Last updated: April 2026

Privacy Policy

Candio is operated by Scopious Digital d.o.o. (“Candio”, “we”, “us”, “our”). This policy explains what personal data we process, why we process it, who we share it with, and the rights available to you under the EU General Data Protection Regulation (“GDPR”) and, where applicable, the UK GDPR.

This policy covers the Candio marketing website (candio.io) and the Candio application (app.candio.io and the Candio HubSpot app, together the “Service”).

1. Our Role Under GDPR

Candio plays two distinct roles depending on the data being processed:

  • Data Controller — for account and login information, billing contacts, website visitor data, and support communications. For this data, Candio decides the purposes and means of processing.
  • Data Processor — for candidate and applicant data our customers collect or generate through the Service. For this data, the customer (the employer) is the Controller and Candio processes the data on their documented instructions, under a Data Processing Agreement.

If you are a candidate and have questions about how your application data is used, please contact the organisation you applied to. They are the Controller of that data; we will assist them in responding to your request.

2. Data We Process

Account & identity data. When you sign up or sign in, we process your name, work email address, company, role within the Service, authentication tokens and session identifiers. You may authenticate using a magic-link one-time code, Google OAuth, Microsoft OAuth, or by installing Candio via the HubSpot App Marketplace.

Billing data. If you subscribe to a paid plan, payment is processed by Stripe. We receive the Stripe customer identifier, plan, trial status, billing country and invoice history. We do not receive or store full payment card numbers.

Candidate & application data (processed on your behalf). Candidate records, including names, contact details, resumes/CVs, cover letters, application form responses, pipeline stage, interview notes, scorecard feedback and offer details, are stored in your HubSpot portal as native CRM records. Candio reads from and writes to HubSpot via authorised API calls. A limited operational subset — such as structured fields extracted from resumes and AI-generated insights — is stored within Candio’s application environment to power the Service.

AI-generated insights (processed on your behalf). We generate structured summaries, extracted resume fields, job-fit analyses, interview round summaries and candidate assessments by sending candidate data to our AI sub-processor (see Section 4). Outputs are stored alongside the relevant candidate record.

Usage & diagnostic data. We log API requests, feature usage, error traces, and session activity to operate, secure and improve the Service.

Website & marketing data. On candio.io we collect limited analytics if you consent (see Section 8). If you join our waitlist or request a demo, we process the contact details you submit.

3. Purposes & Legal Bases

We process personal data only where we have a lawful basis under Article 6 GDPR:

  • Performance of a contract (Art. 6(1)(b)): providing the Service to customers, authenticating users, processing payments, sending transactional emails, and supporting integrations.
  • Legitimate interests (Art. 6(1)(f)): product analytics, abuse prevention, security monitoring, logging, diagnosing errors, and limited outreach to business contacts.
  • Consent (Art. 6(1)(a)): website analytics cookies, marketing emails, and other optional communications. Consent can be withdrawn at any time.
  • Legal obligation (Art. 6(1)(c)): tax, accounting, and compliance with lawful requests from authorities.

When Candio acts as a Processor on behalf of a customer, the legal basis for processing candidate data is determined by that customer (the Controller).

4. Automated Processing & AI

Candio uses large language models provided by Anthropic via Amazon Bedrock to extract structured data from resumes, produce job-fit analyses, summarise interview rounds and generate candidate assessments. AI inference is performed in the United States. Customer data submitted to these models is not used to train them.

Not a solely automated decision. AI outputs in Candio are advisory. They do not reject, shortlist, or rank candidates without a human decision-maker. A recruiter or hiring manager must review AI-generated content before it informs an outcome that produces legal or similarly significant effects on a candidate. Our customers remain responsible for the lawfulness of their hiring decisions, including compliance with anti-discrimination law and Article 22 GDPR.

Candidates have the right, via the organisation they applied to, to request human review of any AI-assisted output, to contest it, and to obtain an explanation of the logic involved.

5. Where Data Is Stored

The master copy of candidate, job and application records — including resume files, application responses, notes and pipeline data — lives in your HubSpot portal and is governed by HubSpot’s own terms, data-centre configuration and security practices. Candio does not maintain an independent canonical copy of those records.

Candio’s application infrastructure runs on Amazon Web Services in the United States. It hosts the operational data required to run the Service, such as account information, session data, configuration, AI-generated outputs and transactional logs.

All data is encrypted in transit and at rest using industry-standard encryption. Access to production systems is restricted to authorised personnel, requires multi-factor authentication, and is logged.

