Privacy Policy
Version 2.2 | As of: 06 May 2026
This privacy policy applies to the website https://madita.ai/ (hereinafter “Website”) and to the MADITA platform (hereinafter “MADITA”, “MADITA platform” or “Platform”). The Website and the MADITA platform are referred to collectively as the “MADITA offering”.
MADITA is an AI-powered structured voice interview product of HeyJobs GmbH. The controller within the meaning of the General Data Protection Regulation (GDPR) is HeyJobs GmbH.
1. Controller
The controller within the meaning of Art. 4 (7) GDPR is:
HeyJobs GmbH, Paul-Lincke-Ufer 39/40, 10999 Berlin, Germany. Email: legal@madita.ai. Phone: +49 30 30 80 95 50.
You can find the imprint at https://madita.ai/imprint.
2. Data Protection Officer
You can reach HeyJobs GmbH's Data Protection Officer at: legal@madita.ai.
The Data Protection Officer of HeyJobs GmbH is DataCo GmbH, Sandstraße 33, 80335 Munich, Germany.
3. Scope and Purpose of Data Processing
This privacy policy informs you about the nature, scope and purpose of the processing of personal data in connection with your visit to the Website and your use of MADITA.
4. General Information on Legal Bases
Where we obtain your consent for processing operations involving personal data, Art. 6 (1)(a) GDPR serves as the legal basis. To the extent that special categories of personal data within the meaning of Art. 9 (1) GDPR may be affected, Art. 9 (2)(a) GDPR (explicit consent) additionally applies.
For processing required to perform a contract or to take pre-contractual steps, Art. 6 (1)(b) GDPR serves as the legal basis.
Where processing is necessary to fulfil a legal obligation, Art. 6 (1)(c) GDPR serves as the legal basis.
Where processing is necessary to safeguard a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not override that interest, Art. 6 (1)(f) GDPR serves as the legal basis.
5. Server Log Files
Each time our Website is accessed, our server automatically collects technical information transmitted by your browser and stores it in so-called log files. The following is collected: IP address of the requesting device (in shortened, anonymised form where technically possible), date and time of access, name and URL of the file accessed, volume of data transferred, notification of successful retrieval, browser type and version, operating system and referrer URL (the previously visited website).
Purposes: ensuring a smooth connection, ensuring system security and stability, evaluation for administrative purposes.
Legal basis: Art. 6 (1)(f) GDPR. Our legitimate interest lies in the technical provision of the Website and the defence against attacks.
Storage period: Log files are deleted after no more than 30 days. In the event of a concretely documented security-related incident, individual log files necessary for investigating the incident may be retained for up to 90 days after the investigation has been concluded and are deleted thereafter.
6. Cookies and Comparable Technologies
Overview and consent model: We use cookies and comparable technologies (e.g. local storage) on the Website. Cookies are small text files stored on your device. We use cookies and comparable technologies that are not strictly necessary exclusively on the basis of your consent. Before any non-essential storage of or access to information on your device, we obtain your consent via a cookie banner. The banner allows you to accept or reject each category individually; the actions “Accept all”, “Settings” and “Reject all” are displayed at the same visual weight on the first level.
Legal bases: For the storage of information on your device and access to it: Sec. 25 (1) TDDDG (consent) or Sec. 25 (2) No. 2 TDDDG (strictly necessary). For the processing of the related personal data: Art. 6 (1)(a) GDPR (consent) or Art. 6 (1)(f) GDPR (legitimate interest in the secure and functioning operation of the Website) for strictly necessary cookies.
Categories: We use four categories. Strictly necessary — required to operate the Website (login, security, session management); no consent required (Sec. 25 (2) No. 2 TDDDG). Comfort — stores your preferences such as language and display; consent required. Statistics — pseudonymised usage measurement to improve the application and detect errors; consent required. Marketing — tracking for advertising and conversion measurement; consent required. In the banner, all categories requiring consent are deactivated by default.
Cookies currently in use: We currently use only cookies in the “Strictly necessary” category — a session cookie (management of your login, session or until logout), a CSRF token (protection against cross-site request forgery, session), a load balancing cookie (sticky routing to the correct server instance, session) and a cookie consent cookie (storage of your cookie decision, 12 months). As soon as we use cookies in the comfort, statistics or marketing categories, we will obtain your consent.
