Gensync

Legal

Privacy Policy

Effective date: July 11, 2026 Last updated: July 11, 2026

This Privacy Policy explains how Gensync ("Gensync," "we," "us," or "our") handles personal data in connection with Gensync Hiring, our business-to-business applicant-tracking and hiring platform available at app.gensync.ai and related sites and services (the "Service"). It works alongside our Terms of Service.

Plain-English summary (not a substitute for the full policy): Organizations ("Customers") use Gensync Hiring to run their own hiring processes. For the candidate data a Customer collects and evaluates, the Customer is the data controller and Gensync is its processor / service provider — we handle that data on the Customer's instructions, not for our own purposes. Gensync is the controller for the account data of the Customer's own users and for operating the site. We use AI to help evaluate candidates, but AI is decision support only: a human at the hiring organization makes every hiring decision. We do not sell personal data and we use no advertising or analytics trackers. If you applied for a job and want to access or delete your data, contact the organization you applied to first — see the section "If you applied for a job through Gensync Hiring."

1. Scope and our roles (controller vs. processor)

The Service involves two kinds of people, and Gensync's role differs for each:

  • Customer users — people who hold accounts and use the Service on behalf of a Customer organization (recruiters, hiring managers, administrators).
  • Candidates — job applicants who submit applications through public application pages without creating an account. It also involves interview participants, such as interviewers, who may be external to the Customer.

The following table summarizes our roles under data-protection laws such as the EU and UK General Data Protection Regulation (together, "GDPR"):

DataControllerGensync's role
Candidate application and evaluation data (resumes, screening answers, scores, interview transcripts and analyses, recruiter notes, candidate email logs)The Customer organizationProcessor / service provider, acting on the Customer's documented instructions
Customer user account data (name, work email, credentials, session and role data)GensyncController
Site operations, security, and platform administrationGensyncController

Because each Customer is the controller of its candidate data, the Customer's own privacy notice and practices govern why and how that data is collected and used. Gensync processes candidate data only to provide the Service to that Customer and as described here and in our Data Processing Addendum (see Section 12). Candidates who wish to exercise rights over their application data should read the section "If you applied for a job through Gensync Hiring" below.

2. Data we collect

2.1 Customer users

When a person registers and uses a Customer account, we collect:

  • Account details: full name and work email address.
  • Credentials: a hashed password. Authentication is by email and password only (minimum twelve characters), with email verification required; the Service does not offer single sign-on. We never store passwords in plain text.
  • Session data: session identifiers and related metadata, including IP address and browser user agent, used to keep users signed in and to secure accounts.
  • Organization and role data: the organization a user belongs to and the user's role and permissions.

2.2 Candidates

When a Candidate submits an application through a public application page, the Service collects, on the Customer's behalf:

  • Contact and identity details: full name, email address, and optionally phone number and LinkedIn URL.
  • Application content: free-text answers to the Customer's screening questions.
  • Resume file: a resume in PDF or DOCX format. The resume is parsed into raw text and a structured profile to support evaluation.

Duplicate applications to the same job from the same email address may be blocked. Candidates do not create accounts.

2.3 Interviews and meetings

Where the Customer schedules and conducts interviews through the Service, we process, on the Customer's behalf:

  • Interviewer details: names and email addresses of interviewers, who may be people external to the Customer organization.
  • Meeting transcripts: full text transcripts of interviews, stored in the platform database.
  • Recording references: URLs pointing to recordings held by the meeting provider. Recordings themselves remain on the provider's side; Gensync stores the reference, not the recording file.
  • AI interview analyses: analyses of transcripts, including hire recommendations, as described in Section 4.

2.4 Communications, notes, and audit trails

  • Candidate emails: the full content of outbound emails sent to Candidates through the Service is logged, including subject, body, and sender/recipient addresses.
  • Recruiter notes: internal notes that Customer users record about Candidates.
  • Audit trails: append-only records of activity in the Service, such as stage changes, assignee changes, and system-administrator actions, retained for security and accountability.

2.5 Dictation audio

Where a user uses in-app voice dictation, the audio is sent to a third-party speech-to-text provider for transcription and is then immediately discarded. Gensync does not store dictation audio; only the resulting text, entered by the user, is retained.

3. How we use personal data and our legal bases

Gensync uses personal data for the purposes below. Where the GDPR applies and Gensync is the controller (primarily for Customer user and site-operations data), the relevant legal bases are noted. Where Gensync acts as processor for candidate data, we act on the Customer's instructions and the Customer is responsible for establishing the legal basis for the underlying processing.

  • Providing the Service — to authenticate users, host and operate the platform, and deliver its features to Customers. Legal basis: performance of a contract; our legitimate interest in operating the Service.
  • Evaluating candidates on the Customer's behalf — to parse resumes, score candidates against the Customer's rubric, analyze interview transcripts, and draft interview guides and communications. Processed on the Customer's instructions; the Customer establishes the legal basis.
  • Communicating — to send transactional and account emails to Customer users, and to send Customer-authored emails to Candidates through the Service. Legal basis: performance of a contract; legitimate interests.
  • Security, fraud prevention, and integrity — to protect accounts, enforce tenant isolation, maintain audit trails, and investigate misuse. Legal basis: legitimate interests; legal obligation.
  • Maintaining and improving the Service — to monitor performance, fix problems, and improve functionality, using aggregated or de-identified data where feasible. Legal basis: legitimate interests.
  • Legal compliance — to comply with applicable law and to establish, exercise, or defend legal claims. Legal basis: legal obligation; legitimate interests.

