Privacy Policy
Last updated: April 2026
1. Data Controller
S&C Holding GmbH
Halbgasse 1a, 1070 Vienna, Austria
Commercial Register Number: FN 366123t (Commercial Court Vienna)
VAT ID: ATU70341613
Managing Director: Mag. Markus Höfinger
Email: hello@hiresift.ai
2. Data We Collect
2.1 Account Data
- Email address, name
- Authentication data (via Clerk)
- Usage behavior within the platform
2.2 Applicant Data (uploaded by customers)
- CV / resume documents (PDF, Word)
- Data extracted from CVs: name, contact details, work experience, education, qualifications
- AI-generated matching scores and explanations
2.3 Technical Data
- IP address, browser type, device information
- Log data, error reports
3. Legal Basis for Processing
| Purpose | Legal Basis |
|---|---|
| CV screening service delivery | Art. 6(1)(b) GDPR — Contract performance |
| Security and fraud prevention | Art. 6(1)(f) GDPR — Legitimate interest |
| Product improvement (anonymized) | Art. 6(1)(f) GDPR — Legitimate interest |
| Marketing / newsletter | Art. 6(1)(a) GDPR — Consent |
4. AI Processing and Sub-Processors
The default provider for AI-based CV analysis is Mistral AI (Document AI / OCR, hosted in Paris, France) — Europe’s leading AI company. Alternatively we use Vertex AI in the EU region europe-west4 (Belgium) for higher-tier Gemini and Claude models (e.g. re-extraction). Applicant data stays within the EU data boundary in both cases. Neither Mistral AI nor Google Cloud retains the transmitted data or uses it for model training (contractually specified in each provider’s service terms).
| Provider | Purpose | Location | Transfer Basis |
|---|---|---|---|
| Supabase | Database & file storage (including CVs) | EU — Frankfurt (AWS eu-central-1) | GDPR-compliant, no third-country transfer |
| Vercel | Web application hosting & serverless functions | EU — Frankfurt (fra1) | GDPR-compliant, no third-country transfer |
| Mistral AI | Default AI for CV extraction (Document AI / OCR) | EU — Paris, France | GDPR-compliant, no third-country transfer |
| Vertex AI | Alternative AI models (Gemini, Claude) for scoring & re-extraction | EU — Belgium (europe-west4) | GDPR-compliant, no third-country transfer |
| Mailgun | Inbound parsing and outbound sending of application and transactional emails | EU — Ireland (api.eu.mailgun.net) | GDPR-compliant, no third-country transfer |
| Mixpanel | Product analytics for service improvement | EU — Frankfurt (eu.mixpanel.com) | GDPR-compliant, no third-country transfer |
| Stripe | Payment processing & subscription management | EU — Ireland (Stripe Technology Company, Ltd.) | DPA with EU contracting party; internal cross-border flows under SCCs |
| Clerk, Inc. | No applicant data, only account login for HireSift | USA | EU-US Data Privacy Framework (DPF-certified) + DPA + SCCs |
All providers are bound by Data Processing Agreements (DPAs) in accordance with Art. 28 GDPR. Applicant data (CVs, extracted profiles, match scores, application emails and their attachments) is processed and stored exclusively within the EU. Clerk is used solely for account login in HireSift and processes no applicant data.
5. Controller / Processor Relationship
HireSift as Data Controller:
S&C Holding GmbH is the data controller for platform user data (recruiters, HR staff).
HireSift as Data Processor:
For applicant data uploaded by customers, S&C Holding GmbH acts as a data processor on behalf of the respective customer (employer). The customer remains the data controller for applicant data and is responsible for lawful collection (consent, employment application).
A Data Processing Agreement (DPA) can be requested at hello@hiresift.ai.
6. Data Retention
- Applicant data is retained for the duration of the customer contract
- After termination: deletion within 30 days
- Backups: deletion within 90 days
- On request: immediate deletion possible
7. Your Rights (GDPR Art. 15–22)
Under the GDPR, you have the right to:
- Access (Art. 15) to your stored data
- Rectification (Art. 16) of inaccurate data
- Erasure (Art. 17) — “right to be forgotten”
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Objection to processing (Art. 21)
Contact: hello@hiresift.ai
Right to complain: Austrian Data Protection Authority (DSB), Barichgasse 40-42, 1030 Vienna, www.dsb.gv.at
8. Cookies
We use technically necessary cookies (session, authentication) as well as product-analytics cookies from Mixpanel (EU region, eu.mixpanel.com) to improve the service. No advertising cookies, no cross-site tracking.