Privacy Policy
Effective date: [Effective date]
Attia AS ("Attia", "we", "us", or "our") provides a business-to-business software service for applicant tracking, recruiting workflows, and related business operations (the "Services").
This Privacy Policy explains how Attia processes personal data when we provide the Services, operate our websites, communicate with customers and users, and support our product. It is written for business customers and their authorized users, but it may also apply to candidates, applicants, referrals, employees, leads, or other people whose personal data is submitted to the Services by or on behalf of a customer.
Some details in this policy are marked "Needs confirmation" because they could not be fully verified from this workspace. Attia should confirm those details before publication or replace them with the confirmed operational facts.
Controller: Attia AS, organization number [organization number pending], Solheimgata 1a, 0267 Oslo, Norway.
Contact: hello@attia.app
Data protection contact: Njål Wiik
1. Scope and Roles
Attia is established in Norway and provides B2B Services to customers worldwide, including customers and users in the EU/EEA, the United Kingdom, Switzerland, the United States, and other countries.
Attia acts as a controller when we decide why and how personal data is processed for our own business purposes. This includes account administration, customer relationship management, billing administration, product security, service analytics, support, marketing communications, legal compliance, and vendor management.
Attia acts as a processor when we process personal data contained in customer content or customer-controlled workflows on behalf of a business customer. This may include candidate data, recruiting records, workspace content, files, prompts, messages, notes, evaluations, job postings, workflow state, and other information submitted to the Services by or for the customer.
When Attia acts as a processor, the customer is usually the controller of that data. Requests from candidates, employees, applicants, or other customer-controlled data subjects should normally be directed to the relevant customer first. Attia will support customers with data subject requests as required by law and contract.
Needs confirmation: Attia should maintain a separate Data Processing Agreement ("DPA") for customer-controlled personal data, including subprocessors, international transfers, security measures, deletion and return, audit rights, and assistance with data subject requests.
2. What Personal Data We Process
The categories below describe the personal data Attia may process. The exact data depends on how the Services are configured and used.
| Category | Examples | Source | Role |
|---|---|---|---|
| Account and user data | Name, business email, user ID, role, workspace membership, admin status, invitation status | Customer, user, identity provider | Controller for account administration; processor where customer controls workspace users |
| Authentication and access data | Login events, session identifiers, authentication provider metadata, access tokens where applicable | User, identity provider, service logs | Controller and processor depending on context |
| Customer company data | Company name, workspace name, business contact details, plan, procurement details | Customer, customer admin | Controller |
| Billing and payment data | Billing contact, invoice details, payment status, tax details, limited payment metadata | Customer, payment provider | Controller |
| Customer content and workspace data | Job postings, recruiting records, candidate profiles, resumes, applications, notes, communications, attachments, workflow state, comments, files, user-generated text | Customer, users, integrations, candidates where customer enables candidate-facing workflows | Processor |
| Support and communications | Support emails, messages, feedback, troubleshooting details, attachments voluntarily sent to us | Customer, user | Controller, or processor if support content includes customer-controlled data |
| Product usage and diagnostics | Feature usage, events, performance data, settings, error reports, operational metadata | Services, device, browser | Controller for service improvement and security; processor where tied to customer content |
| Logs and security data | IP address, request metadata, browser/device information, timestamps, request IDs, security events, audit records | Services, hosting provider, browser/device | Controller and processor depending on context |
| AI inputs and outputs | Prompts, selected text, editor content, document context, title, summary, description, model metadata, generated outputs | Customer or user using AI features | Usually processor for customer-controlled content; controller for security and operational logs |
| Integrations data | Data exchanged with third-party services enabled by the customer, such as job boards, email, calendar, HRIS, identity, assessment, background-check, or AI tools | Customer, user, integration provider | Usually processor |
| Marketing data | Business contact details, preferences, campaign engagement, unsubscribe records | User, customer, public business sources, marketing tools | Controller |
We do not intentionally require users to submit special-category personal data to use the Services. However, because the Services may allow customers and users to upload, generate, or process free-form content and files, the Services can technically process sensitive or regulated information if a customer submits it.
3. Sensitive and Regulated Data
Customers and users are responsible for ensuring they have the necessary rights, notices, consents, and lawful bases for the data they submit to the Services.
Unless expressly agreed in writing, the Services are not intended for processing special-category personal data under GDPR Article 9 or equivalent sensitive data, including health data, biometric data, children's data, precise location data, government ID data, background-check data, immigration data, criminal-offense data, or other regulated information.
