1. Overview
This Privacy Policy describes how [ENTITY NAME] doing business as SourceHire (“SourceHire”, “we”) collects, uses, shares, and protects Personal Data when you use the SourceHire websites and Services (defined in our Terms of Service).
2. Who We Are
[ENTITY NAME], a [STATE OF FORMATION] limited liability company with a place of business at [BUSINESS ADDRESS], is the data controller for Personal Data processed through the candidate-facing Services. Where we provide the Services to a Customer (e.g., a posting employer or talent-acquisition team), we act as a data processor for that Customer in respect of the application data submitted to that Customer's jobs (see Section 4).
3. Scope
This Policy applies to the websites, web applications, and APIs of SourceHire, including the marketing site, the public job board at /jobs, the apply flow, the candidate self-service surface at /apply/me, and the operator console at /admin. It does not apply to any third-party site or service we link to, which has its own privacy policy.
4. Controller / Processor Roles
For Personal Data of website visitors, prospective candidates, and unauthenticated users browsing the public surfaces, Source Unlimited acts as the data controller.
For Personal Data submitted by a Candidate as part of an application to a Customer's job, SourceHire acts as a processor on behalf of that Customer, who is the data controller for the processing of that application. For Personal Data submitted by a Candidate to the network for discoverability rather than a specific job, SourceHire acts as the data controller.
Customers and SourceHire are bound by the Data Processing Addendum which governs the controller-processor relationship.
5. What We Collect
5.1 What you submit at apply time
- Identity: name, email, optional phone, optional preferred name, optional pronouns.
- Documents: resume (required), cover letter (optional). Uploaded files are stored with a SHA-256 content hash for integrity verification.
- Declared logistics: work authorization, salary expectations, relocation preference, work-arrangement preference.
- Declared catalogs: products you regularly use, products you are learning.
- Voice of candidate: first-person free-text answers to the prompts shown on the apply form.
- Consent grants: the boolean state of each of the six consent options (Section 9), captured per Section 9.2.
- EEO self-identification (optional, separated): if you complete the post-apply EEO survey, your responses to demographic questions defined by applicable equal-employment law. Stored in an isolated table; never joins the talent-search or operator-export query path.
5.2 What we derive from your documents
Where you grant ai_extraction consent: a structured profile derived from your resume by AI extraction, including current role and employer, total years of experience, location, seniority, highest degree, and a list of extracted skills. Each field carries a source attribution (declared vs extracted) and a confidence value where available.
5.3 Operational metadata
- IP address and user agent at the time of any consent grant or revocation, recorded in the Consent Ledger for legal demonstrability.
- IP address, user agent, and timestamp of operator actions (review, unmask, export), recorded in the Audit Log.
- Authentication tokens (magic-link tokens for /apply/me; session cookies for operator authentication).
- Minimal request logs for security, abuse prevention, and debugging.
5.4 What we do not collect
- We do not collect biometric data. We do not run video-interview biometric analysis.
- We do not collect financial or credit data. We do not run consumer-reporting-agency background checks.
- We do not request gender identity, race, ethnicity, religion, sexual orientation, disability, or veteran status as part of the apply form. The optional EEO survey is the only place such attributes are collected, and they remain isolated from every other surface.
- We do not embed cross-context behavioral advertising trackers, third-party AdTech pixels, lookalike-modeling SDKs, or identity-resolution beacons.
6. How We Collect It
Almost all Personal Data we hold about you was submitted by you directly through the apply form or through your authenticated /apply/me session. Operational metadata (IP, user agent, timestamps) is observed automatically when you interact with the Services. We do not purchase or otherwise acquire candidate Personal Data from third-party data brokers.
7. Why We Process It
- To provide the candidate apply flow and the resulting record.
- To process your documents into a structured profile for hiring review (subject to your ai_extraction consent).
- To make you discoverable in the network-wide talent search (subject to your discoverability consent).
- To allow recruiters of jobs you applied to to evaluate your application.
- To operate the consent ledger, the audit log, and the demonstrability artifacts that allow us to prove lawful processing.
- To respond to your data-rights requests (access, correction, erasure, portability, restriction, objection).
- To send platform-related communications you have opted into (subject to your marketing consent).
- To enforce our Terms of Service and Acceptable Use Policy, and to comply with our legal obligations.
8. Legal Bases (GDPR)
Where GDPR applies, we rely on the following legal bases:
- Consent (Article 6(1)(a)) — for ai_extraction, discoverability, sensitive_accommodations, marketing, and professional_enrichment. Withdrawable at any time.
