Ashby Privacy Policy
Last updated October 1, 2024
Introduction
This page describes how Ashby, Inc. ("Ashby", "we", "our", "us") collects and processes personal information in accordance with this Privacy Policy.
What information do we collect and where do we collect it from?
We automatically collect information such as your IP address and device ID in order to provide our services to you. We also collect information from you when you register on our site or fill out a form or upload information to the Service.
The information we may collect includes, without limitation:
- Name, email address, social media accounts, cover letter (if applicable), resume and job experience, education, email communications sent via our Service, or email communications that you chose to send to us or to give us administrative access to, availability for interviews, notes from interviewers, offer letter contents, and custom fields created by customers of our platform as well as other content a user of our platform may upload.
- Metadata related to your use of the Service, such as: when you login to the Service and how you use the Service
If you are using “Ashby for Recruiting”:
The sources of this collection are from job applicants or candidates directly, from customers, and from third party sources such as social media service providers.
If you are using “Ashby Analytics”:
The sources of this collection are from systems the customer has connected to Ashby.
What do we use personal information for?
If you are using “Ashby for Recruiting”:
We provide a job candidate and job applicant relationship management and tracking system. Any of the personal information we collect may be processed and/or used in the following ways:
- To help companies post and manage jobs
- To help companies source candidates for jobs
- To help companies manage applicants for jobs
- To help companies schedule interviews with candidates and interviewers
- To personalize your experience (your information helps us to better respond to your individual needs)
- To improve our Service (we continually strive to improve based on the information and feedback we receive from you)
- To provide and improve customer service (your information helps us to more effectively respond to your customer service and support needs)
If you are using “Ashby Analytics”:
We provide a talent analytics solution. Any of the personal information we collect may be processed and/or used in the following ways:
- To help analyze recruiting activities
- To personalize your experience (your information helps us to better respond to your individual needs)
- To improve our Service (we continually strive to improve based on the information and feedback we receive from you)
Do we use cookies?
Yes. Cookies are small files that a site or its service provider transfers to your computers hard drive through your Web browser (if you allow) that enables the sites or service providers systems to recognize your browser and capture and remember certain information.
Where do we process data?
We locate our data centers in the United States. By utilizing our services, you expressly instruct us to process personal information within the United States and consent to its processing in accordance with this privacy policy.
How long do we retain your data?
How long we retain your Personal Data depends on the type of data and the purpose for which we process the data. We will retain your Personal Information for the period necessary to fulfill the purposes outlined in this Privacy Notice unless a longer retention period is required or permitted by law.
Do we disclose any information to outside parties?
We share information about you as follows:
- Service Providers. We may share your information with our agents, vendors and other service providers (collectively "Service Providers") in connection with their work on our behalf. Service Providers assist us with services such as payment processing, credit checks, data analytics, marketing and promotional services, website hosting, and technical support. Service Providers are prohibited from using your information for any purpose other than to provide this assistance, although we may permit them to use aggregate information which does not identify you or de-identified data for other purposes. You can find a list of Service Providers (Sub-processors) in the following section.
- Affiliates. We may share your information with our related entities, including our parent and sister companies. For example, we may share your information with our affiliates for customer support, marketing and technical operations.
- Business Partners. We may share your information with our business partners in connection with offering you co-branded services, selling or distributing our Service, or engaging in joint marketing activities.
- Merger or Acquisition. We may share your information in connection with, or during negotiations of, any proposed or actual merger, purchase, sale or any other type of acquisition or business combination of all or any portion of our assets, or transfer of all or a portion of our business to another business.
- Security and Compelled Disclosure. We may share your information to comply with the law or other legal process, and where required, in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also share your information to protect the rights, property, life, health, security and safety of Ashby, our Service or any third party.
- Consent. We may share your information for any other purpose disclosed to you and with your consent.
Without limiting the foregoing, in our sole discretion, we may share aggregated information that does not identify you or de-identified information about you with third parties or affiliates for any purpose except as prohibited by applicable law.
We do not sell, trade, or otherwise transfer your personal information except in accordance with this policy.
Sub-processors
The following sub-processors provide services necessary for core platform features:
| Amazon Web Services | Cloud data processing and warehousing |
| Intercom | Monitor interaction, provide customer support, send product updates |
| FullStory | Monitor and analyze interaction |
| Sovren Group, inc | Process resume files |
| RudderStack, inc | Product usage analytics |
| Dropbox, inc | Electronic signatures via Dropbox Sign |
| Mapbox, inc | Provide structured location data for address text |
| WorkOS, inc. | Magic link authentication |
The following sub-processors provide services necessary for the use of optional add-ons:
| NamSor SAS | Only used when customer has purchased the diversity add-on. Used to infer demographic information based on candidate names. |
| OpenAI | Only used when customer has purchased the AI add-on. Used for LLM text generation. |
| WorkOS, inc. | Single sign-on and active directory sync |
California Online Privacy Protection Act Compliance
Because we value your privacy we have taken the necessary precautions to be in compliance with the California Online Privacy Protection Act. We therefore will not distribute your personal information to outside parties without your consent. Your submission of personal information in connection with creating an applicant or candidate profile constitutes your consent to our distribution of your personal information to our customers for the purposes of using our Services.
