Comsalo

Privacy Policy

Last updated: March 17, 2026

1. Introduction

Comsalo ("we", "our", or "us") operates comsalo.com and its sub-domains including recruit.comsalo.com and interview.comsalo.com (collectively, the "Platform"). This Privacy Policy explains how we collect, use, and protect your personal data when you use our Platform.

By using our Platform, you agree to the collection and use of information in accordance with this policy.

2. Who We Are

Comsalo is a technology company that builds AI-driven SaaS infrastructure and applications for businesses. Our products include enterprise hiring tools, AI-powered interview management systems, and related cloud services.

For GDPR purposes, Comsalo acts as the data controller for personal data collected through the Platform.

3. Data We Collect

We collect the following categories of personal data:

  • Account data: Company name, email address, password (hashed)
  • Candidate data: First name, last name, email address, phone number, CV/resume files
  • Interview data: Interview responses, scores, access tokens, and timestamps
  • Usage data: IP address, browser type, pages visited, and session duration collected automatically via server logs

We do not collect sensitive personal data such as racial origin, health data, or financial information.

4. How We Use Your Data

We use the data we collect to:

  • Provide, operate, and improve the Platform
  • Send transactional emails such as interview invitations and confirmations
  • Authenticate users and maintain session security
  • Monitor service uptime and diagnose technical issues
  • Comply with legal obligations

We do not sell your personal data to third parties.

5. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your data under the following legal bases:

  • Contract performance: Processing necessary to provide the services you requested
  • Legitimate interests: Service monitoring, security, and fraud prevention
  • Consent: Where you have explicitly provided consent (e.g., marketing communications)
  • Legal obligation: Where required by applicable law

6. Data Sharing

We share your data only with trusted third-party service providers necessary to operate the Platform:

  • Supabase — database hosting and storage (DPA)
  • Resend — transactional email delivery (DPA)
  • Railway — backend infrastructure hosting (Privacy Policy)
  • Vercel — frontend hosting (DPA)

All processors are contractually bound to handle data securely and only for the purposes we specify. Each processor maintains its own GDPR compliance and Data Processing Agreements. We do not share data with advertisers or data brokers.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide services. Candidate data associated with completed interviews is retained until deletion is requested by the candidate or the recruiting company. Service monitoring data (uptime logs) is retained for 90 days.

8. Your Rights

Under GDPR, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Erase your personal data ("right to be forgotten")
  • Restrict processing of your data
  • Receive your data in a machine-readable format (data portability)
  • Object to processing based on legitimate interests
  • Withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

9. Cookies

We use session cookies strictly necessary for authentication and maintaining your logged-in state. We do not use advertising or tracking cookies. You can disable cookies in your browser settings, but this may affect Platform functionality.

10. Security

We implement industry-standard security measures including HTTPS encryption, hashed passwords, and access-controlled infrastructure. However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

11. International Transfers

Some of our third-party providers may process data outside the European Economic Area. Where this occurs, our processors maintain their own GDPR compliance frameworks including Standard Contractual Clauses (SCCs) and Data Processing Agreements as required by applicable data protection regulations.

12. Children's Privacy

The Platform is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the "Last updated" date at the top of this page. Continued use of the Platform after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

Comsalo

Email: [email protected]

Website: comsalo.com

If you are located in the EU and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.