- Contract (Article 6(1)(b)) — for the core_processing consent, which is required to perform the apply transaction you initiated.
- Legal obligation (Article 6(1)(c)) — for retention and disclosure obligations imposed on us by applicable law.
- Legitimate interests (Article 6(1)(f)) — for security, abuse prevention, audit logging, and the operational integrity of the Services. Where we rely on this basis, we have balanced our interests against your fundamental rights and freedoms; you may object as described in Section 16.
For Special Category Data (Article 9) — limited to optional accommodations and EEO survey responses — we rely on your explicit consent (Article 9(2)(a)).
9. Consent Options
9.1 The six consents
You are presented with six discrete consent options at apply time. Each is independent. The minimum required to apply is core_processing; without it we cannot process your application. The other five are genuinely optional and are individually revocable.
- core_processing — store your documents, generate a structured profile, retain for hiring review.
- ai_extraction — process documents with AI (Anthropic Claude). When declined, only declared fields are surfaced.
- discoverability — appear in the network-wide talent search.
- sensitive_accommodations — capture and surface accommodation needs.
- marketing — receive SourceHire platform emails about new opportunities. Does not authorize Recruiter outreach outside applied jobs, and does not authorize sharing your data with third parties.
- professional_enrichment — enrich your profile with supplementary professional context inside the platform. Does not authorize sharing enriched data outside the platform.
9.2 The Consent Ledger
Each grant or revocation creates a row in your Consent Ledger. Each row contains: timestamp (ISO 8601 UTC), consent option, the granted boolean, your IP address, your user agent, the policy version then in effect, the verbatim text shown to you at grant time, and a SHA-256 hash chained to the previous row's hash. This makes the ledger tamper-evident: any mutation, deletion, or reordering is detectable by chain verification.
9.3 Revoking consent
You may revoke any consent at any time via your authenticated /apply/me session or by emailing privacy@sourceunlimited.co. Revocation is effective on receipt for new processing. Revoking core_processing initiates erasure of your record.
11. Commitments
11.1 Absolute commitments. The following apply under all circumstances, regardless of any consent flag:
- We will not include protected-class attributes (gender identity, race, ethnicity, veteran status, age, disability) in any recruiter-facing dashboard export, CSV download, or other operator-initiated export from the recruiter workflow that SourceHire's own employer customers use to view your profile. This commitment protects you from your prospective employer seeing your protected-class data through SourceHire's own surfaces. It does NOT prevent us from sharing this data with named third-party data partners under § 11.2 if you have affirmatively consented to a specific partner.
- We will not use the existence of any one consent as standing authorization for any operation that consent does not specifically describe.
11.2 Conditional on explicit per-partner opt-in. The activities below are off by default. They are permitted only if you have affirmatively opted in to a specific third-party partner we identify by name, for the specific purpose disclosed in the opt-in text. The current roster of named partners and the fields each receives is published at /legal/data-partners and updated within seven (7) days of any change.
- We may include your Personal Data, including direct identifiers, demographic characteristics (including protected-class attributes such as gender, ethnicity, age, marital status, household composition), and digital advertising identifiers (including IAB Transparency and Consent Framework strings and Unified ID 2.0 matched flags), in a data product, data feed, licensed dataset, or partner-facing API directed to a third-party data partner we identify by name. Without your opt-in to that specific partner, no such inclusion occurs.
- We may provide your Personal Data, including the categories above, to a named third-party partner for the training, fine-tuning, evaluation, benchmarking, or improvement of a machine-learning model. We acknowledge that such a model, if it produces matching scores subsequently used in hiring decisions, may be subject to disparate-impact scrutiny under Title VII of the Civil Rights Act of 1964, the Age Discrimination in Employment Act, the Americans with Disabilities Act, NY Local Law 144, the Colorado AI Act, and equivalent laws. We require each such partner to maintain a documented bias-audit process and to indemnify SourceHire and affected Candidates against discrimination claims traceable to such models. Anthropic Claude, which extracts your resume into structured fields, operates as a processor under our instructions and does not use your data to train its models — that processor relationship is unchanged and does not require an additional opt-in.
- We may transmit your Personal Data to authenticated external partner systems on a schedule, via webhook, or via a partner-facing API, to a partner we identify by name. Without your opt-in to that specific transfer, no such transmission occurs.
