About us · Privacy
Privacy Policy
This policy describes in full how Velma AI, Inc. collects, uses, processes, shares, retains, and protects personal information when people visit our website, use our hiring tools, or participate in a voice interview through our platform. It also explains the rights available to individuals and the obligations we maintain toward our business clients.
Last updated: June 7, 2026
Privacy contact: privacy@velma-ai.com
Candidate consent notice: before a voice interview begins, candidates are shown a clear consent prompt explaining that the interview will be recorded, transcribed, scored by AI, and the results shared with the hiring company. Participation is voluntary. Candidates located in the EU, EEA, or UK will also be shown an explicit opt-in consent screen disclosing cross-border data transfer details prior to beginning any interview session.
Section 01
Scope and Applicability
This Privacy Policy applies to all individuals who interact with Velma AI, Inc. in any capacity, including visitors to our public website, hiring company administrators and recruiters, candidates who receive an interview invitation, and anyone who contacts us for any purpose.
It covers personal information we collect directly, information submitted to us by hiring companies on behalf of candidates, and information collected automatically through the platform, our website, and integrated third-party tools.
Where our services are provided to a business client, that client may have its own privacy notice governing how it uses data obtained through Velma. We encourage candidates to also review the privacy policy of the organization that invited them.
Section 02
Definitions
Personal Data / Personal Information:
any information relating to an identified or identifiable natural person, including name, email address, voice recording, IP address, and similar identifiers.
Data Controller:
the party that determines the purposes and means of processing personal data. In the context of hiring, the hiring company is the data controller with respect to the candidates it invites.
Data Processor:
the party that processes personal data on behalf of and under the instructions of a data controller. Velma acts as data processor when processing candidate data on behalf of a hiring company.
Sub-Processor:
a third party engaged by Velma to assist in processing personal data as part of service delivery.
GDPR:
the General Data Protection Regulation (EU) 2016/679 as amended, and the UK GDPR where applicable.
EEA:
the European Economic Area, comprising EU member states, Iceland, Liechtenstein, and Norway.
CCPA / CPRA:
the California Consumer Privacy Act and the California Privacy Rights Act.
PIPEDA:
Canada's Personal Information Protection and Electronic Documents Act.
Platform:
the Velma interview software, including all web applications, APIs, backend services, and associated tools.
Section 03
Who We Are
Velma AI, Inc. is a Canadian company that provides AI-assisted pre-screening interview software to businesses. Our platform enables hiring companies to send automated voice interview invitations to candidates, conduct and record those interviews, and receive AI-generated summaries, scores, and performance insights.
For purposes of Canadian privacy law (PIPEDA), Velma is the organization accountable for personal information under its control. For purposes of the GDPR where it applies, Velma acts as a data processor on behalf of the hiring company (the data controller) with respect to candidate personal data, and as a data controller with respect to account and platform user information we collect on our own behalf.
Privacy inquiries: privacy@velma-ai.com. General support: support@velma-ai.ca.
Section 04
Information We Collect
Depending on how you interact with our platform and website, we may collect the following categories of personal information:
account and contact details such as name, email address, job title, and organizational affiliation
role and hiring context such as job description, position requirements, custom success indicators, and interview structure defined by a hiring company
candidate profile data including first name, last name, email address, and interview invitation details
voice and audio recordings of interview sessions, including full recordings of candidate responses
biometric identifiers and voice features derived from audio processing, including speech cadence, patterns, and characteristics used for scoring and analysis
interview transcripts, written summaries, and any notes generated during or after an interview session
AI-generated interview outputs including scores, rankings, suggestions, identified strengths, and areas for improvement
technical identifiers including IP address, browser type, operating system, device type, device identifiers, and session logs
behavioral data including page interaction events, click patterns, scroll depth, time on page, navigation paths, feature usage, and session duration within the platform
website visitor and intent data including IP-based inferred company or organizational identity and browsing signals on our public website
cookie identifiers, pixel tags, JWT tokens, local storage data, and similar tracking technology identifiers
analytics and usage data derived from how the platform is used, including workflow steps, feature adoption, error events, and performance metrics
marketing and communication preferences including records of consent, opt-in, and opt-out choices
consent records and timestamps documenting when and how consent was collected
support and correspondence data submitted to us via email, form, or any other communication channel
billing and payment information where applicable to an account subscription or service tier
aggregated and de-identified data derived from any of the above categories that no longer identifies an individual
We do not require candidates to create an account or share a resume in order to complete an interview. However, certain information — including name, email address, and voice recording — is inherently collected during a voice interview session and cannot be withheld while still participating.
