1. Who We Are
Grapphen. ("Grapphen", "we", "us", "our") operates the website at www.grapphen.com and the Grapphen AI-powered Applicant Tracking System (the "Platform"). This Privacy Policy applies to all personal data we process in connection with these services.
Data Controller (EEA / UK): Grapphen.
Registered Address: 000, Kurugonda, Ojili, Nellore, Andhra Pradesh-524402
Data Protection Officer: dpo@grapphen.com
Privacy Inquiries: privacy@grapphen.com
2. Data We Collect
We collect personal data in the following categories depending on your relationship with us:
| Category | Examples | Source |
|---|---|---|
| Identity Data | Full name, username, job title | You directly |
| Contact Data | Email address, phone number, postal address | You directly |
| Account Data | Login credentials, account preferences, subscription tier | You directly |
| Candidate Data | CV/resume, work history, education, skills, assessment results, interview notes, video interview recordings | Candidates & recruiter clients |
| Usage Data | Pages visited, features used, clicks, session duration, device type, browser | Automated (cookies/logs) |
| Technical Data | IP address, device identifiers, log files | Automated |
| Communications Data | Emails, messages, support tickets sent to us | You directly |
| Financial Data | Billing information (processed by PCI-DSS-compliant payment processors; we do not store raw card numbers) | You directly |
| Special Categories | We do not knowingly request or process sensitive personal data (race, religion, health, etc.) unless legally required or with your explicit consent | N/A |
3. How We Use Your Data
- Providing, maintaining, and improving the Platform and related services
- Processing job applications and candidate profiles on behalf of our recruiter clients
- Running AI-powered resume screening, candidate scoring and matching, with human oversight
- Processing payments and managing subscriptions
- Sending transactional communications (account confirmations, product updates, security alerts)
- Sending marketing communications where you have opted in or we have a legitimate interest
- Providing customer support and responding to inquiries
- Complying with legal obligations and regulatory requirements
- Detecting and preventing fraud, security incidents, and misuse
- Conducting research and analytics to improve our AI models and product
- Enforcing our Terms of Service and other agreements
4. Legal Basis for Processing (GDPR & UK GDPR)
Under GDPR (EU) 2016/679 and the UK Data Protection Act 2018, we rely on the following legal bases:
| Legal Basis | When We Use It |
|---|---|
| Performance of a Contract (Art. 6(1)(b)) | Creating and managing your account, processing payments, delivering the Platform |
| Legitimate Interests (Art. 6(1)(f)) | Fraud prevention, security, direct marketing to existing customers, product analytics, improving AI models |
| Legal Obligation (Art. 6(1)(c)) | Tax records, regulatory compliance, responding to lawful requests from authorities |
| Consent (Art. 6(1)(a)) | Marketing emails to non-customers, cookies and tracking technologies, processing sensitive data |
| Vital Interests (Art. 6(1)(d)) | Rare emergency situations where processing is necessary to protect someone's life |
Where we rely on legitimate interests, you have the right to object. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests or rights.
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
5. Sharing & Disclosure
We may share your personal data with the following categories of recipients:
- Service Providers (Data Processors): Cloud hosting (e.g., AWS), analytics platforms, email delivery services, payment processors, all bound by Data Processing Agreements (DPAs) meeting GDPR standards.
- Our Corporate Group: Subsidiaries and affiliates that assist in delivering our services, subject to internal data governance policies.
- Business Clients (Recruiters): When you submit a job application through a Grapphen-powered portal, your data is processed on behalf of that recruiter/employer.
- Legal & Regulatory Authorities: Courts, law enforcement, or regulatory bodies when required by applicable law or to protect our legal rights.
- Professional Advisors: Lawyers, auditors, and insurers under strict confidentiality obligations.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, subject to appropriate confidentiality arrangements.
We do not sell personal data to third parties for their own marketing purposes. Any sharing with third parties is conducted under appropriate contractual safeguards.
6. Security Framework (SOC 2 Type II / ISO 27001)
Our security program encompasses the following controls:
- Encryption: AES-256 at rest and TLS 1.2+ in transit for all personal and candidate data.
- Access Controls: Role-based access control (RBAC), principle of least privilege, multi-factor authentication for all internal systems.
- Audit Logging: Comprehensive, immutable audit logs for all access to personal data, meeting SOC 2 CC7 and ISO Annex A.12.4 requirements.
- Vulnerability Management: Regular penetration testing, static and dynamic code analysis, and a responsible disclosure program.
