Privacy Policy
Last updated: March 2026
1. Data Controller
S&C Holding GmbH
Halbgasse 1a, 1070 Vienna, Austria
VAT ID: ATU70341613
Managing Director: Mag. Markus Höfinger
Email: hello@hiresift.ai
2. Data We Collect
2.1 Account Data
- Email address, name
- Authentication data (via Clerk)
- Usage behavior within the platform
2.2 Applicant Data (uploaded by customers)
- CV / resume documents (PDF, Word)
- Data extracted from CVs: name, contact details, work experience, education, qualifications
- AI-generated matching scores and explanations
2.3 Technical Data
- IP address, browser type, device information
- Log data, error reports
3. Legal Basis for Processing
| Purpose | Legal Basis |
|---|---|
| CV screening service delivery | Art. 6(1)(b) GDPR — Contract performance |
| Security and fraud prevention | Art. 6(1)(f) GDPR — Legitimate interest |
| Product improvement (anonymized) | Art. 6(1)(f) GDPR — Legitimate interest |
| Marketing / newsletter | Art. 6(1)(a) GDPR — Consent |
4. AI Processing and Sub-Processors
We use AI language models to analyze CVs. Applicant data is transmitted in a pseudonymized form and used exclusively for analysis — no storage or model training by the providers.
| Provider | Purpose | Location | Transfer Basis |
|---|---|---|---|
| Supabase (Frankfurt) | Data storage | EU (Germany) | GDPR-compliant, no transfer |
| Anthropic (Claude API) | CV analysis | USA | DPA + Standard Contractual Clauses (SCCs) |
| Google (Gemini API) | CV analysis | USA | DPA + SCCs (Cloud Data Processing Addendum) |
| OpenAI | CV analysis | USA | DPA + SCCs |
| Clerk | Authentication | USA | DPA + SCCs |
| Resend | Transactional emails | USA | DPA + SCCs |
All providers are bound by Data Processing Agreements (DPAs) in accordance with Art. 28 GDPR.
5. Controller / Processor Relationship
HireSift as Data Controller:
S&C Holding GmbH is the data controller for platform user data (recruiters, HR staff).
HireSift as Data Processor:
For applicant data uploaded by customers, S&C Holding GmbH acts as a data processor on behalf of the respective customer (employer). The customer remains the data controller for applicant data and is responsible for lawful collection (consent, employment application).
A Data Processing Agreement (DPA) can be requested at hello@hiresift.ai.
6. Data Retention
- Applicant data is retained for the duration of the customer contract
- After termination: deletion within 30 days
- Backups: deletion within 90 days
- On request: immediate deletion possible
7. Your Rights (GDPR Art. 15–22)
Under the GDPR, you have the right to:
- Access (Art. 15) your stored data
- Rectification (Art. 16) of inaccurate data
- Erasure (Art. 17) — “right to be forgotten”
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Objection to processing (Art. 21)
Contact: hello@hiresift.ai
Right to complain: Austrian Data Protection Authority (DSB), Barichgasse 40-42, 1030 Vienna, www.dsb.gv.at
8. Cookies
We use only technically necessary cookies (session, authentication). No tracking or advertising cookies.