Section 05
How We Collect Information
Directly from you
when you create or manage an account, log in, complete an interview, fill out a form, contact support, or otherwise voluntarily provide information to us.
From hiring companies
when a business client creates a candidate profile, sends an interview invitation, defines a job role, or submits any data in connection with their use of the platform.
Automatically through the platform
when you use the service, we collect technical and behavioral data through server logs, session tracking, cookies, JWTs, and similar technologies — including IP address, device information, feature usage, and navigation patterns.
From third-party tools embedded in our website
we use tools on our public website that may collect or infer information about visitors, including their IP address, likely company affiliation, browsing behavior, and email address where known. See Section 13 for full details.
From other service providers and data partners
third parties that help us operate the platform, provide analytics, run marketing activities, or deliver the services we offer.
Through interview audio and voice processing
when a candidate completes a voice interview, we capture audio in real time. That audio is processed by third-party AI speech models to produce transcripts, scores, and outputs. Voice data is biometric in nature and is treated accordingly.
Section 06
Legal Bases for Processing (GDPR Article 6)
Although our primary market is North America, personal data of individuals located in the EU, EEA, or UK may be processed through our platform — for example, when a North American hiring company invites a candidate who is located in the EU. In those circumstances the GDPR applies, and we process that data on the following legal bases:
Contractual necessity (Article 6(1)(b))
processing necessary to provide the interview services requested by the hiring company or to respond to a candidate's participation in an interview session.
Legitimate interests (Article 6(1)(f))
processing necessary for our legitimate interests or those of our business clients, including platform security, fraud prevention, product improvement, and analytics, where those interests are not overridden by individual rights.
Compliance with a legal obligation (Article 6(1)(c))
processing required by applicable law, regulation, court order, or governmental authority.
Consent (Article 6(1)(a))
where we rely on consent — such as for marketing communications or for processing certain sensitive data — we collect explicit, informed consent and maintain records of it. Consent may be withdrawn at any time.
Where the GDPR applies, the hiring company that invited the candidate bears primary responsibility as the data controller for establishing its own lawful basis. Velma, as data processor, processes that data only under the hiring company's documented instructions and pursuant to a Data Processing Agreement. See Section 23 for further detail.
Section 07
Special Category Data and Biometric Information
Voice data used for AI-based speech analysis may constitute biometric data or special category data under certain privacy laws, including the GDPR (Article 9) and applicable US state laws. Velma treats voice recordings and derived voice features with heightened care:
Access to voice recordings and derived features is restricted to authorized personnel and sub-processors with a documented need.
Voice data is not used for any purpose other than the interview workflow and AI analysis performed on behalf of the hiring company, unless separately and explicitly consented to.
Voice data and biometric identifiers are not sold to any third party for commercial purposes unrelated to the interview service.
Voice recordings are retained only for as long as necessary to fulfill the interview workflow and as directed by the hiring company or required by law.
All stored recordings and transcripts are encrypted in transit and at rest.
Candidates subject to US state laws that regulate biometric information — including BIPA (Illinois), CUBI (Texas), and the Washington My Health MY Data Act — may have additional rights. To exercise those rights, contact privacy@velma-ai.com.
