Privacy Policy
Heimdall AI ("we," "us," "our") is the data controller for the personal data processed through our platform at heimdall-talent.ai.
Registered Address:
Heimdall AI
Sorgenfrigårdsvej 78, 1.th
2800 Lyngby, Denmark
Privacy Contact: privacy@heimdall-talent.ai
2. What We Do
Heimdall AI helps companies understand candidates better through AI-powered assessments. When a company invites you to take an assessment, you upload your CV or portfolio, and our AI analyzes it to produce scores in two areas:
- Transformation Quotient (TQ): How well you navigate change and complexity.
- AI Potential: Your aptitude for working effectively with AI tools and technologies.
These scores are decision-support tools — they give hiring teams additional perspective, but don't make hiring decisions. The humans at the company always decide.
3. What Personal Data We Collect
3.1 Candidates
| Data Category | Examples | Source |
|---|---|---|
| Identity & profile data | Name, email, profile photo, LinkedIn profile URL | LinkedIn OAuth (OIDC) login |
| CV / portfolio content | Work history, education, skills, certifications, project descriptions | Uploaded by the candidate |
| Assessment results | TQ score, AI Potential score, trait breakdowns | Generated by our AI system |
| Technical data | IP address, browser type, session timestamps | Automatic collection |
3.2 Company Users
| Data Category | Examples | Source |
|---|---|---|
| Identity & contact data | Name, company email, LinkedIn URL | Registration form |
| Company information | Company name, billing address | Registration form |
| Payment data | Card details (processed by Stripe — we do not store card numbers) | Stripe checkout |
| Usage data | Assessments purchased, candidates invited | Platform activity |
3.3 Referral Program Participants
| Data Category | Examples | Source |
|---|---|---|
| Contact and payment data | Name, email, payment details for payout | Referral registration |
| Referral activity | Referred users, completed assessments | Platform activity |
| Tax documentation | W-9 (US persons) or W-8BEN (non-US persons), where required for payouts exceeding $600/year | Provided by participant |
4. Legal Bases for Processing
| Processing Activity | Legal Basis (GDPR) | Details |
|---|---|---|
| Candidate assessment | Art. 6(1)(b) — Performance of contract | Necessary to deliver the assessment the candidate consented to participate in |
| AI-generated scoring | Art. 6(1)(b) + Art. 22 safeguards | See Section 8 (Automated Decision-Making) |
| Account creation via LinkedIn OAuth | Art. 6(1)(b) — Performance of contract | Required to authenticate and deliver the service |
| Payment processing | Art. 6(1)(b) — Performance of contract | Necessary to fulfill purchased services |
| Compliance with legal obligations | Art. 6(1)(c) — Legal obligation | Tax records, EU AI Act documentation requirements |
| Service improvement and security | Art. 6(1)(f) — Legitimate interest | Fraud prevention, system reliability, aggregated analytics |
| Algorithm improvement | Art. 6(1)(f) — Legitimate interest | Anonymized assessment data may be used to improve our algorithms. You can opt out during the assessment process or at any time by contacting privacy@heimdall-talent.ai. Data used for this purpose is retained up to 3 years. |
In plain terms: we process your data because it's necessary to deliver the service you're using. You can always choose not to use the service.
5. How We Use Your Data
We process personal data to:
- Deliver assessments: Analyze uploaded CVs/portfolios using our AI system to generate TQ and AI Potential scores.
- Share results: Provide assessment results to (a) the company that invited the candidate, and (b) the candidate themselves.
- Process payments: Handle purchases and referral payouts via Stripe.
- Maintain the platform: Ensure security, prevent fraud, and fix technical issues.
- Comply with legal requirements: Maintain records required under GDPR, Danish tax law, and the EU AI Act.
What we don't do (because we think you'd want to know):
- We don't sell your data. To anyone. Ever.
- We don't use your CV to train AI models.
- We don't track you across different employers or assessments.
- We don't build profiles on you beyond the specific assessment you took.
6. Sub-Processors and Data Sharing
We use the following sub-processors to operate the platform:
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | Account data, uploaded CVs, assessment results | EU region (Frankfurt, Germany) |
| Vercel, Inc. | Web application hosting | Technical/request data (IP addresses, headers) | Edge network (EU-preferred routing) |
| Anthropic, PBC | AI model provider (Claude) | CV/portfolio content for assessment generation | United States* |
| Stripe, Inc. | Payment processing | Payment and billing data | United States and EU |
| LinkedIn (Microsoft) | Authentication (OAuth/OIDC) | Authentication tokens, basic profile data | United States |
*Anthropic processes your CV content to generate the assessment. This means your CV is sent to servers in the United States. The transfer is protected by Standard Contractual Clauses (SCCs), and Anthropic's terms prohibit it from using your data to train its AI models. We send only the content needed to generate your assessment — nothing more.
We do not share personal data with any other third parties except where required by law.
