1. Overview
This Privacy Policy describes how [ENTITY NAME] doing business as SourceHire (“SourceHire”, “we”) collects, uses, shares, and protects Personal Data when you use the SourceHire websites and Services (defined in our Terms of Service).
2. Who We Are
[ENTITY NAME], a [STATE OF FORMATION] limited liability company with a place of business at [BUSINESS ADDRESS], is the data controller for Personal Data processed through the candidate-facing Services. Where we provide the Services to a Customer (e.g., a posting employer or talent-acquisition team), we act as a data processor for that Customer in respect of the application data submitted to that Customer's jobs (see Section 4).
3. Scope
This Policy applies to the websites, web applications, and APIs of SourceHire, including the marketing site, the public job board at /jobs, the apply flow, the candidate self-service surface at /apply/me, and the operator console at /admin. It does not apply to any third-party site or service we link to, which has its own privacy policy.
4. Controller / Processor Roles
For Personal Data of website visitors, prospective candidates, and unauthenticated users browsing the public surfaces, Source Unlimited acts as the data controller.
For Personal Data submitted by a Candidate as part of an application to a Customer's job, SourceHire acts as a processor on behalf of that Customer, who is the data controller for the processing of that application. For Personal Data submitted by a Candidate to the network for discoverability rather than a specific job, SourceHire acts as the data controller.
Customers and SourceHire are bound by the Data Processing Addendum which governs the controller-processor relationship.
5. What We Collect
5.1 What you submit at apply time
- Identity: name, email, optional phone, optional preferred name, optional pronouns.
- Documents: resume (required), cover letter (optional). Uploaded files are stored with a SHA-256 content hash for integrity verification.
- Declared logistics: work authorization, salary expectations, relocation preference, work-arrangement preference.
- Declared catalogs: products you regularly use, products you are learning.
- Voice of candidate: first-person free-text answers to the prompts shown on the apply form.
- Consent grants: the boolean state of each of the six consent options (Section 9), captured per Section 9.2.
- EEO self-identification (optional, separated): if you complete the post-apply EEO survey, your responses to demographic questions defined by applicable equal-employment law. Stored in an isolated table; never joins the talent-search or operator-export query path.
5.2 What we derive from your documents
Where you grant ai_extraction consent: a structured profile derived from your resume by AI extraction, including current role and employer, total years of experience, location, seniority, highest degree, and a list of extracted skills. Each field carries a source attribution (declared vs extracted) and a confidence value where available.
5.3 Operational metadata
- IP address and user agent at the time of any consent grant or revocation, recorded in the Consent Ledger for legal demonstrability.
- IP address, user agent, and timestamp of operator actions (review, unmask, export), recorded in the Audit Log.
- Authentication tokens (magic-link tokens for /apply/me; session cookies for operator authentication).
- Minimal request logs for security, abuse prevention, and debugging.
5.4 What we do not collect
- We do not collect biometric data. We do not run video-interview biometric analysis.
- We do not collect financial or credit data. We do not run consumer-reporting-agency background checks.
- We do not request gender identity, race, ethnicity, religion, sexual orientation, disability, or veteran status as part of the apply form. The optional EEO survey is the only place such attributes are collected, and they remain isolated from every other surface.
- We do not embed cross-context behavioral advertising trackers, third-party AdTech pixels, lookalike-modeling SDKs, or identity-resolution beacons.
6. How We Collect It
Almost all Personal Data we hold about you was submitted by you directly through the apply form or through your authenticated /apply/me session. Operational metadata (IP, user agent, timestamps) is observed automatically when you interact with the Services. We do not purchase or otherwise acquire candidate Personal Data from third-party data brokers.
7. Why We Process It
- To provide the candidate apply flow and the resulting record.
- To process your documents into a structured profile for hiring review (subject to your ai_extraction consent).
- To make you discoverable in the network-wide talent search (subject to your discoverability consent).
- To allow recruiters of jobs you applied to to evaluate your application.
- To operate the consent ledger, the audit log, and the demonstrability artifacts that allow us to prove lawful processing.
- To respond to your data-rights requests (access, correction, erasure, portability, restriction, objection).
- To send platform-related communications you have opted into (subject to your marketing consent).
- To enforce our Terms of Service and Acceptable Use Policy, and to comply with our legal obligations.
8. Legal Bases (GDPR)
Where GDPR applies, we rely on the following legal bases:
- Consent (Article 6(1)(a)) — for ai_extraction, discoverability, sensitive_accommodations, marketing, and professional_enrichment. Withdrawable at any time.