Section 08
How We Use Your Information
We use personal information collected through the platform and website to:
conduct, facilitate, record, and deliver voice-to-voice AI-assisted pre-screening interviews on behalf of hiring companies
generate role-specific interview questions tailored to a job description and the live conversation during an interview
produce transcripts, scores, rankings, suggestions, and other candidate performance insights for hiring teams
share interview results, recordings, transcripts, and AI-generated outputs with the hiring company that requested the interview
authenticate users and maintain secure sessions using JWTs, cookies, and related technologies
detect, investigate, prevent, and respond to fraud, abuse, unauthorized access, and security threats
monitor, debug, and maintain the reliability and performance of the platform and its underlying infrastructure
conduct internal analytics and product research to understand how features are used and to guide product improvements
analyze aggregate usage trends and hiring patterns across the platform for research and business intelligence purposes
personalize the platform experience based on user role, usage history, and preferences
send service-related communications including account updates, security notices, and policy change notifications
send marketing and promotional communications where we have a lawful basis to do so and subject to your stated preferences
identify companies and organizations visiting our public website using IP-based identification tools
associate website activity with known or inferred email addresses for the purpose of targeted marketing communications and advertising retargeting
respond to support requests, inquiries, disputes, and legal correspondence
comply with applicable laws, regulations, and court orders
fulfill our obligations under data processing agreements executed with business clients
establish, exercise, or defend legal claims and rights
complete or facilitate a corporate transaction such as a merger, acquisition, or sale of assets
We do not use candidate personal information to train AI or machine learning models for any purpose other than processing the specific interview session in which that data was collected, unless we obtain explicit consent from the individual to do so.
Section 09
Data Controller and Data Processor Roles
Velma as Data Controller
with respect to information collected from platform account holders, administrators, and users who interact with us directly — including contact information, account credentials, billing details, and support correspondence — Velma is the data controller and determines the purposes and means of processing.
Velma as Data Processor
with respect to candidate personal data submitted by or on behalf of a hiring company — including candidate names, email addresses, voice recordings, interview results, and AI-generated outputs — Velma acts as a data processor operating under the instructions of the hiring company (the data controller).
Hiring companies are responsible for their own compliance obligations with respect to the candidates they invite, including ensuring they have a lawful basis to collect and process candidate data, providing candidates with any required notice, and complying with applicable employment or data protection law in their jurisdiction.
Section 10
AI-Assisted Interviews, Automated Processing, and Profiling
Velma uses AI-assisted workflows throughout the interview process, including to generate role-specific questions, guide the conversation in real time, produce transcripts, and generate scores, rankings, strengths, and areas for improvement from interview audio and content. These outputs constitute automated processing and, in some cases, profiling within the meaning of the GDPR and other privacy laws.
Outputs are advisory, not determinative
AI-generated scores, rankings, and assessments are intended to assist the hiring company in its evaluation process. Velma does not make or purport to make final hiring decisions. The hiring company is solely responsible for all employment decisions.
Human review
hiring companies are encouraged to ensure a qualified human reviewer evaluates AI-generated outputs before making any consequential employment decision. In compliance with GDPR Article 22, where EU/EEA/UK candidate data is processed, our platform is designed to support rather than replace human decision-making.
Transparency
candidates are informed prior to starting an interview that AI will be used to analyze their responses and produce a report for the hiring company.
Profiling opt-out
where applicable law provides a right to object to profiling, candidates may contact us at privacy@velma-ai.com. Because the interview itself constitutes the service, opting out of all AI analysis may mean the candidate cannot participate in the interview in its current form. Candidates should also direct such concerns to the hiring company that invited them.
Section 11
How We Share Your Information
With the hiring company
interview recordings, transcripts, scores, and AI-generated outputs are shared with the business client that requested the interview. The hiring company determines how it stores and uses those results in its own systems.
With sub-processors and service providers
we engage third-party vendors to help operate the platform, including for cloud hosting, AI processing, audio handling, analytics, and marketing. Those vendors process personal data only as directed by us and pursuant to contractual data protection obligations. A current list is provided in Section 12.
For legal compliance and safety
we may disclose personal information to law enforcement, regulatory authorities, or courts where required by applicable law, valid legal process, or where we believe in good faith that disclosure is necessary to prevent harm or protect our rights or those of others.
