HireFlow
Privacy statement
Information for agencies and candidates about how HireFlow operates.
Who we are
HireFlow is recruitment software operated by Appollo Lab. We provide hosted infrastructure for agencies to manage vacancies, applications, CV intake, and recruiter workflows.
Controller and processor roles
For recruitment activity, the agency using HireFlow typically acts as the data controller: it decides purposes such as assessing applications and contacting candidates, and it must establish a lawful basis and provide appropriate privacy information to candidates.
Appollo Lab acts as a processor or infrastructure provider for platform operation—hosting, authentication, security controls, feature delivery, and configured integrations (including optional AI parsing). Exact contractual roles will be set out in counsel-approved terms and any data processing agreement.
Categories of data
- Candidate identity and contact details (name, email, phone)
- Application and profile information (motivation, skills, eligibility flags)
- CV and supporting files uploaded by candidates or received by email
- Inbound email content and attachment metadata
- Recruiter notes, communications, interview records, and workflow status
- Account and usage data for agency users and staff
Inbound email and attachments
Agencies may configure email intake so applications arrive via inbound messages. The platform stores message metadata, body text, and attachments within the agency’s tenant space. Attachments are not published publicly; downloads require authenticated agency access.
AI-assisted parsing (assistive only)
When enabled, offline processing may extract text from CV files and send a bounded portion to an AI provider (currently OpenAI via API) to suggest structured fields. Suggestions are shown to recruiters for human review.
The platform does not automatically merge AI output into candidate records without recruiter action. HireFlow does not autonomously hire, reject, or rank candidates for final decisions.
Parsed fields may be wrong or incomplete. Agencies and recruiters must verify information before relying on it.
Automated decision-making
HireFlow is not designed to make recruitment decisions about individuals without meaningful human involvement. AI features are drafting aids only. Agencies remain responsible for hiring outcomes and must not treat automated suggestions as sole grounds for rejection or selection.
Subprocessors
Depending on configuration, the service may use hosting providers, email delivery, Mailgun for inbound email handling, and OpenAI for optional AI parsing. A formal subprocessor list and contractual terms will be published after legal review.
International transfers
Infrastructure and subprocessors may process data in or from countries outside the candidate’s country of residence. Where required, appropriate safeguards (such as standard contractual clauses) will be described in the final privacy statement and commercial agreements—not in this draft.
Tenant isolation and security
Recruiter access is scoped to the signed-in agency. Standard product interfaces do not expose one agency’s candidate workspace to another agency.
We apply reasonable technical and organisational measures appropriate for a B2B SaaS product (access control, secure sessions, private file handling). No system is perfectly secure; agencies must also protect their accounts and exported data.
Retention and deletion
Data is retained while accounts are active and while agencies use related records for recruitment. Specific retention periods, erasure workflows, and backup handling will be defined in the final privacy statement and agency procedures. Product capabilities for retention and erasure are being extended—do not assume automatic deletion today.
Your rights and contact
If you are a candidate, contact the recruitment agency handling your application first—they control the recruitment relationship. For platform-related questions only, use the contact page. Formal data subject request processes will be described in the final policy.