TuraHire

Privacy Policy

Last updated: March 20, 2026

1. Information We Collect

We collect information that you provide directly to us, including:

  • Account Information: Name, email address, and password when you register.
  • Candidate Data: Resumes (PDF/DOCX), biographical details, and professional history uploaded to the platform. Please note that we do not intentionally collect sensitive personal data (such as health, race, or religion), but such information may be included in documents you choose to upload. Protected Health Information (PHI) governed by HIPAA is strictly prohibited from being uploaded to the Service.
  • Payment Information: If you purchase a subscription, our third-party payment processors (e.g., Stripe) will collect your billing information. We do not store full credit card numbers on our servers.
  • Usage Data: Interactions with our dashboard, job postings, and search queries.
  • Communications: Support requests and feedback you send to us.

2. Our Role (Data Controller vs. Data Processor)

Under applicable data protection laws (such as GDPR and CCPA), TuraHire acts in two different capacities depending on the type of data:

  • Data Controller: We act as the Data Controller for your Account Information, Usage Data, and Billing Information. We determine the purposes and means of processing this data to manage your account and improve our Service.
  • Data Processor: We act as a Data Processor for the Candidate Data (resumes, profiles, interview notes) you upload or connect to our platform. You (the employer) act as the Data Controller for Candidate Data. We process Candidate Data strictly according to your instructions and our Terms of Service (including our Data Processing Agreement).

3. Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we rely on the following legal bases for processing your personal data:

Data Type | Legal Basis (GDPR Art. 6)
Account Information | Contractual necessity (Art. 6(1)(b))
Candidate Data | Legitimate interest of the employer (Art. 6(1)(f)) / Consent where required
Payment Information | Contractual necessity (Art. 6(1)(b))
Usage Data | Legitimate interest (Art. 6(1)(f))
Communications | Legitimate interest (Art. 6(1)(f))
Connected Account Data (Google, Outlook, Box) | Consent (Art. 6(1)(a))

For details on how we process data on your behalf, please see our Data Processing Agreement.

4. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our recruitment services
  • Parse resumes and match candidates to job requirements using algorithms
  • Process transactions and send related information
  • Send you technical notices, updates, and support messages
  • Respond to your comments and questions
  • Analyze trends and usage of our services

5. AI and Automated Processing

TuraHire utilizes advanced Artificial Intelligence (AI) and Large Language Model (LLM) technologies to provide core features such as resume parsing, candidate summarization, and job matching.

  • AI Provider: We use Google Gemini API for resume parsing, candidate analysis, and job matching. Resume content inherently contains personally identifiable information (names, emails, phone numbers, work history). While we configure our integration to prevent training on your data, the content is transmitted to Google for processing. For details on Google's data handling practices, please see Google Cloud Privacy Notice.
  • No Training on Your Data: We configure our integrations to ensure that your private data is not used by our AI providers to train their general public models.
  • Decision Making: While our AI provides rankings and recommendations, it does not make automated legal or hiring decisions. The Service provides recommendations only. The final hiring decision is always made by a human user. All hiring decisions remain the sole responsibility of the user.
  • Fairness and Opt-Out: We are committed to fairness. If you believe an AI-generated recommendation has unfairly impacted your application, you may request a manual review by contacting us.

6. Third-Party Integrations and Connected Accounts

TuraHire allows you to connect third-party accounts (such as Google Workspace, Gmail, or Box) via our integration partner, Composio, to facilitate seamless recruitment workflows, such as importing candidate resumes directly from your email or cloud storage.

  • Data Access & Usage: When you connect a third-party account, we only access the specific data you authorize (e.g., reading emails with resume attachments or specific files) necessary to provide the service. We do not use this data for any other purpose.
  • Integration Partner (Composio): We use Composio to securely manage these connections. Your authentication tokens and connected account data are processed securely in accordance with Composio's Privacy Policy.
  • Google API Services Usage Disclosure: TuraHire's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
  • Revoking Access: You may disconnect these accounts and revoke access at any time through your TuraHire account settings or directly through the third-party provider's security settings.
  • Data Retention for Connected Accounts: Data imported from connected third-party accounts (such as Google Drive files or Gmail attachments) is retained only for the duration of the active connection. When you disconnect a third-party account, all imported data from that source is queued for deletion and permanently removed from our production systems within 30 days. You may also request immediate deletion by contacting us.
  • Detailed Google API Disclosure: For a detailed explanation of what Google APIs TuraHire uses, what data we access, and how we handle it, see our Google API Services Disclosure.

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track the activity on our Service and hold certain information.

  • Essential Cookies: Required for the operation of the Service, such as secure login and session management.
  • Analytics Cookies: Help us understand how you use our Service so we can improve it.
  • Cookie Management: You can manage your cookie preferences by adjusting your browser settings. Note that disabling essential cookies may impact the functionality of the Service. Most web browsers allow you to control cookies through their settings. We provide a cookie consent banner on first visit that allows you to accept or decline non-essential cookies.

