TalntlyTalntly

Privacy Policy

Last updated: 2026-04-22

1. Who we are

Talntly ("we", "us", "our") is an applicant-tracking platform operated by Talntly, a recruiting-technology company. This Privacy Policy describes how we collect, use, and share information when you use the Talntly web application, our websites at talntly.co, and any connected product experiences (together, the "Services").

If you have questions, contact us at privacy@talntly.co.

2. Information we collect

  • Account information — name, email address, organisation name, role, password hash, language, and timezone.
  • Candidate and company data — any data about candidates, companies, jobs, placements, and notes that your organisation adds to the Services.
  • Usage data — pages visited, actions taken, IP address, user agent, and timestamps used to operate and secure the product.
  • Billing information — if you upgrade to a paid plan, handled by our payment processors; we never store raw card numbers.
  • Content you upload — resumes, cover letters, attachments, and profile media stored in encrypted object storage.
  • Information from connected integrations — see Section 5 for specific scopes (Google, Zoom, Indeed).

3. How we use information

  • Provide, maintain, and improve the Services.
  • Authenticate users, enforce access controls, and prevent fraud or abuse.
  • Support your recruiting workflows (search, pipeline, scheduling, messaging).
  • Send transactional email (invitations, password resets, notifications you have opted into).
  • Generate analytics that are visible only to your organisation and, in aggregate and de-identified form, to us for product research.
  • Comply with legal obligations and defend our legal rights.

We never sell personal information and never use candidate data to train third-party AI models.

4. Legal bases (GDPR)

Where the GDPR applies, we process personal data under these lawful bases:

  • Contract — to deliver the Services you have requested.
  • Legitimate interests — product security, fraud prevention, and limited, anonymous product analytics.
  • Consent — for optional cookies, marketing communications, and specific integrations you choose to connect.
  • Legal obligations — to respond to lawful requests and retain records required by law.

5. Google API Services User Data

Talntly's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

When you connect Google Calendar / Google Meet, Talntly requests only the scopes strictly needed to run the product:

  • https://www.googleapis.com/auth/calendar.events — to create, update, and delete the calendar events you schedule inside Talntly (interviews, follow-ups). We do not modify events we did not create.
  • https://www.googleapis.com/auth/calendar.readonly — to support two-way sync, so changes you make directly in Google Calendar (reschedules, cancellations) flow back into Talntly. We only read events tagged with a Talntly identifier (extendedProperties.private.talntlyOrgId); personal events that coexist on the same calendar are filtered out server-side and never stored in our database.
  • https://www.googleapis.com/auth/calendar.freebusy — to show interviewer availability inside Talntly when scheduling a panel. Only free/busy metadata is retrieved; no event details are exposed.
  • openid, email, profile — to identify the connected Google account and display your email in the connected-account state.

We use Google user data solely to provide user-facing features. We do not sell it, transfer it to third parties (except to our sub-processors solely to operate the Services — see Section 9), use it for advertising, or train AI models on it. Access tokens and refresh tokens are encrypted at rest with AES-256-GCM.

You can revoke access at any time by disconnecting inside Talntly (Settings → Integrations) or from your Google account at myaccount.google.com/permissions. When revoked, Talntly stops all calendar sync and wipes the locally stored tokens. Events already written to your calendar are not deleted.

6. Zoom integration

If you connect Zoom, Talntly requests permission to create, read, update, and delete Zoom meetings associated with your account so that scheduling an interview inside Talntly automatically provisions a Zoom meeting with a passcode and waiting room. Optional scopes allow us to import meeting recordings and transcripts into the candidate file, where they are used exclusively to help your team review interviews. Recording imports respect your organisation's storage policy (link-only by default; download-to-MinIO opt-in). You can disconnect Zoom at any time, which revokes the refresh token and stops further imports.

7. Indeed integration

If your organisation enables Indeed distribution, Talntly publishes the public fields of your jobs to Indeed's public XML feed and receives applications via Indeed Apply webhooks (which are HMAC-verified). Applicants who apply via Indeed become Candidates in Talntly with the source tagged "Indeed Apply". We transmit hiring outcomes (hired, rejected, withdrawn) back to Indeed only for candidates originally sourced via Indeed, as required by the Indeed Partner Program.

8. Data retention

Candidate and company data persists for as long as your organisation's Talntly account is active. When you close the account, we delete personal data within 30 days, with the exception of audit logs retained up to 90 days for security and legally required records. You can request immediate deletion via privacy@talntly.co.

9. Sub-processors

We use a small number of vendors to operate the Services:

  • Contabo (hosting, EU/DE)
  • Anthropic (AI — Claude, powering our Neo assistant)
  • Resend (transactional email delivery)
  • Google (for customers who connect Google Calendar / Meet)
  • Zoom (for customers who connect Zoom)
  • Indeed (for customers who publish to Indeed)

A current list is available on request. We do not share personal information with third parties for their own marketing purposes.

10. Your rights

Depending on your location, you may have rights to access, correct, export, or delete your personal information; to object to or restrict our processing of it; and to withdraw consent. Submit a request to privacy@talntly.co and we will respond within 30 days. In-product self-service for export and deletion is available under Settings → Data Requests.

11. Security

We encrypt data in transit (TLS 1.2+) and at rest. Third-party integration tokens are wrapped with AES-256-GCM. Access to production systems is limited to a small set of engineers with hardware-key-enforced SSH. Webhook payloads are HMAC-verified against raw bytes. We do not use your data to train external AI models.

12. Children

Talntly is not directed to children under 16 and we do not knowingly collect data from them.

13. Changes

We may update this Privacy Policy; the "Last updated" date above reflects the most recent revision. Material changes will be communicated by email to account owners at least 14 days in advance.

14. Contact

Questions, complaints, or data-subject requests: privacy@talntly.co.