- Incident Response: Documented incident response plan. We will notify affected users and supervisory authorities within 72 hours of discovering a breach, as required by GDPR Art. 33.
- Business Continuity: Geo-redundant infrastructure with RPO of 1 hour and RTO of 4 hours.
- Vendor Management: All third-party processors are assessed for security compliance before engagement and monitored annually.
- Employee Training: Mandatory annual security awareness and data privacy training for all staff.
A copy of our SOC 2 Type II report is available to enterprise customers under NDA upon request at privacy@grapphen.com.
7. Data Retention Rules
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Our default retention periods are:
| Data Type | Retention Period | Basis |
|---|---|---|
| Active account data | Duration of contract + 6 months | Contract performance |
| Candidate application data | Up to 2 years from last activity (or as directed by recruiter client) | Legitimate interests; legal compliance |
| Video interview recordings (AI analysis) | 90 days unless client extends (Illinois AIVIA: consent-based; max 1 year) | Consent (Illinois); legitimate interest |
| Financial / billing records | 7 years | Tax and accounting law |
| Security and access logs | 12 months (rolling) | SOC 2 / ISO 27001 |
| Marketing consent records | Until consent is withdrawn + 3 years | Legal basis evidence |
| Support communications | 3 years from resolution | Legitimate interests (quality / dispute) |
| Website analytics (cookies) | 26 months maximum | Consent (GDPR) / Legitimate interests |
| Employment records (for OFCCP / EEOC) | Minimum 2 years from hire/rejection date | 41 CFR Part 60; 29 CFR Part 1602 |
| FCRA consumer reports | 5 years from decision date | 15 U.S.C. § 1681 et seq. |
Upon expiry of the applicable retention period, we securely delete or anonymise your personal data so it can no longer be associated with you. Data deleted on your request is removed within 30 days (or as soon as technically feasible, and no later than the timelines required by applicable law).
8. Your Privacy Rights
Depending on where you are located, you may have the following rights regarding your personal data:
- Request a copy of the personal data we hold about you and information about how we process it.
- Request correction of inaccurate or incomplete personal data.
- Request deletion of your personal data where we no longer have a lawful basis to retain it ("right to be forgotten").
- Request that we limit processing of your personal data in certain circumstances.
- Receive your data in a structured, machine-readable format (GDPR / UK GDPR).
- Object to processing based on legitimate interests or direct marketing.
- Not be subject to solely automated decisions that produce significant legal effects (GDPR Art. 22; EU AI Act).
- California residents: opt out of the sale or sharing of personal information (CCPA/CPRA).
- Not be discriminated against for exercising your privacy rights.
- File a complaint with the relevant supervisory authority (EEA, UK ICO, or state AG).
To exercise any of these rights, submit a verifiable request to privacy@grapphen.com. We will respond within 30 days (GDPR) or 45 days (CCPA), with a possible single 45-day extension where necessary. We will never require you to create an account to make a request.
9. California Privacy Rights (CCPA / CPRA)
California residents have the following additional rights:
- Right to Know (Specific Pieces): Request the specific pieces of personal information we have collected about you.
- Right to Delete: Request deletion of personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale / Sharing: We do not "sell" personal information as defined under CCPA. We do not share personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: Restrict the use of sensitive personal information to specified business purposes.
- Right to Non-Discrimination: We will not deny services, charge different prices, or provide lesser quality services for exercising your rights.
Categories of Personal Information Collected (Last 12 Months)
| Category (Cal. Civ. Code § 1798.140) | Collected? | Business Purpose |
|---|---|---|
| Identifiers (name, email, IP) | Yes | Account management, security |
| Customer records (billing, employment) | Yes | Contract fulfilment |
| Protected classifications (age, gender; candidates only) | Limited | EEOC / legal compliance only |
| Commercial information (subscriptions) | Yes | Billing, customer service |
| Internet / network activity (usage logs) | Yes | Security, analytics |
| Geolocation data | No | N/A |
| Sensory / audio (video interviews) | Conditional | AI screening (with consent) |
| Professional / employment information | Yes | Recruitment platform core function |
| Education information | Yes | Candidate matching |
| Inferences (AI-generated candidate scores) | Yes | Recruitment matching, with human review |
To exercise your California rights, submit a request to privacy@grapphen.com with "California Privacy Request" in the subject line. We will verify your identity before fulfilling requests.
You may also designate an authorised agent to submit a request on your behalf; the agent must provide written proof of authorisation and you must verify your identity directly with us.
Our Shine the Light disclosure: we do not disclose personal information to third parties for direct marketing purposes.