In a corporate transaction
if Velma is involved in a merger, acquisition, financing, restructuring, or sale of all or part of its assets, personal information may be transferred as part of that transaction, subject to appropriate confidentiality protections.
With your consent
we will share personal information with third parties not described above only with your explicit consent.
We do not sell personal information in exchange for monetary consideration. We do not share personal information with advertising networks for the purpose of serving behaviorally targeted advertising to individuals through third-party websites, except as described in Section 13 with respect to our own marketing activities.
Section 12
Sub-Processors and Third-Party Service Providers
The following third-party service providers currently process personal data in connection with the delivery of our services. All sub-processors are subject to data processing agreements requiring them to maintain appropriate security and use personal data only for the stated purpose:
Amazon Web Services
cloud infrastructure, compute, storage, content delivery, authentication, and AI speech processing for interview audio.
RB2B
website visitor identification and intent data; identifies companies visiting our website by IP address for outreach purposes.
Retention.com
email retargeting; associates website visits with known email addresses to enable follow-up marketing communications.
This list will be updated as the platform evolves. Several of our sub-processors operate infrastructure in the United States. Where personal data of individuals located in the EU, EEA, or UK is transferred to these providers, we implement the safeguards described in Section 20.
Section 13
Website Tracking, Behavioral Analytics, Intent Identification, and Email Retargeting
When you visit our public website, we and our third-party data partners use cookies, pixels, and similar technologies to collect information about your visit. This includes information used for analytics, market research, behavioral analysis, and targeted marketing communications.
IP-based company and visitor identification (RB2B)
we use RB2B, a website visitor identification tool, to identify the company or organization associated with an IP address that visits our website. This tool may infer your name, company affiliation, job title, and email address based on publicly available data. We use this data to understand which companies are interested in our platform and to conduct outreach. You may opt out of the collection of your personal data by RB2B in compliance with GDPR by visiting rb2b.com/rb2b-gdpr-opt-out.
Email retargeting (Retention.com)
when you visit or log in to our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email address. We (or service providers on our behalf) may then send communications and marketing to these email addresses. You may opt out of receiving this advertising by visiting app.retention.com/optout. You also have the option to opt out of the collection of your personal data in compliance with GDPR by visiting rb2b.com/rb2b-gdpr-opt-out.
Behavioral analytics and usage tracking
we collect data about how visitors navigate our website, including pages viewed, time on page, scroll depth, link clicks, and referral sources. This data is used to understand which content and pages are most valuable, improve website performance, and optimize our marketing efforts.
Intent tracking and market research
we may use data collected from website visits — including inferred industry, company size, and browsing behavior — to segment audiences, conduct market research, and tailor outreach. This activity may involve combining data from multiple sources including our own records and third-party data providers.
Platform usage analytics
within the platform itself, we collect behavioral and usage data from account holders and platform users, including feature interaction patterns, workflow completion rates, error events, and session metrics. This data guides product development and platform improvements.
Section 14
Cookies, JWTs, Pixels, and Similar Technologies
Strictly necessary cookies and tokens
used to keep users signed in, maintain session state, and secure the service. These are essential to the operation of the platform and cannot be disabled without preventing the service from functioning.
Analytics cookies and scripts
used to collect information about how the website and platform are used, which pages are visited, and how users navigate the product.
Marketing and retargeting pixels
used by our data partners (including Retention.com and RB2B) to associate website visits with known email addresses or company identities for the purpose of sending targeted communications. These may link your website activity to your identity if your email address is known to our data partners.
Preference cookies
used to remember your settings and preferences, such as your preferred language or display settings.
You can control cookies through your browser settings. Blocking cookies may affect platform functionality. To opt out of marketing and retargeting activities specifically, use the opt-out links provided in Section 13.
Section 15
Data Retention and Deletion
Interview data (recordings, transcripts, scores)
retained until the hiring company deletes the candidate record, the candidate submits a verified deletion request, or until a retention period agreed in a DPA expires. Hiring companies may configure automated purging windows within the platform.
