Introvy
Sign In
📄

Privacy Policy

Last updated: 5/13/2026

Privacy Policy

Effective Date: May 8, 2026 Last Updated: May 8, 2026 Document Version: 2026-05-08

Introvy Solutions Inc ("Introvy," "we," "us," or "our") provides an AI‑assisted recruiting and candidate‑preparation platform (the "Service"). This Privacy Policy explains how we collect, use, share, transfer, retain, and safeguard personal information, and the rights you have under applicable laws including the EU/UK General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act/CPRA ("CCPA/CPRA"), and other privacy laws.

Read this carefully. By accepting this Policy and the Terms of Service at sign‑up, invite acceptance, upload, recording, or share‑link entry, you confirm that you understand it and that — where you are providing data on behalf of someone else — you have the authority and lawful basis to do so.

Questions or rights requests: hello@introvy.ai.

1. Who We Are

Introvy Solutions Inc operates a B2B SaaS platform used by:

  • Recruiting organizations and staffing firms ("Customers") and the recruiters, account managers, and admins acting under their accounts.
  • Candidates and job seekers ("Candidates") who receive workflows (apply video, practice interview, research brief, thank‑you, interview prep) from Customers.
  • Subscribed individual users who use Introvy directly for their own preparation.

Introvy is headquartered in New Lenox, Illinois, United States.

For most Candidate data, the Customer is the data controller and Introvy acts as data processor. For account, billing, and platform‑telemetry data, Introvy acts as controller. See Section 5.

2. Scope and Controllership

| Data category | Controller | Processor | |---|---|---| | Customer / recruiter account data | Introvy | n/a | | Candidate identifiers submitted by a recruiter (name, email, resume, ATS IDs) | The Customer | Introvy | | Candidate‑uploaded user content (videos, audio, transcripts, answers) | The Customer (or the Candidate, when self‑initiated) | Introvy | | AI‑generated questions, transcripts, evaluations and summaries derived from Candidate content | The Customer | Introvy | | Billing and subscription metadata | Introvy and Stripe (joint, for payment) | n/a | | Service logs, telemetry, security events | Introvy | n/a |

When a Candidate uses Introvy independently of a recruiter (e.g., self‑initiated practice), Introvy acts as controller for that workflow.

3. International Operations and Cross‑Border Transfers

Introvy is built for globally distributed staffing. Customers commonly include offshore recruiters in India, the Philippines, Latin America, Eastern Europe, and elsewhere, and may submit EU/UK candidates to US, Canadian, or other employers.

This means your personal data will routinely move across borders, including to and from:

  • The United States (Introvy's primary processing location)
  • Cloudflare's global edge (video delivery)
  • OpenAI processing regions (AI inference)
  • Customer recruiters working from their home country
  • Hiring companies receiving candidate submissions in other jurisdictions

Where personal data of EU/EEA, UK, or Swiss data subjects is transferred outside their jurisdiction, Introvy relies on:

  • Standard Contractual Clauses (SCCs) Module 2 (Controller → Processor) and Module 3 (Processor → Sub‑processor) as adopted by the European Commission;
  • the UK International Data Transfer Addendum for UK transfers;
  • Swiss‑adapted SCCs for Swiss transfers;
  • supplementary measures including encryption in transit and at rest, access logging, least‑privilege access, and prompt response to government access requests.

These mechanisms are incorporated into Introvy's Data Processing Addendum (DPA) which is offered to all Customers and is available at /data-processing-addendum. Candidates may request a copy at hello@introvy.ai.

By accepting this Policy you acknowledge that recruiters, evaluators, and operators of the Service may access your data from countries other than your own.

4. Information We Collect

4.1 Account information

Name, work email, password (hashed), organization, role, country, time zone, ATS platform connected.

4.2 Candidate identifiers

Submitted by recruiters or by the Candidate: name, email, phone (optional), resume, job description, ATS candidate/job IDs, recruiter notes.

4.3 User content

Video recordings, audio recordings, AI‑generated transcripts and summaries, written answers, practice‑session metadata, research briefs, thank‑you scripts.

4.4 AI inputs and outputs

Prompts derived from your content, AI‑generated interview questions, transcripts, evaluations, coaching feedback, and summaries written back to your ATS.

4.5 Recruiter workflow data

Invitations, acceptance state, share‑link tokens, evaluation notes, ATS write‑back records, interaction logs.

4.6 Payment data

Processed by Stripe. Introvy stores a customer ID, subscription ID, plan, and last‑four card metadata. We do not store full card numbers.

4.7 Consent records

For every accepted Terms of Service, Privacy Policy, AI processing disclosure, video/transcript processing notice, and cross‑border processing acknowledgment we record the user ID (if known), the surface (signup, invite, upload, share‑link entry), the document version, the IP address, the user agent, and the timestamp. These records are used to demonstrate compliance and are retained for the periods in Section 9.

4.8 Automatically collected

IP address, browser/device, pages visited, feature usage, error logs, request IDs, security events. We use only essential cookies plus optional analytics that you may decline (see Section 11).