Transfers to third countries: Where cookies trigger data transfers to third countries (in particular to the USA), we point out in the cookie register the applicable safeguards, in particular the EU–US Data Privacy Framework and/or standard contractual clauses pursuant to Art. 46 (2)(c) GDPR. The strictly necessary cookies currently in use do not involve any third-country transfers.
Withdrawal and management of your consent: You can withdraw your consent at any time with effect for the future or adjust your selection by clicking the “Cookie settings” link in the footer or, in logged-in areas, opening the corresponding entry in the settings menu. Withdrawal is just as easy as giving consent. We will obtain your consent again if 12 months have passed since your last decision or the cookie configuration changes in a way that requires renewed consent.
Proof of consent: To document your consent as required by Art. 7 (1) GDPR, we store technical metadata in pseudonymised form. Legal basis: Art. 6 (1)(c) in conjunction with Art. 7 (1) GDPR and Art. 6 (1)(f) GDPR. Storage period: 3 years from the respective consent decision (based on Sec. 195 BGB).
Note on the AI interview: The recording and processing of your voice as part of the AI interview is not cookie processing within the meaning of this section. Separate information notices and a dedicated consent or confirmation screen apply before the start of the interview.
7. MADITA Product
The MADITA product is a SaaS application that enables companies (“Customers”) to conduct structured AI-powered interviews with candidates. You can first test the product with up to 10 free interviews (“Trial Phase”) and then use it on a paid basis.
Roles and contractual structure: Three parties are involved — the company (“Customer”), the candidate as the data subject and us as the operator of the Platform. The Customer is the controller (Art. 4 (7) GDPR) for the processing of candidate data. We process candidate data exclusively as a processor (Art. 4 (8) GDPR) on the basis of a data processing agreement (Art. 28 GDPR). Vis-à-vis the Customer, we are the controller with regard to account and contract data.
Registration and account creation: Data processed: name, business email address, company, position, password (hashed), optionally telephone number, and other information. Purpose: product access, authentication, protection of the platform, and the initiation and performance of the contractual relationship. Legal basis: Art. 6 (1)(b) GDPR and, in addition, Art. 6 (1)(f) GDPR. Storage period: for the duration of the contractual relationship; thereafter deleted unless commercial- or tax-law retention obligations prevent it (generally up to 10 years). During account creation you conclude a DPA with us pursuant to Art. 28 GDPR.
Social login: As an alternative you can sign in with your existing account at Google, Microsoft or LinkedIn (each based in Ireland). The respective provider transmits the profile data required for account creation (typically name and email address). The legal basis is Art. 6 (1)(b) GDPR. If the providers process data outside the EEA, Section 11 applies accordingly.
Trial Phase (10 free interviews): If you wish to conduct interviews with real candidates during the Trial Phase, the same requirements apply as for paid use. Data from the Trial Phase is automatically deleted no later than 6 months after the end of the respective interview session, unless a paid contractual relationship is concluded.
Paid use: Before using MADITA with candidate data, the conclusion of a DPA is required. The Customer is obliged to inform candidates about the processing of their data before the selection process begins and to comply with the applicable disclosure obligations, in particular the disclosure of the use of an AI system.
Candidate data – note on processing on behalf: Insofar as companies use MADITA for AI-powered interviews, we process candidate data (in particular audio recordings, transcripts and AI evaluations) exclusively as a processor on behalf of and according to the instructions of the respective company (Art. 28 GDPR). The respective company is the controller. Candidates who wish to exercise data subject rights should contact the company that invited them. Before the interview begins, we inform candidates on behalf of the company that they are interacting with an AI system.
8. Post-Demo Feedback Form (Google Forms)
After completing the demo interview, we ask for your feedback via an online form that we provide using Google Forms (provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland).
Data processed: your entries in the form, including voluntary contact data (e.g. name, email address, company, role) and your substantive feedback. Purpose: evaluation of your feedback to improve the product. Legal basis: Art. 6 (1)(a) GDPR (consent given by submitting the form).
