Privacy Policy
Last updated: April 3, 2025
This Privacy Policy explains how CaskCoded s.r.o., operating the Lorn.ai platform ("we", "us", "our"), collects, processes, and protects your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Slovak law.
By using Lorn.ai, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, please do not use our services.
1. Controller Identity
Data Controller: CaskCoded s.r.o.
Email: studio@caskcoded.com
Platform: lornai.caskcoded.com
For all privacy-related inquiries, including exercising your rights under GDPR, contact us at studio@caskcoded.com.
2. Data We Collect and Legal Basis
We collect only data necessary to provide our services. The table below describes each category, the specific data, and the legal basis under GDPR Art. 6.
| Category | Data | Legal Basis (GDPR) |
|---|---|---|
| Account & Identity | Email address, password (hashed), display name, phone number (optional), authentication tokens (Google/Apple OAuth) | Art. 6(1)(b) - Contract performance |
| Candidate Profile | Full name, education history, work experience, skills, preferred locale, avatar URL, profile completion status | Art. 6(1)(b) - Contract performance |
| Pre-Screening Form | Salary expectations, availability date, location preference (office/hybrid/remote) | Art. 6(1)(b) - Contract performance |
| Voice & Interview Data | Voice recordings, full conversation transcripts, conversation duration, number of questions | Art. 6(1)(a) - Explicit consent |
| AI Evaluation Results | Scores (communication, confidence, experience, problem-solving, cultural fit), personality classification, hire/reject recommendation, red flags, strengths, weaknesses, AI-generated summary | Art. 6(1)(b) - Contract performance; Art. 6(1)(f) - Legitimate interest |
| CV-JD Analysis | CV-to-job-description match score, skills gaps, language proficiency analysis, generated interview prompts | Art. 6(1)(b) - Contract performance |
| Technical & Security Data | IP address, browser type, user agent, audit logs (login, logout, account changes), timestamps | Art. 6(1)(f) - Legitimate interest (security, fraud prevention) |
| Organization Data (HR users) | Organization name, logo, job postings, team member roles, invite tokens | Art. 6(1)(b) - Contract performance |
| Google Sign-In | Google account ID, email address, display name, profile picture URL received via Google OAuth | Art. 6(1)(b) - Contract performance; Art. 6(1)(a) - Consent |
3. How We Use Your Data
- Providing the AI screening simulation service to candidates and HR teams
- Authenticating users and securing accounts (including Google OAuth)
- Processing voice conversations through ElevenLabs AI infrastructure
- Generating AI-powered evaluation reports via OpenAI
- Matching candidate CVs against job descriptions
- Sending transactional emails (registration, invitations, account deletion)
- Maintaining audit logs for security and legal compliance
- Detecting and preventing fraud and abuse
- Improving our platform based on aggregated, anonymized usage data
We do not use your data for automated decision-making with legal effects beyond the scope of the screening service you explicitly choose to use. Evaluation scores are advisory tools for HR professionals, not binding hiring decisions.
4. Google User Data
When you sign in with Google, we receive your email address, name, and profile picture from Google. We use this information solely to create and manage your Lorn.ai account. We do not share Google user data with third parties except as described in Section 5, and only to the extent necessary to operate the service. We do not use Google user data for advertising purposes.
Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
5. Third-Party Processors
We share data with trusted third-party processors under Data Processing Agreements (DPAs) where required by GDPR. These processors act only on our instructions:
- ElevenLabs, Inc. (USA) - Voice AI conversation processing. Your voice recordings and transcripts are processed on ElevenLabs infrastructure. ElevenLabs is certified under the EU-US Data Privacy Framework.
- OpenAI, Inc. (USA) - AI-powered analysis and evaluation generation. Interview transcripts are processed to generate evaluation reports. OpenAI is certified under the EU-US Data Privacy Framework.
- Supabase, Inc. (USA) - Database hosting and authentication infrastructure. Data is stored in AWS eu-central-2 (Frankfurt). Supabase operates under Standard Contractual Clauses.
- Google LLC (USA) - OAuth 2.0 authentication and reCAPTCHA spam protection.
- Vercel, Inc. (USA) - Application hosting and edge infrastructure. Data is served via Vercel's EU edge network.
- Websupport, a.s. (Slovakia) - Transactional email delivery (SMTP).
All transfers to processors outside the EEA are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission or equivalent adequacy mechanisms.
5a. Third-Party Privacy Policies
When using Lorn.ai, your data is also processed by the following third-party services. We encourage you to review their privacy policies to understand how they handle your data:
| Service | Purpose | Privacy Policy |
|---|---|---|
| ElevenLabs | Voice AI - records and transcribes your voice during screening sessions | View policy |
| OpenAI | AI analysis - processes interview transcripts to generate evaluation reports | View policy |
| Supabase | Database & authentication - stores your account data and session tokens | View policy |
| Google reCAPTCHA | Spam protection - verifies that registration requests come from humans | View policy |
| Google OAuth | Sign-in - authenticates your identity via your Google account | View policy |
| Vercel | Hosting - serves the application and processes HTTP requests | View policy |
| Websupport | Email delivery - sends transactional emails (confirmation, invites) | View policy |
6. Data Retention
- Account data: retained for the duration of your account, plus 30 days after deletion request
- Voice recordings: retained for up to 90 days after the screening session, then permanently deleted
- Evaluation reports and transcripts: retained for as long as the HR organization's account is active
- Audit logs: retained for 12 months for security and legal purposes
- Technical logs (IP, browser): retained for 30 days
- Account deletion: upon request, we initiate deletion within 30 days (grace period for recovery)
7. Cookies and Tracking
Lorn.ai uses the following types of cookies and similar technologies:
- Strictly necessary cookies: Authentication session tokens required for login functionality. These cannot be disabled.
- Security cookies: reCAPTCHA tokens from Google to prevent spam and abuse during registration.
- No advertising or tracking cookies are used on this platform.
8. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights. To exercise any of them, contact us at studio@caskcoded.com:
- Right of access (Art. 15): Request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure / 'right to be forgotten' (Art. 17): Request deletion of your account and personal data. Available directly in your account settings under Profile → Delete Account.
- Right to restriction of processing (Art. 18): Request that we limit how we use your data while a dispute is resolved.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON/CSV).
- Right to object (Art. 21): Object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)): Withdraw consent for voice recording processing at any time. This does not affect prior lawful processing.
- Right to lodge a complaint: You may file a complaint with the Slovak Data Protection Authority (Úrad na ochranu osobných údajov, dataprotection.gov.sk).
We respond to all rights requests within 30 days. Identity verification may be required before processing requests.
9. Data Security
- All data in transit is encrypted using TLS 1.2+
- Passwords are hashed and never stored in plaintext
- Database access is restricted to authorized services only, via row-level security policies
- API endpoints require authentication and validate user identity before returning any data
- Voice recordings are proxied through our backend and never exposed directly to client browsers
- Account deletion uses token-based verification to prevent accidental or malicious deletions
- Audit logs capture all sensitive actions for security review
10. Children's Privacy
Lorn.ai is not intended for use by persons under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at studio@caskcoded.com and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email or by displaying a prominent notice on the platform at least 14 days before the changes take effect. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For privacy-related inquiries, data subject rights requests, or complaints:
CaskCoded s.r.o.
Email: studio@caskcoded.com
Platform: lornai.caskcoded.com