Privacy Policy

Last updated: April 28, 2026

Acticio ("we", "us") operates an AI-powered hiring platform that helps employers screen, score, and rank candidates. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and the rights you have over it. It applies to our website, dashboard, and APIs (the "Service").

1. Roles: who is the controller?

For data we collect about customers (the people who sign up and pay for Acticio), we are the data controller.

For data about candidates (resumes, GitHub profiles, portfolios, contact details uploaded by our customers), our customer is the data controller and we act as the data processor on their behalf. Candidates who want to access, correct, or delete their data should first contact the employer that uploaded it; we will support that employer in fulfilling the request.

2. Data we collect

From customers

  • Account data: name, email, hashed password, organisation name, role.
  • Billing data: plan tier, billing email, transaction metadata from our payment processor (we do not store full card numbers).
  • Usage data: pages visited, jobs created, resumes uploaded, buttons clicked, error logs, IP address, browser, device.

From candidates (via customers)

  • Resume content (PDF/DOCX text) including name, contact details, employment history, education, links.
  • Public profile content from links the candidate included (GitHub, portfolio sites, LinkedIn URL). We crawl these only via their public pages.
  • AI-generated scores, summaries, and verdicts derived from the above.

3. Why we use your data

  • To provide the Service: parse, score, rank, and present candidates.
  • To bill, support, and communicate with our customers.
  • To improve reliability, performance, and accuracy of the Service.
  • To detect abuse, fraud, and security incidents.
  • To comply with legal obligations (tax, audit, lawful requests).

We do not sell personal data, and we do not use candidate data to train foundation models for third parties.

4. Legal bases (GDPR / UK GDPR)

We rely on the following legal bases: contract (to deliver the Service to our customer), legitimate interest (to operate, secure, and improve the Service), consent (where required, e.g. marketing emails), and legal obligation (where law requires retention or disclosure). For candidate data, our customer is responsible for establishing the legal basis to process and share the data with us.

5. AI processing and automated decisions

Acticio uses machine-learning models — including third-party large language models — to analyse candidate evidence and produce scores, summaries, and verdicts. These outputs are intended as decision-support, not as automated decisions. Customers are contractually required to apply human review before rejecting or advancing any candidate. Where applicable laws (e.g. NYC Local Law 144, Illinois AIVIA, EU AI Act) require notice, audit, or opt-outs, our customer is responsible for compliance and Acticio provides the supporting tooling.

6. Sharing your data

We share data only with:

  • Sub-processors that power the Service: hosting (Vercel), database and storage (Supabase), background jobs (Upstash QStash), AI inference providers (Anthropic, OpenAI), email (Resend), and analytics. A current list is available on request at hello@acticio.com.
  • Professional advisors (lawyers, auditors) under confidentiality.
  • Authorities, when required by valid legal process. We push back on overbroad requests where lawful.
  • A successor in interest, in the event of a merger, acquisition, or asset sale, subject to equivalent privacy commitments.

7. International transfers

Our infrastructure is hosted in regions selected for performance and reliability and may include the United States, the European Union, and India. Where we transfer personal data out of the EEA, UK, or other regulated regions, we rely on Standard Contractual Clauses or equivalent safeguards.

8. Retention

Customer account data is retained while the account is active and for up to 30 days after deletion (longer where law requires). Candidate data is retained until the customer deletes the candidate, deletes the parent job, or closes their account. Anonymised aggregate analytics may be retained indefinitely.

9. Security

We encrypt data in transit (TLS 1.2+) and at rest. Access is restricted to a small number of authorised personnel under least-privilege controls, with audit logs. We perform regular backups and maintain an incident-response procedure. No system is perfectly secure; we will notify affected customers without undue delay if a breach occurs.

10. Your rights

Depending on your jurisdiction (GDPR, UK GDPR, India DPDP, CCPA, and similar), you may have the right to access, correct, delete, port, restrict, or object to processing of your personal data, and to lodge a complaint with a supervisory authority. To exercise these rights:

  • Customers: use the dashboard, or email hello@acticio.com.
  • Candidates: contact the employer that uploaded your data; we will support them in responding. If you cannot reach the employer, contact us and we will help locate the controller.

11. Cookies and tracking

We use a minimal set of strictly-necessary cookies for authentication and session management. We do not use third-party advertising cookies. Analytics, where used, are configured to respect Do-Not-Track signals and to anonymise IP addresses.

12. Children

The Service is not intended for anyone under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or via the dashboard at least 14 days before they take effect.

14. Contact

Questions, requests, or concerns? Email hello@acticio.com. See also our Terms of Service.