8. Data Storage and Security

We use industry-standard security measures to protect your personal information. Your data is stored on secure cloud infrastructure providers and encrypted both in transit (TLS/SSL) and at rest. We proudly partner with vendors and integration platforms (such as Supabase, Pinecone, and Composio) that maintain industry-leading security posture, including compliance with SOC 2 Type II and ISO 27001:2022 standards.

Data Retention: We retain your information for the duration of your active account. Upon account closure, all personally identifiable information (PII) is permanently deleted from our production systems within 30 days, and from backup systems within 90 days. Data transmitted to third-party AI providers (Google Gemini) is processed according to their data retention policies (see Google Cloud Privacy Notice). Anonymized, aggregated data used for service improvement may be retained indefinitely.

Data Breach Notification: In the event of a confirmed security breach affecting your personal data, we will notify you within seventy-two (72) hours of discovery, in accordance with applicable data protection regulations including GDPR and CCPA.

9. Sharing of Information

We do not share your personal information with third parties except as described below:

  • No Sale of Data: We do not sell your personal information. We do not share your personal information with third parties for their direct marketing purposes or for cross-context behavioral advertising.
  • AI Service Providers: We use Google Gemini API for resume parsing and candidate analysis. Resume content inherently contains personally identifiable information. This data is transmitted to Google for processing as described in Section 5. We configure our integration to prevent training on your data.
  • Service Providers: With vendors and consultants who need access to such information to carry out work on our behalf (e.g., payment processing, hosting).
  • Vector Database: We use Pinecone for storing vector embeddings that enable semantic search and candidate matching. This data is processed according to Pinecone's Privacy Policy.
  • Embedding Services: We use Voyage AI to generate vector embeddings from resume content for similarity matching and candidate ranking, processed according to Voyage AI's Privacy Policy.
  • Database Hosting: We use Supabase for secure database hosting and authentication services, processed according to Supabase's Privacy Policy.
  • Authentication Services: We use Clerk for secure user authentication and session management, processed according to Clerk's Privacy Policy.
  • Legal Requirements: In response to a request for information if we believe disclosure is in accordance with any applicable law, regulation, or legal process.
  • Protection of Rights: If we believe your actions are inconsistent with our user agreements or policies, or to protect the rights, property, and safety of TuraHire or others.

10. International Data Transfers

TuraHire's infrastructure is primarily hosted in the United States. If you or your candidates are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, your data will be transferred to and processed in the United States and other locations where our sub-processors operate.

To ensure adequate protection for these cross-border data transfers, we rely on legally approved transfer mechanisms, including the European Commission's approved Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum.

11. Your Rights

Depending on your location, you may have the right to:

  • Access and update your personal information.
  • Request deletion of your personal information.
  • Object to the processing of your personal information.
  • Export your data in a portable format.

Response Timelines: We will respond to verified data subject access requests within thirty (30) days for requests under GDPR, and within forty-five (45) days for requests under CCPA/CPRA. If additional time is needed, we will notify you of the extension and the reasons for the delay.

California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights regarding your personal information under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You may request the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request the deletion of your personal information, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt-Out: We do not sell or share your personal information for cross-context behavioral advertising. However, you have the right to opt out if our practices change.
  • Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise any of these rights, please contact us using the information provided in the "Contact Us" section.

Categories of Personal Information Collected

Category | Examples | Collected
Identifiers | Name, email address, account ID | Yes
Professional Information | Resume content, work history, skills, education | Yes
Internet Activity | Usage data, search queries, interaction logs | Yes
Commercial Information | Subscription plan, billing history | Yes
Geolocation Data | IP-derived approximate location | Yes
Sensitive Personal Information | Not intentionally collected | No

Right to Lodge a Complaint

If you are located in the European Economic Area, you have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your personal data violates applicable law. A list of EU data protection authorities can be found at edpb.europa.eu.

Automated Decision-Making (GDPR Article 22)

Our AI-powered features provide recommendations and rankings to assist human decision-makers. We do not make solely automated decisions that produce legal effects or similarly significant effects on individuals. You have the right to request human intervention, express your point of view, and contest any decision that you believe was unduly influenced by automated processing. To exercise this right, contact us at the address provided in the Contact section below.

12. Children's Privacy

Our Service is not intended for use by children under the age of 13 (or 16 where applicable by law). We do not knowingly collect personally identifiable information from children. If you become aware that a child has provided us with Personal Data, please contact us immediately so we can take steps to remove that information.

13. Changes to this Policy

We may change this Privacy Policy from time to time. If we make changes, we will notify you by revising the date at the top of the policy and, in some cases, we may provide you with additional notice (such as adding a statement to our homepage or sending you a notification).

14. Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of the State of California, United States, without regard to its conflict of law provisions.

15. Contact Us & Data Protection Officer

If you have any questions about this Privacy Policy, or to exercise your data protection rights, please contact our Data Protection Officer at:

Data Protection inquiries: privacy [at] turahire.com

General inquiries: admin [at] turahire.com

Data Processing Agreement: View our DPA