- Contract (Article 6(1)(b)) — for the core_processing consent, which is required to perform the apply transaction you initiated.
- Legal obligation (Article 6(1)(c)) — for retention and disclosure obligations imposed on us by applicable law.
- Legitimate interests (Article 6(1)(f)) — for security, abuse prevention, audit logging, and the operational integrity of the Services. Where we rely on this basis, we have balanced our interests against your fundamental rights and freedoms; you may object as described in Section 16.
For Special Category Data (Article 9) — limited to optional accommodations and EEO survey responses — we rely on your explicit consent (Article 9(2)(a)).
9. Consent Options
9.1 The six consents
You are presented with six discrete consent options at apply time. Each is independent. The minimum required to apply is core_processing; without it we cannot process your application. The other five are genuinely optional and are individually revocable.
- core_processing — store your documents, generate a structured profile, retain for hiring review.
- ai_extraction — process documents with AI (Anthropic Claude). When declined, only declared fields are surfaced.
- discoverability — appear in the network-wide talent search.
- sensitive_accommodations — capture and surface accommodation needs.
- marketing — receive SourceHire platform emails about new opportunities. Does not authorize Recruiter outreach outside applied jobs, and does not authorize sharing your data with third parties.
- professional_enrichment — enrich your profile with supplementary professional context inside the platform. Does not authorize sharing enriched data outside the platform.
9.2 The Consent Ledger
Each grant or revocation creates a row in your Consent Ledger. Each row contains: timestamp (ISO 8601 UTC), consent option, the granted boolean, your IP address, your user agent, the policy version then in effect, the verbatim text shown to you at grant time, and a SHA-256 hash chained to the previous row's hash. This makes the ledger tamper-evident: any mutation, deletion, or reordering is detectable by chain verification.
9.3 Revoking consent
You may revoke any consent at any time via your authenticated /apply/me session or by emailing privacy@sourceunlimited.co. Revocation is effective on receipt for new processing. Revoking core_processing initiates erasure of your record.
11. What We Will Not Do
- We will not sell your Personal Data within the meaning of CCPA Cal. Civ. Code § 1798.140(ad) or equivalent terms in any other jurisdiction.
- We will not share your Personal Data for cross-context behavioral advertising within the meaning of CCPA Cal. Civ. Code § 1798.140(ah).
- We will not include your Personal Data in any bulk data product, data feed, licensed dataset, or marketplace listing for the consumption of third parties.
- We will not provide your Personal Data to any third party for the training, fine-tuning, evaluation, benchmarking, or improvement of any AI or machine-learning model.
- We will not transmit your Personal Data to authenticated external partner systems on a schedule, via webhook, or via a partner-facing API.
- We will not include protected-class attributes (gender identity, race, ethnicity, veteran status, age, disability) in any Operator export, regardless of any consent flag.
- We will not use the existence of any one consent as standing authorization for any operation that consent does not specifically describe.
12. Subprocessors
We use a small set of subprocessors to provide the Services. Each subprocessor is bound by data protection terms at least as protective as this Policy. We update this list when we add or remove a subprocessor; material changes are notified per Section 21.
- Vercel Inc. — application hosting and edge delivery. United States.
- Neon Inc. — managed Postgres database. United States (with EU/UK regions available on request).
- Vercel Blob (storage) — file storage for uploaded resumes and cover letters. United States.
- Anthropic, PBC — AI extraction (Anthropic Claude). Subject to your ai_extraction consent. Anthropic processes your data only to provide the inference service for us; under our agreement with Anthropic and Anthropic's commercial terms, your data is not used to train Anthropic's models.
- Inngest Inc. — background job orchestration. United States.
- Resend, Inc. — transactional email delivery (magic links, notifications). United States.
- GitHub, Inc. — source-code hosting. Does not process Candidate Personal Data; listed for completeness as part of our development infrastructure.
13. International Transfers
SourceHire is incorporated in the United States and our primary processing infrastructure is located in the United States. If you are located in the European Economic Area, the United Kingdom, or Switzerland, your Personal Data is transferred to the United States subject to appropriate safeguards, specifically the Standard Contractual Clauses adopted by the European Commission (Decision (EU) 2021/914) as supplemented by the UK International Data Transfer Addendum and the Swiss FADP adaptations, together with a Transfer Impact Assessment.
14. Retention
- Active candidate records and uploaded files: for as long as your record is active in the Services, plus a reasonable wind-down period not exceeding 180 days after revocation of core_processing consent or successful erasure request, whichever is earlier.
- Consent Ledger rows: retained as required for legal demonstrability under GDPR Article 7(1) and equivalent statutes, with tombstones replacing erased payload after the candidate record is erased.
