GDPR Rights & Compliance
SpeakSights is committed to GDPR compliance. This page explains your rights and responsibilities depending on your role in our platform — whether you are an organisation (Data Controller) or a candidate (Data Subject).
Effective Date: February 22, 2026 · Contact: privacy@speaksights.com
For Organisations (Hiring Teams)
You are the Data Controller under GDPR. You decide why and how candidate data is processed.
For Candidates (Assessment Takers)
You are the Data Subject under GDPR. Your voice data is collected by the hiring organisation and processed by SpeakSights.
For Organisations — Data Controllers
When your organisation uses SpeakSights to screen candidates, you are the Data Controller under GDPR. SpeakSights acts as your Data Processor. This means you bear primary GDPR responsibility for how candidate data is collected and used.
Your Responsibilities as a Data Controller
Establish a Lawful Basis
You must have a valid legal basis for processing candidate data — typically legitimate interest for hiring purposes or, for EU candidates, explicit consent. You are responsible for documenting this basis.
Inform Candidates
You must inform candidates that their voice data will be recorded and processed by AI before they begin an assessment. SpeakSights provides an in-assessment consent screen; you should also include this in your job listing or invitation email.
No Special Category Data
Do not instruct candidates to discuss their health, ethnicity, religion, political views, or other special category data (GDPR Art. 9) in their responses. SpeakSights assesses communication skills only.
Handle Data Subject Requests
When candidates contact your organisation exercising GDPR rights (access, erasure, portability), you must act on them. SpeakSights will delete candidate data from our systems within 30 days of your written request.
Review Automated Analysis Responsibly
AI-generated scores must not be the sole basis for employment decisions. A human reviewer (your hiring team) must assess each candidate. SpeakSights scores are advisory, not determinative.
Your Rights as a SpeakSights Customer
As our customer and the Data Controller, you have the following rights regarding your organisation's data and your use of our platform:
Data Access
Request a full export of all candidate data your organisation has collected via SpeakSights.
Data Erasure
Request deletion of all candidate data for a specific role or your entire organisation within 30 days.
Data Portability
Export candidate assessment data (scores, transcripts) in JSON or CSV format from the dashboard.
DPA Access
Review your Data Processing Agreement with SpeakSights at any time. See our DPA for full terms.
Audit Rights
Request a compliance report or evidence of our security controls. We respond within 5 business days.
Breach Notification
We will notify you within 72 hours of discovering any breach involving your organisation's data.
How to Submit a Data Subject Request on Behalf of Candidates
If a candidate contacts you exercising their GDPR rights (e.g., requesting deletion of their assessment data), submit a request to SpeakSights and we will action it within 30 days:
Verify the candidate's identity
Confirm the request is from the actual candidate (name, email, role they applied to).
Email privacy@speaksights.com
Subject: "Data Subject Request — [Org Name]". Include: candidate email, request type (access/deletion/portability), and your org admin email.
Receive confirmation within 48 hours
We will acknowledge receipt and provide an expected completion date (within 30 days per GDPR Art. 12).
Inform the candidate
Once SpeakSights confirms the action, relay the outcome to the candidate. You remain responsible for your own copies of their data (e.g., emails, internal notes).
Organisation Contact
For GDPR queries, DPA matters, or data subject requests: privacy@speaksights.com. Response within 48 hours on business days.
For Candidates — Data Subjects
If you completed or were invited to complete a voice assessment via SpeakSights, this section explains what data was collected, why, and what rights you have under GDPR and applicable privacy laws.
What Data Was Collected About You
Your name and email
Provided by the hiring organisation when they invited you
Audio recordings
Your spoken responses to assessment questions (typically 60–120 seconds per question)
Voice transcripts
Automated text transcriptions of your audio responses
AI analysis scores
Communication metrics: pronunciation, pace, clarity, vocabulary, confidence, relevance
Assessment metadata
Timestamps, completion status, assessment token (no tracking beyond this)
Consent record
A timestamped record that you agreed to the data notice before starting
Your GDPR Rights
Under GDPR (and equivalent laws like India's DPDPA), you have the following rights regarding your assessment data:
Right of Access (Art. 15)
Request a copy of all data held about you including your audio recordings, transcripts, and AI scores.
