This Privacy Policy explains how Hirex HR, Inc. ("Hirex", "we", "us") collects, uses, shares, and protects personal data in connection with our websites (gethirex.com, including all subdomains other than tenant-specific application instances) and our applicant tracking and recruiting platform available at app.gethirex.com (together, the "Services").
1. Scope of this Policy
This Policy applies to:
- Visitors to our marketing website (gethirex.com)
- Customers that subscribe to and use the Hirex platform
- End users authorised by a Customer to use the Hirex platform (recruiters, hiring managers, admins)
- Prospects and contacts that interact with us via demos, forms, sales conversations, or events
This Policy does not apply to candidate data inside Customer tenants. When you apply for a job through a careers page powered by Hirex, the company you're applying to (the Hirex Customer) is the data controller for your application data. Hirex acts only as a data processor on that Customer's behalf and only on their documented instructions. Direct questions about candidate data to the company you applied to. The terms governing that relationship are set out in Hirex's Data Processing Addendum at gethirex.com/trust/dpa.
2. Data controller and contact
The data controller responsible for personal data covered by this Policy is:
Hirex HR, Inc., 8 The Green STE D, Dover, Delaware 19901, USA, [email protected]
Data Protection Officer: Burak Yılmaz, [email protected]
Article 27 EU Representative: Hirex is in the process of appointing an EU Representative under Article 27 of the GDPR. In the meantime, EU data subjects may contact our Data Protection Officer at [email protected] for all matters that an EU Representative would otherwise handle.
For UK enquiries, you may also contact us using the details above.
3. Personal data we collect
We collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Identity & contact | Name, email, phone, company, job title, postal address | You provide it (forms, signup, demo requests) |
| Account data | Username, hashed password credentials, account preferences, authentication tokens | You provide it; generated when you create an account |
| Billing data | Billing contact, payment method (handled by Stripe; we do not store full card numbers), VAT number, invoices | You provide it |
| Usage data | Pages visited, features used, clicks, session timestamps, referring URL | Automatically collected when you use the Services |
| Device & technical data | IP address, browser type, device type, operating system, language, time zone | Automatically collected |
| Marketing & preferences | Communication preferences, event registrations, marketing engagement (opens, clicks) | You provide it; collected via our email and analytics tools |
| Communications | Email correspondence, support chat messages, recordings of sales calls (where you have consented) | When you contact us |
| Public sources | Professional contact information from sources such as LinkedIn or business contact enrichment vendors | Third-party data sources |
We do not collect special categories of personal data (such as health, religion, ethnicity) about visitors or Customer personnel. If we receive such data inadvertently, we delete it without further processing.
4. Why we use personal data and our legal bases
We use personal data only for the purposes set out below, with the legal basis indicated.
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide and maintain the Services | Identity & contact, account, usage, technical | Contract performance (Art. 6(1)(b)) |
| Authenticate users and secure accounts | Account, technical | Contract performance + Legitimate interests in securing the Services (Art. 6(1)(b), 6(1)(f)) |
| Process payments and manage subscriptions | Identity & contact, billing | Contract performance (Art. 6(1)(b)) |
| Provide customer support | Identity & contact, communications, account | Contract performance (Art. 6(1)(b)) |
| Improve and develop the Services (product analytics, feature usage analysis, debugging) | Usage, technical | Legitimate interests in improving our product (Art. 6(1)(f)) |
| Send service announcements, security alerts, and other transactional communications | Identity & contact | Contract performance (Art. 6(1)(b)) |
| Send marketing emails, newsletters, and product updates | Identity & contact, marketing | Consent (Art. 6(1)(a)) for prospects; Legitimate interests for existing customers, subject to the right to opt out (Art. 6(1)(f)) |
| Sales outreach to professional business contacts | Identity & contact, public sources | Legitimate interests in marketing our B2B software (Art. 6(1)(f)) |
| Comply with legal obligations (tax records, accounting, responding to lawful requests) | Identity & contact, billing, communications | Legal obligation (Art. 6(1)(c)) |
| Establish, exercise, or defend legal claims | All categories as relevant | Legitimate interests in protecting our legal rights (Art. 6(1)(f)) |
| Detect and prevent fraud, abuse, and security incidents | Account, technical, usage | Legitimate interests in protecting the Services (Art. 6(1)(f)) |
Where we rely on legitimate interests, you have the right to object. See Section 8.
5. How we share personal data
We share personal data only as described below. We do not sell personal data, and we do not share personal data for cross-context behavioural advertising as defined under CCPA/CPRA.
- Sub-processors. We engage trusted third-party service providers to help operate the Services (hosting, email delivery, payments, AI processing, monitoring, analytics, support tooling). The full list, updated as it changes, is at gethirex.com/trust/sub-processors. Each sub-processor is bound by a written data processing agreement.
- Hirex Affiliates. We may share personal data with our corporate affiliates for the purposes described in this Policy, under terms providing equivalent protection.
- Professional advisors. Lawyers, accountants, auditors, and similar advisors, where necessary and under confidentiality obligations.
- Business transfers. In connection with a merger, acquisition, financing, or sale of assets, personal data may be transferred. We will notify you of any such change and any choices you may have.
