Privacy Policy

1. Introduction

Noesis Hiring Ltd ("NH", "we", "us", or "our") operates the NoesisHiring.ai platform. This Privacy Policy explains how we collect, use, share, and protect personal data when you interact with our Services.

This policy applies to two categories of individuals:

• Employers (also called Tenants): organisations that use our platform to manage applicant relationships
• Applicants: individuals who submit CVs, complete assessments, or otherwise provide information through the platform

We are committed to transparency about how personal data is processed, particularly given our use of artificial intelligence in assessment generation.

2. Who We Are

Noesis Hiring Ltd is a company registered in England and Wales.

3. Data Controller and Processor Roles

Under the UK General Data Protection Regulation (UK GDPR), different parties may be responsible for personal data depending on the type of processing:

Data Type	Controller	Explanation
CV Data (storage)	Employer	The Employer determines why they collect CVs. NH stores and transmits this data as a processor on their behalf.
Assessment Data (AI-generated scores)	Joint: NH + Employer	NH is responsible for the technical integrity and logic of the AI assessments, while the Employer is responsible for the final hiring decision and providing the privacy notice at the point of collection.
TRIAGE™ questions	Employer	Employers create custom screening questions. They are responsible for question content.
TRIAGE™ response storage	Processor: NH (Controller: Employer)	NH stores responses; the Employer uses them directly. NH does not perform AI analysis on TRIAGE™ responses (this may change in future under amendment notice).
Employer account data	NH	NH collects Employer registration and billing data to provide the service.

For Applicants: Your primary data protection relationship is with the Employer you are applying to. However, because NH jointly controls assessment processing, you may also exercise certain rights directly with us (see Section 9).

4. What Data We Collect

4.1 Applicant Data

When you apply through an Employer's application page, we may collect:

• Identity information: name, contact details
• CV/resume content: employment history, education, qualifications, skills (we encourage anonymisation — see Section 6)
• Assessment responses: answers to COB, EQ, LAA and TRIAGE™ questionnaires
• Assessment outputs: AI-generated insights from the CVs' AI Assessment, and deterministic scores from COB, EQ, LAA, and TRIO™ aggregation
• Technical data: IP address, browser type, timestamps (for security and fraud prevention)

4.2 Employer Data

When Employers register and use the platform:

• Account information: company name, contact persons, email addresses
• Billing information: payment details (processed by our payment provider)
• Usage data: how the platform is used, feature engagement
• Custom content: job descriptions, branding, TRIAGE™ questions

5. How We Use Your Data

5.1 Purposes and Legal Bases

Purpose	Legal Basis	Applies To
Providing the platform and services	Contract performance	Employers
Processing applications on behalf of Employers	Consent (Article 6(1)(a) UK GDPR)	Applicants
Generating AI assessments	Consent (Article 6(1)(a) UK GDPR)	Applicants
Security, fraud prevention, abuse detection	Legitimate interests	All users
Legal compliance and dispute resolution	Legal obligation	All users

5.2 What We Do NOT Use Your Data For

We do not:

• Sell personal data to third parties
• Share Applicant data across different Employers
• Use Applicant data to train our AI models or improve our algorithms
• Allow our AI service providers to use your data for their model training
• Build profiles of Applicants across multiple applications to different Employers
• Use your data for marketing purposes without explicit consent

6. Artificial Intelligence and Automated Processing

6.1 What AI Systems We Use

The platform uses artificial intelligence to generate assessment insights from Applicant-provided information. Our AI processing is performed by third-party AI services (currently Anthropic Claude and Google Gemini) under commercial API agreements that prohibit these providers from using your data to train their AI models.

6.2 Assessment Types

Our platform supports the following assessments:

• CVs' AI Assessment (AI-powered): CV parsing, semantic comprehension, and evaluation of Knowledge, Skill, Competence, and Experience (KSCE). Performed via third-party AI sub-processors under the no-training warranty in Section 7.2.
• COB (Conscientiousness-Openness Balance) — deterministic: evaluates work style preferences along dimensions of structure versus flexibility. No AI involved.
• EQ (Emotional Intelligence) — deterministic: assesses self-awareness, self-regulation, empathy, and interpersonal skills. No AI involved.
• LAA (Learning Agility Assessment) — deterministic: assesses agility in learning and adapting to new environments and new responsibilities. No AI involved.
• TRIAGE™ — Employer-designed screening questions; responses stored by NH and used directly by the Employer. NH does not perform AI analysis on TRIAGE™ responses (this may change in future under amendment notice).