Where we rely on legitimate interests, we balance those interests against your rights and freedoms. Where consent is the appropriate basis under applicable law, we (or, for candidate data, the Customer) will obtain it and you may withdraw it at any time.

We do not use personal data for advertising, and we do not use Customer Content or candidate data to train third-party foundation models.

4. AI processing and automated decision-making

The Service uses artificial intelligence to assist Customers in their hiring processes. Resumes, screening answers, and interview transcripts are processed by large language models provided by Anthropic (the Claude models) to:

  • parse resumes into raw text and a structured profile;
  • score candidates against the Customer's rubric (a score from 0 to 100, with per-criterion rationale and supporting evidence);
  • analyze interview transcripts, including generating hire recommendations; and
  • draft interview guides and candidate communications for the Customer to review.

No solely automated decisions with legal or similarly significant effect. AI output is decision support only. The Service does not automatically reject, advance, or otherwise decide the outcome for any Candidate. Every stage change and hiring decision is made by a human user of the hiring organization. Accordingly, the Service is not designed to make decisions based solely on automated processing that produce legal or similarly significant effects on a Candidate within the meaning of Article 22 of the GDPR. AI outputs may be incomplete or inaccurate and must be reviewed by a person before being relied upon.

Speech-to-text. In-app dictation audio is transcribed by OpenAI and immediately discarded; the audio is never stored (see Section 2.5).

Laws governing AI in hiring. Laws such as New York City Local Law 144, Illinois laws addressing artificial intelligence and video interviews, the EU AI Act, and comparable laws elsewhere may apply to the use of automated tools in hiring. As the employer running the hiring process, the Customer is responsible for its own compliance with these laws in its jurisdictions, including any required bias audits and candidate notices or disclosures. Gensync provides the tooling and information to support the Customer's compliance but is not the employer or deployer for these purposes.

5. Sharing and subprocessors

Gensync does not sell personal information and does not share it for cross-context behavioral advertising. We do not use advertising or analytics trackers. We share personal data only as described here:

  • With the Customer. Candidate and evaluation data is made available to the relevant Customer organization, which is its controller.
  • With subprocessors. We use the service providers listed below to operate the Service. They process personal data only on our instructions and under contractual confidentiality and data-protection obligations.
  • For legal reasons. We may disclose data where required by law, to respond to lawful requests, or to protect the rights, safety, and integrity of the Service, our users, or the public.
  • In a business transfer. If Gensync is involved in a merger, acquisition, or sale of assets, data may be transferred as part of that transaction, subject to this Policy.

Subprocessors:

SubprocessorPurposeNotes
AnthropicAI processing of resumes, screening answers, and interview transcripts (Claude models)Used to parse, score, and analyze, and to draft content
OpenAISpeech-to-text transcription of in-app dictation onlyAudio is not retained; discarded immediately after transcription
ResendTransactional and outbound email deliveryHandles email sending on our behalf
Amazon Web Services (AWS)Cloud hosting and file storage (regions us-east-2 and us-east-1)Resumes stored in S3; access via presigned URLs that expire in approximately five minutes
MicrosoftCalendar, online meetings, and meeting transcripts/recordings — only if the Customer connects Microsoft 365 or TeamsDelegated OAuth access; access tokens stored encrypted with AES-256-GCM
CloudflareBot protection (Turnstile) on public application submissionProcesses connection and browser signals, including IP address, to distinguish people from bots; not used for advertising or tracking

Microsoft is engaged only where a Customer chooses to connect its Microsoft 365 or Teams environment. A current list of subprocessors is available on request at privacy@gensync.ai.

6. International data transfers

The Service is hosted in the United States (AWS regions us-east-2 and us-east-1), and personal data may be processed in the United States and in other countries where our subprocessors operate. Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy determination, we rely on appropriate safeguards recognized under applicable law, such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, together with additional measures where needed. You may request more information about these safeguards at privacy@gensync.ai. For candidate data, the Customer as controller is responsible for the lawfulness of any transfer it directs.

7. Retention

We retain personal data for as long as needed for the purposes described in this Policy, subject to the following:

  • Candidate and evaluation data. This data is retained for as long as the hiring organization keeps it. Gensync does not impose an automatic retention limit on candidate data; it is retained until the Customer deletes it or the Customer's account is purged. A Candidate who wants their data deleted should contact the hiring organization, or contact us at privacy@gensync.ai and we will assist the Customer as its processor.
  • Account and organization deletion. Deletion of an account or organization uses a soft-delete with a thirty (30) day recovery window during which it can be restored. After the recovery window, or on request to purge, the organization's data is permanently deleted — including candidate data, resumes, interview transcripts, and email logs. Permanent deletion is irreversible.
  • Backups and legal holds. Copies may persist transiently in routine backups and are overwritten on our standard backup cycle. We may retain the minimum data necessary to comply with legal obligations or to establish, exercise, or defend legal claims.

