails) | 90 days if never used for outreach; otherwise kept with the related outreach record | Purged immediately |
| Usage tracking | 12 months | Purged immediately |
| Audit logs | 3 years (compliance) | Email pseudonymized — your email is replaced with a one-way salted hash that cannot be reversed to identify you, while preserving the audit trail's integrity for fraud and dispute investigation. |
| Aggregate counters (emails/resumes sent) | Indefinite | Not affected (no user association) |
9. Security
- Gmail refresh tokens and BYOK API keys are encrypted with AES-256-GCM before storage.
- All data in transit is encrypted via TLS (HTTPS).
- Authentication uses Google OAuth with PKCE. No passwords are stored.
- Database access is enforced by row-level security policies — users can only access their own data.
- Resume files are stored in a private storage bucket and served only via authenticated proxy endpoints.
10. Your rights
Depending on your location, you may have the following rights:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Deletion — delete your account and all associated data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — withdraw consent for resume processing at any time (by deleting your resume or account)
- Complaint — lodge a complaint with your local data protection authority. Our lead authority is Estonia's Andmekaitse Inspektsioon (aki.ee); if you are in the EEA you may also contact your local authority, and in Brazil the ANPD (gov.br/anpd)
To exercise any right, email hiresling@42labs.io. We respond within 30 days.
11. Cookies and tracking
hiresling uses HTTP-only session cookies managed by Supabase Auth for authentication. We do not use analytics cookies, tracking pixels, or advertising cookies. If this changes, we will update this policy and request your consent where required.
12. Contact data from public sources
hiresling discovers company contact information (names, roles, email addresses) from publicly available sources such as company websites and job listing APIs. Where no published individual contact is found, a generic role-based business address (e.g. contact@ or info@ the company's domain) may be derived and validated via DNS. This data is used to facilitate employment-related outreach on behalf of our users.
If you are a contact whose information appears in our system and wish to be removed, email hiresling@42labs.io and we will delete your record within 30 days.
13. Children's privacy
hiresling is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe a minor has signed up, contact us and we will delete the account.
14. Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last updated" date above and, for material changes, ask you to re-consent on your next login. Continued use after notification constitutes acceptance.
15. Governing law
This policy is governed by the laws of the Republic of Estonia, without regard to conflict of law principles. The courts of Harju County, Estonia have exclusive jurisdiction.
16. Third-party data attribution
hiresling uses the following third-party datasets to power its onboarding questionnaire:
- ESCO Occupations and Skills — European Commission, licensed under CC BY 4.0. Source: esco.ec.europa.eu.
- ISIC Rev.4 — United Nations Statistics Division. Source: unstats.un.org.
- GeoNames geographical data — GeoNames, licensed under CC BY 4.0. Source: geonames.org.