CometHire is designed with GDPR-conscious data processing practices and processes personal data on behalf of its customers in a secure, transparent and responsible manner.

Our approach includes:

• data minimization
• temporary data retention
• explainable AI-supported workflows
• human oversight
• EU-based infrastructure and AI providers where possible

Candidate data is not used to train AI models.

Data Retention

Candidate data is retained only for as long as necessary to support the recruitment process and comply with applicable legal obligations.

By default, candidate-related data, including application documents, AI-supported analyses, generated reports, and associated audit records, is deleted six (6) months after a recruitment process has been closed.

This retention period is intended to support legitimate recruitment-related purposes, including documentation of hiring decisions and the handling of potential legal claims.

Customers may implement different retention periods where required by applicable law or internal policies.

Roles & Responsibilities under GDPR

CometHire acts as a data processor across its product features. Our customers remain the data controllers and determine the purposes and means of processing candidate data.

CometHire processes personal data solely on behalf of and under the documented instructions of the controller in accordance with a Data Processing Agreement (DPA).

This setup applies consistently across both AI-supported and non-AI features. The use of AI functionality does not change the underlying roles and responsibilities under GDPR.