- We may “share” your Personal Data for cross-context behavioral advertising within the meaning of CCPA Cal. Civ. Code § 1798.140(ah) by transmitting profile attributes (which may include direct identifiers and demographic characteristics) to third-party advertising exchanges and talent-related ad networks. EEA / UK / Swiss residents require explicit opt-in regardless of opt-out signals.
11.3 Right to revoke. You may revoke any per-partner consent at any time. Revocation stops future transfers immediately, and we will forward the revocation to the partner for downstream deletion within seventy-two (72) hours where the partner agreement so requires.
12. Subprocessors
We use a small set of subprocessors to provide the Services. Each subprocessor is bound by data protection terms at least as protective as this Policy. We update this list when we add or remove a subprocessor; material changes are notified per Section 21.
- Vercel Inc. — application hosting and edge delivery. United States.
- Neon Inc. — managed Postgres database. United States (with EU/UK regions available on request).
- Vercel Blob (storage) — file storage for uploaded resumes and cover letters. United States.
- Anthropic, PBC — AI extraction (Anthropic Claude). Subject to your ai_extraction consent. Anthropic processes your data only to provide the inference service for us; under our agreement with Anthropic and Anthropic's commercial terms, your data is not used to train Anthropic's models.
- Inngest Inc. — background job orchestration. United States.
- Resend, Inc. — transactional email delivery (magic links, notifications). United States.
- GitHub, Inc. — source-code hosting. Does not process Candidate Personal Data; listed for completeness as part of our development infrastructure.
13. International Transfers
SourceHire is incorporated in the United States and our primary processing infrastructure is located in the United States. If you are located in the European Economic Area, the United Kingdom, or Switzerland, your Personal Data is transferred to the United States subject to appropriate safeguards, specifically the Standard Contractual Clauses adopted by the European Commission (Decision (EU) 2021/914) as supplemented by the UK International Data Transfer Addendum and the Swiss FADP adaptations, together with a Transfer Impact Assessment.
14. Retention
- Active candidate records and uploaded files: for as long as your record is active in the Services, plus a reasonable wind-down period not exceeding 180 days after revocation of core_processing consent or successful erasure request, whichever is earlier.
- Consent Ledger rows: retained as required for legal demonstrability under GDPR Article 7(1) and equivalent statutes, with tombstones replacing erased payload after the candidate record is erased.
- Audit Log entries: retained for a minimum of 24 months for security and compliance review.
- Backups: rolling daily backups retained for 30 days. Backup erasure is performed by aging-out rather than direct redaction of historical snapshots; we do not restore from backups in a way that resurrects an erased record.
15. Security
We implement administrative, technical, and physical safeguards designed to protect Personal Data against unauthorized access, loss, alteration, and destruction. Specific measures include encryption in transit (TLS 1.2+); encryption at rest; scoped role-based access control with the strict role hierarchy viewer < recruiter < reviewer < admin; PII masking by default in reviewer surfaces with audit-logged unmask; per-row consent re-checks at every export; hash-chained consent ledgers; append-only audit logging; secret rotation; least-privilege subprocessor configurations; and regular review of the security posture of every component.
In the event of a Personal Data breach affecting your data, we will notify you and, where required, the relevant supervisory authority, within the timeframes specified by applicable law (within 72 hours under GDPR Article 33; without unreasonable delay under U.S. state breach-notification statutes).
16. Your Rights
Subject to applicable law and any statutory exceptions, you have the right to:
- Access the Personal Data we hold about you and receive a copy.
- Correct inaccurate Personal Data.
- Erase your Personal Data (right to be forgotten).
- Restrict certain processing.
- Object to processing based on legitimate interests or for direct marketing.
- Port your data to another service in a structured, commonly used, machine-readable format.
- Withdraw consent at any time, with the same ease as it was given.
- Lodge a complaint with a supervisory authority in your jurisdiction.
- Not be subject to solely automated decisions with legal or similarly significant effects (GDPR Article 22). We do not make automated employment decisions on behalf of Customers; hiring decisions are made by human Operators after review.
The most direct path to access is the self-service surface at /apply/me using a magic link sent to your email on file. The DSAR JSON download includes the full record, the complete Consent Ledger with chain hashes, and the audit-log entries that involve you as a subject. For all other rights, email privacy@sourceunlimited.co. We respond within statutory timeframes.