Account data
retained for the duration of the account and for a reasonable period after termination to allow for dispute resolution, re-engagement, and legal compliance.
Website visitor and analytics data
retained in accordance with the data retention policies of the applicable third-party analytics and tracking tool.
Support correspondence
retained for a reasonable period sufficient to resolve the inquiry and comply with any applicable record-keeping requirements.
Legal hold
we may retain personal information beyond standard retention periods if it is subject to a legal hold, pending litigation, regulatory inquiry, or audit.
We may retain de-identified or aggregated data that no longer identifies any individual for an indefinite period for research, analytics, and product improvement. Deleting data from our systems does not automatically remove copies that a hiring company has exported or stored in its own systems.
Data deletion requests: any individual whose personal data has been processed through our platform may request deletion of that data at any time by emailing privacy@velma-ai.com with "Data Deletion Request" in the subject line. We will respond to verified requests within 30 days, or 45 days with notice where additional time is required.
Section 16
Security
We implement technical, organizational, and administrative safeguards designed to protect personal information from unauthorized access, disclosure, alteration, and destruction:
Encryption of data in transit using TLS and at rest using industry-standard encryption algorithms.
Access controls and authentication requirements that limit access to personal data to authorized personnel.
Regular security reviews and monitoring of platform infrastructure.
Contractual data security obligations applied to all sub-processors and service providers.
Role-based access controls within the platform that limit what data each account role can view or export.
No system is completely secure. While we work to protect personal information, we cannot guarantee that unauthorized access, disclosure, or alteration will never occur.
Section 17
Data Breach Notification
In the event of a data breach involving personal information, we will comply with applicable notification requirements, including:
Under PIPEDA (Canada): notifying the Office of the Privacy Commissioner of Canada and affected individuals where the breach poses a real risk of significant harm.
Under the GDPR (where applicable): notifying the relevant supervisory authority within 72 hours of becoming aware of a qualifying breach, and notifying affected individuals without undue delay where there is a high risk to individual rights and freedoms.
Notifying hiring company clients pursuant to our contractual obligations under applicable DPAs.
Complying with applicable US state breach notification laws where data of individuals in those states has been affected.
Section 18
Your Privacy Rights and Choices
Subject to applicable law and the limitations described in this policy, you may have the right to:
request access to the personal information we hold about you
ask us to correct inaccurate or incomplete information
request deletion of personal information we control, subject to legal and contractual limits
withdraw consent where processing is based on consent
object to or restrict certain processing where applicable law gives you that right
opt out of marketing communications at any time
receive your data in a portable format where technically feasible
lodge a complaint with a relevant supervisory or regulatory authority
To exercise any of these rights, contact us at privacy@velma-ai.com with "Privacy Request" in the subject line. Include your name, email address, the nature of your request, and sufficient information for us to verify your identity.
Where your personal data is controlled by a hiring company, you should also direct privacy requests to that company, as they control certain aspects of how your data is stored and used after the interview is completed.
Section 19
GDPR Rights — EU, EEA, and UK Residents
If you are located in the European Union, the European Economic Area, or the United Kingdom and your personal data is processed in connection with our platform, you have the following rights under the GDPR and UK GDPR:
Right of Access (Article 15)
You may request a copy of the personal data we hold about you and information about how it is used.
Right to Rectification (Article 16)
You may ask us to correct inaccurate or incomplete personal data we hold about you.
Right to Erasure / Right to be Forgotten (Article 17)
You may request deletion of your personal data where we have no continuing lawful basis to retain it. This right is subject to legal and contractual limits.
Right to Restriction of Processing (Article 18)
You may ask us to restrict how we use your data in certain circumstances, such as while a dispute about accuracy is resolved.
Right to Data Portability (Article 20)
Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, machine-readable format.
Right to Object (Article 21)
You may object to processing based on legitimate interests or for direct marketing. Where you object to direct marketing, we will cease that processing immediately.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects. Velma's AI outputs are designed to assist, not replace, human hiring decisions.