10. Emerging US State Privacy Laws
We extend the rights below to residents of the following states, consistent with their applicable laws:
| State | Law | Effective |
|---|---|---|
| Virginia | VCDPA | Jan 1, 2023 |
| Colorado | CPA | Jul 1, 2023 |
| Connecticut | CTDPA | Jul 1, 2023 |
| Utah | UCPA | Dec 31, 2023 |
| Texas | TDPSA | Jul 1, 2024 |
| Florida | FDBR | Jul 1, 2024 |
| Oregon | OCPA | Jul 1, 2024 |
| Montana | MCDPA | Oct 1, 2024 |
Residents of these states have rights to access, correct, delete, and opt out of certain processing activities ("targeted advertising", "sale" of personal data, "profiling"). To exercise these rights, contact privacy@grapphen.com. Appeals of denied requests may be submitted to the same address and will be reviewed within 60 days.
11. Fair Credit Reporting Act (FCRA)
To the extent Grapphen or our clients use consumer reports (background checks, credit checks) furnished by consumer reporting agencies (CRAs) in employment or tenancy-related decisions, we comply with the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.):
- Permissible Purpose: Consumer reports are obtained only for permissible purposes, including employment screening with prior written authorisation from the consumer.
- Disclosure & Authorisation: Before procuring a report, employers must provide a clear, standalone disclosure and obtain written consent from the applicant/employee.
- Adverse Action: Before taking adverse action (e.g., not hiring) based on a consumer report, the employer must: (a) provide a copy of the report to the individual; (b) provide a Summary of Rights under the FCRA; and (c) allow a reasonable time to dispute inaccuracies.
- Accuracy: We require our client employers and any CRAs we integrate with to maintain reasonable procedures to ensure accuracy of consumer reports.
- Retention: Records related to consumer report-based employment decisions are retained for at least 5 years.
- Dispute Resolution: If you believe information in a consumer report is inaccurate, you may dispute it directly with the CRA. Contact us at privacy@grapphen.com if you need assistance identifying the applicable CRA.
Grapphen does not itself act as a Consumer Reporting Agency. Our AI-generated candidate scores are not "consumer reports" under FCRA because they are derived solely from data provided directly by the candidate or recruiter client.
12. AI & Automated Decision-Making
Grapphen uses artificial intelligence and machine learning to assist recruiters with candidate screening, scoring, matching, and interview analysis. Key safeguards:
- Human Oversight: All AI-generated scores and recommendations serve as assistance tools for human recruiters. No hiring decision is made solely by automated means without human review.
- Explainability: Our AI models provide explainable outputs: recruiters can see which factors drove a score. Candidates may request an explanation of any AI-generated assessment that affects them.
- Bias Mitigation: We conduct regular fairness audits on our models, monitoring for differential impact across protected classes (gender, race, age, disability status). Models are retrained or corrected when bias is detected.
- Opt-Out: Where legally required or practically feasible, candidates may request human-only review of their application. Contact us at privacy@grapphen.com.
- Data Minimisation: Our AI models are trained only on the minimum data necessary and do not process legally sensitive categories without explicit consent and lawful basis.
13. EU AI Act Compliance
AI systems used in employment, including recruitment screening, candidate ranking, job matching, and interview analysis, are classified as High-Risk AI Systems under Annex III of the EU AI Act.
Our commitments under the EU AI Act include:
- Risk Management System: We maintain a documented AI risk management system throughout the lifecycle of all high-risk AI systems, identifying, analysing, estimating, and evaluating risks.
- Data Governance: Training, validation, and testing datasets are subject to data governance practices ensuring relevance, representativeness, and freedom from known biases.
- Technical Documentation: We maintain comprehensive technical documentation for all high-risk AI systems, available to competent authorities upon request.
- Transparency to Users: Recruiter clients (operators) are provided with instructions for use including the AI system's intended purpose, performance levels, foreseeable misuse, and limitations.
- Human Oversight Measures: Our AI systems are designed with built-in capabilities enabling human oversight: recruiters can intervene, override, or disregard AI outputs at any stage.
- Accuracy, Robustness & Cybersecurity: AI systems are designed to be accurate, robust, and secure throughout their lifecycle. Performance metrics are monitored post-deployment.
- Conformity Assessment: We conduct internal conformity assessments and will register applicable high-risk AI systems in the EU AI Act database as required.
- Candidate Notification: Candidates are informed when they are subject to AI-assisted assessment within Grapphen-powered recruitment processes.
