Privacy Policy | OpenSeat

1. Who we are and how to contact us

The Service is operated by:

Streamline Moderne Technology Inc.
("Streamline", doing business as OpenSeat)

If you have any questions or requests about this Privacy Policy or our handling of personal information, you can contact us at:

Email: [email protected]

2. Information we collect

We collect information in the following categories.

2.1 Information you provide directly

When you use the Service, you may provide:

Account information – name, email address, password or federated login identifier, company name, job title, and workspace settings.
Organization information – hiring team structure, job postings, interview stages, templates, internal notes, and configuration.
Support and communication – messages you send to us by email or through support channels, and any other information you choose to provide.

2.2 Information from single sign-on (e.g. Google Login via Auth0)

If you sign in using Google or another identity provider, we receive from that provider:

Name
Email address
Profile picture (if available)
Other basic profile information the provider shares for authentication

We use this information to create and authenticate your OpenSeat account and personalize your experience.
We do not get access to your email contents, drive files, or other unrelated data.

2.3 Candidate and applicant data ("Customer Data")

Organizations using OpenSeat may upload, sync, or enter information about job candidates and applicants, including via integrations such as Lever ATS. This may include:

Candidate names and contact details
CVs / resumes, portfolios, and links
Interview notes, feedback, ratings, and status
Hiring decisions and offer information
Tags, comments, and other structured or unstructured metadata

We process this information solely on behalf of the organization that controls the workspace ("Customer").
For this data, Streamline acts as a processor (or similar role under relevant laws); the Customer is the controller responsible for ensuring a lawful basis for collecting and using Candidate Data.

2.4 Automatically collected technical data

When you access or use the Service, we automatically collect certain technical information, such as:

IP address and approximate location
Browser type and version, device type, operating system
Referring URLs and pages visited
Timestamps and duration of sessions
Log data about requests, errors, and performance

We use this information to operate, secure, and improve the Service.

2.5 Cookies and similar technologies

We use cookies and similar technologies to:

Keep you signed in
Remember your preferences
Measure usage patterns
Protect the Service against abuse

You can control cookies through your browser settings. Some cookies are essential; disabling them may impair the Service.

3. How we use information

We use the information we collect for purposes including:

Providing the Service – creating and managing accounts, workspaces, and candidate pipelines.
Authentication and security – logging you in, verifying identity, detecting suspicious activity, and protecting accounts.
Integrations – syncing data to/from connected services (e.g., Lever ATS) as configured by Customers.
Improvement and analytics – understanding how the Service is used, diagnosing issues, and developing new features.
Communications – sending you service-related messages (e.g., security notices, feature updates, support responses).
Legal and compliance – enforcing our Terms of Service, complying with legal obligations, and defending legal claims.

Where applicable (e.g., in the EU/UK), our legal bases for processing include performance of a contract, legitimate interests in operating and improving the Service, and compliance with legal obligations.

4. How we share information

We do not sell personal information.

We share information only in the ways described below.

4.1 Service providers and subprocessors

We use third-party providers ("Subprocessors") to host, operate, and support the Service. These providers may process personal information on our behalf and are contractually limited to using it only to provide their services to us.

As of the date above, our key Subprocessors include:

Auth0 – authentication and identity services (OIDC/OAuth, social login).
Processes user identifiers, login events, and basic profile information.
Cloudflare, Inc. – CDN, DNS, and security services (including Cloudflare Tunnel and WAF).
Processes network traffic, IP addresses, and security logs.
Hostinger International Ltd. – cloud hosting and infrastructure (VPS hosting for core application and database).
Stores application data at rest and processes it as part of infrastructure operations.
OpenAI, L.L.C. – AI services used for candidate analysis and related features.
We use the OpenAI API configured so that submitted data is not used to train or improve OpenAI's models, in line with OpenAI's current API data-usage policies.
We minimize personal data sent to OpenAI and primarily send structured, job-related text.
GitHub / GitHub Container Registry (ghcr.io) – container image hosting and CI/CD infrastructure.
Processes build artifacts and deployment metadata; production customer data is not intentionally stored here.
Lever, Inc. – Applicant Tracking System integration.
When enabled by a Customer, candidate data may flow between Lever and OpenSeat according to the Customer's configuration and Lever's own policies.
Email service provider – for sending verification, notification, and support emails.
This may include your email address, message contents, and basic delivery metadata. Details of the current provider can be obtained by contacting us.

We may update this list from time to time. For Customers with data protection agreements in place, we will follow the change-notification procedures specified in those agreements.

4.2 Within your organization

If you use the Service as part of a team or organization, information in your workspace (including Candidate Data) may be visible to other authorized users according to your workspace settings and permissions.

4.3 Legal, safety, and rights protection

We may disclose information if we believe in good faith that it is reasonably necessary to:

Comply with any applicable law, regulation, legal process, or governmental request.
Protect the rights, property, or safety of Streamline, our users, candidates, or the public.
Detect, prevent, or address fraud, abuse, or security issues.
Enforce our agreements, including our Terms of Service.

4.4 Business transfers

If we are involved in a merger, acquisition, financing, reorganization, sale of assets, or similar transaction, your information may be transferred as part of that transaction, subject to appropriate confidentiality protections.

5. Data retention

We retain personal information for as long as necessary to:

Provide the Service and maintain your account.
Fulfill the purposes described in this Privacy Policy.
Comply with legal, accounting, or reporting requirements.
Resolve disputes and enforce our agreements.

Retention periods may vary for different categories of data.
Customers may control retention of Candidate Data through their own practices; deleting data from within the Service will usually result in deletion from active systems in a reasonable period, subject to backups and legal holds.

6. Security

We use reasonable technical and organizational measures to protect information, including:

Encrypted connections (HTTPS/TLS) for data in transit.
Access controls and authentication mechanisms.
Segregated environments and principle-of-least-privilege access to production systems.
Logging and monitoring of critical infrastructure.

No online service can guarantee absolute security. You are responsible for choosing strong authentication methods and keeping your credentials confidential.

7. International data transfers

Depending on your location and the location of our infrastructure and Subprocessors, your information may be transferred to and processed in countries other than your own. These countries may have data-protection laws that differ from those of your jurisdiction.

Where required, we implement appropriate safeguards for international transfers, such as standard contractual clauses or equivalent mechanisms, and we rely on legitimate transfer bases permitted under applicable law.

8. Your rights and choices

Depending on your jurisdiction, you may have rights with respect to your personal information, such as:

Accessing and receiving a copy of your information.
Correcting inaccurate or incomplete information.
Deleting your information in certain circumstances.
Objecting to or restricting certain processing.
Porting your information to another service.

Requests relating to Candidate Data should typically be directed to the Customer (the organization using OpenSeat) that controls that data. If we receive a request relating to Candidate Data, we may forward it to the relevant Customer.

You can also contact us at [email protected], and we will respond to your request in accordance with applicable law.

You may opt out of non-essential marketing emails by using the unsubscribe link in those messages. You will still receive essential service and security emails.

9. Children's privacy

The Service is not directed to children under 16, and we do not knowingly collect personal information from children under 16.

If you believe a child has provided us with personal information, please contact us so we can delete it where appropriate.

10. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.
When we do, we will revise the "Last updated" date at the top of this page. For material changes, we may provide additional notice (such as email or in-app notification).

Your continued use of the Service after an updated Privacy Policy becomes effective means you accept the changes.

11. Contact

If you have any questions, concerns, or complaints about this Privacy Policy or our practices, you can contact us at:

Email: [email protected]