Privacy Policy

Last updated: February 18, 2025  ·  Effective: February 18, 2025

HeyTalent is a B2B recruiting platform powered by AI. We collect data necessary to provide our service, improve the product, and support you when things go wrong. We use tools like PostHog (analytics and session replays) and Sentry (error tracking) to do this.

We never sell your data. We only share it with trusted sub-processors who help us run the platform. You can opt out of analytics at any time from your account settings.


1. Who We Are


HeyTalent ("we", "us", "our") is a B2B recruiting platform that helps recruiters and agencies manage their talent pipeline using AI-powered tools. This Privacy Policy explains how we collect, use, and protect your personal data when you use our platform.

This policy applies to our platform users — recruiters, hiring managers, and agency professionals who have a direct contractual relationship with us. It does not cover candidates whose data is processed through the platform on your behalf (see Section 6 for details on candidate data).


2. What Data We Collect


Account Data

When you create an account, we collect your name, email address, and organization name. This is necessary to provide you with access to the platform.

Usage Data (Analytics)

We use PostHog to understand how you interact with HeyTalent. This includes page views, navigation paths, clicks, and form submissions. We also collect your User ID and display name (but not your email) for analytics purposes. This helps us identify patterns and improve the product.

Session Recordings

We record screen sessions of your interactions with HeyTalent using PostHog. These recordings capture what you see on screen, including clicks, scrolling, and page content. Session recordings may include candidate data visible on the page at the time of recording. See Section 5 for full details.

Error & Performance Data

We use Sentry to detect and diagnose bugs. When an error occurs, we collect the error stack trace, the URL where the error happened, your User ID and email, and a Request ID for log correlation. Sensitive data such as passwords, tokens, and authentication headers are automatically filtered out before being sent to Sentry.

Console & Network Data

PostHog may capture browser console errors/warnings and API request/response bodies to help us debug issues you report. Authentication endpoints (/auth/*) are excluded, and auth tokens in headers are filtered.


3. Why We Collect It


Provide the service
Data Used: Account data, candidate data
Example: Managing your talent pipeline, running AI-powered searches

Improve the product
Data Used: Analytics, session recordings
Example: Understanding which features are used most so we can prioritize development

Technical support
Data Used: Session recordings, error logs
Example: When you report a bug, we review your session recording to see exactly what happened

Security & stability
Data Used: Error data, performance metrics
Example: Detecting and fixing crashes before they affect more users


4. Legal Basis for Processing


Under the GDPR, we process your data based on the following legal grounds:

  • Contract performance (Art. 6(1)(b)) — Processing your account data and candidate data is necessary to provide the recruiting service you've contracted with us for.

  • Legitimate interest (Art. 6(1)(f)) — We use analytics, session recordings, and error tracking to improve our product and provide effective technical support. Given our B2B relationship and the direct professional context of your usage, we believe this is a reasonable and expected use of your data. You can opt out of analytics and session recordings at any time (see Section 12).

We have conducted a Legitimate Interest Assessment (LIA) and concluded that the benefits of product analytics and debugging capabilities — both for us and for you as a user — outweigh any potential impact on your privacy, particularly given the professional B2B context and the availability of opt-out controls.


5. Session Recordings & Analytics


We want to be transparent about how session recordings work, since this is the most privacy-sensitive feature we use.

What gets recorded

When you use HeyTalent in production, PostHog records your screen interactions: what pages you visit, what you click, where you scroll, and the content visible on screen.

What is filtered out

  • Password inputs are masked automatically

  • Authentication tokens in request headers are stripped

  • All authentication endpoints (/auth/*) are excluded from recording

  • Recordings only happen in the production environment — never in development

Who can access recordings

Session recordings are accessible only to authorized HeyTalent team members for the purposes of product improvement and technical support. We review recordings when investigating bugs you report or when analyzing feature usage patterns.

How to opt out

You can request to disable session recordings and analytics from your user settings at any time through contact@heytalent.app. When disabled, no analytics events or session recordings will be captured for your account.


