Privacy Policy

For organizations and their candidates using the SpeakSights hiring assessment platform.

Last Updated: February 22, 2026 | Applies to: Organizations & Candidates

Data Processor Role
We process on your behalf, you control the data
Auto Audio Deletion
Audio deleted after 30 days by default (org-configurable)
Per-Org Isolation
Your data is completely separated from other orgs

Who This Policy Covers

Organizations (Clients)

HR teams, hiring managers, and recruiters using the SpeakSights dashboard. You are the Data Controller for candidate data you process through our platform.

Candidates

Job applicants invited by organizations to complete voice assessments. You are a Data Subject. The organization that invited you is your primary data controller.

Part A: Candidate Data

SpeakSights as Data Processor — we process this data on behalf of the hiring organization

A1. What Candidate Data We Process

  • Identity: Name, email address, phone number (if provided by the organization when inviting the candidate)
  • Voice Recordings: Audio files captured during assessment questions. Stored securely in org-isolated Azure Blob Storage.
  • Transcriptions: Text converted from candidate audio by AssemblyAI's speech recognition API.
  • Assessment Scores: AI-generated scores across communication dimensions (clarity, vocabulary, pace, grammar, confidence, etc.) plus an overall score and shortlisting recommendation.
  • Optional Media: Profile photo or video recording at assessment start, if enabled by the organization.
  • Consent Record: Timestamp and version number of the candidate's explicit consent given before starting the assessment.

A2. How We Use Candidate Data

  • Transcribing audio responses using AssemblyAI
  • Scoring communication skills using OpenAI GPT-4o analysis
  • Generating hiring recommendations for recruiter review
  • Displaying structured results in the organization's dashboard

We never use candidate data for AI model training, marketing, or any purpose beyond providing the assessment service to the hiring organization.

A3. Candidate Data Retention Policy

Audio recordings

Retention: 30 days (default). Automatically deleted from Azure Blob Storage. Organisation can configure 30–365 days via dashboard settings.

Transcriptions & AI analysis

Retention: 90 days (default). Cleared from database records. Contains verbatim speech — GDPR personal data. Organisation can configure 30–365 days.

Assessment scores & recommendations

Retention: Indefinitely. Numeric scores only — no speech content. Kept forever for pipeline analytics. Not configurable. Deleted only on account closure.

Candidate PII (name, email, phone)

Retention: While org account is active. Deleted when organization account closes.

Consent record

Retention: While org account is active. Legal record of candidate consent.

A4. Candidate Rights (Data Subjects)

Candidates have rights under GDPR and equivalent laws. Because the organization is the Data Controller, the process is:

1. Contact the organization that invited you — they are the primary controller of your data.

2. If the organization doesn't respond within 30 days, or you cannot reach them, contact SpeakSights directly at privacy@speaksights.com.

3. SpeakSights will process your request (access, erasure, portability, correction) within 48 hours of receiving it.

Part B: Organization Account Data

SpeakSights as Data Controller — we collect this data to operate your account

B1. What Org Data We Collect

Account details

Organization name, industry, company size, billing email

Team member data

Name, email address, password hash (bcrypt), role, last login timestamp

Usage data

Number of assessments run, team members added, login count — for trial conversion analysis

Billing data

Plan type, subscription dates — payment card details handled by our payment processor, never stored by us

B2. How We Use Org Data

  • Authenticating team members and maintaining session security
  • Managing trial status and plan billing
  • Sending transactional emails (invite confirmations, weekly summaries, billing notices)
  • Providing customer support

B3. Org Data Retention

Active account data

Retained while your organization account is active

Post-cancellation

Org user accounts deleted 90 days after account closure. You may request export before deletion.

B4. Org Admin Rights

Organization admins can exercise GDPR rights directly:

Access

Request all data we hold about your org

Erasure

Request deletion of your org account and all data

Portability

Export your assessment data in JSON or CSV

Correction

Update any inaccurate account information

Contact: privacy@speaksights.com — Response within 48 hours

Data Sharing & Sub-processors

We never sell candidate or organization data. Ever.

We share data only with the sub-processors necessary to deliver the assessment service:

AssemblyAI

Audio transcription

Data shared: Candidate audio files (deleted after transcription)

OpenAI

Communication analysis

Data shared: Text transcripts only — no audio. API data retained up to 30 days for safety monitoring, then automatically deleted. API data is never used to train OpenAI models.

Microsoft Azure

Cloud infrastructure, audio storage, pronunciation scoring

Data shared: Audio files in org-isolated containers (org-{orgId}/ prefix)

Neon PostgreSQL

Database

Data shared: Assessment scores, candidate names/emails, org data

ZeptoMail

Transactional email

Data shared: Candidate email, name, invite links — no marketing

Full sub-processor details, compliance certifications, and transfer mechanisms: See DPA Section 5.

Security Measures

TLS 1.3 Encryption

All data in transit — HTTPS only, strong cipher suites

AES-256 At Rest

Database records and Azure Blob Storage encrypted at rest

Org Data Isolation

All audio blobs prefixed org-{orgId}/ — zero cross-org data access

JWT Authentication

Secure session tokens with bcrypt password hashing

SAS Token Access

2-hour expiry tokens for AI service access to audio — no permanent public URLs

Security Monitoring

24/7 infrastructure monitoring, rate limiting, anomaly detection

In case of a data breach affecting your organization, we will notify you within 72 hours per GDPR Article 33 requirements.

Cookies & Analytics

Analytics only on public pages

We use Google Analytics 4 (GA4) exclusively on public-facing pages (landing page, login, signup). It is never active inside the authenticated dashboard or on any candidate assessment pages.

What GA4 collects

  • Pages visited and session duration
  • Geographic region (country / city)
  • Device type and browser
  • Referral source (how you found us)

What GA4 does NOT collect

  • Names, emails, or any personal identifiers
  • Candidate data or assessment results
  • Dashboard activity or internal actions
  • Payment or billing information

Consent required: Analytics only activate after an org team member clicks "Accept" on the cookie consent banner shown on public pages. Consent is stored in browser local storage and can be withdrawn at any time by clearing local storage or using Google's Analytics Opt-out Add-on.

Third-party processor: GA4 data is processed by Google LLC (USA) under Standard Contractual Clauses. Google's use of this data is governed by their Privacy Policy. We do not share any candidate or organisation account data with Google.

Questions About Privacy?

Privacy Team (Orgs & Candidates)

privacy@speaksights.com

48-hour response guaranteed

We may update this policy with 30 days' notice for material changes. Continued use after the effective date constitutes acceptance.