Privacy Policy
Last updated: January 18, 2025
Google API Services User Data Policy Compliant
PlacementFlow's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
1. Introduction
PlacementFlow ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our interview scheduling automation platform (the "Service").
By using PlacementFlow, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, company name, job title, password
- Professional Information: Candidate resumes and profiles, client company information, interview schedules and feedback, communication templates and email campaigns
- Payment Information: Billing address, payment method details (processed securely via Stripe)
2.2 Information Collected Automatically
- Usage Data: IP address, browser type, operating system, pages visited, time spent
- Cookies: Session cookies (authentication), analytics cookies (Vercel Analytics), preference cookies
Email Tracking Technologies
We use tracking technologies to measure email campaign performance:
- Open Tracking: 1x1 transparent tracking pixels embedded in campaign emails. Records timestamp, approximate location, device type.
- Click Tracking: Links wrapped through our servers to record clicks. Records timestamp, IP address, link clicked.
- Reply Detection: Scans for replies to PlacementFlow campaign emails only. Only reads metadata (sender, subject, timestamp). Full email body is NOT read or stored.
- Submission Interest Tracking: IP address logged when clients click "Schedule Interview" or "Decline" for audit trail and duplicate click prevention.
- Unsubscribe Tracking: IP address and timestamp logged for CAN-SPAM/GDPR compliance.
2.3 Information from Third Parties
- OAuth Integrations: Google Calendar events and availability, Microsoft Outlook calendar data, Zoom meeting details, Bullhorn ATS candidate/client records (coming soon)
2.4 Google API Services User Data Policy Compliance
PlacementFlow's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Limited Use Disclosure
- We only use Gmail data to send emails you create and detect replies to auto-pause sequences
- We do NOT use Gmail data for advertising, market research, or credit assessment
- We do NOT transfer Gmail data to third parties except as necessary to provide the Service
- We do NOT allow humans to read Gmail data unless required for security or legal compliance
Google OAuth Scopes We Request
Gmail operates in send-only mode to minimize permissions. Reply detection and contact import are available with Microsoft 365/Outlook.
| Scope | Purpose |
|---|---|
| gmail.send | Send CV submissions and follow-up emails from your mailbox |
| userinfo.email | Verify your email for account linking |
| calendar.events | Read/write calendar for interview scheduling |
2.5 Email Integration Permissions (Gmail/Outlook)
When you connect your Gmail or Microsoft 365 account for email campaigns, we request specific permissions. Note that Gmail and Outlook have different capabilities:
Send Email Permission (All Providers)
- What we do: Send CV submission emails and follow-up sequences from YOUR email address
- What we don't do: Send emails without your explicit campaign creation; spam or promotional emails
Read Email Permission (Microsoft 365/Outlook Only)
Gmail operates in send-only mode. Reply detection is available for Outlook accounts only.
