FINK · HR
Legal

Privacy Policy

Effective date: April 20, 2026

This Privacy Policy explains how Fink HR (“Fink HR,” “we,” “our,” or “us”) collects, uses, stores, and shares personal data when you use our applicant tracking service at finkhr.com(the “Service”).

Fink HR serves two kinds of users: recruiters (employers and their team members who operate a hiring workspace) and candidates (job applicants who apply through a job posting hosted on the Service). Some sections of this policy apply to one group, some to both.

1. Information we collect

Recruiters

When you create or use a workspace as a recruiter, we collect:

  • Account details: your name, email address, and a hashed version of your password.
  • Workspace details: the name of the organization you create, and the roles of team members you invite.
  • Session data: a hashed session token, the IP address that created the session, the user-agent string of the browser you used, and timestamps.
  • Content you post: job titles, descriptions, and any notes or data you enter while using the Service.

Candidates

When you apply to a job posted on the Service, we collect information from LinkedIn using Sign In with LinkedIn using OpenID Connect. Specifically, after you authorize the connection on LinkedIn, we receive from LinkedIn:

  • Your LinkedIn member identifier (an opaque string).
  • Your name.
  • Your email address on file with LinkedIn.
  • Your LinkedIn profile photo URL, if one is set.
  • Your locale.

We do not receive your work history, education, connections, skills, phone number, address, or any other profile data from LinkedIn. We store only what is necessary to associate your application with the job you applied for.

We also store a record of which job you applied to, the current stage of your application (for example, applied, screening, interview, offer, hired, or rejected), and the timestamps of stage changes.

2. How we use information

We use personal data to:

  • Provide, operate, and maintain the Service.
  • Authenticate users and keep workspaces secure.
  • Route candidate applications to the correct recruiter workspace.
  • Send transactional emails, such as invitations and account notifications.
  • Detect, prevent, and respond to fraud or abuse.
  • Comply with legal obligations.

We do not sell personal data. We do not use personal data for advertising, profiling, or automated decision-making that produces legal or similarly significant effects.

3. LinkedIn and other third parties

We use LinkedInas an identity provider for candidate sign-in. When you click “Sign in with LinkedIn” on an application page, you are redirected to LinkedIn, which authenticates you and asks for your permission to share the fields listed in Section 1. LinkedIn’s handling of your data is governed by its own privacy policy at linkedin.com/legal/privacy-policy.

We also rely on the following categories of service providers:

  • A managed PostgreSQL database provider to store application data.
  • A cloud hosting provider to run the Service.
  • A transactional email provider to deliver invitation and notification emails.

These providers process personal data only on our instructions and under contractual confidentiality and security obligations. We do not share personal data with third parties for their own marketing.

4. Who sees your data inside the Service

When you apply to a job, the employer who posted that job (and the members of their workspace) can view your application and the data we received from LinkedIn on your behalf. That is the purpose of the Service. If you would like your application withdrawn, contact the employer directly, or contact us using the details in Section 12 and we will assist.

5. Cookies

We use a single first-party session cookie to keep recruiters signed in. The cookie is HttpOnly, scoped to our domain, and expires after 30 days or when you sign out. We do not use advertising cookies, cross-site tracking cookies, or analytics cookies that identify individual users.

6. Data retention

  • Recruiter accounts: retained while the account is active. When a recruiter deletes their account, we remove personal data within 90 days, except where we are required to keep it for legal or security reasons.
  • Candidate applications:retained by the employer’s workspace for as long as the employer keeps them. When the employer deletes an application or a workspace, the associated candidate data is removed from our systems within 90 days.
  • Session records: deleted when the session expires, when you sign out, or after 30 days, whichever comes first.
  • Backups: encrypted backups are retained for up to 30 days on a rolling basis and are not used for any purpose other than disaster recovery.

7. Your rights

Depending on where you live, you may have the right to access, correct, delete, or export the personal data we hold about you, and to object to or restrict certain processing. To exercise these rights, email privacy@finkhr.com. We will verify your identity before we act on a request, and we will respond within 30 days.

Residents of Canada have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA), including the right to access the personal information we hold about them, to request corrections, and to file a complaint with the Office of the Privacy Commissioner of Canada. Residents of the European Economic Area, the United Kingdom, and Switzerland have the right to lodge a complaint with their local data protection authority. Residents of California have rights under the California Consumer Privacy Act, including the right to know what personal information we have collected and to request its deletion.

8. International data transfers

Fink HR is operated from Canada, and personal data we collect is processed and stored in Canada. The European Commission has determined that Canada provides an adequate level of data protection for personal data processed by organizations subject to PIPEDA, so transfers from the European Economic Area to Canada can proceed under that adequacy decision. For transfers of categories of data that fall outside the scope of the adequacy decision, we rely on standard contractual clauses and other lawful transfer mechanisms.

9. Security

We protect personal data with encryption in transit (TLS), password hashing using a modern algorithm (bcrypt), server-side hashing of session tokens at rest, role-based access controls within each workspace, and principle-of-least-privilege on our infrastructure. No system is completely secure, and we cannot guarantee absolute security; we work to minimize risk and we will notify affected users and regulators in the event of a qualifying personal data breach in accordance with applicable law.

10. Children

The Service is intended for users who are at least 16 years old. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, contact us and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify recruiters by email and update the effective date at the top of this page. Continued use of the Service after an update means you accept the revised policy.

12. Contact us

Questions or requests about this policy, or about personal data we hold, can be sent to privacy@finkhr.com.

Back to home