Privacy

Privacy policy.

Last updated: May 26, 2026

ShortlistTable is a resume screening tool used by recruiters and hiring teams. We process two distinct data streams: candidate data (resumes our customers upload) and customer data (the recruiters using the product, plus visitors to this website). This policy explains what we collect, why, where it sits, and what choices you have.

1. Who we are

“ShortlistTable”, “we”, or “us” refers to [ShortlistTable Inc. — legal entity name to be filled in], with its registered office at [address]. For data-protection purposes, we act as a data controller for customer/visitor data we collect about our users, and as a data processor for the candidate data our customers upload to the product.

2. What we collect

2.1 Candidate data (processed on behalf of our customers)

When a recruiter uses ShortlistTable, they upload resumes and related candidate materials. These typically contain:

  • Name, contact information, and links
  • Employment history, education, skills
  • Any other content the candidate chose to include in the resume

We act as a processorfor this data. The recruiter (our customer) decides what to upload, why, and for how long. We process the data only on the customer’s documented instructions and the terms of the Data Processing Addendum.

2.2 Customer / user account data

  • Account: name, email, workspace name, role
  • Authentication: magic-link tokens, session cookies (httpOnly, secure)
  • Billing: company name, billing email, plan, payment metadata (processed by our payments provider, not stored by us in cleartext)
  • Usage: feature events, run counts, error logs

2.3 Website visitor data

  • Marketing form submissions: name, email, optional company, message text
  • Newsletter subscriptions: email address, marketing consent state, source page
  • Resource downloads: email address, the specific resource requested
  • Browser-side tool usage: no server-side capture. The free tools (JD/CV matcher, JD critique, bulk parser, etc.) run entirely in the visitor’s browser; we do not see the inputs or outputs.
  • Outreach generator quota: IP address (hashed) used for rolling-24-hour rate limiting

2.4 What we do not collect

  • We do not place any tracking cookies before the visitor accepts non-essential cookies.
  • We do not sell customer or candidate data to any third party.
  • We do not train any AI model on customer or candidate data. Models we use are general-purpose foundation models accessed via API, with the provider’s training opt-out enabled (see Subprocessors).

3. Why we process it (lawful bases)

  • Performance of contract: account creation, running screening tables, delivering shortlists, billing.
  • Legitimate interests: security logging, abuse prevention (rate limiting, Turnstile), product analytics on aggregated usage.
  • Consent: non-essential cookies, marketing emails, newsletter. Withdrawable at any time via the unsubscribe link in any marketing email or by contacting us.
  • Legal obligation: retaining billing records for tax purposes.

4. Where data is stored

Customer and candidate data is stored in [region — fill in: US-East / EU-West before launch] and is encrypted at rest. Workspaces created with the EU region option keep data within the EU. Backups are stored in the same region as the primary database.

5. How long we keep it

  • Candidate data: per the workspace retention policy our customer configures. Default: archive after 90 days of inactivity, hard-delete after 365 days. Configurable per workspace.
  • Customer account data: for the lifetime of the account plus 90 days, after which it is hard-deleted.
  • Billing records: 7 years (tax obligation in most jurisdictions).
  • Marketing form submissions: 24 months unless you ask us to delete sooner.
  • Newsletter subscribers: until you unsubscribe, plus a 30-day grace period.
  • Outreach generator quota records: 24 hours (the rolling window itself).

6. Subprocessors

We use the following subprocessors. Each is contractually bound by a DPA equivalent to the EU Standard Contractual Clauses where applicable.

  • Database / hosting: [Neon / Supabase / AWS RDS — pick before launch], US or EU region per workspace.
  • Object storage (resume files): [AWS S3 / Cloudflare R2 — pick before launch], same region as the database.
  • Email delivery: Resend (transactional email, newsletter audience). resend.com.
  • Anti-abuse: Cloudflare Turnstile (challenge token verification).
  • Rate limiting: Upstash (Redis as a service, stores hashed IPs only).
  • Payments: [Lemon Squeezy / Stripe — confirm before launch].
  • LLM provider(s): [OpenAI and/or Google Gemini — list the ones actually wired before launch]. Training opt-out enabled. No customer data retention beyond inference call.
  • Error tracking: Sentry (when configured). Stack traces only; we redact PII before send.
  • Product analytics: [PostHog / Plausible — list once added].

7. International transfers

Where data is transferred outside the EEA or the UK, we rely on the EU Standard Contractual Clauses (2021) and the UK International Data Transfer Addendum, plus the relevant subprocessor’s adequacy or supplementary measures (e.g. EU-US Data Privacy Framework certification for US subprocessors that have one).

8. Your rights

If you’re in the EU/EEA, UK, or California, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your data (subject to legal-retention obligations like billing)
  • Restrict or object to certain processing
  • Receive a copy of your data in a portable format
  • Withdraw consent for any processing based on consent (marketing, non-essential cookies)
  • Lodge a complaint with your local data-protection authority

For candidate data, these requests should go to the recruiter (our customer) first — they are the controller. If they cannot resolve it, contact us and we will route the request.

To exercise any of these rights, email privacy@shortlisttable.ai. We respond within 30 days.

9. AI-specific disclosures

  • The screening engine uses third-party large language models (see Subprocessors) plus our own evaluation and orchestration code.
  • We never use customer or candidate data to train models. Training opt-out is enabled at the provider level.
  • The product is designed for human-in-the-loop use. No verdict is final without recruiter action; there is no automated screen-out path.
  • Every AI verdict in the product carries the source sentence behind it and is overridable by the recruiter. A per-cell audit log is available to the workspace owner.
  • If you are a candidate and want to understand why a specific screening decision was made about you, contact the recruiter who screened you. We can provide them the per-cell audit log on request; we do not have a direct relationship with candidates.

10. Children

ShortlistTable is a B2B product not directed at children under 16. We do not knowingly process the personal data of anyone under 16. If you believe we hold such data, contact us and we will delete it.

11. Security

  • TLS 1.2+ for all network traffic
  • Encryption at rest for databases and object storage
  • Workspace-level access control, principle of least privilege internally
  • Regular security review and dependency-scan automation
  • SOC 2 Type 2 — [in progress / target date]

12. Changes to this policy

We update this policy as the product changes. Material changes will be announced by email to active customers at least 30 days before they take effect. The current version is the one published here with the “Last updated” date at the top.

13. Contact

Privacy questions: privacy@shortlisttable.ai
Data Protection Officer / EU representative: [appoint and fill in before launch in EU markets]
General inquiries: hello@shortlisttable.ai