Privacy Policy

Last updated: December 2024

1. Introduction

Welcome to Petal (“we,” “our,” or “us”), where A-players bloom. We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered CV screening service.

By using Petal, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our service.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address, name, and authentication credentials (managed by Clerk)
  • Job Screening Data: Job titles, role descriptions, and specific hiring criteria
  • CV Data: All information contained in uploaded CVs including names, contact details, work history, education, skills, and any other information candidates include

2.2 Automatically Collected Information

  • Usage Data: Information about how you access and use our service
  • Device Information: Browser type, IP address, and device identifiers
  • Error Monitoring: Technical errors and performance metrics via Sentry
  • Cookies: Essential cookies for authentication and security (see Section 9)

2.3 Special Category Data

CVs may contain special category data (e.g., photographs revealing ethnicity, disability accommodations, or other sensitive information). We process this data only with explicit consent or where permitted by employment law.

3. How We Use AI Technology

Important: Artificial Intelligence Screening Notice

We use Claude (by Anthropic) to assist in analyzing CVs. Here's how it works:

What Our AI Does:

  • Analyzes CVs for career progression patterns
  • Identifies quantifiable achievements
  • Evaluates employment stability
  • Matches qualifications against job requirements
  • Provides scoring and recommendations to recruiters

What Our AI Does NOT Do:

  • Make final hiring decisions
  • Automatically reject candidates without human review
  • Access external data about candidates
  • Store or learn from your data for other customers

Human Oversight: All AI recommendations are reviewed by human recruiters. Final decisions always involve meaningful human judgment.

4. Legal Basis for Processing

For EU/UK Users:

  • Legitimate Interest (Article 6(1)(f) GDPR): We process CV data based on the legitimate interest of facilitating efficient recruitment processes
  • Consent: For special category data and marketing communications
  • Legal Obligations: To comply with employment and data protection laws

For US Users:

We process personal information with your consent and as necessary to provide our services.

5. How We Share Your Information

5.1 Service Providers

We share data with trusted third-party services that help us operate Petal:

  • Clerk, Inc. (USA): Authentication and user management
  • Anthropic, PBC (USA): AI-powered CV analysis via Claude
  • Neon Database, Inc. (USA): Secure database storage
  • Vercel Inc. (USA): Application hosting
  • Modal Labs (USA): Serverless computing for CV processing
  • Sentry (USA): Error tracking and performance monitoring
  • Google Cloud Storage (UK): Secure document storage in UK data centers

All service providers are bound by data processing agreements ensuring your data is protected.

5.2 Other Disclosures

We may disclose your information:

  • To comply with legal obligations
  • To protect our rights and safety
  • With your explicit consent

6. International Data Transfers

Your data may be transferred to and processed in the United States. We ensure appropriate safeguards:

  • For EU Users: Standard Contractual Clauses approved by the European Commission
  • For UK Users: UK-approved transfer mechanisms including the UK-US Data Bridge
  • Security: All data is encrypted in transit and at rest

7. Data Retention

Important: When you delete a job in Petal, all associated CV data and analysis results are immediately deleted. The job record itself is retained for audit purposes but marked as deleted.

Retention Periods:

  • Active Jobs: Data retained until you delete the job
  • Completed Jobs: Data retained until you delete the job
  • Account Data: Retained for the duration of your account
  • Deleted Jobs: CV content deleted immediately, job metadata retained as deleted
  • Audit Logs: Retained for 7 years for compliance

8. Your Privacy Rights

8.1 EU/UK Residents (GDPR Rights)

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your data (“right to be forgotten”)
  • Restrict processing
  • Data portability
  • Object to processing
  • Not be subject to solely automated decision-making
  • Withdraw consent at any time

8.2 California Residents (CCPA/CPRA Rights)

You have the right to:

  • Know what personal information we collect
  • Delete your personal information
  • Opt-out of sale/sharing (we do not sell your data)
  • Non-discrimination for exercising rights
  • Correct inaccurate information
  • Limit use of sensitive personal information

8.3 How to Exercise Your Rights

Contact us at: kamal@dove.ac

We will respond within 30 days (45 days for complex requests).

9. Cookies and Tracking

We only use essential cookies required for the service to function:

  • Authentication tokens (JWT) via Clerk
  • Security cookies (CSRF protection)
  • Session management

We do not use any tracking or analytics cookies. All cookies are essential for authentication and security purposes only.

10. Data Security

We implement appropriate technical and organizational measures:

  • JWT-secured API endpoints
  • Encrypted database storage (Neon)
  • TLS encryption for all data transfers
  • Regular security audits
  • Access controls and authentication

11. Children's Privacy

Petal is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn we have collected such information, we will delete it immediately.

12. Your California Privacy Rights

California residents have additional rights under the CCPA/CPRA:

  • We do not sell or share your personal information
  • We do not use sensitive personal information beyond what is necessary to provide our services
  • You may designate an authorized agent to make requests on your behalf

Notice at Collection: We collect CV data, account information, and usage data as described in Section 2. This information is used for recruitment services as described in Section 3.

13. Updates to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Posting the new Privacy Policy on this page
  • Updating the “Last updated” date

14. Contact Information

For privacy-related questions or to exercise your rights, please contact:

Email: kamal@dove.ac

Supervisory Authorities:

  • EU Users: You may lodge a complaint with your local data protection authority
  • UK Users: Information Commissioner's Office (ICO) - ico.org.uk
  • California Users: California Privacy Protection Agency - cppa.ca.gov
ContactBuilt by dovePrivacy policy