6. International Transfers

If you access Candio from the European Economic Area, the United Kingdom or Switzerland, personal data will be transferred to and processed in the United States by some of our sub-processors. We rely on the following transfer mechanisms:

  • EU–U.S. Data Privacy Framework (DPF), together with the UK Extension and the Swiss–U.S. DPF, for transfers to sub-processors that are self-certified under the framework.
  • Standard Contractual Clauses (SCCs) approved by the European Commission, together with the UK International Data Transfer Addendum, where the DPF does not apply.
  • Supplementary technical and organisational measures including encryption, access controls and logging, as required following the Schrems II ruling.

You can request a copy of the transfer mechanism applicable to a specific sub-processor by emailing privacy@candio.io.

7. Sub-processors

We engage the following sub-processors to provide the Service. Each is bound by a written data processing agreement and appropriate transfer mechanisms.

Provider | Purpose | Region
--- | --- | ---
Amazon Web Services, Inc. | Cloud hosting & infrastructure | United States
Anthropic (via Amazon Bedrock) | AI inference for resume extraction & candidate insights | United States
HubSpot, Inc. | CRM of record for candidate & job data; marketing analytics on candio.io | US or EU (per customer portal)
Stripe, Inc. | Payment processing & subscription management | US / EU
Zoom Video Communications, Inc. | Interview scheduling & meeting creation (when enabled) | United States
Google LLC | Sign-in with Google (optional) | US / EU
Microsoft Corporation | Sign-in with Microsoft (optional) | US / EU
Indeed, Inc. | Job distribution (when enabled) | United States

We will provide prior notice of material changes to this list so that Controllers may object under their Data Processing Agreement with us.

8. Cookies & Tracking

Strictly necessary cookies. We set a session cookie on app.candio.io to keep you signed in. We may also store a cookie-consent preference on candio.io. These cookies are essential to operate the Service and do not require consent.

Analytics cookies. On candio.io, if you consent via the cookie banner, we load HubSpot analytics to understand how visitors use the site. You can decline or withdraw consent at any time; declining loads no analytics scripts and sets no analytics cookies.

We do not use advertising cookies, retargeting pixels, or third-party trackers for cross-site profiling.

9. Data Retention

Candidate data in your HubSpot portal. This data is under your control at all times. Uninstalling Candio does not delete records from HubSpot; your HubSpot retention policy applies, and only you can remove or export the data from your portal.

Operational data in Candio’s environment. Account information, configuration, AI-generated insights and other operational records associated with your account are retained for as long as your account exists and may be retained thereafter for legitimate business purposes including service reactivation, security, fraud prevention, dispute resolution and compliance. Uninstalling the HubSpot app or cancelling a subscription does not automatically trigger deletion of this data.

Deletion on request. You may request deletion of personal data Candio holds as Controller, or instruct us to delete data we process on your behalf as Processor, by emailing privacy@candio.io. We will action verified requests within a reasonable period (and in any event within the timelines required by GDPR), subject to exceptions where retention is necessary to comply with law, to establish, exercise or defend legal claims, or where the data has been anonymised.

Billing records. Retained for the period required by applicable tax and accounting law.

Backups. Operational data may persist in rolling encrypted backups for a limited period after live deletion and will be overwritten in the normal course of backup rotation.

10. Your Rights

If the GDPR or UK GDPR applies to the processing of your personal data, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”) where applicable.
  • Restrict or object to processing based on legitimate interests or for direct marketing.
  • Portability: receive your data in a structured, machine-readable format.
  • Withdraw consent at any time where processing relies on consent.
  • Not be subject to a decision based solely on automated processing (see Section 4).
  • Lodge a complaint with a supervisory authority. In Slovenia this is the Information Commissioner (Informacijski pooblaščenec, ip-rs.si). Residents of other EEA states may contact their local Data Protection Authority; UK residents may contact the ICO (ico.org.uk).

To exercise any of these rights where Candio is the Controller, email privacy@candio.io. We will respond within one month. Where Candio is the Processor (candidate data), please direct requests to the organisation that collected the data; we will assist them promptly.

11. Security & Breach Notification

We apply industry-standard technical and organisational measures, including encryption in transit and at rest, network isolation, the principle of least privilege, multi-factor authentication for administrative access, audit logging, dependency monitoring, and routine backups. No security programme can guarantee absolute security.

In the event of a personal data breach likely to result in a risk to rights and freedoms, we will notify affected Controllers without undue delay and no later than 72 hours after becoming aware, consistent with Article 33 GDPR.

12. Children

The Service is intended for use by businesses and their authorised representatives over the age of 18. We do not knowingly collect personal data from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email to administrators of active accounts and posted on candio.io at least 30 days before taking effect. Non-material changes will be reflected by updating the “Last updated” date above. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact

For questions about this Privacy Policy, to exercise your rights, or to request a Data Processing Agreement, contact us:

Scopious Digital d.o.o.

Privacy: privacy@candio.io

Security: security@candio.io