4.9 What we do not collect

We do not knowingly collect biometric identifiers (faceprint/voiceprint templates), genetic data, government IDs (unless your Customer explicitly enables Stripe Identity verification, in which case Stripe is the processor), or special‑category data as defined in GDPR Article 9. Do not upload such data via your free‑text fields, transcripts, or videos.

5. How We Use Your Information and Lawful Bases (GDPR Art. 6)

| Purpose | Lawful basis | |---|---| | Provide and operate the Service for Customers | Performance of contract (Customer); legitimate interests (recruiter access); processor under Customer instructions (Candidate data) | | Generate AI questions, transcripts, evaluations | Contract (with Customer) and the Customer's documented instructions; Candidate consent collected at submission | | Bill subscribing organizations | Performance of contract; legal obligation (tax/accounting) | | Provide candidate access to invited workflows | Consent recorded at invite acceptance | | Send transactional notices (security, account, payment) | Performance of contract; legitimate interests | | Send product and marketing communications | Consent (where required); legitimate interests in B2B contexts; you can opt out at any time | | Detect fraud, abuse, security incidents | Legitimate interests; legal obligation | | Comply with legal obligations and respond to legal process | Legal obligation | | Improve the Service using aggregated and de‑identified analytics | Legitimate interests |

We do not sell personal information. We do not use identifiable Candidate content to train third‑party foundation models. AI inference is performed under contract with our AI provider, with content excluded from provider training where the provider supports that setting (currently OpenAI's API default).

6. Candidate Data — Special Notice for Recruiter‑Initiated Workflows

When a recruiter sends you an invite, share link, or apply link:

  • The recruiting organization is the data controller. Introvy is the data processor acting on the recruiter's documented instructions.
  • The recruiter is responsible for having a lawful basis to process your data and for providing you with appropriate notice (under GDPR, this is typically Art. 13).
  • We require the recruiter to obtain the consent surfaced inside Introvy before you can submit content. That consent is logged against your identity (email or user ID) and the invite token.
  • You may direct any data‑rights request to the recruiter, or to Introvy at hello@introvy.ai. We will route requests appropriately and respond within 30 days (extendable by up to two months for complex requests under GDPR).
  • You may withdraw consent and delete your content at any time from your candidate dashboard. Withdrawal does not affect lawfulness of processing prior to withdrawal.

7. AI Processing Disclosures

Introvy uses AI ("AI Features") to:

  • generate interview questions, scripts, prep packages, and research briefs;
  • transcribe audio and video;
  • extract structured insights, summaries and topical tags;
  • write workflow completion summaries back to a Customer's ATS;
  • power the Introvy Assistant inside recruiter dashboards.

Important AI disclosures:

  • AI output may contain errors, hallucinations, or omissions. You and any recruiter relying on AI output must apply human judgment.
  • AI Features are not professional, legal, medical, or hiring advice. They are not a hiring decision and they do not screen Candidates in or out.
  • We do not use Candidate content to train Introvy's, OpenAI's, or any other provider's foundation models.
  • AI inference may occur in regions other than your own (typically the United States).
  • For applicable U.S. state AI hiring laws (e.g., NYC Local Law 144, Illinois AI Video Interview Act, Colorado SB 24‑205), the Customer is responsible for any required notices, audits, and bias testing on its hiring decisions. Introvy provides Customer‑facing controls and documentation to support that compliance.

8. How We Share Information

We disclose personal data to the following recipients:

  • Customers and their authorized users, including offshore recruiters acting under the Customer's account, who may access your submission for evaluation and ATS write‑back.
  • Sub‑processors listed at /subprocessors, each bound by a written DPA: Supabase (database, auth, storage), Vercel and Render (compute), Netlify (frontend hosting), Cloudflare (video delivery and CDN), Stripe (payments), Postmark (transactional email), OpenAI (AI inference), and others as updated on the subprocessors page.
  • ATS platforms that the Customer connects (e.g., RecruitCRM, RecruiterFlow), which receive completion summaries, share links, and stage updates as directed by the Customer.
  • Legal and safety: when required by law, valid legal process, or to protect rights, safety, or the integrity of the Service.
  • Corporate transactions: in a merger, acquisition, financing, or asset sale, with notice to you where required.

We do not sell personal data and do not disclose personal data for cross‑context behavioral advertising.

