Privacy Policy

RYZE is an AI-powered recruiting and HR operations platform. In delivering our Service we process personal data belonging to:

• Users — employees and HR staff of organisations that subscribe to RYZE.
• Candidates — job seekers whose data is sourced or uploaded by our customers for recruiting purposes.
• Visitors — anyone who browses our marketing website.

For candidate data, RYZE acts as a data processor on behalf of the subscribing organisation (the data controller). For user and visitor data, RYZE is the data controller.

The data controller for user and visitor data is RYZE. If you have questions about how we handle your data, contact us at privacy@getryze.app.

We collect the following categories of personal data depending on how you interact with us:

We process your personal data for the following purposes and on the following legal bases:

• Providing the Service

  Contract

  Authenticating accounts, delivering platform features, processing payments, sending system notifications.

• AI-powered features

  Contract / Legitimate interest

  Running candidate scoring, drafting outreach, powering the AI chat assistant. Data submitted to AI features is processed by Anthropic (see Section 5).

• Security & fraud prevention

  Legitimate interest

  Detecting abuse, enforcing rate limits, monitoring for unauthorised access.

• Service improvement

  Legitimate interest

  Analysing aggregated usage patterns to improve platform performance and features. We do not use individually identifiable data for model training without consent.

• Legal compliance

  Legal obligation

  Retaining records as required by law, responding to lawful requests from public authorities.

• Marketing & communications

  Consent / Legitimate interest

  Sending product updates, onboarding emails, and promotional communications to users. You may opt out at any time.

RYZE uses Anthropic’s Claudeto power AI scoring, outreach drafting, and the AI chat assistant. When you use these features, relevant data (such as job descriptions, search queries, candidate summaries, or chat messages) is sent to Anthropic’s API for processing.

Anthropic processes data under its own Privacy Policy. We have a Data Processing Agreement with Anthropic. Anthropic does not use API inputs to train its models by default.

We do not send full candidate PII (e.g. raw email addresses or phone numbers) to AI providers unnecessarily. Candidate data sent to AI features is limited to the minimum required for the feature (e.g., name, headline, skills, and job description for scoring purposes).

When you use RYZE to source or manage candidates, you (the subscribing organisation) become the data controller for that candidate data. RYZE processes it only on your instructions.

Candidate data sourced via LinkedIn or Evaboot is publicly available profile data. As the data controller, you are responsible for:

• Establishing a lawful basis for processing (typically legitimate interest for recruitment).
• Providing a privacy notice to candidates when you make contact.
• Deleting candidate data when it is no longer needed for the recruiting process.
• Responding to data subject requests from candidates (access, correction, deletion, portability).

If a candidate contacts us directly with a data request, we will direct them to the relevant organisation and assist where we can as the data processor.

Users may optionally connect their Google account to enable Google Calendar two-way sync. When connected:

• We store an OAuth access token and refresh token in our database (encrypted at rest via Supabase).
• We read and write events on your Google Calendar to sync meetings and approved vacation requests.
• We do not access any other Google services or data beyond the Calendar scope you grant.

You can disconnect Google Calendar at any time from Settings → Integrations. Upon disconnection, all stored OAuth tokens are permanently deleted. Previously synced calendar events remain on your Google Calendar until you manually remove them.

Google’s use of data is governed by Google’s Privacy Policy.

We share personal data only in the following circumstances:

• Sub-processors: We share data with our technical sub-processors (Supabase, Anthropic, Vercel, Resend, Evaboot) to deliver the Service. A current list of sub-processors is available on request.
• Within your Organisation: Data you add to the platform (including candidate profiles) is accessible to other authorised users within your Organisation according to their role.
• Legal requirements: We may disclose data if required by law, court order, or governmental authority, or to protect the rights, property, or safety of RYZE, our users, or the public.
• Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to the same privacy protections.
• With your consent: We may share data for any other purpose with your explicit consent.

We do not sell your personal data to third parties.

We retain personal data for as long as necessary to provide the Service and comply with legal obligations:

• Account data — retained for the duration of the subscription plus 30 days after account deletion (to allow data export).
• Candidate data — retained as long as your account is active. You may delete individual candidates at any time.
• Usage & audit logs — retained for up to 12 months.
• Billing records — retained for 7 years as required by tax and accounting regulations.
• Google OAuth tokens — deleted immediately upon disconnection of the integration or account deletion.

After the relevant retention period, data is securely deleted or anonymised.

We implement technical and organisational measures to protect personal data against unauthorised access, loss, or misuse. These include:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256 via Supabase).
• Row-level security (RLS) policies ensuring users can only access data belonging to their Organisation.
• Authentication via Supabase Auth with support for email/password and OAuth providers.
• Access tokens with short expiry and automatic refresh; Google OAuth tokens stored securely and accessible only server-side.
• Regular security reviews and dependency updates.

No method of transmission over the internet is 100% secure. If you discover a security vulnerability, please disclose it responsibly to privacy@getryze.app.

We use cookies and similar technologies for the following purposes:

• Essential cookies: Required for authentication (session cookies) and core platform functionality. These cannot be disabled.
• Analytics cookies: We may use privacy-respecting analytics to understand how visitors use our marketing site (e.g. page views, referrer data). These are anonymised and do not track individuals across sites.
• Preference cookies: Storing UI preferences such as colour theme.

We do not use third-party advertising cookies or cross-site tracking technologies. You can manage cookie preferences through your browser settings, though disabling essential cookies will prevent you from using the platform.

If you are located in the European Economic Area (EEA), UK, or Switzerland, you have the following rights under data protection law:

• Right of access

  Request a copy of the personal data we hold about you.

• Right to rectification

  Request correction of inaccurate or incomplete data.

• Right to erasure

  Request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements.

• Right to restrict processing

  Request that we limit how we process your data in certain circumstances.

• Right to data portability

  Receive your data in a structured, machine-readable format and transfer it to another controller.

• Right to object

  Object to processing based on legitimate interests, including direct marketing.

• Right to withdraw consent

  Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

• Right to lodge a complaint

  Lodge a complaint with your local supervisory authority (e.g. the DPA in your country).

To exercise any of these rights, contact us at privacy@getryze.app. We will respond within 30 days. We may need to verify your identity before processing requests.

RYZE and its sub-processors may process data outside the EEA. Where data is transferred to countries that do not provide an equivalent level of data protection, we ensure appropriate safeguards are in place, such as:

• EU Standard Contractual Clauses (SCCs) with sub-processors.
• Adequacy decisions by the European Commission.

Our primary infrastructure (Supabase) is hosted in the EU by default. Requests to Anthropic’s API may be processed in the United States; we rely on SCCs for this transfer.

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@getryze.app and we will delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice in the platform at least 14 days before the changes take effect. The “Effective date” at the top of this policy indicates when it was last revised.

Your continued use of the Service after the effective date of the revised policy constitutes acceptance of the changes.

For any privacy-related questions, requests, or complaints, contact us:

You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your rights have been violated.