Legal
Privacy Policy
Effective May 22, 2026. We'll email subscribers 30 days before any material change.
1. What we collect
Marketing site: we collect anonymous page-view events (path, referrer, UTM parameters) and any email you submit to our Built-To-Win newsletter form. No third-party trackers - no Google Analytics, no Meta Pixel, no Hotjar, no Intercom.
Application surface: if you apply to a role on our platform, the hiring employer collects your name, email, phone, resume, answers to their knockout questions, your synthesis video, and your taste-reply text. CCR Hire processes that data on the employer's behalf - they are the data controller; we are the processor.
Subscriber surface: if you create an employer account, we collect billing information (handled by Stripe; we never see your card number) and product-usage telemetry to operate the service.
2. Cookies
We use one essential cookie (ccrhire_consent) to remember your cookie-banner choice. Logged-in employers get a session cookie from Supabase Auth (sb-*). We do not use advertising cookies. We do not sell your data.
3. Data handling
All candidate data is stored in our Supabase project hosted in the US-East region. Row-level security gates every read and write so one employer cannot see another's candidates. Service-role access is restricted to our own backend processes (newsletter sync, grading jobs, etc.) and is audit-logged.
The marketing event table (hire.marketing_event) is service-role-only by RLS. It records anonymous funnel events for conversion analysis; it does not store IP addresses or device fingerprints.
4. Retention
Newsletter subscribers: until you unsubscribe (every email contains a one-click unsubscribe). Marketing events: 18 months rolling. Candidate data: per the employer's retention setting (default: duration of subscription + 90 days). Account billing data: 7 years per US tax law.
5. Your rights
You can request a copy of, or deletion of, any data we hold about you by emailing privacy@ccrhire.com. We respond within 30 days. If you live in a jurisdiction with additional rights (GDPR, CCPA, etc.), those rights apply in addition to the rights described here.
6. Subprocessors
- Supabase - database, storage, authentication
- Stripe - billing
- Anthropic - AI grading (no training on customer data)
- Deepgram - video transcription
- Resend - transactional email + newsletter
- Vercel - hosting
7. Contact
Questions: privacy@ccrhire.com.