Privacy Policy
Effective Date: March 9, 2026 · Last Updated: June 8, 2026 · Version: 2026-06-08
1. Introduction
HeadHonta ("we," "us," or "our") operates the HeadHonta platform, an AI-powered talent operations service. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website and services (collectively, the "Service").
By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.
2. Information We Collect
2.1 Information You Provide
- Account data — name, email address, and hashed password when you create an account.
- Organisation data — company name, team member invitations, and role assignments.
- Candidate data — resumes, CVs, candidate profiles, pipeline stages, notes, and evaluation scores that you upload or create.
- Job postings — job descriptions, templates, and posting preferences.
- Communications — messages you send us via email or support channels.
2.2 Information Collected Automatically
- Usage data — pages visited, features used, actions taken, and timestamps.
- Device data — IP address, browser type, operating system, and screen resolution.
- Analytics — we use Mixpanel to understand how users interact with the Service, including session replays of UI interactions (no keystrokes or form input content are recorded). We also use Nodge to measure onboarding funnel progress and detect drop-offs; Nodge receives event-level data only (stage name, timestamps, and field-level error reasons) and does not record session replays or form input content.
2.3 Information from Third Parties
- Job board integrations — when you connect Indeed, LinkedIn, or Glassdoor, we receive application data and posting status from those platforms.
3. How We Use Your Information
- Provide, operate, and maintain the Service.
- Power AI features including candidate matching, scoring, CV analysis, and talent sourcing.
- Send transactional emails (account verification, notifications, password resets).
- Analyse usage to improve the Service.
- Enforce our Terms of Service and prevent fraud.
- Comply with legal obligations.
4. Legal Basis for Processing (EU/UK Users)
If you are located in the European Economic Area or the United Kingdom, we process your data under the following legal bases:
- Contract performance — processing necessary to provide the Service you signed up for.
- Legitimate interests — improving the Service, preventing fraud, and ensuring security.
- Consent — where required, such as for analytics and marketing communications.
- Legal obligation — when we are required to process data by law.
5. How We Share Your Information
We do not sell your personal data. We share data only in these circumstances:
- Service providers — to operate the Service, we use cloud hosting and infrastructure (Railway), file and CV storage (Cloudflare R2), email delivery (Resend), billing (Paystack), recruiter signup notifications (Slack), analytics (Mixpanel and Nodge), and AI processing via OpenRouter (an LLM gateway that routes prompts to underlying model providers). See our full sub-processor register.
- Job board partners — when you choose to post jobs to Indeed, LinkedIn, or Glassdoor.
- Legal requirements — when required by law, court order, or governmental regulation.
- Business transfers — in connection with a merger, acquisition, or sale of assets.
- With your consent — in any other case, only with your explicit permission.
6. AI and Automated Processing
HeadHonta uses AI to provide features such as candidate matching, CV analysis, and talent scoring. We access large language and embedding models through OpenRouter, an AI gateway that routes prompts to underlying model providers. When you use these features:
- Candidate data (including CV text and profile information) is sent to OpenRouter, which forwards it to the model provider that serves the request. Processing is subject to OpenRouter's privacy terms and those of the routed provider.
- We do not use your data to train our own models. We request that our AI providers not use prompts or outputs to train their models; whether this is contractually guaranteed depends on the specific provider that OpenRouter routes the request to.
- AI-generated outputs (scores, matches, summaries) are suggestions — humans make all final hiring decisions.
7. Data Retention
We retain your personal data for as long as your account and the recruiter relationship require it, or until you request its deletion. We do not enforce a fixed maximum retention period by default; instead:
- Account and candidate data is retained until you delete your account or request erasure of specific records.
- Optional, configurable retention controls are available to automatically purge candidate data after a period you choose. These controls are off by default.
- Where enabled, the original copies of uploaded documents (such as CV files) are deleted after a configurable period, while the information extracted from them (for example, parsed CV text and analysis) is retained as part of the candidate record.
- When data is deleted, copies in routine backups are overwritten as those backups age out of rotation.
- We may retain limited data for as long as required by law (e.g., billing records).
8. Your Rights
All Users
- Access, correct, or delete your personal data.
- Export your data in a machine-readable format.
- Withdraw consent at any time.
EU/UK Users (GDPR / UK GDPR)
- Right to erasure ("right to be forgotten").
- Right to restrict processing.
- Right to data portability.
- Right to object to processing.
- Right to lodge a complaint with your local supervisory authority.
California Users (CCPA/CPRA)
- Right to know what personal information is collected.
- Right to delete personal information.
- Right to opt out of the sale or sharing of personal information. We do not sell your data.
- Right to non-discrimination for exercising your rights.
Nigerian Users (NDPA)
- Right to access and rectification.
- Right to deletion.
- Right to data portability.
- Right to object to processing.
- Right to withdraw consent.
How to Exercise Your Rights
- Export your data — candidates can export their personal data and request erasure directly from the candidate portal.
- Correct your data — you can rectify profile information through the relevant portal or account settings.
- Opt out of emails — use the unsubscribe link in any non-essential email to opt out at any time.
- Account deletion — account holders can delete their account from account settings.
- All other requests — for any right not available as a self-service action above, email privacy@headhonta.com.
We will respond to requests sent to our privacy team within 30 days. We may need to verify your identity before processing a request.
9. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence. We ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions where applicable.
- Data processing agreements, which we require with our sub-processors.
10. Security
We implement industry-standard security measures to protect your data, including encryption in transit (TLS 1.2+), encryption at rest, secure password hashing (bcrypt), and role-based access controls. For more detail, see our Security page.
11. Children's Privacy
The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly.
12. Cookies and Tracking
For full details, see our dedicated Cookie Policy. In summary, we use the following types of cookies:
- Essential cookies — required for authentication, session management, and core functionality. These cannot be disabled without breaking the Service.
- Functional cookies — remember your preferences such as sidebar state and cookie consent choice.
- Analytics cookies — Mixpanel for usage analytics and session replay, and Nodge for onboarding funnel measurement (event-level only; no keystrokes, form input content, or session replays are recorded by Nodge). You can opt out of non-essential analytics via the cookie consent banner.
When you first visit HeadHonta, a cookie consent banner lets you accept or decline non-essential cookies. Your choice is remembered for future visits. You can also manage cookie preferences through your browser settings, but disabling essential cookies may prevent the Service from functioning correctly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service at least 30 days before the changes take effect.
14. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
- Email: privacy@headhonta.com
- General: info@headhonta.com