Privacy Policy

1. Information We Collect

1.1 Account and Workspace Information

When you create an account, we collect:

• Full name
• Email address
• Password (stored as a cryptographic hash; we never store plaintext passwords)
• Phone number (optional)
• Organization, workspace, role, permission, and account settings information

1.2 Recruiting and Relationship Data You Provide

As part of using the Service, you or your organization may input, upload, or maintain recruiting and business relationship data, including:

• Names, email addresses, phone numbers, and locations
• Job titles, company affiliations, employment history, education history, and professional skills
• Public profile links and other professional identifiers you choose to provide
• Resumes, CVs, attachments, and other uploaded documents
• Notes, meeting notes, relationship context, preferences, labels, tags, workflow status, and pipeline assignments

1.3 Company, Role, and Market Data

You may add or reference companies, roles, searches, and related business opportunities within the Service. We collect and store information you provide or maintain about those records, including:

• Company names, websites, public profile links, business descriptions, and related business context
• Industry, size, location, leadership, hiring, role, and market information
• Search criteria, opportunity context, review decisions, and workflow activity

1.4 Public and Third-Party Professional Information

When you use enrichment, monitoring, matching, or intelligence features, we may process publicly available or commercially available professional and business information relevant to recruiting workflows, including:

• Public professional profile and work history information
• Public company, role, hiring, funding, market, and business information
• Publicly available news, announcements, websites, and other business sources
• Derived record updates, summaries, and relevance signals used to support the Service

1.5 Google Account Data (Optional Integration)

If you choose to connect your Google account, we access:

• Gmail send access: When you send an email from within Remly, we send that message on your behalf from your connected Gmail address. We request only the https://www.googleapis.com/auth/gmail.send scope. We do not read, search, download, or store your Gmail inbox content, message bodies, or attachments.
• Google Calendar event data: Calendar events where you and a contact are attendees (event titles, times, attendee lists, locations, conferencing links). We request only the https://www.googleapis.com/auth/calendar.events.readonly scope for Calendar access.
• OAuth tokens: Access tokens and refresh tokens necessary to maintain the connection, stored encrypted in our database.

We access your Google Calendar event data only on demand when you view a specific contact's calendar tab, and we send email only when you explicitly choose to send a message or schedule a user-authorized send. We do not continuously scan, index, or bulk-download your calendar, and we do not read your Gmail.

1.6 Uploaded Documents and Resume Data

When you upload resumes, CVs, or other documents, we may:

• Store the file securely in cloud storage
• Extract and process text or metadata from the file
• Use service providers to parse, summarize, classify, or structure the content
• Store the resulting information alongside the related record

1.7 Usage and Operational Data

We collect operational data necessary to run the Service:

• API call logs and error logs
• Feature usage counts, request counts, and resource usage
• Timestamps of account activity

We do not use third-party analytics services, advertising trackers, cookies for behavioral tracking, or marketing pixels.

2. How We Use Your Information

2.1 Core Service Functionality

• Account management: Authenticate your identity, manage your account settings, and enforce access controls.
• Contact and candidate management: Store, organize, and display the business contacts and candidates you add to the platform.
• Record enrichment and intelligence: Retrieve and process public or third-party professional and business information to enrich records, support recruiting workflows, and surface relevant updates.
• Company, role, and career monitoring: Monitor public business, hiring, and professional signals for records you choose to track.
• Matching and review workflows: Surface relevant candidate, role, company, and relationship opportunities for review by your team.
• Email and calendar integration: Send user-authorized emails through your connected Gmail account and display relevant Google Calendar events for your contacts within the Service.
• AI-assisted processing: Use artificial intelligence and automated systems to parse documents, generate drafts, summarize information, classify records, and support matching, review, and recruiting intelligence features.
• Pipeline and opportunity management: Support candidate pipeline tracking, review queues, talent sharing, follow-up workflows, and related recruiting operations.

2.2 Service Improvement and Operations

• Debug errors and maintain Service reliability
• Monitor system performance and resource usage
• Enforce usage limits associated with your subscription

2.3 Communications

• Send transactional emails related to your account (password resets, security alerts)
• Send optional job alert notifications if you have opted in

3. How We Share Your Information

3.1 Third-Party Service Providers

We share data with categories of service providers solely to operate, secure, and support the Service, including:

• Cloud infrastructure, hosting, authentication, database, storage, and serverless compute providers
• Data enrichment and public information providers
• AI processing and automation providers
• Email, calendar, and communications integration providers
• Security, logging, monitoring, legal, and operational support providers

These providers may process account information, recruiting and relationship data, company and role data, uploaded content, public or third-party professional information, usage data, and user-composed communications as needed to provide the Service. We use contractual, technical, and organizational controls intended to limit provider processing to the services they perform for us. Where available, we use API-based or enterprise configurations designed so customer data is not used to train third-party AI models. A current subprocessor list may be made available on request.