Right to Erasure / "Right to be Forgotten" (Art. 17)
Request deletion of your assessment data. Audio is automatically deleted after 30 days by default; transcripts after 90 days by default. You can request earlier deletion at any time.
Right to Rectification (Art. 16)
Request correction of inaccurate personal data (such as your name or email if incorrectly entered by the organisation).
Right to Data Portability (Art. 20)
Request your data in a machine-readable format. We can provide your transcript and scores as a JSON file.
Right to Object (Art. 21)
Object to processing of your data if you believe the organisation did not have a lawful basis. This should be directed to the hiring organisation first.
Rights Related to Automated Decision-Making (Art. 22)
AI scores are not the sole basis for hiring decisions — a human reviewer (the hiring team) always reviews results. You have the right to request human review of any automated output.
How the AI Assessment Works (No Black Box)
SpeakSights does not make hiring decisions. Here is what happens to your voice data:
Your audio is sent to AssemblyAI for speech-to-text transcription. AssemblyAI is SOC 2 Type II certified and does not retain your audio after processing.
The transcript is sent to OpenAI for vocabulary and relevance analysis. OpenAI retains API inputs and outputs for up to 30 days for safety monitoring only, after which they are automatically deleted. OpenAI does not use API data to train its models.
Azure Cognitive Services analyses pronunciation, pace, and clarity patterns from the audio signal.
Scores are aggregated into a dashboard for the hiring organisation's review. No automated rejection — all scoring output is reviewed by a human.
Audio recordings are deleted automatically after 30 days by default (the hiring organisation may configure 30–365 days). Transcripts and analysis data are cleared after 90 days by default (org-configurable). Assessment scores (numbers only) are kept indefinitely for pipeline use.
Data Retention — How Long We Keep Your Data
| Data Type | Retention Period | Who Deletes |
|---|---|---|
| Audio recordings (Azure Blob) | 30 days by default — org can set 30–365 days | Automated cleanup (daily cron) |
| Voice transcripts | 90 days by default — org can set 30–365 days | Automated cleanup (daily cron) |
| AI analysis data (patterns, excerpts) | 90 days by default — org can set 30–365 days | Automated cleanup (daily cron) |
| Assessment scores (overall + dimensions) | Indefinitely — never auto-deleted | Org admin or account closure only |
| Name and email | Until org deletes candidate or account | Org admin or account closure |
| Consent record (timestamp) | Same as assessment record | Org admin or account closure |
How to Exercise Your Rights — Step by Step
Contact the organisation first
The organisation that invited you (the hiring company) is the Data Controller. Contact their HR or recruitment team. They are responsible for responding to your GDPR request within 1 month.
If the org doesn't respond within 30 days
Email privacy@speaksights.com with: your name, the email address used for the assessment, the organisation name, and your request type (access/deletion/portability). We will assist.
Escalate to your Data Protection Authority
If neither the organisation nor SpeakSights resolves your concern, you have the right to lodge a complaint with your national Data Protection Authority (e.g., ICO in the UK, DPC in Ireland, or EDPB for cross-border matters).
Candidate Privacy Contact
If you have questions about your data or need to exercise a right and the hiring org hasn't responded: privacy@speaksights.com
We aim to respond within 48 hours and resolve within 30 days.
Governing Law & Regulatory Compliance
SpeakSights operates under Indian law (Information Technology Act 2000, DPDPA 2023). For EU/EEA users, the General Data Protection Regulation (GDPR) applies to all processing of EU personal data, regardless of where SpeakSights is established.
International transfers from the EU to SpeakSights' infrastructure (Vercel, Azure, Neon, Google Analytics — primarily US-based) are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission under GDPR Art. 46. Google Analytics 4 is used solely on public marketing pages (landing, login, signup) and collects no candidate data or personal identifiers from authenticated users.
UK-based candidates and organisations are covered by UK GDPR (as retained in UK law post-Brexit) and the Data Protection Act 2018.
Last updated: February 22, 2026 · GDPR Rights — SpeakSights AI · Version 1.0
Questions? privacy@speaksights.com