8. Security

We use technical and organizational measures designed to protect personal data, including:

  • encryption in transit (TLS) and encryption at rest;
  • encrypted storage of third-party OAuth tokens (AES-256-GCM);
  • tenant isolation enforced at the application layer, so each Customer's data is segregated from others';
  • role-based access controls within each organization;
  • audited, restricted system-administrator access;
  • short-lived presigned URLs (expiring in approximately five minutes) for access to stored resumes; and
  • rate limiting and bot protection (Cloudflare Turnstile) on public application submission.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. We do not currently claim any third-party security certification. If we become aware of a personal-data breach, we will act in accordance with applicable law and, where Gensync is a processor, notify the affected Customer so it can meet its own obligations.

9. Your privacy rights

Depending on where you live and the applicable law, you may have some or all of the following rights over your personal data:

  • Access — to know what personal data is held about you and obtain a copy.
  • Correction — to have inaccurate or incomplete data corrected.
  • Deletion — to have your data deleted, subject to legal exceptions.
  • Portability — to receive certain data in a portable format.
  • Objection and restriction — to object to or restrict certain processing, including processing based on legitimate interests.
  • Withdrawal of consent — where processing is based on consent, to withdraw it at any time.
  • Non-discrimination — not to be discriminated against for exercising your rights.

These rights arise under laws including the GDPR, the UK GDPR, and US state privacy laws such as the California Consumer Privacy Act as amended by the CPRA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and comparable laws in other US states, in each case to the extent the law applies to the data and context in question. Gensync does not sell personal information and does not share it for cross-context behavioral advertising, so there is no "sale" or "sharing" to opt out of.

How to exercise your rights. Where Gensync is the controller (for Customer user account data), contact us at privacy@gensync.ai and we will respond as required by applicable law. Where Gensync is a processor — which is the case for candidate and hiring data — direct your request to the relevant hiring organization, which is the controller; Gensync will assist that organization in responding. We will not charge a fee or discriminate against you for making a request except as permitted by law, and we may need to verify your identity before acting. If you believe your rights have been violated, you may lodge a complaint with your local data-protection or privacy authority.

10. If you applied for a job through Gensync Hiring

If you submitted an application through Gensync Hiring, the organization you applied to — not Gensync — is the controller of your application data and decides how it is used, how long it is kept, and whether you advance in its hiring process. Gensync operates the platform on that organization's behalf as its processor.

To access, correct, or delete your application data, or to ask questions about how it is used in the hiring process, contact the hiring organization directly in the first instance. If you are unable to reach them, or you need help, you may also contact us at privacy@gensync.ai and we will assist the hiring organization as its processor. Because the organization controls the data, we generally act on its instructions when responding to your request.

Your application materials, including your resume, screening answers, and interview transcripts, are evaluated with AI assistance as described in Section 4, but no decision about your application is made by AI alone — a person at the hiring organization makes the decision.

11. Cookies and local storage

The Service uses only strictly-necessary cookies. Specifically, we use a single authentication session cookie to keep signed-in users authenticated; the session lasts seven days. We store a theme preference in your browser's local storage to remember light or dark mode. We do not use analytics, advertising, or marketing cookies, and there are no third-party tracking cookies, so no cookie-consent banner is required for optional cookies. Blocking the authentication cookie will prevent you from signing in. The public application form may include a Cloudflare Turnstile bot-protection challenge, which is served by Cloudflare and uses its own strictly-necessary mechanisms to distinguish people from bots; it is not used for advertising or cross-site tracking (see Section 5).

12. Data Processing Addendum

For Customers that require one, Gensync makes a Data Processing Addendum ("DPA") available on request at privacy@gensync.ai or legal@gensync.ai. The DPA reflects the controller/processor relationship described in this Policy and includes terms addressing the GDPR, the UK GDPR, and applicable US state privacy laws, including international-transfer safeguards. Once executed, the DPA forms part of the agreement between Gensync and the Customer.

13. Children's data

The Service is intended for business use and for job applicants who are adults in the employment context. It is not directed to children, and we do not knowingly collect personal data from anyone under the age of sixteen. If you believe a child has provided personal data through the Service, contact us at privacy@gensync.ai and we will take appropriate steps, coordinating with the relevant Customer where the data is candidate data.

14. Changes to this Policy

We may update this Privacy Policy from time to time. If we make a material change, we will provide reasonable notice, for example by posting the updated Policy with a new "Last updated" date or by notifying Customer administrators. Changes are effective on the date stated. Your continued use of the Service after an update takes effect means you accept the updated Policy.

15. Contact

For privacy questions or to exercise your rights where Gensync is the controller, contact Gensync at privacy@gensync.ai. For legal notices, contact legal@gensync.ai. See our Terms of Service for the terms that govern use of the Service.