1. Controller & Data Protection Officer

Data Controller: Qling.ai AB, Kistagårdsväg 20, 164 55 Stockholm, Sweden
EU Representative: Qling.ai AB, Kistagårdsväg 20, 164 55 Stockholm, Sweden
DPO Contact: info@qling.ai

2. Purpose & Lawful Basis

• Automated job search & applications: Performance of contract.
• Interview-status detection via AI email-filtering: Your explicit consent (opt-in).
• Identity/email verification: Legitimate interests (fraud prevention) & Performance of contract.
• Service improvement, analytics & support: Legitimate interests (service quality).
• Marketing communications: Your consent (withdrawable at any time).

3. Categories of Personal Data Collected

• Account & Profile: Name, email, phone, organization, résumé, work history, education, LinkedIn URL.
• Verification Data: One-time codes, timestamps.
• Email Integration Metadata: Sender, recipient, timestamp, subject line (no body or attachments).
• AI Classification Logs: Non-identifying flags (e.g. “InterviewInvite”: true/false) and timestamp.
• Usage & Behavioral: IP address, device info, browser data, clicks, page views, feature-use logs.
• Support Communications: Chat transcripts, support tickets, feedback.
• Cookies & Tracking: Essential, preferences, analytics under anonymized IP.

4. Recipients & Subprocessors

• Google & Microsoft (OAuth & metadata retrieval only).
• AWS / GCP (encrypted storage & compute).
• Mixpanel, Sentry (pseudonymized analytics & error tracking).
• Legal authorities (when required by law).

We publish a current list of subprocessors and their GDPR-compliant Data Processing Agreements on our website.

5. Data Minimization & Retention

We collect only data necessary for each purpose. Retention is based on these criteria:

• Account & Profile Data: Until account deletion + 2 years (for compliance).
• Email Metadata & AI Labels: Up to 24 months or until you revoke consent.
• Verification Records: 6 months post-verification.
• Logs & Analytics: Aggregated data 36 months; raw logs 12 months.

6. International Transfers

Data may be processed in the EU, UK, and US under Standard Contractual Clauses, the EU–US Data Privacy Framework, or adequacy decisions.

7. Technical & Organizational Security

• Encryption in transit (TLS ≥1.2) and at rest (AES-256).
• Role-based access control; quarterly access reviews.
• Monthly vulnerability scans; annual third-party penetration tests.
• Incident response plan with 72-hour breach notification to authorities.

8. Privacy by Design & by Default

We integrate data-protection measures throughout product development: data minimization, pseudonymization, secure defaults, and continuous auditing.

9. Data Protection Impact Assessments (DPIAs)

For high-risk processing (e.g., AI profiling of email metadata), we conduct DPIAs under Article 35 GDPR, documenting risks, mitigations, and outcomes.

10. Record of Processing Activities

We maintain an Article 30 register of all processing operations, available to supervisory authorities upon request.

11. Automated Decision-Making & AI Filtering

With your explicit opt-in, our machine-learning model analyzes only email metadata (sender, recipient, subject line, timestamp) for messages in your connected inbox and classifies each as one of:

• Interview Invitation
• Assessment Request
• Rejection Notice
• Other Inquiry

These labels power your dashboard statuses and notifications only. We do not access email bodies or attachments. You have the right at any time to request a human review of any automated classification and to correct or challenge it by contacting our support team.

12. Use of Data from Google APIs

When you connect your Google account, we access only the minimal metadata needed—sender, recipient, timestamp, and subject line—via Google Workspace and/or Gmail APIs to power our job-tracker email classification feature. We do not use or retain Google-sourced data for any AI/ML model training or evaluation beyond your personal account context, nor do we share it with third parties except our listed subprocessors under GDPR-compliant agreements. All Google API data processing is performed solely to provide and improve the Services as described in Section 11.

13. Data Breach Notification Procedures

• We maintain an incident-response plan with internal escalation and forensics.
• Notify the relevant supervisory authority within 72 hours of awareness.
• Inform affected data subjects without undue delay if there is a high risk to their rights.

14. Cookies & Tracking Technologies

We use cookies, local storage, and similar technologies. For a full cookie declaration—categories, purposes, durations, and opt-out instructions—see our Cookie Policy.

15. Data Subject Rights

• Access & Rectification: View/edit via Dashboard or support.
• Erasure (“Right to be Forgotten”): Request deletion; completed within 90 days.
• Restriction: Temporarily suspend processing.
• Portability: Export data in machine-readable form.
• Withdraw Consent: Revoke at any time for email integration or marketing.
• Object to Processing: Especially for direct marketing and legitimate-interest uses.
• Lodge Complaint: With your supervisory authority (see below).

16. Consent & Record-Keeping

We log all consents (e.g. email integration, marketing) with timestamps and versioning, so we can demonstrate who consented to what and when.

17. Children’s Data Processing

Our services are not for individuals under 16. We verify age via self-declaration at sign-up; parental consent mechanisms apply where required by local law. Any data discovered from minors is deleted immediately.

18. Supervisory Authorities

You may lodge a complaint with your local Data Protection Authority:

• Sweden (IMY): imy.se
• Belgium (APD): dataprotectionauthority.be
• France (CNIL): cnil.fr
• …or any other EU Member-State authority.

19. Changes to This Policy

Material changes: notified via email and in-app ≥30 days before effective date. Non-material updates take effect immediately. See “Effective Date” and “Version” above.

20. Contact Us

Support: info@qling.ai