- What we do: Check if clients have replied to emails YOU sent via PlacementFlow campaigns
- Why: Auto-pause follow-up sequences when a client responds (prevents duplicate emails)
- How it works: We only scan for replies to threads YOU initiated via PlacementFlow
- What we DON'T read: Your personal emails, other conversations, attachments, or any emails not related to PlacementFlow campaigns
Technical Details of Email Reading (Outlook Only)
- We match replies using Outlook "Conversation ID"
- We only read: sender address, subject line, and a short snippet (first ~100 characters)
- We do NOT read: full email body, attachments, or metadata of unrelated emails
- Scanning occurs every 15 minutes for active campaigns only
- Data retention: Reply records are deleted 30 days after campaign completion
Gmail Send-Only Mode
- Gmail accounts can send emails but cannot detect replies automatically
- Clients can use the "Schedule Interview" or "Not Interested" buttons in emails to respond
- Button clicks automatically pause follow-up sequences
- For automatic reply detection, consider using Microsoft 365/Outlook
Contacts Access (Microsoft 365/Outlook Only)
- Import contacts from your sent emails for quick recipient selection
- Contact data is not shared with third parties
Your Control
- You can disconnect your email account at any time from Settings > Email Accounts
- Disconnecting immediately stops all email access
- OAuth tokens are securely deleted upon disconnection
- We cannot access your email without an active OAuth connection
2.6 Calendar Integration Permissions
When you connect your Google or Microsoft calendar for interview scheduling:
What We Access
- Event times (start/end) to detect conflicts
- Event titles (to show busy/free status)
- Your primary calendar only (not shared calendars unless you specify)
What We DON'T Access
- Event descriptions or attendee details (privacy preserved)
- Personal appointments beyond availability checking
- Calendars from other accounts unless explicitly connected
2.7 Understanding OAuth: Sign-In vs. Integration
PlacementFlow uses OAuth for two different purposes:
1. Sign-In (Authentication Only)
- When you click "Sign in with Google" or "Sign in with LinkedIn"
- This ONLY verifies your identity—we don't access your Google/LinkedIn data
- Permissions: Basic profile (name, email, profile picture)
- No access to: Gmail, Calendar, Contacts, LinkedIn connections, or any other data
2. Integration (Data Access)
- When you explicitly connect Calendar or Email in Settings > Integrations
- This grants access to specific data for specific features
- Each integration requires separate consent with clear permission scopes
- You can revoke access at any time without affecting your login
Key Point: Signing in with Google does NOT give us access to your Gmail or Calendar. Those are separate, optional integrations you must explicitly authorize.
2.8 Email Enrichment Services
When candidates lack email addresses, we automatically attempt to find business emails using third-party providers:
Third-Party Providers
- Hunter.io - Email finder and verification
- Apollo.io - B2B contact database
- SmartProspect (SmartLead) - LinkedIn contact enrichment
- Bouncer - Email verification
- Snov.io - Email finder
- LinkedIn Data Dump (LDD) - Private profile database
Data We Send: First name, last name, company name/domain, LinkedIn URL
Data We Receive: Business email address, confidence score
Retention: Results cached 30 days to avoid redundant lookups
2.9 Interview Recording and AI Analysis
Fireflies.ai Recording
When you enable interview recording, a Fireflies.ai bot joins Zoom meetings and captures:
- Full audio/video recording
- Complete text transcript
- Participant names and speaking times
AI Analysis (Anthropic Claude)
Transcripts are analyzed by AI to generate:
- Hiring recommendation (strong hire, hire, maybe, no hire)
- Candidate score (1-10)
- Strengths, concerns, and red flags
- Key moments with timestamps
- Skills assessment with confidence levels
Your Control: You can disable recording per interview and delete transcripts anytime.
2.10 AI-Powered Search
We generate vector embeddings from candidate profiles for semantic search:
- Enables "Find similar candidates" functionality
- Powers intelligent candidate-job matching
- Stored locally using pgvector (PostgreSQL)
- No personal data shared externally for this feature
3. How We Use Your Information
We use collected information to:
- Provide the Service: Schedule interviews, send email campaigns, analyze interview transcripts
- Process Payments: Manage subscriptions via Stripe
- Improve the Service: Analyze usage patterns, fix bugs, develop new features
- Communicate: Send transactional emails, product updates, support responses
- Ensure Security: Detect fraud, prevent abuse, enforce Terms of Service
- Comply with Legal Obligations: Respond to legal requests, protect rights
4. How We Share Your Information
We do NOT sell your personal information. We share data only in these limited circumstances:
4.1 With Your Consent
When you authorize third-party integrations (Google, Microsoft, Zoom, Bullhorn)
4.2 Service Providers
- Vercel: Hosting and deployment
- Supabase: Database hosting (PostgreSQL)
- Resend: Email delivery and tracking
- Stripe: Payment processing
- Anthropic: AI interview analysis (Claude API)
- Fireflies.ai: Interview recording and transcription
- Zoom: Video meeting creation
- Hunter.io, Apollo.io, SmartProspect, Bouncer, Snov.io: Email enrichment
- Sentry: Error tracking and monitoring
All service providers are contractually obligated to protect your data and use it only for specified purposes.