Recruiting workflows may involve employment-related information, resumes, interview notes, application materials, compensation expectations, eligibility information, and other candidate data. Customers are responsible for their recruiting and hiring practices, including notices, retention periods, anti-discrimination compliance, accommodations, human review, and responses to candidate requests.
If a customer needs to process sensitive or regulated data through the Services, the customer should confirm with Attia in writing that the Services, DPA, subprocessors, security measures, and AI configuration are appropriate for that data before submitting it.
4. Purposes and Legal Bases
We process personal data only where we have a lawful basis.
| Purpose | Examples | Legal basis | Role |
|---|---|---|---|
| Provide and administer the Services | Create accounts, manage workspaces, authenticate users, process customer content, provide product features | Contract necessity for customer/user account data; customer instructions where Attia is processor | Controller and processor |
| Support and communicate | Respond to support requests, send service messages, provide onboarding, handle product feedback | Contract necessity; legitimate interests; legal obligation where applicable | Controller |
| Secure and protect the Services | Prevent abuse, investigate incidents, maintain logs, enforce access controls, detect errors | Legitimate interests; legal obligation; customer instructions | Controller and processor |
| Billing and commercial administration | Invoicing, payment status, tax records, procurement, renewals | Contract necessity; legal obligation; legitimate interests | Controller |
| Improve and develop the Services | Debugging, analytics, usage measurement, product research, quality improvements | Legitimate interests where permitted; consent where required for non-essential tracking | Controller |
| Marketing | Send product updates, events, newsletters, and similar business communications | Consent where required; legitimate interests for B2B marketing where permitted | Controller |
| AI functionality | Generate, summarize, edit, classify, or assist with content when a customer or user enables or uses AI features | Customer instructions where Attia is processor; contract necessity or legitimate interests for operational metadata | Usually processor |
| Legal compliance | Respond to lawful requests, maintain required records, enforce agreements, handle disputes | Legal obligation; legitimate interests | Controller |
Where we rely on legitimate interests, we balance those interests against the rights and freedoms of the affected individuals. Where we rely on consent, consent can be withdrawn at any time without affecting processing that occurred before withdrawal.
5. AI Features
Certain optional features may allow customers or users to send content to third-party AI providers, such as OpenAI, Google, or Anthropic. The workspace verifies an optional Editor AI integration using Vercel AI Gateway and Vercel AI SDK route handlers. The default model configured in the code is an OpenAI model, while model IDs can be configured server-side. The user-provided known facts also state that OpenAI, Google, and Anthropic may be used when users activate certain AI features.
AI features are used only when enabled or used by the customer or user, or where the customer has configured the Services to make the feature available. The data sent depends on the feature and may include prompts, selected text, workspace content, editor content, document context, titles, summaries, descriptions, instructions, model metadata, and AI-generated outputs. If files or file references are included in the workspace content or prompt context, those may also be sent.
Attia uses AI providers to provide the requested AI functionality and configures them according to our agreements and available privacy controls. The workspace does not verify that all AI requests have zero data retention, no-training controls, or EU-only processing enabled. Attia should confirm its active AI Gateway, OpenAI, Google, and Anthropic contractual settings before making stronger promises.
Customers should not submit sensitive, special-category, children's, health, biometric, government ID, background-check, immigration, or other regulated data to AI features unless they have confirmed that the feature, provider configuration, DPA, and their own lawful basis are appropriate for that data.
AI-generated outputs may be inaccurate, incomplete, biased, or unsuitable for the customer's intended use. Customers and users should review AI outputs before relying on them, especially in recruiting, hiring, employment, legal, financial, medical, or similarly significant contexts. Attia does not use AI features to make solely automated decisions that produce legal or similarly significant effects about individuals. Customers must not use AI outputs as the sole basis for hiring, rejection, promotion, compensation, or other employment decisions where human review or other safeguards are required by law.
Needs confirmation: Whether customers can disable each AI feature globally, by workspace, by role, or by user; whether team-wide or per-request zero data retention is enabled in Vercel AI Gateway; whether OpenAI, Google, or Anthropic process any AI data outside the EU/EEA; and the exact AI-provider retention periods under Attia's contracts.
