Valitron Privacy Policy

Effective date: 14 June 2025

Thank you for choosing Valitron ("Valitron", "we", "our", or "us"). We are an interviewing-as-a-service platform that allows recruiters and employers (collectively, "Recruiters") to invite job applicants ("Candidates") to complete an AI-conducted video interview. This Privacy Policy explains how YouMakr Ltd (UK company no. 10655849, registered address 6 London Road, Stanmore, HA7 4NZ, United Kingdom) collects, uses, discloses and safeguards personal data when anyone ("you") visits valitron.ai or uses our products, mobile or web applications, or related services (the "Services").

This Policy is written to satisfy:

  • UK GDPR and EU GDPR (Articles 12–14, 26 & 28)
  • US privacy laws including California CCPA/CPRA, Virginia CDPA, Colorado CPA, Connecticut and Utah privacy statutes, and FTC fair-practice guidance.

1. Who is responsible for your data?

Valitron — Controller (GDPR) / "Business" or "Controller" (U.S. states)

  • Operates the platform, hosts interview recordings, runs AI analysis, and maintains Recruiter accounts.
  • Improves and secures the Service.

Valitron — Processor (GDPR) / "Service Provider" or "Processor" (U.S. laws)

  • Processes Candidate recordings strictly on the written instructions of the Recruiter who organised the interview.

Recruiter — Independent Controller / Business

  • Decides whom to invite, sets job criteria, and evaluates shortlists.

A Data Processing Agreement (DPA) is incorporated into our Terms of Service. Recruiters are responsible for providing lawful notices to Candidates and for meeting their own privacy obligations.

2. Information we collect

2.1 Data you or your organisation provide directly

Account data (Recruiters)

— Name, business email, password, company name, industry, and whether you are a recruitment agency or direct employer.

Purpose: Create and manage accounts, authenticate users, and provide dashboards.

Billing data

— Credit/debit card details captured on Stripe's secure checkout pages (Valitron never sees full card numbers), billing address, and transaction IDs.

Purpose: Process payments, issue invoices, and detect fraud.

Interview inputs (Candidates)

— Video and audio feed, CV/résumé file, text or multiple-choice answers, suitability score, and AI-generated follow-up suggestions.

Purpose: Deliver to Recruiters, generate shortlists and feedback, and improve the product.

Communications

— Support requests, survey responses, and marketing opt-ins.

Purpose: Respond to inquiries, send service messages, and send occasional marketing (with an opt-out).

2.2 Data collected automatically

  • Usage logs & device data – IP address, browser/OS, referrer URL, pages viewed, and timestamps.
  • Analytics & session tools – Google Analytics, Mixpanel, Hotjar.
  • Cookies & similar technologies – see § 6.

2.3 Sensitive or special categories

We do not intentionally process biometric templates, union membership, health data, or other special-category data. If future features require such data, we will obtain explicit consent and update this Policy first.

3. Legal bases & business purposes

Provide and administer the Services (including interview hosting and scoring)

  • EU/UK GDPR legal basis: Art 6 (1)(b) – Contract
  • U.S. business purpose: "Perform services"

Record Candidate video/audio

  • EU/UK GDPR legal basis: Art 6 (1)(a) – Consent (Candidate agrees by continuing after seeing the notice)
  • U.S. business purpose: "Perform services"

Improve, debug, and secure the platform

  • EU/UK GDPR legal basis: Art 6 (1)(f) – Legitimate interests
  • U.S. business purpose: "Internal operations"

Send marketing newsletters (Recruiters only)

  • EU/UK GDPR legal basis: Art 6 (1)(a) – Consent / soft opt-in
  • U.S. business purpose: "Advertising/marketing"

Comply with legal and tax obligations

  • EU/UK GDPR legal basis: Art 6 (1)(c)
  • U.S. business purpose: "Comply with law"

You may withdraw consent or object to processing at any time (see § 9).

4. How we disclose or share data

We do not sell or share personal data for cross-context behavioural advertising and have no past disclosures for such purposes. We disclose data only to the following:

Stripe Payments Europe Ltd.

Payment processor

Location: Ireland / Global

Safeguard: DPA + Standard Contractual Clauses (SCCs)

Vercel Inc.

