Privacy Policy | Exterview

Introduction

Exterview Inc. ("Exterview", "we", "us") is committed to protecting the privacy of individuals whose data is processed through the Exterview AI platform. This Privacy Policy explains how we collect, use, store, and protect personal data in connection with our agentic talent intelligence platform.You can easily identify all this content because it's shown as grey in the left sidebar Navigator, and it shows a blue border when you click or hover over it.

This policy applies to all users of the Exterview platform, including enterprise customers, authorized users, job candidates, and website visitors.

Data Controller and Processor Roles

Enterprise Customers are the Data Controllers: They determine the purposes and means of processing Candidate Data through the Exterview platform.

Exterview acts as a Data Processor: We process personal data on behalf of and under the instructions of our enterprise customers.

For website visitors and direct interactions with Exterview (e.g., demo requests), Exterview acts as the Data Controller.

Data We Collect

We collect only the data necessary to operate, secure, and improve the Exterview platform, categorized based on how users interact with our system.

Candidate Data (Processed on Behalf of Customers)

Resume and CV content (name, contact details, education, work history, skills)

Interview recordings (voice, video) and transcripts

Assessment responses and AI-generated evaluation scores

Identity verification data (liveness detection, document verification)

Communication preferences and scheduling data

Customer and User Data

Organization name, billing information, and contact details

Authorized user names, email addresses, and roles

Platform usage data (feature usage, session data, login activity)

Configuration preferences and workflow settings

Website Visitor Data

Contact form submissions (name, email, company, message)

Browser type, IP address, and device information

Pages visited and interaction data (via PostHog analytics)

Cookie preferences

How We Use Data

We process personal data for the following purposes:

Platform delivery: To operate the hiring intelligence platform, run AI agents, generate assessments, and deliver reports to customers.

Service improvement: To improve platform performance, accuracy, and reliability using anonymized, aggregated data only.

Security and fraud prevention: To detect unauthorized access, prevent fraud during interviews, and maintain platform integrity.

Communication: To respond to inquiries, provide support, and send service-related notifications.

Compliance: To meet legal and regulatory obligations including audit, tax, and data protection requirements.

We do NOT use personal data for:

Advertising or marketing to candidates

Selling or sharing data with third parties for their own purposes

Training AI models on identifiable personal data

Legal Basis for Processing

We process personal data for the following purposes:

Purpose	Legal Basis
Platform delivery	Performance of contract (customer agreement)
Candidate assessment	Legitimate interest of the customer (structured hiring)
Security and fraud prevention	Legitimate interest (platform security)
Communication	Consent (website forms) / Contract (support)
Compliance	Legal obligation

Data Sharing

We share Candidate Data only with the enterprise customer who controls the hiring process.

We use the following sub-processors:

Sub-Processor	Purpose	Location
Microsoft Azure	Cloud infrastructure, compute, storage	Configurable (default: US)
Azure OpenAI Service	AI model inference for agent evaluations	US / EU (configurable)
Langfuse	Prompt observability and monitoring	EU
PostHog	Product analytics (anonymized)	EU
Microsoft Entra ID	Authentication and SSO	Global
Merge.dev	ATS/HRMS integration layer	US

We require all sub-processors to maintain security standards equivalent to or exceeding our own, including SOC 2 Type II or equivalent certification.

We do not transfer data to any entity not listed above without prior customer notification.

Data Retention

Candidate Data is retained for the duration specified in the customer's subscription agreement, typically 12 months after the hiring process concludes.

Customers may request earlier deletion of Candidate Data at any time.

Upon contract termination, Customer Data is available for export for 30 days, after which it is permanently deleted.

Anonymized, aggregated data may be retained indefinitely for platform improvement purposes.

Backup data is purged within 90 days of primary data deletion.

Data Security

All data is encrypted at rest (AES-256) and in transit (TLS 1.3).

Data is stored with tenant-level isolation, no customer can access another customer's data.

Access to production systems follows least-privilege principles with MFA enforcement.

We maintain SOC 2 Type II, ISO 27001, and ISO 42001 certifications.

For detailed security information, visit exterview.ai/trust.

Individual Rights

Depending on applicable law (GDPR, DPDP 2023, CCPA), individuals may have the following rights:

Access: Request a copy of personal data we hold.

Correction: Request correction of inaccurate data.

Deletion: Request deletion of personal data.

Portability: Request data in a structured, machine-readable format.

Objection: Object to processing based on legitimate interest.

Restriction: Request restriction of processing in certain circumstances.

Withdraw consent: Where processing is based on consent, withdraw at any time.

For Candidates: Since Exterview processes Candidate Data on behalf of enterprise customers, candidates should direct rights requests to the hiring organization. We will assist customers in fulfilling these requests.

For Website Visitors: Contact privacy@exterview.ai to exercise any rights.

We respond to verified requests within 30 days (or as required by applicable law).

International Data Transfers

Exterview is headquartered in the United States with operations in India.

For EU/EEA data subjects, transfers to the US are protected by Standard Contractual Clauses (SCCs) incorporated into our Data Processing Agreement.

For Indian data subjects, transfers comply with the Digital Personal Data Protection Act 2023 (DPDP), including processing only in jurisdictions not restricted by the Indian government.

Customers may request data residency within specific Azure regions.

Cookies and Tracking

Our website uses essential cookies for functionality and analytics cookies (PostHog) for understanding usage patterns.

We do not use advertising cookies or third-party tracking pixels.

For Indian data subjects, transfers comply with the Digital Personal Data Protection Act 2023 (DPDP), including processing only in jurisdictions not restricted by the Indian government.

Users can manage cookie preferences through their browser settings.

Children's Privacy

The Exterview platform is designed for enterprise hiring use. We do not knowingly collect data from individuals under the age of 16. If we learn that we have inadvertently collected such data, we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered customers and posted on this page with an updated effective date.

Contact Us

For privacy-related questions or to exercise your rights:

Email: privacy@exterview.ai

Data Protection Contact: Manish, CEO & Co-Founder

Address: Manish, CEO & Co-Founder

Web: exterview.ai/contact

Trust Center: exterview.ai/trust