Plain-English version: recruiters use Shortlistr to organise candidate information they already hold. We host that data on their behalf, we don't sell it, and we don't train AI on it. The detail is below.
Shortlistr handles two categories of personal data with two different legal postures.
Recruiter account data. When you create an account, we act as the controller of your personal data — name, work email, login credentials, billing details, and the activity logs needed to run the service. The legal basis is performance of our contract with you (Art. 6(1)(b) GDPR) and our legitimate interest in operating a secure product (Art. 6(1)(f)).
Candidate and reviewer data. The candidate profiles, CVs, LinkedIn imports, briefs, reviewer email addresses and reactions you process inside Shortlistr are personal data for which you are the controller. We act as the processor on your behalf, under the data processing addendum (DPA) available on request from our trust page.
Full list with regions on the trust page. We do not sell personal data to advertisers or data brokers, and we do not share it for marketing purposes outside Shortlistr.
Our primary database is hosted in the EU (Frankfurt). Some sub-processors (OpenAI for AI features, Stripe for billing, Cloudflare for edge hosting) process data outside the EEA. Transfers rely on Standard Contractual Clauses (Module 2 / Module 3 as applicable) and supplementary measures. OpenAI is contractually prohibited from training models on Shortlistr customer data.
For candidate or reviewer data you processed via Shortlistr, contact the recruiter who invited you — they are the controller. We will help them respond.
We'll update this page when we change how we handle data. Material changes — new sub-processors that touch candidate data, new categories of collection — will be emailed to workspace owners at least 30 days before they take effect.