6. Cookies, Local Storage, Analytics, and Tracking
The current workspace uses essential and functional browser storage for the Exponential UI registry/docs site, including theme preferences, sidebar state, docs sidebar preferences, and preview background settings. These are used to remember interface preferences and are not advertising identifiers.
The workspace also uses Vercel Speed Insights to understand page performance. Vercel's documentation describes Speed Insights as designed to provide performance information without tying it to an individual visitor or IP address.
The workspace does not show Google Analytics, Meta Pixel, TikTok Pixel, Hotjar, PostHog, Segment, Customer.io, advertising cookies, heatmaps, or session replay.
Attia expects to add analytics or tracking later. If Attia adds non-essential analytics, advertising, session replay, or similar tracking, Attia will update this policy and, where required in the EU/EEA, Norway, the UK, Switzerland, or other jurisdictions, provide a consent banner or preference tool before setting non-essential cookies or similar technologies.
You can also control cookies through your browser settings. Browser settings may not replace a legally required consent or preference tool for non-essential tracking.
7. Sharing and Subprocessors
We share personal data only as needed to provide, secure, support, and improve the Services; comply with law; complete business transactions; or follow customer instructions.
We may share personal data with:
- hosting, infrastructure, CDN, logging, security, and monitoring providers;
- AI providers and AI gateway providers when AI features are used;
- authentication, email, support, billing, payment, analytics, and communication providers where configured;
- customer-enabled integrations and third-party services;
- professional advisers, auditors, insurers, and legal authorities where necessary;
- another organization in connection with a merger, acquisition, financing, restructuring, or sale of assets, subject to appropriate safeguards.
Public-facing subprocessor list based on this workspace:
| Vendor | Service | Personal data | Status |
|---|---|---|---|
| Vercel | Hosting/deployment, Speed Insights, AI Gateway when enabled | Request metadata, performance data, logs, AI metadata and AI request routing data depending on feature | Verified in workspace; exact production region and DPA status need confirmation |
| OpenAI | Optional AI model provider | Prompts, context, inputs, outputs, metadata depending on feature | Known fact; exact contract, retention, region, and training controls need confirmation |
| Google | Optional AI model provider | Prompts, context, inputs, outputs, metadata depending on feature | Known fact; exact product path, contract, retention, region, and training controls need confirmation |
| Anthropic | Optional AI model provider | Prompts, context, inputs, outputs, metadata depending on feature | Known fact; exact contract, retention, region, and training controls need confirmation |
| UploadThing | Optional upload scaffold for editor files | Files and file metadata if enabled | Present in code but disabled by default until app auth and storage limits are configured |
| GitHub | Source control and CI for this repository | Contributor/account metadata and build logs; not verified as processing production customer content | Verified for repository operations; customer-data role needs confirmation |
| Untitled UI | Private icon package registry | Developer package-install metadata, not production customer content | Verified for development dependency |
| Auth, email, support, payment, CRM, newsletter, product analytics, error monitoring | Operational services | Depends on vendor | Needs confirmation; not verified in this workspace |
Attia should keep a current public subprocessor list and provide customers with notice of new subprocessors as required by the DPA.
8. International Transfers
Attia is established in Norway. Based on the known facts provided for this review, Attia's production servers are located in the EU/EEA. The workspace itself verifies Vercel deployment configuration, but it does not verify exact production hosting regions, database regions, storage regions, backup regions, log regions, support access locations, or all AI-provider processing locations.
Some vendors, support personnel, optional integrations, AI providers, payment providers, email providers, or analytics providers may process or access limited personal data from outside the EU/EEA. Where this happens, Attia uses appropriate safeguards required by applicable law, such as adequacy decisions, standard contractual clauses, data processing agreements, and technical and organizational measures.
We do not state that all personal data stays in the EU/EEA because that has not been fully verified.
9. Retention
We retain personal data only for as long as needed for the purposes described in this policy, to provide the Services, follow customer instructions, comply with law, resolve disputes, enforce agreements, and maintain security.
