Privacy Policy
Proof of Fit, Inc. Privacy Policy
- Effective date: November 2, 2025
- Contact: privacy@proofoffit.com
- Postal address: Buffalo, MN 55313, USA
- EU/UK representative: To be designated
- Data Protection Officer: dpo@proofoffit.com (to be designated when required)
- Services covered: proofoffit.com, app.proofoffit.com, and related services
1. Scope & Roles
Proof of Fit, Inc. acts as both a data Controller and a data Processor depending on the context of processing:
- Controller for our marketing sites, application accounts, analytics, and communications with prospective or current customers.
- Processor for candidate data supplied by our employer customers. Those employers remain the Controllers for candidate information and direct how we process it.
2. Categories of Personal Data
Website & Device Data (Controller)
IP address (truncated/full per consent), device/browser attributes, pages viewed, referrer/UTM parameters, language, approximate location, and cookie or SDK identifiers.
Account & Customer Data (Controller)
Names, work email addresses, hashed passwords, company/role, billing contacts, product usage logs, support communications, and admin events.
Candidate Data (Processor)
Résumés, screening responses, assessments, scheduling metadata, recruiter annotations, and detailed audit logs. Optional fairness attributes (gender, race/ethnicity, disability, veteran status) are processed only if Controllers enable them and solely for validation or auditing purposes—never for individual decisioning.
Inferences & Analytics
Fit scores, risk flags, recommendation rationales, and quality metrics derived from inputs. When generated under our own analytics programs, we act as Controller; when produced at a Controller’s direction, we act as Processor.
We do not require candidates to disclose protected characteristics. When fairness attributes are collected, disclosure is optional and governed by explicit notice and consent.
3. Sources
Personal data comes from the individual user, the employer (Controller), devices and browsers, integrated systems such as ATS/HRIS, and our trusted service providers (analytics, infrastructure, communications, payments).
4. Purposes & Legal Bases
When we are Controller
- Provide, secure, and troubleshoot the Sites/Services (Art. 6(1)(b); 6(1)(f)).
- Measure and improve performance (6(1)(a) for non-essential cookies; 6(1)(f) for essential operations).
- Communicate product updates and marketing (6(1)(b), 6(1)(f), and 6(1)(a) where consent is required).
- Fulfil legal obligations (6(1)(c)).
When we are Processor
- Execute the Services strictly under the Controller’s written instructions (Art. 28 GDPR).
- Special category data, if enabled, is handled only with explicit consent (Art. 9(2)(a)) or another lawful basis specified by the Controller and only for fairness auditing.
5. Automated Decision-Making
Our tools generate fit scores and recommendations. Employers—the Controllers—retain final hiring authority. Individuals may request human review through their employer. Where we act as Controller (e.g., marketing automations), we do not make decisions with legal or similarly significant effects.
6. Disclosures & Recipients
- Service providers/sub-processors: hosting, monitoring, analytics (consent-gated), email, customer support, payment, and security vendors.
- Corporate transactions involving merger, acquisition, or asset sale.
- Legal compliance requests, including enforcement of terms and protection of rights.
- Aggregated or de-identified data for benchmarking and research; such data is not reasonably capable of re-identifying individuals.
We do not sell personal data for monetary consideration. If we engage in cross-context behavioral advertising, we will provide a “Do Not Sell/Share” option and honor opt-outs.
7. International Transfers
When data travels outside its origin (for example, to the United States), we rely on valid transfer mechanisms such as the EU Standard Contractual Clauses, the UK IDTA/Addendum, or Swiss SCCs, and we apply supplementary safeguards.
8. Retention
- Website analytics identifiers: up to 13 months (shorter where required).
- Account, billing, and support records: contract term + up to 7 years.
- Candidate data (processor): retained per Controller instructions; audit logs typically 24 months unless contract dictates otherwise.
- Optional fairness attributes: retained only for validation windows then aggregated/de-identified.
9. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, restrict processing, object, receive data portability, and withdraw consent. To exercise these rights, contact us at privacy@proofoffit.com. If we process your data as Processor, contact your employer.
- EU/UK: You may complain to your local supervisory authority.
- California (CPRA): You may request to know, delete, or correct personal information; opt-out of sale/share; and limit use of sensitive personal information. We will not discriminate for exercising these rights.
10. Cookies & Tracking
We use cookies and similar technologies. Non-essential categories load only after consent. Refer to our Cookie Policy for details and adjust preferences via the banner at any time.
11. Security
We employ administrative, technical, and physical safeguards including encryption in transit and at rest, access controls, least privilege, logging and monitoring, backups, and incident response procedures.
12. Children
The Services are not intended for individuals under 16. We do not knowingly collect personal data from children.
13. Changes
We may update this Privacy Policy. We will post a “last updated” date and, where required, notify you through the Services or email.
Legal Notice
This policy is provided for general informational purposes and does not constitute legal advice. Please consult your legal counsel to confirm that these provisions align with your specific data flows and obligations.