3.2 No Sale of Personal Data

We do not sell, rent, or trade personal information to third parties for their marketing or advertising purposes.

3.3 No Advertising

We do not serve advertisements or share data with advertising networks.

3.4 Legal and Safety Disclosures

We may disclose information if we believe in good faith that disclosure is necessary to:

• Comply with applicable law, regulation, legal process, or governmental request
• Enforce our Terms of Service
• Protect the safety, rights, or property of Remly, our users, or the public
• Detect, prevent, or address fraud, security, or technical issues

3.5 Business Transfers

If Remly is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change via email or prominent notice on the Service.

4. Data Storage, Security, and Retention

4.1 Storage Location

Your data is stored on Google Cloud Platform infrastructure, primarily in the United States (us-central1 region). By using the Service, you consent to the transfer and storage of your data in the United States.

4.2 Security Measures

We implement the following security measures:

• Authentication: Firebase Authentication with secure password hashing and JWT-based session tokens
• Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS
• Encryption at rest: Data stored in Firestore and Cloud Storage is encrypted at rest using Google Cloud's default encryption
• Secret management: API keys and OAuth credentials are stored in Google Cloud Secret Manager, not in application code
• Access isolation: All customer data is logically isolated by organization; users can only access data belonging to their organization
• OAuth token security: Google OAuth tokens are encrypted before storage in Firestore and access is restricted to backend services

4.3 Data Retention

• Active accounts: We retain your data for as long as your account is active and as needed to provide the Service.
• Deleted data: When you delete a contact, candidate, or other record through the Service, it is permanently removed from our database.
• Account termination: Upon account or organization deletion, we will delete all associated data within 30 days, except as required by law or legitimate business purposes.
• Google OAuth tokens: If you disconnect your Google account, tokens are immediately revoked and deleted from our systems.

5. Your Rights and Choices

5.1 Access and Correction

You can access, update, or correct your account information at any time through the Service settings. You can view, edit, or delete any contacts, candidates, or companies you have added.

5.2 Google Account Disconnection

You can disconnect your Google account at any time from the Settings page. This immediately revokes our access and deletes stored tokens. You can also revoke access from your Google Account permissions page.

5.3 Data Deletion

You may request deletion of your account and all associated data by contacting us at the address below. We will process deletion requests within 30 days.

5.4 Data Export

You may request an export of your data by contacting us at the address below.

5.5 Profile Monitoring Opt-Out

Profile monitoring (periodic refresh of contact/candidate data from public sources) can be disabled at the organization level through your account settings.

5.6 Job Alert Opt-Out

Email notifications for job alerts can be disabled through your Settings page.

6. Google API Services Usage Disclosure

Remly's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• We only use Google user data for the purposes described in this Privacy Policy (displaying relevant calendar events for your business contacts, and sending emails on your behalf).
• We do not use Google user data for serving advertisements.
• We do not allow humans to read your Google data unless (a) you provide affirmative consent, (b) it is necessary for security purposes, (c) it is necessary to comply with applicable law, or (d) our use is limited to internal operations and the data has been aggregated and anonymized.
• We do not transfer Google user data to third parties except as necessary to provide or improve the Service, to comply with applicable law, or as part of a merger/acquisition with adequate data protection commitments.

7. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will delete it promptly.

8. International Users

The Service is hosted in the United States. If you access the Service from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

For users in the European Economic Area (EEA) or United Kingdom, our legal basis for processing personal data includes:

• Contract performance: Processing necessary to provide the Service you have requested
• Legitimate interests: Processing necessary for our legitimate business interests (e.g., improving the Service, ensuring security), where those interests are not overridden by your rights
• Consent: Where you have provided specific consent (e.g., connecting your Google account)

EEA and UK users may have additional rights under GDPR, including the right to access, rectification, erasure, restriction of processing, data portability, and objection. To exercise these rights, contact us at the address below.

9. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

• Right to know: You may request details about the categories and specific pieces of personal information we have collected.
• Right to delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to opt out of sale: We do not sell personal information, so this right does not apply.
• Non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact us at the address below.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service with a revised "Last Updated" date, and where appropriate, by email. Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes.

11. Contact Us

If you have questions about this Privacy Policy or wish to exercise any of your rights, please contact us at:

Remly Inc.
Email: arel@remly.co
Website: https://remly.co