17. Children
The Services are not directed to children under 16. We do not knowingly collect Personal Data from children under 16 without the verifiable consent of a parent or legal guardian, where such consent is required by applicable law. If we learn we have collected Personal Data from a child under 16 in violation of this Policy, we will delete it.
18. California Residents
If you are a California resident, you have specific rights under the CCPA as amended by the CPRA. We honor Global Privacy Control signals as a valid opt-out of any sale or share of your Personal Information, and we provide a clear and conspicuous Do Not Sell or Share My Personal Information link in the footer of every page on this site.
Categories of Personal Information we collect (per CCPA Cal. Civ. Code § 1798.140(v)): identifiers; characteristics of protected classifications (only via the optional EEO survey); commercial information (limited to the application transaction); internet and other electronic network activity (limited operational metadata); professional and employment-related information; education information; and inferences (only structured-profile extraction with your ai_extraction consent).
Sharing and selling of your Personal Information. We “share” and may “sell” (as those terms are defined in CCPA § 1798.140) Personal Information to specific third-party data partners listed at /legal/data-partners, only with your prior opt-in to each named partner. The categories of Personal Information shared, the categories of recipients, the business purpose of each transfer, and the partner-level retention period are disclosed in the consent text at the time of opt-in and recorded verbatim in your consent ledger. Categories of recipients include third-party data partners, advertising exchanges, talent-related ad networks, and machine-learning model vendors.
How to opt out. You can exercise the right to opt out of sale or share in any of the following ways, and we will honor whichever signal arrives first. None of them requires you to have a SourceHire account:
- Submit the form at /privacy-choices. Optional email field — submitting it makes the opt-out follow you across devices.
- Enable Global Privacy Control in your browser. We honor a Sec-GPC: 1 request header as a valid opt-out under CPRA regulation § 7025.
- Revoke the ad_audience_share consent option at /apply/me if you have a SourceHire account.
- Designate an authorized agent under CCPA § 1798.135(c) by emailing privacy@sourceunlimited.co with the consumer's written authorization attached.
You have the right to know, the right to delete, the right to correct, the right to limit use of sensitive Personal Information, the right to non-retaliation for exercising any right, and the right to designate an authorized agent. Submit requests to privacy@sourceunlimited.co.
19. European Residents
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described in Section 16 under GDPR, UK GDPR, and the Swiss Federal Act on Data Protection respectively. The legal bases on which we rely are described in Section 8.
Cross-context behavioral advertising and data-partner transfers require explicit opt-in. For visitors located in the EEA, the United Kingdom, or Switzerland, the “sharing” and “sale” activities described in Section 18 (transferring profile attributes to third-party data partners, advertising exchanges, talent-related ad networks, and machine-learning model vendors) are off by default and are permitted only with your explicit prior consent via the relevant data_partner_<slug> or ad_audience_share consent option. We determine your location from the IP address at the time of collection plus the locale you select. You may revoke that consent at any time and we will stop sharing immediately.
Special category data (GDPR Article 9). Where you grant consent to share data with a third-party data partner that includes any special category data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation), your consent serves as the lawful basis under Article 9(2)(a). The consent text identifies the specific categories of special category data being shared and the specific purposes for each transfer. The categories listed in our consent options are exhaustive — we do not transfer special category data outside the categories you have specifically consented to.
Our representative for purposes of GDPR Article 27, where one is required, is [EU REPRESENTATIVE TO BE NAMED]. You may also lodge a complaint with the supervisory authority in your member state of residence, place of work, or place of the alleged infringement.
20. Other Jurisdictions
We honor data protection rights granted under the laws of other jurisdictions where applicable, including but not limited to: Canada (PIPEDA, Quebec Law 25); Brazil (LGPD); Australia (Privacy Act 1988); New Zealand (Privacy Act 2020); Japan (APPI); Korea (PIPA); India (DPDPA 2023); Singapore (PDPA); UAE (DIFC, ADGM, and federal PDPL); and South Africa (POPIA). Where the applicable law provides rights more protective than those described above, the more protective regime applies.
21. Changes
We may update this Policy from time to time. The version and effective date appear at the top of this page. Where the change is material, we will notify Customers by email and Candidates by a banner on the public site at least thirty (30) days before the change takes effect. Previous versions are preserved and available on request.
22. Contact
[ENTITY NAME] d/b/a SourceHire
[BUSINESS ADDRESS]
Privacy: privacy@sourceunlimited.co
Data Protection Officer (where applicable): dpo@sourceunlimited.co