Privacy Policy

1. Data Controller

We Are Over The Moon B.V. (hereinafter: 'we' or 'WAOTM') is the data controller for the processing of personal data of companies and their candidates via our platform.

2. Data Collection

• From companies: Company name, contact details, billing information, user accounts of HR employees, organizational structure, and cultural DNA questionnaires.
• From candidates: CVs, cover letters, personal information (name, email, phone number), cognitive test results, voice interview recordings, cultural fit assessment data, and communication via the platform.
• Technical data: IP addresses, browser information, session data, and usage statistics for security and platform improvement.

3. Purpose of Processing

• Providing AI-driven candidate analyses, including cognitive assessments, voice interviews, and cultural fit matching.
• Facilitating the recruitment process between companies and candidates.
• Improving our AI models (only with anonymized data).
• Billing and contract management.
• Compliance with legal obligations.

4. AI Processing

Candidate data is processed by our AI systems to provide insights into cognitive abilities, personality, cultural fit, and job suitability. Voice interviews are analyzed for communication skills and authenticity markers. All AI analyses are intended as decision support; the final decision always rests with the employer.

5. Retention Period

• Active candidate data: During the recruitment process, maximum 12 months after last activity.
• Rejected candidates: 4 weeks after rejection, unless candidate consents to longer retention in talent pool.
• Hired candidates: Data is transferred to employer after hiring and deleted from our system within 30 days.
• Company data: During the contract period and 7 years thereafter for fiscal purposes.
• Voice recordings: Maximum 90 days, then automatically deleted.

6. Sharing with Third Parties

• Stripe: For secure payment processing (under data processing agreement).
• OpenAI: For AI analysis of textual content and voice transcription (under data processing agreement with opt-out for model training).
• Hosting providers: For secure data storage within the EU.
• We never sell personal data to third parties. Candidate data is only shared with the companies that invited them for assessment.

7. Data Security

All data is stored encrypted (AES-256) on secure servers within the EU. We maintain strict access controls, regular security audits, and ISO 27001 security standards. Voice recordings are stored with additional security using end-to-end encryption.

8. Data Subject Rights (GDPR)

• Right of access: You can request which data we process about you.
• Right to rectification: You can have incorrect data corrected.
• Right to erasure ('right to be forgotten'): You can request deletion, subject to legal retention requirements.
• Right to restriction: You can request restriction of processing in certain cases.
• Right to data portability: You can receive your data in structured format.
• Right to object: You can object to processing.
• Candidates can exercise these rights via privacy@weareoverthemoon.nl. We respond within 30 days.

9. Cookies

We use functional cookies (necessary for platform operation), analytical cookies (for usage statistics, with consent), and no tracking cookies for advertising purposes. You can adjust your cookie preferences via our cookie banner.

10. Legal Basis for Processing

Our processing is based on: (a) performance of contract with companies, (b) consent from candidates for assessment participation, (c) legitimate interest for platform improvement and security, and (d) legal obligation for fiscal administration.

11. International Transfer

All data is processed and stored within the EU. For services like OpenAI, we use Standard Contractual Clauses and data processing agreements that comply with GDPR requirements.

12. Right to Complain

If you are not satisfied with how we handle your data, you have the right to file a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl) or your local data protection authority.