Privacy Policy

Last updated: February 2025

1. Who We Are

Cody AI Recruiter is operated by Cody AI Ltd (“we”, “us”, “our”). We are the data controller for the personal data processed through our platform. For questions, contact us at privacy@cody.ai.

2. Data We Collect

We collect the following categories of personal data:

Account Data

  • Full name, email address, company name (employers)
  • Profile photo (if signing in via Google OAuth)
  • Authentication tokens and session data

Candidate Profile Data

  • Professional skills, experience, and qualifications
  • Desired role, seniority level, and career preferences
  • Salary expectations and work mode preferences (remote/hybrid/onsite)
  • Location and culture preferences
  • AI-generated profile summaries

Voice Conversation Data

  • Audio recordings of conversations with Cody and Harper voice agents
  • Transcripts generated from voice conversations
  • AI-extracted structured data from transcripts
  • Conversation metadata (duration, timestamps)

Employer Data

  • Job briefs (role title, skills, salary budget, location, culture description)
  • Search history and candidate shortlists

3. How We Use Your Data

Purpose | Legal Basis
Providing the recruitment matching service | Contract performance
Processing voice conversations with AI | Consent (given when you initiate a call)
Building and updating candidate profiles | Legitimate interest
Matching candidates with employer job briefs | Legitimate interest
Sending service-related communications | Contract performance
Improving our AI models and service quality | Legitimate interest
Preventing fraud and abuse | Legitimate interest

4. Third-Party Services

We use the following third-party services to deliver the platform:

  • Supabase — Authentication and database hosting (EU/US servers)
  • ElevenLabs — Voice conversation AI (Conversational AI platform)
  • OpenAI — AI processing for profile extraction and candidate matching
  • Vercel — Web application hosting
  • Google OAuth — Optional sign-in authentication

Each third-party processor handles data in accordance with their own privacy policies and our data processing agreements.

5. Data Sharing

We share your data only in the following circumstances:

  • Candidates → Employers: Your profile data (skills, experience, preferences, AI-generated summary) is visible to employers who search for candidates matching your profile. Your email and contact details are not shared until you consent to an introduction.
  • Employers → Candidates: Job brief information may be shared with matched candidates.
  • Service providers: We share data with the third-party services listed above, solely for the purpose of delivering the Service.
  • Legal requirements: We may disclose data if required by law, regulation, or legal process.

6. Data Retention

  • Account data: Retained while your account is active, deleted within 30 days of account deletion
  • Candidate profiles: Retained while your account is active
  • Voice recordings & transcripts: Retained for up to 12 months, then automatically deleted
  • Employer job briefs & search results: Retained while your account is active
  • Analytics data: Aggregated and anonymised data may be retained indefinitely

7. Your Rights (GDPR)

Under UK/EU data protection law, you have the right to:

  • Access — Request a copy of your personal data
  • Rectification — Correct inaccurate or incomplete data
  • Erasure — Request deletion of your data (“right to be forgotten”)
  • Restriction — Restrict processing in certain circumstances
  • Portability — Receive your data in a structured, machine-readable format
  • Object — Object to processing based on legitimate interests
  • Withdraw consent — Withdraw consent for voice recording at any time

To exercise any of these rights, contact privacy@cody.ai. We will respond within 30 days.

8. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Row-level security on all database tables
  • Secure authentication via Supabase Auth with OAuth 2.0
  • Server-side API key management (never exposed to browsers)
  • Regular security reviews of our infrastructure

9. Cookies

We use essential cookies only for authentication and session management. We do not use tracking cookies or third-party advertising cookies.

10. Children

The Service is not directed at individuals under 18 years of age. We do not knowingly collect data from children.

11. International Transfers

Your data may be processed in the UK, EU, and United States by our service providers. Where data is transferred outside the UK/EU, we ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).

12. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes via email or a notice on the platform.

13. Contact & Complaints

For privacy questions or to exercise your rights: privacy@cody.ai

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
