Privacy Policy
At Interva we handle sensitive hiring data on behalf of our customers — job descriptions, candidate CVs, interview recordings, AI‑generated scores. This Privacy Policy explains what we collect, why, who we share it with, and your rights.
1. Who we are
Interva ("Interva", "we", "our") operates the AI‑powered hiring platform available at interva.io, app.interva.io, and tenant subdomains of the form *.interva.io.
For the account data of our direct customers (HR administrators, recruiters, hiring managers), we act as a data controller. For the candidate data our customers upload and generate through the platform, we act as a data processor on their behalf.
Privacy contact: privacy@interva.io
2. Data we collect
Account data (controller)
When an HR user creates a workspace we collect:
- name, email address, hashed password (bcrypt)
- workspace name, subdomain, brand color, logo, email sender settings
- role (Admin, Recruiter, Hiring Manager, Auditor), last‑login timestamps
- billing contact and invoice history (via Stripe — see subprocessors)
Candidate data (processor)
On behalf of our customers we process data about their job applicants:
- name, email, phone number
- CV/resume file, extracted CV text, portfolio links
- answers to the customer's application form
- interview audio recording and full transcript (voice interviews)
- AI‑generated summaries, scores, and analyses
- application stage, internal notes, timeline events
We only process this data to run our service for the customer. Candidates can request deletion from the customer directly, and we will delete it from our systems on the customer's instruction or once our retention period expires.
Usage and technical data
- IP address, user agent, pages visited, timestamps (server logs)
- Strictly necessary cookies for authentication and session
- Google Tag Manager events on the public landing page (page views, button clicks — no cross‑site tracking)
3. How we use the data
- Deliver the platform (authentication, processing interviews, generating AI analysis, sending notification emails)
- Bill the subscription through Stripe
- Troubleshoot issues and detect abuse
- Improve the service using aggregated, anonymized usage
- Meet legal obligations
We do not sell personal data, ever. We do not use candidate data or customer data to train general‑purpose AI models.
4. Legal basis (GDPR / UK GDPR / KVKK)
- Contract — running the platform for our paying customer (Art. 6(1)(b))
- Legitimate interest — security, fraud prevention, service improvement (Art. 6(1)(f))
- Consent — where a candidate explicitly consents in‑app before a recorded interview starts (Art. 6(1)(a))
- Legal obligation — tax, accounting, regulator requests (Art. 6(1)(c))
5. Subprocessors
We use vetted third parties to operate the service:
| Subprocessor | Role | Location |
|---|---|---|
| Hetzner Online GmbH | Server and database hosting | Germany |
| Bunny.net | CDN + encrypted storage for CVs and recordings | EU |
| OpenAI | LLM processing (transcripts, analyses, prompts) | USA |
| Vapi | Voice‑interview infrastructure | USA |
| Google Workspace (Gmail SMTP) | Transactional email | USA / EU |
| Stripe | Subscription billing | USA / EU |
| Google Tag Manager | First‑party analytics on the public landing page | USA / EU |
All transfers outside the EEA happen under the EU Standard Contractual Clauses (2021/914). Customers can request an up‑to‑date subprocessor list and sign our Data Processing Addendum at dpa@interva.io.
6. Where data is stored
Primary data storage is in Germany (Hetzner data centers in Frankfurt / Nuremberg). Interview recordings and CVs are stored on Bunny.net EU edge locations. AI processing takes place at OpenAI and Vapi in the United States under Standard Contractual Clauses.
7. Data retention
- Account data — for the life of the workspace, plus 12 months for legal and anti‑fraud purposes.
- Candidate data — the retention period is controlled by each workspace (default 365 days from the last activity).
- Interview recordings and transcripts — same as candidate data; the candidate can request deletion at any time.
- Server logs — 90 days.
- Encrypted backups — rolling 30 days.
8. Your rights
Under GDPR, UK GDPR, KVKK, and similar frameworks, you have the right to:
- Access the data we hold about you
- Correct inaccurate data
- Request deletion (right to be forgotten)
- Receive a machine‑readable copy (portability)
- Object to processing that relies on legitimate interest
- Withdraw consent at any time where processing is consent‑based
- Lodge a complaint with your national data protection authority
To exercise any of these rights, email privacy@interva.io. If you are a candidate and your data is held by one of our customers, we may forward your request to that customer as the data controller.
9. Cookies
The app uses strictly necessary cookies for authentication and CSRF protection. The public landing page loads Google Tag Manager for first‑party analytics. There are no advertising cookies or cross‑site trackers on interva.io.
10. International transfers
Where personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (2021/914) and supplementary measures including encryption in transit and at rest.
11. Security
For a technical description of our safeguards, see our Security page.
12. Children
Interva is a business tool designed for HR professionals. We do not knowingly collect data from anyone under 16. If you believe a minor's data has been uploaded, email privacy@interva.io and we will remove it.
13. Changes to this policy
Material updates to this Privacy Policy will be sent to workspace owners at least 30 days before they take effect. Minor clarifications are published here with an updated "Last updated" date.
14. Contact
Privacy Officer · privacy@interva.io
General support · support@interva.io
Data Processing Addendum · dpa@interva.io