Privacy Policy
Last updated: 15 May 2026
1. Introduction
This Privacy Policy explains how VEYR ("we", "us", "our") collects, uses, and protects personal data when you use our Recruiting Intelligence Platform available at getveyr.com (the "Service"). We are committed to protecting your privacy and processing your data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Spanish data protection law.
2. Data Controller
VEYR is an early-stage project operated by a private individual based in Spain.
Data Controller:
Ali Karim
Passeig de la Verneda 97
Barcelona, Spain
Email: contact@getveyr.com
For any questions regarding this Privacy Policy or your personal data, please contact us at the email address above.
3. Who This Policy Applies To
This Privacy Policy applies to two distinct groups:
- Customers: Recruiters, hiring managers, and team members who sign up for and use the Service to manage their hiring activities.
- Candidates: Individuals who interact with a Customer's Beacon page, complete Pulse assessments, or otherwise engage with the Service as part of a Customer's recruitment process.
For Candidate data uploaded or generated by Customers, we act as a data processor on behalf of the Customer, who acts as the data controller. For Customer account data, we act as the data controller directly.
4. Personal Data We Collect
From Customers (account holders):
- Name and email address
- Company name and role
- Authentication credentials (encrypted)
- Billing information (processed by Stripe; we do not store card details)
- Usage data (login timestamps, feature usage, IP address)
- Communications you send to us
From Candidates (via Customer use of the Service):
- Name, email, and contact details
- CV, resume, and any uploaded documents
- Responses to AI screening questions
- Pulse assessment responses
- Conversations with the Beacon AI assistant
- Booking and calendar data when scheduling interviews
- Stage history and recruiter notes
- Any other information voluntarily provided
5. Legal Bases for Processing
We process personal data on the following legal bases under GDPR Article 6:
- Contract (Art. 6(1)(b)): To provide the Service to our Customers under our Terms of Service.
- Legitimate interest (Art. 6(1)(f)): To operate, secure, and improve the Service, prevent abuse, and communicate with Customers.
- Consent (Art. 6(1)(a)): For specific optional features, marketing communications, and Candidate interactions where consent is the appropriate basis.
- Legal obligation (Art. 6(1)(c)): To comply with applicable laws, including tax, accounting, and security obligations.
6. How We Use Personal Data
We use personal data to:
- Provide, operate, and maintain the Service
- Authenticate users and secure accounts
- Process payments and manage subscriptions
- Generate AI-assisted candidate insights (dossiers, interview questions, content detection)
- Communicate with Customers regarding their account, support, and product updates
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
7. AI Processing
The Service uses artificial intelligence to assist with candidate screening, scenario assessments, dossier synthesis, content generation, and interview question generation. AI processing is performed via the Lovable AI Gateway using Google Gemini 2.5 Flash, with EU routing to keep inference within the European Union.
Important: AI outputs are recommendations only. Final hiring decisions are made by the Customer (employer) and are their sole responsibility. The Service does not make automated decisions producing legal or similarly significant effects on Candidates within the meaning of GDPR Article 22.
8. Sub-Processors
We rely on the following sub-processors to operate the Service. All sub-processors are bound by contractual data protection obligations.
- Supabase · Database, authentication, file storage · EU (Frankfurt)
- Lovable · Hosting and deployment · EU
- Stripe · Payment processing · EU / Global
- Resend · Transactional email · EU
- Google (Gemini via Lovable AI Gateway) · AI processing · EU-routed
We will notify Customers in advance of any material changes to our sub-processor list.
9. Data Storage and Security
All personal data is stored on infrastructure located within the European Union, specifically AWS Frankfurt (eu-central-1) via Supabase. We apply the following technical and organizational measures:
- TLS 1.2+ encryption in transit (HTTPS everywhere)
- AES-256 encryption at rest
- Row-Level Security enforcing strict company-level data isolation
- Daily automated backups with point-in-time recovery
- Rate limiting on public-facing endpoints
- Regular security reviews and vulnerability scanning
While we apply industry-standard security measures, no system is completely immune to risk. If we become aware of a personal data breach affecting your data, we will notify the relevant supervisory authority and affected individuals where required by law.
10. Data Retention
We retain personal data only as long as necessary for the purposes set out in this Policy:
- Active Customer accounts: for the duration of the subscription and a reasonable period thereafter
- Candidate data: for as long as the Customer maintains the data in the Service, subject to the Customer's own retention policies
- Billing records: as required by Spanish tax law (typically 5 years)
- Backups: rotated and deleted on a defined schedule
- Account deletion: personal data is deleted within 30 days of account closure, except where retention is required by law
11. International Data Transfers
We prioritize EU-based processing. Where data transfers outside the European Economic Area (EEA) are necessary (for example, certain Stripe operations), they are protected by appropriate safeguards including Standard Contractual Clauses approved by the European Commission.
12. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Access · request a copy of the personal data we hold about you
- Rectification · request correction of inaccurate or incomplete data
- Erasure · request deletion of your personal data ("right to be forgotten")
- Restriction · request that we limit how we use your data
- Portability · receive your data in a structured, machine-readable format
- Objection · object to processing based on legitimate interests
- Withdraw consent · where processing is based on consent
- Lodge a complaint · with the Spanish Data Protection Authority (Agencia Española de Protección de Datos, www.aepd.es) or your local supervisory authority
To exercise any of these rights, contact us at contact@getveyr.com. We will respond within one month of receiving your request.
For Candidates: If you are a Candidate and wish to exercise your rights regarding data managed by an employer using the Service, please contact the employer directly. They are the data controller for your application data. We will assist them in fulfilling your request.
13. Cookies and Tracking
The Service uses essential cookies required for authentication and security. We do not use third-party advertising cookies or cross-site tracking. Where analytics cookies are used, they are configured to respect EU privacy requirements. For details, see our Cookie Policy.
14. Children's Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
15. Changes to This Policy
We may update this Privacy Policy as the Service evolves. Material changes will be announced via email or in-product notification at least 30 days before they take effect. The "Last updated" date at the top of this Policy reflects the most recent revision.
16. Contact
For any questions, requests, or complaints regarding this Privacy Policy or your personal data:
Ali Karim
Passeig de la Verneda 97
Barcelona, Spain
Email: contact@getveyr.com