6. Candidate Data


HeyTalent processes candidate profile data (sourced from public LinkedIn profiles and other sources) as part of the recruiting service. In most cases, you (our client) are the data controller for candidate data, and HeyTalent acts as a data processor on your behalf.

Candidate data is stored in our database. We process this data solely to provide the service you've contracted for.

Candidate data retention is governed by your account configuration and our Data Processing Agreement (DPA). If you need a signed DPA, please contact us.


7. Sub-Processors & Third Parties


We share your data only with the following trusted sub-processors that help us run the platform. We do not sell, rent, or trade your data to anyone.

PostHog

  • Purpose: Product analytics and session replay

  • Data Shared: Usage data, session recordings, User ID, display name

  • Location: US / EU

  • Compliance: SOC 2, GDPR

Sentry

  • Purpose: Error monitoring

  • Data Shared: Error data, User ID, email, page URL

  • Location: US

  • Compliance: SOC 2 Type II, GDPR

Supabase

  • Purpose: Database hosting

  • Data Shared: Account data, candidate data

  • Location: EU available

  • Compliance: SOC 2, GDPR

We do not share candidate data with any parties beyond these sub-processors. All sub-processors are bound by data processing agreements that require them to protect your data in accordance with the GDPR.


8. International Data Transfers


Some of our sub-processors (Sentry) may process data in the United States. When data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) — Our sub-processors utilize EU-approved SCCs for international data transfers.

  • EU hosting options — Supabase offers EU-based hosting, and PostHog provides EU data residency where available.

We regularly review our sub-processors' data protection practices to ensure ongoing compliance.


9. Data Retention

Account data
Retained while your account is active, plus 30 days after account closure.

Session recordings
Retained for 90 days (automatically deleted by PostHog).

Error logs
Retained for 90 days (automatically deleted by Sentry).

Candidate data
Retained according to your account configuration and applicable DPA terms.

After the retention period, data is automatically deleted from the respective systems.


10. Security


We take the security of your data seriously and implement the following measures:

  • Encryption in transit — All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.

  • Encryption at rest — Data stored in our database (Supabase) is encrypted at rest.

  • Access control — Platform access is protected by authentication, and internal access to tools like PostHog and Sentry is restricted to authorized team members.

  • Data filtering — Sensitive data (passwords, authentication tokens, auth headers) is automatically stripped before being sent to any analytics or error-tracking service.

  • Production-only recording — Session recordings are enabled only in the production environment.


11. Cookies

  • Cookie: ph_*
    Provider: PostHog
    Purpose/Type: Analytics & session replay identification
    Category: Functional / Analytics

  • Cookie: Sentry cookies
    Provider: Sentry
    Purpose/Type: Error tracking & session identification
    Category: Functional

These cookies are used for the functional operation of our analytics and error-tracking systems. They are not used for advertising. You can opt out of analytics cookies through your user settings within HeyTalent.


12. Your Rights (GDPR)


If you are located in the European Economic Area, you have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you.

  • Rectification — Ask us to correct any inaccurate data.

  • Erasure — Request deletion of your account and associated data.

  • Data portability — Receive your data in a structured, machine-readable format.

  • Objection — Object to processing based on legitimate interest. You can also opt out of analytics and session recordings directly from your account settings.

  • Restriction — Request that we limit how we process your data while a complaint is being resolved.

  • Complaint — Lodge a complaint with your local Data Protection Authority.

To exercise any of these rights, contact us at the address below. We will respond within 30 days.


13. Changes to This Policy


We may update this Privacy Policy from time to time to reflect changes in our practices or for legal and regulatory reasons. If we make material changes, we will notify you by email before the changes take effect.

We encourage you to review this page periodically. The "Last updated" date at the top of this policy indicates when it was most recently revised.


14. Contact Us


If you have questions about this Privacy Policy, want to exercise your data rights, or have any concerns about how we handle your data:


Email: contact@heytalent.app

Subject line: "Privacy Request — [Your Name]"

We aim to respond to all privacy-related inquiries within 30 days.