4.3 Legal Requirements
- To comply with legal obligations (subpoenas, court orders)
- To protect rights, property, or safety of PlacementFlow, users, or public
- In connection with business transfers (mergers, acquisitions)
5. Data Security
We implement industry-standard security measures:
- Encryption: AES-256 for data at rest, TLS 1.3 for data in transit
- Access Controls: Role-based permissions, least privilege principle
- Authentication: Auth.js with JWT tokens, httpOnly cookies
- Monitoring: Sentry error tracking, audit logs for sensitive actions
- HMAC Verification: Webhook signatures to prevent tampering
However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.
6. Your Data Rights
6.1 Access and Portability (GDPR/CCPA)
- Request a copy of your personal data
- Export data in machine-readable format (CSV, JSON)
6.2 Correction and Deletion
- Correct inaccurate or incomplete data
- Request deletion of your account and associated data
6.3 Opt-Out
- Unsubscribe from marketing emails (one-click unsubscribe)
- Disable non-essential cookies
- Withdraw consent for data processing
6.4 Data Retention
- Active accounts: Data retained for duration of subscription
- Canceled accounts: Data deleted within 30 days unless legal retention required
- Backups: Deleted from backups within 90 days
To exercise these rights, contact us at hello@placementflow.com.
7. Cookies and Tracking
7.1 Essential Cookies (Cannot be Disabled)
__Secure-next-auth.session-token: Authentication session__Host-next-auth.csrf-token: CSRF protection
7.2 Analytics Cookies (Can be Disabled)
- Vercel Analytics: Page views, performance metrics
7.3 Managing Cookies
- Browser settings: Most browsers allow you to refuse cookies
- Opt-out links: Vercel Analytics Opt-Out
8. International Data Transfers
PlacementFlow is operated from the United Kingdom. If you access the Service from outside the UK, your information may be transferred to, stored, and processed in the UK or other countries where our service providers operate.
International Data Transfers: We comply with GDPR requirements for international transfers, including:
- Standard Contractual Clauses (SCCs) with service providers
- Adequate safeguards for data protection
9. Children's Privacy
PlacementFlow is NOT intended for use by individuals under 16 years of age. We do not knowingly collect personal information from children.
If you believe a child has provided us with personal information, contact us immediately at hello@placementflow.com.
10. Third-Party Links
The Service may contain links to third-party websites (e.g., Google Calendar, Zoom). We are not responsible for the privacy practices of these websites. Please review their privacy policies.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the new Privacy Policy on this page
- Updating the "Last Updated" date
- Sending an email notification (for significant changes)
Your continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us:
- Email: hello@placementflow.com
- Address: PlacementFlow Inc., 14 Western Gateway, London, E16 1BP, UK
- Support: hello@placementflow.com
13. GDPR-Specific Information (EU Users)
Legal Basis for Processing
We process personal data under the following legal bases:
- Contract Performance: To provide the Service per our Terms of Service
- Legitimate Interests: To improve the Service, prevent fraud
- Consent: For marketing communications, non-essential cookies
- Legal Obligation: To comply with tax, accounting, legal requirements
Data Controller
PlacementFlow Inc. is the data controller for personal information collected through the Service.
Supervisory Authority
EU users have the right to lodge a complaint with their local data protection authority.
14. CCPA-Specific Information (California Residents)
Categories of Personal Information Collected
- Identifiers (name, email, IP address)
- Professional information (job title, company)
- Internet activity (usage data, cookies)
- Financial information (payment method via Stripe)
Sale of Personal Information
We do NOT sell personal information.
California Privacy Rights
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of sale (N/A - we don't sell data)
- Right to non-discrimination for exercising privacy rights
To exercise your rights, email hello@placementflow.com with subject "CCPA Request".