Privacy Policy
Last updated: February 2025
1. Who We Are
Cody AI Recruiter is operated by Cody AI Ltd (“we”, “us”, “our”). We are the data controller for the personal data processed through our platform. For questions, contact us at privacy@cody.ai.
2. Data We Collect
We collect the following categories of personal data:
Account Data
- Full name, email address, company name (employers)
- Profile photo (if signing in via Google OAuth)
- Authentication tokens and session data
Candidate Profile Data
- Professional skills, experience, and qualifications
- Desired role, seniority level, and career preferences
- Salary expectations and work mode preferences (remote/hybrid/onsite)
- Location and culture preferences
- AI-generated profile summaries
Voice Conversation Data
- Audio recordings of conversations with Cody and Harper voice agents
- Transcripts generated from voice conversations
- AI-extracted structured data from transcripts
- Conversation metadata (duration, timestamps)
Employer Data
- Job briefs (role title, skills, salary budget, location, culture description)
- Search history and candidate shortlists
3. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Providing the recruitment matching service | Contract performance |
| Processing voice conversations with AI | Consent (given when you initiate a call) |
| Building and updating candidate profiles | Legitimate interest |
| Matching candidates with employer job briefs | Legitimate interest |
| Sending service-related communications | Contract performance |
| Improving our AI models and service quality | Legitimate interest |
| Preventing fraud and abuse | Legitimate interest |
4. Third-Party Services
We use the following third-party services to deliver the platform:
- Supabase — Authentication and database hosting (EU/US servers)
- ElevenLabs — Voice conversation AI (Conversational AI platform)
- OpenAI — AI processing for profile extraction and candidate matching
- Vercel — Web application hosting
- Google OAuth — Optional sign-in authentication
Each third-party processor handles data in accordance with its own privacy policy and our data processing agreements.
5. Data Sharing
We share your data only in the following circumstances:
- Candidates → Employers: Your profile data (skills, experience, preferences, AI-generated summary) is visible to employers who search for candidates matching your profile. Your email and contact details are not shared until you consent to an introduction.
- Employers → Candidates: Job brief information may be shared with matched candidates.
- Service providers: We share data with the third-party services listed above, solely for the purpose of delivering the Service.
- Legal requirements: We may disclose data if required by law, regulation, or legal process.
6. Data Retention
- Account data: Retained while your account is active; deleted within 30 days of account deletion
- Candidate profiles: Retained while your account is active
- Voice recordings & transcripts: Retained for up to 12 months, then automatically deleted
- Employer job briefs & search results: Retained while your account is active
- Analytics data: Aggregated and anonymised data may be retained indefinitely
7. Your Rights (GDPR)
Under UK/EU data protection law, you have the right to:
- Access — Request a copy of your personal data
- Rectification — Correct inaccurate or incomplete data
- Erasure — Request deletion of your data (“right to be forgotten”)
- Restriction — Restrict processing in certain circumstances
- Portability — Receive your data in a structured, machine-readable format
- Object — Object to processing based on legitimate interests
- Withdraw consent — Withdraw consent for voice recording at any time
To exercise any of these rights, contact privacy@cody.ai. We will respond within 30 days.
8. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Row-level security on all database tables
- Secure authentication via Supabase Auth with OAuth 2.0
- Server-side API key management (never exposed to browsers)
- Regular security reviews of our infrastructure
9. Cookies
We use essential cookies only for authentication and session management. We do not use tracking cookies or third-party advertising cookies.
10. Children
The Service is not directed at individuals under 18 years of age. We do not knowingly collect data from children.
11. International Transfers
Your data may be processed in the UK, EU, and United States by our service providers. Where data is transferred outside the UK/EU, we ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).
12. Changes to This Policy
We may update this privacy policy from time to time. We will notify you of material changes via email or a notice on the platform.
13. Contact & Complaints
For privacy questions or to exercise your rights: privacy@cody.ai
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.