Privacy Policy

Last updated: 10/27/2025

Effective Date: 01.10.2025
Staffer.ai AS, company registration number 935665825, with business address at Tjuvholmen Allé 1, 0250 Oslo, Norway ("Staffer.ai", "we", "our", or "us") respects your privacy.
This Privacy Policy describes how we collect, use, disclose, and protect personal data, and how we comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable privacy laws. It also explains your rights and how to exercise them.

1. Who This Privacy Policy Applies To

1.1 Candidates

Individuals who:

  • Apply for jobs via Staffer.ai
  • Are sourced by our AI tools and appear in candidate search results
  • Provide data through OAuth (e.g., Google, LinkedIn)
  • Upload or submit personal data, including resumes, job preferences, or professional profiles

We act as:

  • An independent controller for certain data uses such as analytics and candidate enrichment
  • A joint controller when working with business customers in the talent-matching process

In some cases, our business customers may be independent data controllers when processing your personal data through our services. In those cases, please refer to their privacy policies.

1.2 Business Customers, Partners, and Suppliers

This includes individuals who:

  • Represent companies using Staffer.ai’s services
  • Act as HR professionals, recruiters, or hiring managers
  • Contact us for business, support, demos, or partnerships

We act as a data controller for personal data relating to business contact persons and their use of our platform.

1.3 Website Visitors and Contact

Individuals who:

  • Visit www.staffer.ai or related domains
  • Contact us via email, phone, social media, or scheduling integrations

2. Contact Details of the Data Controller

Staffer.Ai AS
Org. No: 935665825
Tjuvholmen Allé 1, 0250 Oslo, Norway
Email: privacy@staffer.ai
Phone: +47 981 59 119

3. How We Collect Personal Data

We collect personal data from:

  • Direct input from you when you register, apply for jobs, or contact us
  • Public sources (e.g., LinkedIn, company websites)
  • OAuth integrations (Google, Outlook, LinkedIn)
  • Business customers importing candidate data
  • Cookies and usage tracking tools
  • Third-party APIs and recruitment tools

4. Purposes and Legal Bases for Processing

We process your personal data for the following purposes:

  • Candidate matching and AI screening — Legitimate interest or consent
  • Providing our services and platform functionality — Performance of contract
  • User account creation and management — Contract or legitimate interest
  • Analytics and product improvement — Legitimate interest
  • Sending marketing communications (with opt-out) — Legitimate interest or consent
  • Payment and subscription processing — Performance of contract
  • Responding to inquiries or support requests — Legitimate interest
  • Defending legal claims or complying with laws — Legitimate interest or legal obligation

5. Categories of Personal Data We Process

Depending on your role (candidate, customer, visitor), we may process:

  • Full name
  • Email address
  • Phone number
  • LinkedIn profile
  • CVs and resumes
  • Employment history
  • Location data (inferred or provided)
  • Calendar data (if integrated)
  • OAuth profile information
  • Cookies and usage data
  • Payment and billing data (if applicable)
  • Communication history

6. Retention Periods

We retain your personal data:

  • As long as necessary for the purposes outlined above
  • In line with statutory obligations (e.g., accounting laws)
  • For candidates: typically 3–12 months unless agreed otherwise
  • For analytics: up to 12 months in anonymized or pseudonymized form
  • For legal defense: as long as required to establish or defend claims

OAuth tokens are stored securely and refreshed automatically. If access is revoked or your account is deleted, tokens and related data are permanently deleted within 30 days. We delete or anonymize data when no longer needed.

7. Your Rights

You have the following rights under GDPR:

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure (right to be forgotten)
  • Right to restriction of processing
  • Right to object to processing (especially for marketing)
  • Right to data portability
  • Right to withdraw consent (where applicable)
  • Right to lodge a complaint with your local data protection authority

You can also withdraw consent to email integrations at any time by disconnecting your mailbox. This will stop further processing of your mailbox data immediately. To exercise any of these rights, contact us at privacy@staffer.ai.

8. International Transfers

Some of our service providers are based outside the EEA, including in the United States.

When transferring personal data to third countries:

  • We rely on adequacy decisions, standard contractual clauses, or Data Privacy Framework (DPF) compliance
  • We implement appropriate safeguards to ensure your data remains protected

You may request a copy of the safeguards by contacting us.

9. Data Security

We implement technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit and at rest
  • Access controls
  • Secure APIs
  • Monitoring and logging
  • Internal policies and staff training

In case of a data breach likely to result in risk to your rights, we will notify you and relevant authorities as required by law.

10. Third-Party Services

Staffer.ai integrates with third-party services for functionality, analytics, and communication.
Examples include:

  • Google (OAuth, Calendar, Gmail API for email sending and reply detection)
  • Microsoft (OAuth, Calendar, Graph API for Outlook email sending and syncing)
  • LinkedIn (OAuth and profile enrichment)
  • Stripe (Payment processing)
  • PostHog (Product analytics)
  • Cal.com (Scheduling)
  • Customer.io (Transactional and marketing emails)
  • Attio (CRM and customer management)

These providers may process your data as independent controllers.

Their privacy policies apply when using those integrations.

Email Integrations (Gmail & Microsoft Outlook)

If you choose to connect your email account (e.g., Gmail or Outlook), Staffer.ai will request limited access through OAuth to send emails and detect replies as part of our outreach automation features.


We request the following scopes:

  • gmail.send or Mail.Send — to send messages from your mailbox
  • gmail.readonly or Mail.ReadBasic — to detect replies and update conversation status

We do not store or read your full mailbox content.
Only metadata (such as message ID, sender, recipient, and timestamps) and messages related to candidate communication are stored for outreach tracking.

You can disconnect Staffer’s access at any time in Settings → Integrations.
Upon disconnection, all associated tokens are deleted immediately, and synced message data is purged within 30 days.

Staffer.ai’s access complies with the Google API Services User Data Policy and Microsoft Graph API Terms of Use.

11. Cookies and Similar Technologies

We use cookies and similar technologies to:

  • Enable site functionality
  • Analyze usage and improve performance
  • Personalize user experience
  • Remember user preferences

You can manage cookie preferences via our banner or browser settings. See our Cookie Policy for full details.

12. Children’s Data

Our services are not directed to individuals under 16. We do not knowingly collect personal data from children. If you believe we have collected such data, please contact us for deletion.

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically. If we make material changes, we will notify users via our website, email, or other means, and seek new consent where required. You can always find the latest version at: https://www.staffer.ai/privacy-policy

14. Contact Us

For questions about this Privacy Policy or your personal data rights:
Staffer.Ai AS
Tjuvholmen Allé 1, 0250 Oslo, Norway
Email: privacy@staffer.ai
Phone: +47 981 59 119