TRIO™ is a deterministic aggregation that combines COB, EQ, LAA (and, where applicable, the Employer's TRIAGE™ evaluation) into a unified profile. TRIO™ is not an AI-generated output.

6.3 How Assessments Are Used

Assessment scores are provided to Employers as decision-support information. They are designed to help Employers understand Applicant attributes, not to make hiring decisions automatically. Employers are required to maintain meaningful human oversight of all hiring decisions.

6.4 Your Right to See Your Scores

We believe Applicants should understand how they are being evaluated. You have the right to request a copy of your assessment scores and a general explanation of what they mean. To request this, contact the Employer you applied to, or contact us directly at privacy@noesishiring.ai.

6.5 No Solely Automated Decisions

Under Article 22 of the UK GDPR, you have the right not to be subject to decisions based solely on automated processing that significantly affect you. Our platform is designed to support, not replace, human decision-making. Employers using our platform are contractually required to ensure human review of hiring decisions. If you believe a decision affecting you was made without appropriate human oversight, you may contact us to request a review.

6.6 CV Anonymisation

We encourage Applicants to anonymise their CVs before submission by removing names, photos, dates of birth, and other identifying information not relevant to job qualifications. This helps reduce potential bias and protects your privacy. The platform's AI focuses on skills, experience, and responses rather than personal identifiers.

7. Who We Share Data With

7.1 Employers

Applicant data is shared with the specific Employer whose application page you used. Your data is never shared with other Employers or across tenants.

7.2 Sub-Processors

We use the following categories of service providers to deliver our platform:

Category	Provider	Data Handling
Cloud Infrastructure	Google Cloud Platform (Firebase/Firestore)	Data stored in EU/UK regions. Not used for training.
AI Processing	Anthropic (Claude API)	Commercial API terms. Data retained up to 30 days for abuse monitoring only. Not used for model training.
AI Processing	Google (Gemini API)	Commercial API terms. Data retained up to 55 days for abuse monitoring only. Not used for model training.

7.3 Legal Disclosures

We may disclose personal data if required by law, court order, or regulatory authority, or to protect our legal rights.

7.4 Business Transfers

If Noesis Hiring is acquired or merged with another company, personal data may be transferred as part of that transaction. We will notify affected users of any change in data controller.

8. Data Retention

Data Type	Retention Period
Applicant CV and assessment data	24 months from last activity, or until deleted by Employer, or upon Applicant request
Employer account data	Duration of contract plus 6 years (legal requirement)
AI processing logs (at sub-processors)	Up to 55 days (for security/abuse monitoring only)
Security and audit logs	12 months

After the retention period, data is securely deleted or anonymised.

9. Your Rights

Under the UK GDPR, you have the following rights:

• Right of access: Request a copy of your personal data
• Right to rectification: Request correction of inaccurate data
• Right to erasure: Request deletion of your data ("right to be forgotten")
• Right to restrict processing: Request limitation of how your data is used
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to object: Object to processing based on legitimate interests (e.g., security, fraud prevention)
• Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal
• Rights related to automated decision-making: Request human review of significant automated decisions

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).

How to exercise your rights

• Applicants: Contact the Employer you applied to (as the primary controller for your CV data), or contact NH directly for assessment-related requests
• Employers: Contact us at privacy@noesishiring.ai

We will respond to valid requests within one month, as required by law.

10. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

• Encryption in transit (TLS) and at rest
• Access controls and authentication
• Tenant data isolation (multi-tenancy with logical separation)
• Regular security reviews
• Incident response procedures

No system is completely secure. We cannot guarantee absolute security but will notify affected users and relevant authorities of any data breach as required by law.

11. International Data Transfers

Some of our sub-processors (particularly AI providers) may process data outside the UK.

When data is transferred outside the UK to a country without a UK Adequacy Decision, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses are utilised to ensure the same level of data protection as in the UK.

12. Children's Data

Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.

13. Cookies

Our website and platform use cookies and similar technologies to ensure proper functionality, remember your preferences, and understand how our services are used.

For detailed information about the cookies we use, their purposes, and how to manage your cookie preferences, please see our Cookie Policy.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via the platform or by email. The "Effective Date" at the top indicates when this version became effective. Continued use of the Services after changes constitutes acceptance of the updated policy.

15. Complaints

If you are unhappy with how we handle your personal data, please contact us first at privacy@noesishiring.ai.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

16. Contact Us

For any questions about this Privacy Policy or our data practices: