GDPR Compliance
HeadHonta is committed to protecting the privacy and rights of individuals in the European Economic Area and the United Kingdom under the EU General Data Protection Regulation (GDPR) and the UK GDPR.
Last updated: April 20, 2026
Lawful Basis for Processing
We process personal data under the following legal bases as required by Article 6 of the GDPR:
| Processing Activity | Lawful Basis | Details |
|---|---|---|
| Account creation and management | Contract performance | Necessary to provide the Service you signed up for. |
| AI candidate matching and scoring | Contract performance | Core feature of the Service as described at signup. |
| Product analytics | Legitimate interests | Improving service quality and user experience. You can opt out. |
| Transactional emails | Contract performance | Necessary for account verification, notifications, and alerts. |
| Marketing emails | Consent | Opt-in only. You can unsubscribe at any time. |
| Security monitoring and logs | Legitimate interests | Fraud prevention and protecting the Service and its users. |
| Legal compliance | Legal obligation | Where we are required to process data by applicable law. |
Your Rights Under GDPR
As a data subject, you have the following rights. We will respond to all valid requests without undue delay and in any event within one month of receipt, the period set by Article 12(3) of the GDPR. Where a request is complex, that period may be extended by up to two further months; if we need an extension, we will tell you within the first month and explain why.
Right of access
Request a copy of the personal data we hold about you.
Right to rectification
Request correction of inaccurate or incomplete personal data.
Right to erasure
Request deletion of your personal data ("right to be forgotten").
Right to restrict processing
Request that we limit how we use your data while a concern is being resolved.
Right to data portability
Receive your personal data in a structured, machine-readable format.
Right to object
Object to processing based on legitimate interests, including profiling.
Right to withdraw consent
Where processing is based on consent, withdraw it at any time without affecting prior processing.
Right to lodge a complaint
File a complaint with your local data protection supervisory authority.
Some rights can be exercised directly: candidates can export their data and request erasure from the candidate portal, rectify profile details through the relevant portal, and opt out of non-essential emails via the unsubscribe link in any such email. Account holders can delete their account from account settings. For any other request, email privacy@headhonta.com with the subject line "GDPR Request." We may need to verify your identity before processing your request.
Sub-Processors
We use the following sub-processors to deliver the Service. We execute Data Processing Agreements (DPAs) with our sub-processors (the Safeguards column records the current status for each) and will notify customers of any changes to this list. Interview transcription is handled by our own self-hosted speech-to-text service (faster-whisper) within our infrastructure and is not a third-party AI vendor.
| Sub-Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Railway | Application hosting and infrastructure (processes all platform data) | United States / EU | DPA, SCCs |
| Cloudflare R2 | File and CV storage | United States / EU | DPA, SCCs |
| OpenRouter | AI/LLM and embedding inference (gateway that routes prompts, including full CV text and profile data, to underlying model providers) | United States | DPA and SCCs requested; no-training requested, subject to the routed provider's terms |
| Resend | Transactional email delivery (candidate email address and message content) | United States | DPA, SCCs |
| Paystack | Billing and payment processing (recruiter payment data) | Nigeria / United States | DPA; Paystack is PCI-DSS compliant |
| Slack | Internal recruiter signup notifications | United States | DPA, SCCs |
| Mixpanel | Product analytics and session replay | United States | DPA, SCCs, EU data residency available |
| Nodge | Onboarding funnel analytics and drop-off detection (event-level, no session replay) | United States | DPA to be executed prior to production launch; SCCs on file |
"Safeguards" indicates the data-protection measures we require for each sub-processor and, where an agreement is still pending, the current status. Each sub-processor is bound by a DPA and, where personal data leaves the EEA/UK, by Standard Contractual Clauses as the transfer mechanism; entries marked "requested" or "to be executed" are not yet in force and are listed so that customers can see the current state of each relationship.
International Data Transfers
HeadHonta hosts and processes data in the United States and the European Union; individual sub-processors may also process data in the locations listed in the table above. When personal data is transferred outside the EEA/UK, we rely on:
- Standard Contractual Clauses (SCCs) — approved by the European Commission and required in our DPAs with sub-processors.
- Adequacy decisions — where the European Commission has determined a country provides adequate data protection.
- Supplementary measures — including encryption, access controls, and contractual protections assessed on a case-by-case basis.
Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to individuals, including:
- AI-powered candidate scoring and matching.
- Large-scale processing of candidate personal data.
- Integration with third-party job boards.
DPIAs are reviewed and updated when processing activities change or new risks are identified.
Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
- We will notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- We maintain detailed records of all breaches, including their effects and remediation actions taken.
Data Processing Agreements
Enterprise customers can request a Data Processing Agreement (DPA) that includes Standard Contractual Clauses. Contact us to get started.
For all GDPR-related inquiries, contact our privacy team at privacy@headhonta.com.