Cloud hosting & CDN

Location: United States, EU & global edge nodes

Safeguard: SCCs

OpenAI L.L.C.

Audio transcription & language model

Location: United States

Safeguard: SCCs

Analytics providers

Google LLC, Mixpanel Inc., Hotjar Ltd. (Product analytics & UX diagnostics)

Location: United States, EU

Safeguard: SCCs & IP anonymisation

A current list of sub-processors is available at valitron.ai/sub-processors and is incorporated by reference.

5. International Transfers

We are UK-based but use suppliers in the United States and other jurisdictions. Where GDPR applies and data leaves the UK/EEA, we rely on Standard Contractual Clauses (2021/914/EU & UK Addendum) or an adequacy decision.

6. Cookies and Tracking Technologies

Valitron uses first-party and third-party cookies and similar technologies to:

  • maintain secure log-in sessions;
  • collect aggregate analytics;
  • remember user preferences.

Where required by law, we display a cookie banner seeking consent before non-essential cookies are placed. You can change preferences in your browser or via the banner. See our separate Cookie Notice for details.

7. Security Measures

We employ appropriate technical and organisational measures, including:

  • Encryption – TLS 1.2+ in transit; AES-256 (or better) at rest where supported by our providers;
  • Role-based access controls and multi-factor authentication for staff accounts;
  • Regular vulnerability scanning and logging;
  • Data minimisation – videos auto-delete after 30 days by default;
  • Incident response plan – we notify relevant supervisory authorities and affected users without undue delay if legally required.

No internet transmission or storage system is 100% secure, but we work to keep risk proportionate to the data processed.

8. Data Retention

Candidate video recordings

— Retained for 30 days after the interview.

Deletion method: Automatic deletion with encryption-key destruction.

AI suitability scores & metadata

— Retained until the Recruiter deletes the Candidate record.

Deletion method: Secure logical delete.

Recruiter account data

— Retained while the account is active plus six years for tax/audit purposes.

Deletion method: Secure deletion and archival purge.

If we need to retain data longer (e.g., to resolve disputes or comply with legal obligations), we will restrict processing and erase the data when no longer required.

9. Your Rights

9.1 EU/UK Data Subjects

You have the rights to access, correct, erase, restrict, object, port data, and not be subject to a solely automated decision that significantly affects you (GDPR Arts 15–22).
To exercise these rights, email hey@valitron.ai with "GDPR Request" in the subject. We will respond within one month, God willing.

You also have the right to lodge a complaint with the UK ICO or your local EU supervisory authority.

9.2 California, Virginia, Colorado, Connecticut & Utah Residents

You may:

  1. Know the categories and specific pieces of personal information we have collected;
  2. Delete personal information (subject to exceptions);
  3. Correct inaccurate personal information;
  4. Opt out of targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects (we currently do none of these);
  5. Port your data in a usable format;
  6. Appeal a refusal (VA/CO/CT).

Submit requests via hey@valitron.ai with "Privacy Rights Request" in the subject or via the dashboard (account holders).
We will verify your identity and respond within 45 days (extendable once by 45 days).
We will not discriminate against you for exercising your rights.

Authorized agents may submit requests by providing signed permission and proof of identity.

10. Automated Decision-Making & Profiling

Our AI interviewer produces a suitability score and recommended follow-up areas for each Candidate. While Recruiters ultimately decide whom to shortlist, Candidates may:

  • request an explanation of the significant logic involved;
  • ask for human review of any decision that relies solely on automated processing.

11. Children's Privacy

The Services are not directed to individuals under 16. We do not knowingly collect personal data from children. Recruiters must not invite minors without ensuring lawful grounds and any required parental consent.

12. Changes to This Policy

We may update this Policy occasionally. Material changes will be announced by email (Recruiters) and via a notice on our website at least 10 days before they take effect.

Continuing to use the Services after the effective date constitutes acceptance.

13. Contact

YouMakr Ltd

Attn: Privacy Team

6 London Road

Stanmore, HA7 4NZ, United Kingdom

E-mail: hey@valitron.ai

Last updated: 14 June 2025