GDPR Compliant

Privacy Policy

This policy explains how your personal data is collected, processed, and protected when you use QualiVally.ai, in accordance with the General Data Protection Regulation (GDPR).

Last updated: 2026

1. Data Controllers and Processors

Under GDPR, responsibilities are shared between two parties:

Recruiting Company (Data Controller)

The company or recruiter who posted the job vacancy is the Data Controller for your application data. They determine the purpose and means of processing your personal data, are identified by their VAT/organisation number, and are responsible for ensuring the recruitment process complies with GDPR.

QualiVally.ai (Data Processor)

QualiVally.ai acts as a Data Processor on behalf of the recruiting company, processing your data solely on their instructions and providing the technical platform for recruitment. QualiVally.ai is the Data Controller only for recruiter account data.

A Data Processing Agreement (DPA) โ€” based on the Danish Data Protection Agency's standard contractual clauses (Article 28(3) GDPR) โ€” governs the relationship between QualiVally.ai and each recruiting company. Recruiters must accept this agreement before using the platform.

2. Data We Collect

From Candidates: Name, email address, phone number, CV content, and transcripts of AI-assisted interview sessions.

From Recruiters: Name, company name, email address, phone number, and company logo.

3. Purpose of Processing

Your data is processed solely for the purpose of evaluating your candidacy for a specific job role. The legal basis for processing is your explicit consent (GDPR Article 6(1)(a)), which you provide when submitting your application.

4. Use of Artificial Intelligence

QualiVally.ai uses AI services to analyse CV content and conduct interactive interview sessions. Your personal data, including CV text and interview responses, may be transmitted to an external AI provider for processing.

Important โ€” AI Provider & Data Policy

The recruiting company selects which AI provider is used for your application. Each AI provider operates under its own data policy. The recruiting company is responsible for ensuring their chosen AI provider complies with GDPR, including any transfer of data to countries outside the EU/EEA. If the AI provider is based outside the EU (e.g., in the USA), the transfer is subject to appropriate safeguards such as Standard Contractual Clauses (SCCs) under GDPR Article 46.

You have the right to request information about which AI provider processed your data by contacting the recruiting company directly.

AI Providers & Their Data Processing Agreements

QualiVally.ai supports five approved AI providers โ€” Google Gemini, OpenAI, Anthropic Claude, Mistral AI, and Aleph Alpha. Each provider has a Data Processing Agreement (DPA) that includes Standard Contractual Clauses for lawful GDPR-compliant data transfers. For detailed information about each provider, their data retention policies, certifications, and links to their DPAs, see our dedicated AI provider page.

View AI Providers & DPAs

5. Your Rights (GDPR)

Under EU law, you have the right to:

  • Access your personal data and receive a copy of it.
  • Rectification of inaccurate or incomplete data.
  • Erasure ("Right to be Forgotten") โ€” you can withdraw your application and delete all your data at any time.
  • Restriction of processing in certain circumstances.
  • Data portability โ€” receive your data in a structured, machine-readable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time without affecting the lawfulness of prior processing.

Self-Service Tools

You can withdraw any application at any time directly in the QualiVally platform, which triggers immediate and permanent deletion of your CV and interview data for that role.

To exercise rights not covered by the self-service tools, contact the recruiting company directly. You may also contact QualiVally.ai at privacy@qualivally.ai for platform-level requests.

6. Data Retention

All personal data and application materials are permanently deleted no later than 2 weeks after a job's application deadline, unless the recruiting company specifies a shorter period.

Compliance Logging: When data is deleted โ€” whether by your request or automatically โ€” a minimal audit log is maintained containing your name, email, the job title, and the reason for deletion. This log is used solely to demonstrate GDPR compliance and is accessible only to authorised administrators and recruiters of the relevant company.

7. Data Security

QualiVally.ai implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. Data is stored on secured servers and access is restricted to authorised personnel only.

8. Contact & Complaints

For privacy-related inquiries regarding your application data, contact the recruiting company directly โ€” they are the Data Controller.

For platform-related inquiries, contact QualiVally.ai at privacy@qualivally.ai.

You also have the right to lodge a complaint with your national data protection authority. In Norway: Datatilsynet (datatilsynet.no). In the EU: your local supervisory authority under GDPR Article 77.

Home ยท AI Providers & DPAs ยท privacy@qualivally.ai