- Audit Log entries: retained for a minimum of 24 months for security and compliance review.
- Backups: rolling daily backups retained for 30 days. Backup erasure is performed by aging-out rather than direct redaction of historical snapshots; we do not restore from backups in a way that resurrects an erased record.
15. Security
We implement administrative, technical, and physical safeguards designed to protect Personal Data against unauthorized access, loss, alteration, and destruction. Specific measures include encryption in transit (TLS 1.2+); encryption at rest; scoped role-based access control with the strict role hierarchy viewer < recruiter < reviewer < admin; PII masking by default in reviewer surfaces with audit-logged unmask; per-row consent re-checks at every export; hash-chained consent ledgers; append-only audit logging; secret rotation; least-privilege subprocessor configurations; and regular review of the security posture of every component.
In the event of a Personal Data breach affecting your data, we will notify you and, where required, the relevant supervisory authority, within the timeframes specified by applicable law (within 72 hours under GDPR Article 33; without unreasonable delay under U.S. state breach-notification statutes).
16. Your Rights
Subject to applicable law and any statutory exceptions, you have the right to:
- Access the Personal Data we hold about you and receive a copy.
- Correct inaccurate Personal Data.
- Erase your Personal Data (right to be forgotten).
- Restrict certain processing.
- Object to processing based on legitimate interests or for direct marketing.
- Port your data to another service in a structured, commonly used, machine-readable format.
- Withdraw consent at any time, with the same ease as it was given.
- Lodge a complaint with a supervisory authority in your jurisdiction.
- Not be subject to solely automated decisions with legal or similarly significant effects (GDPR Article 22). We do not make automated employment decisions on behalf of Customers; hiring decisions are made by human Operators after review.
The most direct path to access is the self-service surface at /apply/me using a magic link sent to your email on file. The DSAR JSON download includes the full record, the complete Consent Ledger with chain hashes, and the audit-log entries that involve you as a subject. For all other rights, email privacy@sourceunlimited.co. We respond within statutory timeframes.
17. Children
The Services are not directed to children under 16. We do not knowingly collect Personal Data from children under 16 without the verifiable consent of a parent or legal guardian, where such consent is required by applicable law. If we learn we have collected Personal Data from a child under 16 in violation of this Policy, we will delete it.
18. California Residents
If you are a California resident, you have specific rights under the CCPA as amended by the CPRA. We do not “sell” or “share” (as those terms are defined in CCPA Cal. Civ. Code § 1798.140) your Personal Information. We honor Global Privacy Control signals as a request to opt out of any future sale or share, even though we don't engage in those activities.
Categories of Personal Information we collect (per CCPA Cal. Civ. Code § 1798.140(v)): identifiers; characteristics of protected classifications (only via the optional EEO survey); commercial information (limited to the application transaction); internet and other electronic network activity (limited operational metadata); professional and employment-related information; education information; and inferences (only structured-profile extraction with your ai_extraction consent).
You have the right to know, the right to delete, the right to correct, the right to limit use of sensitive Personal Information, the right to non-retaliation for exercising any right, and the right to designate an authorized agent. Submit requests to privacy@sourceunlimited.co.
19. European Residents
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described in Section 16 under GDPR, UK GDPR, and the Swiss Federal Act on Data Protection respectively. The legal bases on which we rely are described in Section 8.
Our representative for purposes of GDPR Article 27, where one is required, is [EU REPRESENTATIVE TO BE NAMED]. You may also lodge a complaint with the supervisory authority in your member state of residence, place of work, or place of the alleged infringement.
20. Other Jurisdictions
We honor data protection rights granted under the laws of other jurisdictions where applicable, including but not limited to: Canada (PIPEDA, Quebec Law 25); Brazil (LGPD); Australia (Privacy Act 1988); New Zealand (Privacy Act 2020); Japan (APPI); Korea (PIPA); India (DPDPA 2023); Singapore (PDPA); UAE (DIFC, ADGM, and federal PDPL); and South Africa (POPIA). Where the applicable law provides rights more protective than those described above, the more protective regime applies.
21. Changes
We may update this Policy from time to time. The version and effective date appear at the top of this page. Where the change is material, we will notify Customers by email and Candidates by a banner on the public site at least thirty (30) days before the change takes effect. Previous versions are preserved and available on request.
22. Contact
[ENTITY NAME] d/b/a SourceHire
[BUSINESS ADDRESS]
Privacy: privacy@sourceunlimited.co
Data Protection Officer (where applicable): dpo@sourceunlimited.co