14. NYC Local Law 144: Automated Employment Decision Tools
NYC Local Law 144 requires employers and employment agencies using AEDTs in hiring or promotion decisions affecting NYC residents to:
- Bias Audit: Conduct an independent bias audit of the AEDT at least annually, covering disparate impact analysis by sex, race, and ethnicity.
- Publication of Audit Results: Publish the summary results of the most recent bias audit on the employer's public website, including the date of the audit and the distribution date of the AEDT.
- Candidate Notice: Before using the AEDT, provide plain-language notice to candidates and employees: (a) that an AEDT will be used; (b) the job qualifications and characteristics it evaluates; and (c) information about how to request an alternative selection process or accommodation.
- Alternative Process: Provide a reasonable alternative selection process or accommodation to candidates who request one, to the extent required under the law.
Grapphen assists its NYC-area clients in meeting these obligations by:
- Conducting and publishing independent annual bias audits of our AI screening tools
- Providing templated candidate disclosures for clients to include in job postings
- Documenting tool characteristics, data sources, and model methodology for audit purposes
Clients using Grapphen's AI features to screen NYC-based candidates bear primary employer responsibility for compliance and must ensure candidate notices are provided. Our bias audit results are available at privacy@grapphen.com.
15. Illinois Artificial Intelligence Video Interview Act (AIVIA)
When Grapphen's video interview or AI analysis features are used in connection with Illinois-based job applicants, the following requirements apply:
- Prior Notice & Consent: Before requiring a video interview, candidates must be informed that AI may be used to analyse the interview and the general types of characteristics AI will assess. Consent is required.
- No Sharing: Video interview recordings and AI analysis data may not be shared with any third party other than those whose expertise or technology is necessary to evaluate the candidate's fitness for a position.
- Deletion on Request: Upon request by a candidate, their video interview recordings must be deleted within 30 days. Grapphen will honour deletion requests from individuals and direct our clients to do the same.
- Retention Limit: Video recordings may not be retained beyond the period necessary to consider the applicant for the position, and in any event no longer than 1 year from the date of interview under AIVIA requirements.
Clients using Grapphen's video interview analysis features for Illinois candidates must ensure they have complied with all notice and consent requirements under AIVIA before recording interviews. Grapphen provides configurable consent capture workflows to assist with this requirement.
16. EEOC & OFCCP Compliance
Equal Employment Opportunity Commission (EEOC)
Grapphen supports our clients' obligations under federal anti-discrimination laws enforced by the EEOC, including Title VII, the Age Discrimination in Employment Act (ADEA), the Americans with Disabilities Act (ADA), and the Genetic Information Nondiscrimination Act (GINA).
- Our AI systems are designed not to screen or score candidates based on protected characteristics (race, colour, religion, sex, national origin, age, disability, genetic information).
- We conduct proprietary adverse impact analyses on our AI outputs to detect and correct disparate impact on protected groups.
- We maintain applicant data sufficient to allow clients to prepare EEO-1 and AAP reports as required.
- Recruiter clients retain all obligations as employers-of-record under EEOC regulations; Grapphen is a technology service provider.
Office of Federal Contract Compliance Programs (OFCCP)
For clients who are federal contractors, Grapphen's Platform supports Affirmative Action Plan (AAP) compliance:
- Record Retention: Application and selection data for each job is retained for a minimum of 2 years from the date of making the personnel action (48 months for contractors with 150+ employees or contracts of $150,000+).
- Internet Applicant Rule: Our system helps clients track and document "Internet Applicants" as defined in 41 CFR Part 60-1.3, including basic qualification screening and expression of interest.
- Data Export: Clients can export solicitation-of-voluntary-disclosure data for race, gender, and veteran/disability status (collected post-offer or pursuant to AAP), ensuring separation from selection decisions.
- Audit Support: We provide data exports and logs necessary to respond to OFCCP compliance evaluations or desk audits.
17. ADA & Web Accessibility
We are committed to ensuring our website and Platform are accessible to all users, including those with disabilities, in compliance with the Americans with Disabilities Act (ADA) Title III and Section 508 of the Rehabilitation Act.
- WCAG 2.1 AA: We strive to meet Web Content Accessibility Guidelines 2.1 Level AA standards. All new features are designed with accessibility in mind.
- Keyboard Navigation: All interactive elements are accessible via keyboard without requiring mouse use.
- Screen Reader Compatibility: We use semantic HTML, ARIA roles, and tested compatibility with common screen readers (NVDA, JAWS, VoiceOver).
- Colour Contrast: Text and UI elements meet a minimum 4.5:1 contrast ratio against backgrounds.