7. International Data Transfers
Some of our sub-processors are based in the United States. For each transfer outside the EU/EEA, we rely on:
- Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented by transfer impact assessments where appropriate.
- Sub-processor contractual commitments regarding data handling and security.
You may request a copy of the relevant transfer safeguards by contacting privacy@heimdall-talent.ai.
8. Automated Decision-Making (GDPR Article 22)
8.1 What Happens
When a candidate uploads a CV or portfolio, our system uses an AI language model (Anthropic Claude) to analyze the content and generate assessment scores. This processing is automated — no human reviews individual CVs before scores are generated.
8.2 How the Logic Works
The AI reads your CV or portfolio and evaluates it against structured criteria:
- For TQ: It looks for evidence of adaptability, cross-domain experience, learning trajectory, and comfort with ambiguity in your career history.
- For AI Potential: It looks for technical curiosity, tool adoption, workflow integration capability, and related competencies.
The result is a set of scores and trait-level breakdowns based on what's in your uploaded materials. The system does not search the internet for additional information about you, and it doesn't use data from other candidates' assessments.
8.3 What This Means in Practice
- Results may vary slightly between runs — this is normal for AI systems and doesn't mean anything is wrong.
- Your score reflects your materials — a detailed CV gives the AI more to work with than a sparse one.
- It's a tool, not a verdict — companies are expected to use these scores alongside other information when making hiring decisions, not as the sole basis.
8.4 Your Rights Regarding Automated Processing
Under GDPR Article 22 and consistent with Danish law (which does not provide exemptions to Article 22), you have the right to:
- Obtain meaningful information about the logic involved (provided in this section and in your assessment results).
- Express your point of view regarding the assessment outcome.
- Contest the result and request human review of the assessment.
To exercise these rights, contact privacy@heimdall-talent.ai. We will arrange for a qualified person to review your assessment and respond within 30 days.
9. EU AI Act Transparency Disclosure
Heimdall AI's assessment system is classified as high-risk under the EU AI Act (Regulation 2024/1689), Annex III, Section 4(a): "AI systems intended to be used for recruitment or selection of natural persons, in particular to place targeted job advertisements, to analyse and filter job applications, and to evaluate candidates."
High-risk obligations become enforceable on August 2, 2026. We're working toward compliance ahead of that deadline — this includes maintaining documentation, logging system activity, and designing the system so that humans (not the AI) make the actual hiring decisions.
If you have questions about our AI Act compliance, contact privacy@heimdall-talent.ai.
10. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Candidate accounts, uploaded CVs/portfolios, and assessment results | Duration of active account. After 3 years of inactivity, we will contact you to confirm whether you wish to keep your profile; data is only deleted if you do not respond or request deletion. | Your profile and assessments remain available as long as you want them — this is a core part of the service. |
| Company accounts and transaction records | Duration of account + 5 years after termination | Danish bookkeeping requirements (Bogføringsloven) |
| Payment records | 5 years from transaction date | Danish tax and accounting law |
| AI Act compliance logs | 10 years from system decommissioning or last use | EU AI Act Article 19 record-keeping requirements |
| Technical/security logs | 12 months | Security and incident response |
You can request deletion of your data at any time (see Section 11 — Right to Erasure). If you don't request deletion, we retain your profile and assessments so you can access them when you need them. After the retention period, data is deleted or irreversibly anonymized.
11. Your Rights Under GDPR
You have the following rights, which you can exercise by contacting privacy@heimdall-talent.ai:
- Access (Art. 15): Request a copy of your personal data.
- Rectification (Art. 16): Correct inaccurate data.
- Erasure (Art. 17): Request deletion of your data, subject to legal retention requirements.
- Restriction (Art. 18): Request limited processing in certain circumstances.
- Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Object (Art. 21): Object to processing based on legitimate interest.
- Automated Decision-Making (Art. 22): See Section 8 above.
We will respond to all rights requests within 30 days. If we need additional time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.
12. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS) and at rest.
- Role-based access controls.
- Sub-processor contractual obligations regarding data security.
13. Children
Our service is not directed at individuals under 18. We do not knowingly process personal data of minors. If you believe a minor's data has been submitted, contact privacy@heimdall-talent.ai and we will delete it promptly.
14. Complaints
If you believe we have not handled your data correctly, you have the right to lodge a complaint with:
The Danish Data Protection Agency (Datatilsynet)
Carl Jacobsens Vej 35
2500 Valby, Denmark
Phone: +45 33 19 32 00
Email: dt@datatilsynet.dk
Website: datatilsynet.dk
You may also lodge a complaint with the supervisory authority in your country of residence.
15. Changes to This Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. Material changes will be communicated via the platform. The "Last Updated" date at the top indicates the most recent revision.
16. Contact
For any questions about this privacy policy or your personal data:
Privacy Contact: privacy@heimdall-talent.ai
Legal Contact: legal@heimdall-talent.ai
Heimdall AI
Sorgenfrigårdsvej 78, 1.th
2800 Lyngby, Denmark