- Compliance and protection. Where required by law, in response to lawful requests from authorities, or where necessary to protect our rights, safety, or property, or those of others.
- With your consent. Other disclosures with your explicit consent.
6. International data transfers
Hirex is established in the United States. Our production hosting is in the European Union (AWS, Ireland region). Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision (including the United States), we rely on the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914) and, where applicable, the UK Addendum issued by the UK Information Commissioner.
Where personal data is processed by AI providers (OpenAI, Anthropic, Google, Deepgram) located outside the EEA, the transfer is covered by the SCCs and supplementary safeguards documented in our Transfer Impact Assessments, available on request via [email protected].
7. How long we keep personal data
We keep personal data only for as long as needed for the purposes described in this Policy, then delete or anonymise it. Indicative retention periods:
| Data | Retention |
|---|---|
| Customer account data | Duration of subscription + 90 days after termination, unless longer retention is required by law |
| Billing and tax records | 7 years from the date of the relevant transaction (US tax law) |
| Marketing prospect data | Until you unsubscribe or 24 months without engagement, whichever is sooner |
| Support communications | 24 months from the date of the conversation |
| Server logs | 90 days |
| Cookies | As set out in our Cookie Policy at gethirex.com/trust/cookie-policy |
Backups containing personal data are purged within 45 days of deletion from production.
For Customer Personal Data (candidate data inside Customer tenants), retention is configured by the Customer in accordance with our Data Processing Addendum.
8. Your rights
Subject to applicable law, you have the following rights with respect to your personal data:
- Access: request a copy of the personal data we hold about you
- Rectification: ask us to correct inaccurate or incomplete data
- Erasure: ask us to delete your personal data (the "right to be forgotten"), subject to legal retention obligations
- Restriction: ask us to limit how we use your data
- Portability: receive your data in a portable, machine-readable format
- Objection: object to processing based on legitimate interests, including direct marketing
- Withdraw consent: where we rely on consent, you can withdraw it at any time (this does not affect the lawfulness of prior processing)
- Automated decision-making: we do not make decisions about you based solely on automated processing producing legal or similarly significant effects
- Lodge a complaint: you may complain to a data protection supervisory authority in your country. EU data subjects may lodge a complaint with the supervisory authority in the EU Member State where they reside, where they work, or where the alleged infringement took place
To exercise any of these rights, email [email protected]. We will respond within 30 days (or 45 days for CCPA/CPRA requests, extendable by another 45 days with notice). We may need to verify your identity before fulfilling the request.
Additional rights for California residents (CCPA / CPRA)
California residents have the rights above and the following additional rights:
- Right to know what personal information we collect, the sources, the purposes, and the categories of third parties we share with
- Right to delete personal information, subject to exceptions
- Right to correct inaccurate personal information
- Right to opt out of the Sale or Sharing of personal information (we do not Sell or Share personal information)
- Right to limit the use and disclosure of Sensitive Personal Information (we do not use Sensitive Personal Information for purposes beyond those permitted without your consent)
- Right to non-discrimination for exercising your rights
To exercise CCPA/CPRA rights, email [email protected]. Authorised agents may submit requests on your behalf with verifiable authorisation.
Additional rights for residents of Virginia, Colorado, Connecticut, Utah, and Texas
Residents of these states have rights similar to those above, including the right to access, correct, delete, and obtain a portable copy of personal data, and the right to opt out of targeted advertising, sale of personal data, and certain profiling. We do not engage in targeted advertising or sale of personal data. To exercise these rights, email [email protected].
Additional rights for Nevada residents
Nevada residents may opt out of the future sale of personal information by emailing [email protected], although we do not currently engage in such sales.
9. Cookies and similar technologies
We use cookies and similar technologies on our websites. Strictly necessary cookies are set automatically; analytics, marketing, and other non-essential cookies are set only with your consent, captured via our cookie consent banner. Full details, including the list of cookies and how to change your preferences, are in our Cookie Policy at gethirex.com/trust/cookie-policy.
10. Security
We maintain technical and organisational measures designed to protect personal data, including TLS encryption in transit, AES-256 encryption at rest, multi-factor authentication for personnel, least-privilege access, network protection via Cloudflare WAF, and continuous monitoring. More detail is at gethirex.com/trust/security. For enterprise tenants, we offer per-customer isolated deployment and IP allowlisting.
No system is perfectly secure. If you believe your account has been compromised, contact [email protected].
11. Children's data
The Services are not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, contact [email protected] and we will delete it.
12. Third-party links and integrations
The Services may link to third-party websites or include third-party integrations (for example, calendar providers, job boards, assessment platforms). This Policy does not apply to those third parties. Their use of your data is governed by their own privacy policies.
13. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top reflects the latest revision. Material changes will be communicated by email to account holders and via a notice on our website at least 30 days before they take effect. Previous versions are available on request via [email protected].
14. How to contact us
- General privacy questions: [email protected]
- Data Protection Officer: [email protected], Burak Yılmaz
- Security concerns: [email protected]
- Vulnerability reports: [email protected]
- Mail: Hirex HR, Inc., 8 The Green STE D, Dover, Delaware 19901, USA
- EU matters: until our Article 27 EU Representative is appointed, contact [email protected]