- Alternative Text: All meaningful images include descriptive alt text.
- Accessible Forms: All form fields are labelled, described, and provide clear error messages.
- Captioning: Video content includes captions or transcripts.
- Periodic Audits: We conduct regular accessibility audits and remediation sprints.
If you experience accessibility barriers on our website or Platform, please contact us at accessibility@grapphen.com. We will respond within 2 business days and provide an accessible alternative where possible.
18. Marketing Communications: CAN-SPAM, CASL & TCPA
CAN-SPAM Act (United States)
All commercial email communications from Grapphen comply with the CAN-SPAM Act (15 U.S.C. § 7701 et seq.):
- We clearly identify ourselves as the sender in the "From" field.
- Subject lines are not deceptive and accurately reflect the email content.
- We include our physical postal address in every commercial email.
- Every marketing email includes a clear and conspicuous unsubscribe mechanism.
- Opt-out requests are honoured within 10 business days.
- We do not send emails to harvested or purchased lists.
CASL (Canada)
For recipients in Canada, we comply with Canada's Anti-Spam Legislation (CASL, S.C. 2010, c. 23):
- Commercial electronic messages (CEMs) are sent only with express or implied consent as defined under CASL.
- Every CEM identifies the sender, includes contact information, and provides a working unsubscribe mechanism honoured within 10 business days.
- Consent records are maintained with date, method, and context of consent.
TCPA (United States)
For text/SMS and automated telephone communications:
- We only send SMS/text messages to recipients who have provided prior express written consent under the Telephone Consumer Protection Act (47 U.S.C. § 227).
- Every SMS message includes clear opt-out instructions (reply STOP to unsubscribe).
- We never use autodialer or pre-recorded messages for sales calls without required consent.
- We respect the National Do Not Call Registry and maintain our own internal Do Not Call list.
- Opt-outs are processed immediately and recipients are not contacted again for marketing purposes.
To unsubscribe from our communications: (a) click the unsubscribe link in any email, (b) reply STOP to any SMS, or (c) email privacy@grapphen.com.
19. International Data Transfers
Our primary infrastructure is hosted in the United States. When we transfer personal data from the EEA, UK, or Switzerland to countries not deemed adequate by the relevant authority, we use the following safeguards:
- Standard Contractual Clauses (SCCs): EU Commission Implementing Decision (EU) 2021/914 SCCs for transfers to third countries, and the UK International Data Transfer Addendum.
- Transfer Impact Assessments (TIAs): We conduct TIAs for all restricted international transfers to assess legal access risks in the destination country.
- Data Processing Agreements (DPAs): All sub-processors processing EEA/UK data are bound by GDPR-compliant DPAs.
Customers may request a copy of the applicable SCCs and DPA from dpo@grapphen.com.
20. Children's Privacy
The Platform is not directed to individuals under the age of 16 (or 13 in jurisdictions where COPPA applies). We do not knowingly collect personal data from children. If you believe we have inadvertently collected information from a child, contact us at privacy@grapphen.com and we will promptly delete the information.
21. Cookies & Tracking Technologies
We use cookies and similar tracking technologies on our website. Our Cookie Policy (available at grapphen.com/cookie-policy) provides full details. In summary:
| Category | Purpose | Consent Required? |
|---|---|---|
| Strictly Necessary | Session management, authentication, security | No (legitimate interest) |
| Functional | Remembering your preferences | Yes (EEA/UK) |
| Analytics | Understanding usage patterns to improve the site | Yes (EEA/UK) |
| Marketing | Personalised advertising and retargeting | Yes |
You can manage your cookie preferences at any time via our Cookie Preference Centre or by adjusting your browser settings. Note that disabling certain cookies may affect the functionality of our services.
22. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Update the "Effective Date" at the top of this page
- Notify you via email (if we have your address) or a prominent notice on our website
- Where required by law, obtain your consent before applying the changes to your data
We encourage you to review this policy periodically. Your continued use of our services after the effective date of any changes constitutes acceptance of the revised policy.
23. Contact Us & Data Protection Officer
If you have any questions about this Privacy Policy, wish to exercise your rights, or have a complaint, please contact our Data Protection Officer at dpo@grapphen.com or write to privacy@grapphen.com. You may also lodge a complaint with your supervisory authority:
- UK: ICO (ico.org.uk)
- US: Your state Attorney General
We aim to respond to all privacy enquiries within 72 hours and resolve them within 30 days (or any shorter mandatory period under applicable law). For complex requests we will keep you informed of progress.