Demo
← Back to home

Privacy Notice for Candidates

Last updated: 21 June 2026

You are receiving or have received a message from us (for example through our assistant Emily) about a professional opportunity. This notice explains what data we process about you, where it comes from, why, and what your rights are. It is provided under Article 14 of the GDPR (Regulation (EU) 2016/679), which applies when personal data is not collected directly from the data subject.

1. Data controller

TRUECALLING AI, Corporation (Florida, United States), 5504 North Park Rd, Fort Lauderdale, FL 33312, United States. EIN: 39-4384470. Contact: contact@truecalling.ai.

Representative in the European Union (Art. 27 GDPR): designation in progress. In the meantime, you may exercise all your rights directly with TRUECALLING AI at the address above.

Our role: for the sourcing and talent-pool operations described here, TRUECALLING AI acts as the data controller. When we process an application on behalf of a client company, that company is the data controller and TRUECALLING AI acts as a processor.

2. Where your data comes from (source — Art. 14.2.f)

We did not collect your data directly from you. It comes from:

  • Publicly accessible professional sources (for example public professional profiles).
  • Providers specialising in professional data enrichment (data providers), with whom we have entered into a processing agreement governing such processing.

You may ask us at any time to tell you the precise source of the data concerning you, by writing to contact@truecalling.ai.

3. Categories of data processed

  • Identity: surname, first name.
  • Professional contact details: email, phone, professional profile identifier / URL.
  • Career data: job title, employer, work experience, education, skills, location.
  • Where applicable, profile photo and information contained in a CV that you send us.
  • Data generated by our analysis: compatibility score for a position, summary, matching points (see section 6).

We do not seek to collect sensitive data within the meaning of Article 9 GDPR (health, origin, opinions, etc.). If a CV that you send us contains any, we invite you to provide only the information relevant to the professional assessment.

4. Purposes

  • Identify profiles that may be relevant for professional opportunities (sourcing).
  • Assess the fit between your profile and a position, and inform you of it.
  • Put you in touch, at your request, with a recruiter or a client company.

5. Legal basis

Legitimate interest (Article 6.1.f GDPR): offering relevant professional opportunities. We have carried out a balancing test between this interest and your rights and freedoms. You may object to this processing at any time (see section 9); we will then stop processing your data for this purpose.

6. Automated analysis and profiling (Art. 14.2.g / Art. 22)

Your profile is subject to automated analysis: reading/structuring of your CV and calculation, by our AI assistant Emily, of a compatibility score for a position.

  • This score is a decision-support tool intended for recruiters. It does not constitute a decision producing legal effects or significantly affecting you taken solely by automated means.
  • Human intervention takes place before any selection or rejection decision.
  • In accordance with Article 22.3 GDPR, you have the right to obtain human intervention, to express your point of view and to contest an assessment, by writing to contact@truecalling.ai.

If you indicate by message that you are not interested, your follow-up status is updated automatically. This update is reversible: a recruiter can reactivate you and you can get back to us at any time.

7. Recipients and transfers outside the EU

Recipients: our authorized teams, recruiters from client companies involved in an opportunity, and our technical sub-processors (hosting, AI, messaging, contact enrichment, observability) acting on instructions and bound by a data-processing agreement (DPA).

Some sub-processors are established outside the European Union — mainly in the United States. The list below indicates the transfer mechanism applied to each recipient (Art. 46 GDPR). The up-to-date list of Data Privacy Framework certifications is available at dataprivacyframework.gov/list.

**EU sub-processors (no transfer outside the EU)**:

— Mistral AI (France) — LLM services (secondary scoring).

— France Travail / ROMEO (France) — job-title and skill reference.

— OCR.space — a9t9 software GmbH (Germany) — text extraction on incoming CVs.

— PDFMonkey (France) — PDF profile generation.

— Jooble — job-title aggregation (no candidate data sent).

**Non-EU sub-processors covered by the EU-U.S. Data Privacy Framework** (adequacy decision 2023/1795):

— Vercel, Inc. — front-end and edge function hosting.

— Cloudflare, Inc. — CDN, anti-bot protection (Turnstile).

— Google LLC — OAuth Calendar/Sheets.

— Microsoft Corporation — Azure (EU region pinned for psychometric services).

— Salesforce, Inc. (covering Slack Technologies, LLC) — internal alerting tools.

— Deel, Inc. — HRIS integration for client connection.

— Apollo.io, Inc. — professional profile enrichment.

— Postmark / ActiveCampaign — transactional emails (recruiter side).

**Non-EU sub-processors covered by Standard Contractual Clauses 2021 (Module 2) and subject to a Transfer Impact Assessment (TIA)**:

— Supabase, Inc. (United States) — database and file storage (hosted on Amazon Web Services, Inc., us-east-2 region). Onward sub-processor: Amazon Web Services, Inc.

— OpenAI, L.L.C. (United States) — LLM services for CV scoring, analysis and message generation. `no-training` option enabled.

— Anthropic PBC (United States) — LLM services (secondary model).

— Twilio Inc. (United States) — WhatsApp and SMS messaging (Emily assistant). HR-side complemented by SCCs (Twilio DPF does not cover HR Data).

— Twilio SendGrid (United States) — transactional emails.

— People Data Labs, Inc. (United States) — profile enrichment.

— FullEnrich Corp (United States) — email and phone enrichment.

— SerpAPI (United States) — title search on Google Jobs.

— QuickChart.io (United States) — chart image generation (aggregated scores).

— Functional Software, Inc. / Sentry (United States) — observability (traces may include candidate PII, HR coverage via SCC).

For each non-EU transfer not covered by the DPF, we will provide the list of signed Standard Contractual Clauses and a summary of the TIA on request to dpo@truecalling.ai.

8. Retention periods

  • Sourced profile with no interaction on your part: 1 year maximum, then deletion or anonymisation.
  • Profile with which an exchange has begun (application): 2 years from our last contact, in accordance with the period recommended by the CNIL for recruitment, unless you object.

9. Your rights

In accordance with Articles 15 to 22 of the GDPR, you have the following rights at any time:

  • Right to object (Art. 21): object at any time to the processing of your data for sourcing purposes.
  • Right of access (Art. 15): obtain a copy of the data concerning you and find out its source.
  • Right to rectification (Art. 16).
  • Right to erasure (Art. 17).
  • Right to restriction (Art. 18) and to portability (Art. 20).

How to exercise your rights or object? The easiest way: reply STOP to the message you received, or write to contact@truecalling.ai. We respond within one month (Article 12.3 GDPR).

Complaint to the CNIL: you may at any time lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — https://www.cnil.fr

10. Security

  • HTTPS / TLS encryption of communications.
  • Strict access control and authorisations.
  • Subprocessors selected and bound by a processing agreement.

11. Changes to this notice

We may amend this notice to reflect a change in our processing activities. The date at the top of the page indicates the last update.