Right to Withdraw Consent (Article 7(3))
Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
Right to Lodge a Complaint (Article 77)
You have the right to lodge a complaint with your national or regional supervisory authority if you believe we have processed your personal data unlawfully.
To exercise any of these rights, email privacy@velma-ai.com with "GDPR Request" in the subject line. We will respond within one calendar month.
Supervisory authority: you have the right to lodge a complaint with the supervisory authority in your country of residence or place of work. EU supervisory authority contacts are available at edpb.europa.eu. The UK authority is the Information Commissioner's Office at ico.org.uk.
EU candidates invited by North American hiring companies: when a North American business client invites a candidate located in the EU, EEA, or UK, that individual's personal data is processed on behalf of the hiring company (the data controller). The hiring company is responsible for ensuring it has a lawful basis and for providing required GDPR notice. Velma, as data processor, implements appropriate cross-border transfer safeguards (see Section 20) and provides the candidate-facing consent mechanism described at the top of this page. EU candidates may exercise the rights listed above directly with us and also with the hiring company that invited them.
Section 20
International Data Transfers
Velma is based in Canada. Our cloud infrastructure and sub-processors may operate in Canada, the United States, and other countries. When personal data of individuals located in the EU, EEA, or UK is transferred outside those regions, we implement the following safeguards:
Standard Contractual Clauses (SCCs)
where required, we incorporate the European Commission's Standard Contractual Clauses into agreements with sub-processors who receive EU personal data in countries not recognized as providing an adequate level of protection.
Canada's adequacy recognition
Canada has been recognized by the European Commission as providing an adequate level of protection for personal data under PIPEDA. Transfers to Velma's Canadian operations are therefore protected by this adequacy decision.
Transfer Impact Assessments
where SCCs are used, we conduct or rely on transfer impact assessments to evaluate whether the protections offered in the destination country are sufficient.
Sub-processor obligations
we require all sub-processors that receive EU personal data to either operate in an adequate country, be certified under an applicable data transfer framework, or enter into SCCs or equivalent contractual protections.
Section 21
CCPA / CPRA Rights — California Residents
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights regarding your personal information, including the right to:
know what categories of personal information we collect, the sources, the purposes, and the third parties with whom we share it
access the specific pieces of personal information we have collected about you
request deletion of personal information we have collected from you, subject to certain exceptions
correct inaccurate personal information we hold about you
opt out of the sale or sharing of your personal information for cross-context behavioral advertising
limit the use and disclosure of sensitive personal information to what is necessary to perform the requested service
not be discriminated against for exercising any of these rights
Velma does not sell personal information in exchange for monetary consideration. However, certain data sharing with advertising and analytics partners (such as those described in Section 13) may constitute "sharing" for cross-context behavioral advertising under the CPRA. To opt out of such sharing, use the opt-out links in Section 13 or contact us at privacy@velma-ai.com.
We will not discriminate against you for exercising any of your CCPA/CPRA rights. To submit a verifiable consumer request, email privacy@velma-ai.com with "CCPA Request" in the subject line. We respond to verified requests within 45 days, with the option to extend by an additional 45 days with notice.
Section 22
PIPEDA Rights — Canadian Residents
As a Canadian company, Velma is subject to PIPEDA and applicable provincial privacy legislation. Under PIPEDA, Canadian residents have the right to:
access the personal information we hold about them and challenge its accuracy
withdraw consent to collection, use, or disclosure at any time, subject to legal and contractual limitations
complain to the Office of the Privacy Commissioner of Canada (OPC) if they believe their rights have been violated
receive a meaningful response to privacy inquiries within a reasonable timeframe
Privacy complaints from Canadian residents should be directed to privacy@velma-ai.com. Unresolved complaints may be escalated to the Office of the Privacy Commissioner of Canada at priv.gc.ca.
Section 23
Data Processing Agreements for Business Clients
Velma makes a Data Processing Agreement (DPA) available to business clients (hiring companies) that use our platform to process personal data. The DPA governs the relationship between Velma (as data processor) and the hiring company (as data controller). Key terms include:
Velma will process personal data only on documented instructions from the hiring company and for the purposes set out in the service agreement.
