Privacy Policy
Last updated: March 2026
1. Data Controller
CloudPeople Ltd ("CloudPeople", "we", "us"), a company registered in Ireland, is the data controller responsible for your personal data processed through the CloudPeople platform.
For any questions or concerns about how we handle your personal data, or to exercise your data protection rights, please visit our Contact page.
2. Data We Collect
2.1 Information you provide
- Account information: Full name, email address, password (hashed), account type (Candidate or Employer)
- Candidate profile data: Headline, biography, skills, years of experience, location, desired role, rate expectations, career goals, LinkedIn URL, portfolio URL
- Video recordings: Video introductions uploaded as part of your Candidate profile
- Resumes and documents: CVs, cover letters, and other documents you choose to upload
- Salary expectations: Reserve prices, minimum rates, and rate types
- Employer profile data: Company name, recruiter name, location, company description, job postings
- Payment information: Processed by Stripe — we do not store credit card numbers. We retain transaction records (amounts, dates, subscription status)
- Communications: Messages sent through the platform, support requests, feedback
2.2 Information collected automatically
- Usage data: Pages visited, features used, time spent on pages, click patterns
- Device information: Browser type, operating system, screen resolution, device identifiers
- Log data: IP address, access times, referring URLs, error logs
- Auction activity: Bids placed, auctions entered, auction outcomes, auto-bidder configurations
2.3 Information from third parties
- Google OAuth: If you sign in with Google, we receive your name, email, and profile picture from Google
- Stripe: Payment confirmation data and subscription status
3. Legal Basis for Processing
Under the GDPR, we process your personal data on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Contract performance (Art. 6(1)(b)) |
| Displaying your profile to Employers | Contract performance (Art. 6(1)(b)) |
| Processing auction bids and transactions | Contract performance (Art. 6(1)(b)) |
| Processing payments | Contract performance (Art. 6(1)(b)) |
| Platform analytics and improvement | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance (tax, records) | Legal obligation (Art. 6(1)(c)) |
4. How We Use Your Data
- To operate the platform: Display Candidate profiles to Employers, facilitate auctions, process bids, manage subscriptions
- To match talent: Use profile data, skills, and preferences to surface relevant Candidates to Employers and relevant opportunities to Candidates
- To process payments: Handle subscription billing, auction entry fees, and platform commissions via Stripe
- To communicate: Send account notifications, auction updates, interview invitations, and service announcements
- To improve the Service: Analyse usage patterns, monitor platform performance, and develop new features
- To ensure security: Detect and prevent fraud, abuse, and unauthorised access
- To comply with law: Fulfil legal obligations including tax reporting and responding to lawful requests
5. Data Sharing
5.1 Sharing with Employers during auctions
When you participate as a Candidate, the following data is shared with Employers who view your profile or enter your auction:
- Your public profile information (name, headline, bio, skills, experience, location)
- Your video introduction
- Your desired role and salary expectations
- Auction activity (reserve price, bid history during live auctions)
Employers who win an auction may receive additional contact information to proceed with the hiring process, subject to your approval.
5.2 Service providers
We share data with trusted third-party service providers who assist in operating our platform:
- Supabase: Database hosting and authentication (EU region)
- Stripe: Payment processing
- Vercel: Application hosting
- OpenAI: AI-powered features (interview scoring, candidate matching)
- Google: OAuth authentication
All service providers are bound by data processing agreements and process data only on our instructions.
5.3 Other disclosures
We may disclose personal data when required by law, to protect our rights, or in connection with a merger, acquisition, or asset sale. We will notify affected users where legally permitted.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account and profile data | Duration of account + 30 days after deletion |
| Video recordings | Duration of account + deleted within 30 days of account closure |
| Auction and bidding records | 7 years (financial record-keeping obligations) |
| Payment and transaction records | 7 years (tax and accounting requirements) |
| Usage and analytics data | 26 months (anonymised after) |
| Interview responses and reports | 12 months after interview, or account deletion |
| Server logs | 90 days |
When data is no longer needed, it is securely deleted or anonymised. You may request earlier deletion by exercising your right to erasure (see Section 9).
7. Cookies and Tracking
We use the following types of cookies:
- Essential cookies: Required for authentication, security, and core platform functionality. These cannot be disabled
- Authentication cookies: Maintain your logged-in session (Supabase auth tokens)
- Preference cookies: Remember your settings (e.g., "remember me" on login)
- Analytics cookies: Help us understand how users interact with the platform. We use privacy-respecting analytics that do not track users across sites
We do not use third-party advertising cookies or sell data to advertisers.
8. International Data Transfers
Our primary data processing occurs within the European Economic Area (EEA). Where data is transferred outside the EEA (e.g., to US-based service providers), we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework certification (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with all sub-processors
You may request information about the specific safeguards in place for any transfer by visiting our Contact page.
9. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access (Art. 15): Request a copy of your personal data and information about how it is processed
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations
- Right to restriction (Art. 18): Request that we limit processing of your data in certain circumstances
- Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV)
- Right to object (Art. 21): Object to processing based on legitimate interest, including profiling
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing
- Right not to be subject to automated decision-making (Art. 22): AI-generated interview scores and matching are used as decision-support tools; final hiring decisions are made by humans
To exercise any of these rights, email us at info@cloudpeople.ai. We will respond within 30 days. If we need an extension, we will notify you within the initial 30-day period.
Request account or data deletion: Click here to send a deletion request
Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Irish Data Protection Commission (DPC):
- Website: www.dataprotection.ie
- Phone: +353 (0)761 104 800
10. Security Measures
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Secure password hashing (bcrypt via Supabase Auth)
- Row-level security (RLS) policies on database tables ensuring users can only access their own data
- Regular security reviews and dependency updates
- Access controls limiting employee access to personal data on a need-to-know basis
- Secure payment processing via PCI DSS-compliant Stripe
- Rate limiting and bot protection on authentication endpoints
No system is perfectly secure. If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify the DPC within 72 hours and affected users without undue delay, in accordance with Articles 33 and 34 of the GDPR.
11. Children's Privacy
CloudPeople is designed for professional use and is not intended for individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a person under 18, we will delete it promptly.
If you believe a minor has provided us with personal data, please contact us immediately via our Contact page.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes:
- We will update the "Last updated" date at the top of this page
- We will notify registered users via email at least 14 days before changes take effect
- We will provide a summary of key changes
Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.
13. Contact Us
For any questions, concerns, or requests related to this Privacy Policy or your personal data:
CloudPeople Ltd
Galway, Ireland
Contact: info@cloudpeople.ai