Privacy Notice

• We process candidate CVs, voice interviews, and AI-generated scores for the sole purpose of producing an assessment for the hirer who invited the candidate.
• The interview is conducted by an AI agent and scored by AI. You have the right to request human review before any decision is made about you.
• We don't sell candidate data, and we don't use it to train any AI model.
• You can access, export, or delete your data at any time.
• Default retention: assessment data 12 months, voice recordings 6 months, after which they are automatically purged.

Basanite (the “Platform”) is currently operated as an unincorporated UK venture by its three founders — Aditya Shah, Andrew Robertson, and Lynn Zhao— based in the United Kingdom. For privacy queries: privacy@basanite.co.uk.

Roles under GDPR: When you take an assessment, the hirer who invited you (e.g. the company you applied to) is the data controller. The founders act jointly as the data processor that hirer engages. When you sign up as a hirer, the founders are joint data controllers for your account information. Once a UK company is incorporated these roles will transfer to that entity and we will update this notice.

Joint controllers' single point of contact (Art. 26 UK GDPR): the founders have agreed that privacy@basanite.co.uk is the single point of contact for exercising any of the rights set out below, regardless of which founder you reach. The essence of the arrangement is available on request.

Candidates

• Name and email, captured at signup or pulled from the hirer's ATS.
• CV text, either uploaded by you or fetched from the hirer's ATS attachment.
• Voice recording of the interview (audio only) and a written transcript.
• AI-generated scores and reports across the dimensions the hirer has configured.
• Consent records — every consent you grant or withdraw is logged with timestamp.

Hirers

• Account email, name, and password hash (handled by Supabase Auth).
• Roles you create — title, company name, job description, evaluation dimensions.
• Encrypted ATS connection tokens (AES-GCM at rest, decrypted only in memory at the moment of an API call).
• Voice samples and cloned voice IDs — when you opt to clone your voice as the interviewer voice. The original audio sample is sent to ElevenLabs for processing; we store the resulting voice ID against your org plus a 5-second preview clip we generate so your team can listen back. We log your consent at the moment of cloning.

Visitors / waitlist

• If you sign up to the waitlist: name, email, optional company.
• Standard server logs (IP, request path, timestamp). IPs are masked at the last octet within 24 hours of capture.

• Performance of contract / pre-contract steps (Art. 6(1)(b)) — for delivering the assessment you started.
• Legitimate interests (Art. 6(1)(f)) — for fraud prevention, security, and product improvement (in aggregate, never identifying you).
• Consent (Art. 6(1)(a)) — for the voice recording, AI scoring, and CV processing. You can withdraw at any time without affecting prior lawful processing.
• Legal obligation (Art. 6(1)(c)) — to respond to lawful requests from regulators or law enforcement.

Voice recordings can constitute biometric data, and free-text interviews may inadvertently reveal information about your health, beliefs, or other special categories. We collect this on the basis of your explicit consent (Art. 9(2)(a)), which we ask for at the start of the interview. You can withdraw at any time and we will erase the recording and transcript on request within 30 days.

The interview is conducted by an AI agent. Scores and dimension assessments are generated by AI and presented to the hirer. Under Article 22 of the UK GDPR, you have the right not to be subject to a decision based solely on automated processing where it produces legal or similarly significant effects.

Before you start the interview we ask whether you object to fully automated decisions about you. If you object, we flag your assessment so the hirer must apply human review before relying on any score in a hiring decision. You can also register an objection at any later time.

We use the following sub-processors. Each receives only the data it needs for its function. See the full sub-processors list for current providers, locations, and Data Processing Agreement status.

• Supabase — database, authentication, storage of recordings.
• Anthropic — AI inference for CV extraction, interview conduct, and scoring.
• ElevenLabs — voice agent serving the live interview audio.
• Resend — transactional email delivery (invites, reports).
• Merge.dev — unified ATS API for hirers who connect Greenhouse, Lever, Ashby etc.
• Vercel and Render — hosting for frontend and backend.

Some sub-processors are based outside the UK/EU. For US-based providers we rely on the UK Extension to the EU-US Data Privacy Framework or Standard Contractual Clauses. See the sub-processors page for details per provider.

• Voice recordings: 6 months from interview completion, then automatically deleted.
• Interview transcripts and AI scores: 12 months from completion, then automatically deleted.
• Hirer reports: 12 months from completion, then automatically deleted (PDFs may have been downloaded by the hirer; that copy is outside our control).
• CV text: 12 months from upload, then automatically deleted.
• Cloned hirer voices: kept until you delete them from the dashboard. Deletion cascades to ElevenLabs (the voice slot is freed) and to our own records within 30 days.
• Hirer accounts: kept until the hirer deletes their account; deletion cascades to all associated data within 30 days.
• Waitlist entries: kept until acted on (approved / rejected) or until you ask us to delete.
• Consent records and DSAR audit trail: retained for 6 years as required for legal defence.

You can request earlier erasure at any time via the data-rights page.

Under the UK GDPR you have the right to:

• Access a copy of the personal data we hold on you.
• Rectify inaccurate data.
• Erase your data (“right to be forgotten”).
• Restrict or object to processing — including the right not to be subject to automated decisions.
• Portability — receive your data in a structured, machine-readable format.
• Withdraw consent at any time.
• Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).

Submit any of these requests via the self-serve data-rights page or by emailing privacy@basanite.co.uk. We respond within 30 days.

We use TLS 1.2+ in transit, encryption at rest for the database and ATS tokens, RLS-enforced access scoping in the database, and short-lived session tokens. Recordings are stored in a deny-by-default bucket only the backend service role can read.

Basanite is intended for users aged 16 or over. We ask candidates to confirm they are at least 16 before starting an interview. If you are under 16, please do not use the platform; if you have already submitted information and are under 16, contact us and we will erase it.

When we change this notice we update the version date at the top and, for material changes, notify users by email or in-app banner. Previous versions are kept on file and available on request.

2026-05-07: identified the operator as the three founders acting jointly until a UK company is incorporated, and added the joint-controller single point of contact.

Privacy enquiries: privacy@basanite.co.uk
UK Information Commissioner: ico.org.uk · 0303 123 1113.