Recommended retention schedule. Needs business approval before publication if not already adopted.
| Data | Recommended retention or deletion trigger |
|---|---|
| Active account and workspace administration data | For the life of the account or customer relationship |
| Deleted user account data | Delete or de-identify within 30 to 90 days after deletion, unless needed for security, legal, billing, or customer instructions |
| Customer content and workspace data | Retain during the subscription; after termination, make available for export for a confirmed period, then delete or de-identify within 30 to 90 days, except backups and legal holds |
| Candidate and recruiting data | Controlled by the customer; Attia processes according to customer instructions and the DPA |
| AI prompts and outputs | Retain as part of workspace content if saved by the user or customer; transient AI request data depends on AI provider and gateway settings and needs confirmation |
| Support messages | Retain while needed for support, customer relationship, quality, and legal purposes, typically 2 to 5 years depending on content and obligations |
| Billing, invoice, tax, and accounting records | Retain as required by accounting and tax law; exact period needs confirmation |
| Product usage and analytics data | Retain for the shortest period needed for product improvement and reporting; exact period needs confirmation |
| Application, request, and error logs | Typically 30 to 180 days unless needed for security, debugging, or legal reasons |
| Security and audit logs | Typically 12 to 24 months where needed for security, compliance, and investigation |
| Backups | Retain on a rolling backup cycle, typically 30 to 90 days; exact period and deletion behavior need confirmation |
| Marketing preferences and unsubscribe records | Until the person opts out, plus as long as needed to honor the opt-out |
| Trial or inactive workspaces | Delete or de-identify after a defined inactivity period; exact period needs confirmation |
Deletion from backups may take longer than deletion from active systems, but backup data should be isolated and overwritten according to the backup cycle.
10. Security
We use appropriate technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, and disclosure. These may include access controls, least-privilege permissions, secure configuration, encryption in transit, encryption at rest where supported by the relevant infrastructure provider, logging, monitoring, backups, vendor review, and secrets management.
The workspace verifies production safeguards for optional AI routes that fail closed unless credentials and production authorization controls are configured, including app-owned authorization and rate limiting requirements. The workspace does not verify all operational security measures, such as MFA enforcement, backup regions, vulnerability management cadence, incident response procedures, admin access locations, or formal vendor review records.
No method of transmission or storage is completely secure. If we become aware of a security incident affecting personal data, we will take appropriate steps and notify affected customers, individuals, and authorities where required by law or contract.
11. Your Rights
Depending on where you live and how your personal data is processed, you may have rights to request access, correction, deletion, restriction, portability, objection, withdrawal of consent, or information about how your personal data is processed.
If Attia processes your personal data as a controller, you can contact us at hello@attia.app. We may need to verify your identity before responding.
If your request concerns customer-controlled data, such as candidate data, recruiting records, workspace content, or information submitted by an Attia customer, please contact the relevant customer first. Attia will support the customer as required by law and contract.
If you are in the EU/EEA, you also have the right to lodge a complaint with your local data protection authority. In Norway, the supervisory authority is Datatilsynet. UK and Swiss residents may have similar rights under the UK GDPR and Swiss FADP.
For US residents, Attia does not currently verify that it meets the thresholds for California or other US state comprehensive privacy laws. We do not sell personal data or share it for cross-context behavioral advertising based on the current workspace facts. If this changes or if Attia becomes subject to additional state privacy laws, we will update this policy.
12. Marketing Communications
We may send business communications about Attia, product updates, events, or similar topics where permitted by law. You can opt out of marketing emails by using the unsubscribe link in the email or by contacting hello@attia.app.
We may still send service, security, billing, legal, or administrative messages that are necessary for the Services or our relationship with a customer.
13. Children
The Services are intended for business use and are not directed to children. Users must be legally able to use business services and must use the Services only as authorized by their organization.
Attia does not knowingly collect personal data directly from children. If we learn that child data was provided without proper authorization, we will take appropriate steps to delete or restrict the data, unless we are required or permitted to retain it by law or customer instructions.
14. Automated Decision-Making
Attia does not use personal data to make solely automated decisions that produce legal or similarly significant effects about individuals.
The Services may include automated or AI-assisted features that help customers draft, summarize, classify, parse, or review content. These are decision-support tools. Customers are responsible for deciding whether and how to use these features in recruiting or employment workflows, including any required human review, notices, bias assessments, impact assessments, appeal rights, accessibility measures, and recordkeeping.
15. Changes
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice in a reasonable way, such as by posting the updated policy on our website, notifying customer admins, or sending an email where appropriate.
The updated policy will apply from the effective date stated at the top of the policy.
16. Contact
Questions about this Privacy Policy or Attia's privacy practices can be sent to:
Attia AS
Organization number: [organization number pending]
Solheimgata 1a
0267 Oslo
Norway
Email: hello@attia.app
Data protection contact: Njål Wiik