Velma will implement appropriate technical and organizational security measures.
Velma will assist the hiring company in responding to data subject requests, including access, deletion, and portability requests.
Velma will notify the hiring company of any personal data breach affecting their candidates within the timeframes specified in the DPA.
Velma will delete or return personal data at the end of the service relationship, as instructed.
Where required for EU/EEA/UK data transfers, the DPA incorporates Standard Contractual Clauses as the legal mechanism for cross-border transfer.
Business clients requiring a DPA should contact support@velma-ai.ca.
Section 24
Our Market Scope — GDPR Non-Solicitation Statement
Velma's commercial services are directed exclusively at businesses and organizations based in North America. We do not actively market, solicit, sell to, or target companies or organizations located in countries subject to the GDPR, including member states of the European Union, the European Economic Area, or the United Kingdom. Any business entity located in a GDPR-regulated jurisdiction that accesses or uses our services does so of its own initiative, and Velma makes no representation that its platform is specifically designed or certified for use by data controllers directly subject to GDPR compliance obligations.
Notwithstanding the above, because our North American business clients may at times invite candidates who are located in the EU, EEA, or UK, the personal data of those candidates may be processed through our systems. In those situations:
Velma processes that data as a data processor under the GDPR, acting on behalf of the hiring company (the data controller).
The hiring company is responsible for establishing a lawful basis for inviting and processing the data of EU-located candidates.
Velma will provide an EU-candidate consent screen prior to interview commencement that discloses the nature of processing, the AI analysis to be performed, and the cross-border nature of the data transfer.
Appropriate transfer safeguards (including SCCs where required) apply as described in Section 20.
EU, EEA, and UK candidates retain all rights described in Section 19, exercisable directly against Velma or against the hiring company.
Section 25
Children's Privacy
Our platform is intended for use by adults in a professional employment context. We do not knowingly collect personal information from children under the age of 16. If we become aware that we have inadvertently collected personal information from a child under 16, we will take prompt steps to delete that information and take any other steps required by applicable law. If you believe we have collected personal information from a minor, please notify us immediately at privacy@velma-ai.com.
Section 26
Third-Party Links and External Services
Our website and platform may contain links to third-party websites, services, or applications that are not operated by Velma. When you click a third-party link, you leave our platform and are subject to the privacy policy of that third party. We have no control over the content, privacy practices, or data handling of third-party services and are not responsible for them.
This policy does not apply to any third-party website, tool, or service, including any hiring company's own website or applicant tracking system. We encourage you to review the privacy policies of any third parties whose services you access in connection with the hiring process.
Section 27
Changes to This Policy
We may update this policy from time to time to reflect changes in our practices, services, legal requirements, or technology. When we update the policy, we will revise the "Last updated" date at the top of this page and make the new version available here.
For material changes — particularly those that affect how candidate data is processed, shared, or retained — we will provide additional notice to platform account holders via email or a prominent in-platform notice. Where required by applicable law, we will seek your consent before implementing material changes.
Section 28
Contact, Data Deletion Requests, and Supervisory Authority Complaints
Privacy and data rights requests
to exercise any privacy right, request deletion of your data, submit a GDPR or CCPA request, or ask any question about this policy or our data practices, email privacy@velma-ai.com with "Privacy Request" or "Data Deletion Request" in the subject line. We will acknowledge your request promptly and respond within the timeframe required by your applicable law (generally 30 days under GDPR and PIPEDA, 45 days under CCPA).
General support
for non-privacy platform support, contact support@velma-ai.ca.
Supervisory authority complaints
if you are not satisfied with our response to a privacy inquiry, you have the right to escalate your complaint to the relevant supervisory authority in your jurisdiction: the Office of the Privacy Commissioner of Canada (priv.gc.ca) for Canadian residents; your national data protection authority for EU/EEA residents; the Information Commissioner's Office (ico.org.uk) for UK residents; or the California Privacy Protection Agency (cppa.ca.gov) for California residents.
You can also return to the landing page or review contact details in our footer.