Storage period: The responses are deleted no later than 24 months after receipt. If you expressly request sales contact, this data is transferred to the CRM system described in Section 9. Your consent to provide feedback does not automatically extend to continued processing in the CRM. Google may process data in the USA; for the safeguards, see Section 11.
9. Sales and Marketing Communication, CRM (HubSpot)
Insofar as you expressly request sales contact via the feedback form or otherwise provide your business contact data, we store and process this data in our CRM system HubSpot (HubSpot, Inc., 2 Canal Park, Cambridge, MA 02141, USA, and HubSpot Ireland Limited, Dublin, Ireland).
Data processed: business contact data (name, email, telephone number, company, role), content of the communication, interaction data with our emails. Purposes: maintenance of the business relationship, sales contact, processing of your enquiries, information about the product.
Legal basis: Art. 6 (1)(a) GDPR (consent), (b) GDPR (pre-contractual measures/contract performance) or (f) GDPR (legitimate interest in acquiring and maintaining business customer relationships). You can object at any time to processing for advertising and direct marketing purposes informally at legal@madita.ai.
Storage period: no longer than 36 months after our last contact; thereafter deleted unless statutory retention obligations prevent it. HubSpot also processes data in the USA; for the safeguards, see Section 11.
10. Processors Used
For the operation of the MADITA offering we use carefully selected service providers that process personal data on our behalf (Art. 28 GDPR). We have concluded a data processing agreement with each of these processors.
Categories: cloud hosting and infrastructure, AI inference and speech processing, application monitoring and error analysis, email delivery, CRM and sales communication, payment processing, ATS integration.
Individual processors are based or process data outside the EEA; for the transfer mechanisms used, see Section 11. We provide a current list of the processors used, including their sub-processors, on request at legal@madita.ai.
11. Data Transfers to Third Countries (in particular the USA)
Some of the providers mentioned in Section 10 are based or process data in countries outside the European Economic Area (EEA), in particular in the USA.
Transfer mechanisms: Where data is transferred to the USA, we rely on the following safeguards in order — the EU–US Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023, Implementing Decision (EU) 2023/1795), if the respective US provider is certified; in addition, standard contractual clauses pursuant to Art. 46 (2)(c) GDPR (Implementing Decision (EU) 2021/914) as a fallback. We provide a copy of the standard contractual clauses on request.
Specific note on AI speech processing: The AI service used for live speech processing in the interview currently processes audio streams and transcript fragments via a global endpoint, including processing in the USA. We base this transfer on the EU–US Data Privacy Framework and, subsidiarily, on standard contractual clauses. As soon as permanent EU hosting is available, we will switch processing to EU endpoints.
12. Your Rights as a Data Subject
You have the following rights vis-à-vis us as controller: right of access (Art. 15 GDPR), right to rectification (Art. 16 GDPR), right to erasure (Art. 17 GDPR), right to restriction of processing (Art. 18 GDPR), right to data portability (Art. 20 GDPR), right to object (Art. 21 GDPR) where the processing is based on Art. 6 (1)(e) or (f) GDPR, and the right to withdraw consent (Art. 7 (3) GDPR).
The lawfulness of processing carried out up to a withdrawal remains unaffected. To exercise your rights, please contact legal@madita.ai.
13. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement (Art. 77 GDPR).
The supervisory authority responsible for us is: Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstr. 219, 10969 Berlin, Germany, Phone: +49 30 13889-0, Email: mailbox@datenschutz-berlin.de.
14. Data Security
We take appropriate technical and organisational measures pursuant to Art. 32 GDPR to protect your data against unauthorised access, loss and manipulation. The measures are reviewed regularly and adapted to the state of the art.
15. Currency and Amendment of this Privacy Policy
This privacy policy is current as of the date shown above. We reserve the right to amend it to adapt to changes in the legal situation or to changes in our offering. The current version is available at https://madita.ai/privacy and at https://interview-demo.madita.ai/privacy.
In the event of material changes, we will inform you by email or by means of a clearly visible notice the next time you access the product. To the extent that a change affects the scope of a granted consent, we will obtain renewed consent before further processing. For any questions, please contact legal@madita.ai.