9. Data Retention

Retention is set in accordance with the GDPR storage‑limitation principle and the operational realities of staffing.

| Data | Retention | |---|---| | Public, anonymous share / submittal links (Apply video, etc.) | 90 days from creation, then auto‑expired and unfetchable | | Thank‑you videos accessed via public link | 60 days from creation, then auto‑expired | | Practice (audio/video) sessions | 30 days unless the Candidate keeps them in their dashboard; revoked instantly on Candidate request | | Research briefs (recruiter‑facing) | Lifetime of the originating job in the recruiter's ATS, maximum 24 months since last access | | Recruiter‑authenticated submission artifacts | Lifetime of the Customer account, plus a 30‑day grace period after deletion | | Customer account & organization data | Lifetime of account + 30 days | | AI prompts and intermediate AI outputs | 30 days in operational logs; final outputs stored with the artifact and inherit the artifact's retention | | Webhook payloads (ATS) | 14 days in our queue and logs | | Consent records | 7 years (legal demonstrability) | | Payment records | 7 years (tax/accounting) | | Security and audit logs | 12 months (extendable for active investigations) | | Backups | Encrypted, rolling 35 days; deletion requests propagate as backups roll forward |

When a record reaches its retention horizon, our scheduled cleanup jobs revoke share tokens, soft‑delete metadata, purge storage objects, and remove transcript text. See Section 14 for deletion mechanics.

10. Your Rights

Subject to applicable law you may:

  • access the personal data we hold about you;
  • correct inaccurate data;
  • erase your data (the GDPR "right to be forgotten");
  • restrict or object to processing, including AI processing;
  • receive a portable copy of data you provided;
  • withdraw consent at any time without affecting prior processing;
  • complain to your local supervisory authority (in the EEA, UK, or Switzerland) or to the California Attorney General.

To exercise rights, email hello@introvy.ai or use the in‑product controls in your candidate dashboard or account settings. We may verify your identity before responding. We will respond within 30 days for GDPR requests and 45 days for CCPA/CPRA requests, extendable as the law permits.

If your data was submitted by a recruiter, we will route your request to that recruiter as the controller, and we will assist them as processor.

11. Cookies, Tracking, and Local Storage

Introvy uses:

  • Strictly necessary cookies for authentication and session management. These are always on.
  • Local storage (your browser's localStorage) to keep drafts, preferences, and consent state. Local storage is not sent to third parties.
  • Optional analytics (privacy‑respecting, aggregate). We do not load analytics scripts until you accept analytics in our cookie banner.
  • No third‑party advertising trackers, fingerprinting libraries, or cross‑site behavioral profiles.

You can change your preferences any time from the cookie banner footer link or by clearing your browser's storage for introvy.ai.

12. Security

We use TLS 1.2+ in transit, AES‑256 at rest (Supabase storage), least‑privilege access controls, role‑based permissions and Row‑Level Security on customer‑sensitive tables, signed URLs for media, scheduled token rotation for ATS and webhook secrets, and continuous security monitoring. We will notify affected parties without undue delay, and within 72 hours where required by law, in the event of a confirmed personal‑data breach.

No system is completely secure. If you discover a vulnerability please email security@introvy.ai.

13. Minors

Introvy is for adults only. You must be at least 18 years old to use Introvy. We do not knowingly collect personal data from anyone under 18. If you are a parent or guardian and believe a minor has provided personal data, contact us and we will delete it.

14. Deletion and Withdrawal Mechanics

When you delete an artifact, withdraw consent, or close your account:

  1. The artifact is immediately marked deleted in our database and removed from all recruiter dashboards.
  2. Public share tokens are revoked and return 404 within seconds.
  3. The underlying media file in Supabase Storage / Cloudflare Stream is purged within 24 hours.
  4. AI transcripts and AI‑generated text tied to the artifact are deleted with the artifact.
  5. ATS write‑back stops; we do not recall summaries previously written to your ATS, but we do flag the artifact as deleted on the next webhook.
  6. Backups containing the deleted record are aged out within 35 days; we do not restore from backups for any reason that would re‑introduce deleted data.
  7. Account deletion cancels active Stripe subscriptions, removes the Auth user, and purges practice/submission/usage rows; consent and billing records are kept under Section 9.
  8. An audit row is written to deletion_requests recording the user, the surface, and the result.

15. California (CCPA/CPRA) Disclosures

In the prior 12 months we collected the following CCPA categories: identifiers, customer records, professional/employment information, internet activity, geolocation (city‑level), and inferences derived from that data. Sources: you, your recruiter, your ATS, our Service. Purposes: as described in Section 5.

We do not sell personal information and do not share personal information for cross‑context behavioral advertising. California residents have rights to know, delete, correct, limit use of sensitive personal information, and opt out of sale/sharing. To exercise rights email hello@introvy.ai.

16. Contact

Introvy Solutions Inc, New Lenox, IL, United States — hello@introvy.ai

EEA/UK representative and Data Protection Officer requests may be sent to the same address; we will route to our designated representative where one is appointed.

17. Changes to This Policy

We will notify users of material changes at least 30 days before they take effect, via email and/or in‑product notification, and will require re‑acceptance where the change materially affec

Other Legal Documents

Terms of ServiceCookie NoticeAccessibility StatementData Processing AddendumDisclosuresDMCA PolicySecurity PolicyLegal ContactAcceptable Use PolicyAI Content DisclaimerCandidate Video ReleaseSubprocessorsInternational Data Transfers

Cookies & local storage

We use strictly necessary cookies for sign-in, plus optional analytics that we never load until you say yes. We never load advertising trackers. Learn more.