Online Privacy Policy Only
This online privacy policy applies only to information collected through our website and not to information collected offline.
Your Consent
By using our site, you consent to our privacy policy. If you do not consent to the collection and processing of the information required to be processed, we are unable to provide you with our service, and you should not use our site.
Changes to our Privacy Policy
If we decide to change our privacy policy, we will post those changes on this page and update the Privacy Policy modification date above. Policy changes will apply only to information collected after the effective date of the change.
EU, UK and Swiss Residents
If you are a resident of the European Union, the United Kingdom or Switzerland, you are entitled to certain information and you have certain rights under, respectively, the General Data Protection Regulation (Regulation (EU) 2016/679) (the “EU GDPR”), the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (the “UK GDPR”) (collectively, the “GDPR”) and the Swiss Federal Act on Data Protection (“FADP”). Those rights include:
- The right of access to your personal data.
- The right to rectify your personal data if it is incorrect or incomplete.
- The right to have your personal data erased (“right to be forgotten”) if certain grounds are met.
- The right to withdraw your consent to our processing of your personal data at any time (if our processing is based on consent).
- The right to object to our processing of your personal data (if processing is based on legitimate interests).
- The right to object to our processing of your personal data for direct marketing purposes.
- The right to receive your personal data from us in a structured, commonly used and machine-readable format, and the right to transmit your personal data to another controller without hindrance from us (data portability).
If you are located in the European Union, the United Kingdom or Switzerland and you are or have been a user of our Service, we may send you marketing communications based on our legitimate interests, subject always to your right to opt out of such communications. Further, if you are located in the European Union, the United Kingdom or Switzerland, we will never share your personal data with a third party for such third party’s marketing purposes, unless you have specifically consented to us doing so.
You may contact us at privacy[at]ashbyhq.com to exercise any of the above rights. We may request specific information from you to confirm your identity, and in some circumstances, we may charge a reasonable fee for access to your information.
Furthermore, if you believe that our processing of your personal data is inconsistent with your data protection rights under the GDPR or FADP (as applicable) and we have not adequately addressed your concerns, you have the right to lodge a complaint with the data protection supervisory authority of your country.
Ashby has appointed the following representatives:
European Representative pursuant to GDPR:
Rivacy GmbH
Mexikoring 33
22297 Hamburg
info[at]rivacy.eu
UK Representative pursuant to UK GDPR:
Rivacy Ltd.
87, Warriner Gardens
Unit G1/G2,
London, SW11 4DX
info[at]rivacy.co.uk
CH Representative pursuant to FADP:
Rivacy Switzerland GmbH
epartners Rechtsanwälte AG
Hardturmstrasse 11
8005 Zurich
info[at]rivacy.ch
Participation in the Data Privacy Framework
Ashby complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Ashby has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Ashby has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Ashby commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Ashby using the contact information provided in the Contacting Us section below.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Ashby commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to the International Centre for Dispute Resolution, operated by the American Arbitration Association, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of the International Centre for Dispute Resolution are provided at no cost to you.
The Federal Trade Commission has jurisdiction over Ashby’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
EU, UK and Swiss individuals may invoke binding arbitration under the Data Privacy Framework Principles if a complaint has not been resolved by Ashby or by other recourse and enforcement mechanisms.
As required under the Data Privacy Framework, Ashby has responsibility for the processing of personal information it receives under the Data Privacy Framework and subsequently transfers to a third party acting as an agent on its behalf. Ashby remains liable under the Data Privacy Framework Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless Ashby proves that it is not responsible for the event giving rise to the damage.
California Consumer Privacy Act Requests
To request a copy of your personal data under the California Consumer Privacy Act, please email a request with the subject “CCPA data request” and your full name, address, and last employer to ccpa[at]ashbyhq.com. We will work with all parties who make requests to verify their identity and to enable them to exercise their applicable rights under the CCPA. We will not discriminate against individuals who legally exercise their own rights under the CCPA.
Google API Services User Data Policy
Ashby’s use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
Contacting Us
If there are any questions regarding this privacy policy you may contact us via email: privacy[at]ashbyhq.com
Or via our mailing address:
Ashby, Inc.,
548 Market St PMP 397006
San Francisco, CA 94104-5401
