
Privacy Policy

Effective date: 2026-05-16 · Version 2.0

Plain-English summary first. We use your data to provide the screening service you signed up for. We don't sell it, share it with third parties for marketing, or use resumes to train any models. You can request deletion at any time. The full text below covers the legal details.

1. Who we are

This Privacy Policy applies to the ATS Pal service, provided through the websites at atspal.com, portal.atspal.com, and any related domains (collectively, the "Service"). In this policy, "ATS Pal", "we", "us" and "our" refer to the operator of the Service.

For the purposes of GDPR and similar laws, ATS Pal acts as a data processor when handling resumes and candidate information you upload (you are the data controller for that data) and as a data controller for your own account information (e.g., your name, email and billing details).

You can reach our privacy team at [email protected] or by post at ATS Pal, 7 Bayview Station Rd, Ottawa, ON K1Y 2C5, Canada.

2. What we collect

Account information

  • Name, work email, password (hashed), company name (optional).
  • Subscription plan and billing details (handled via our payment processor, see §5).

Content you upload

  • Job descriptions you provide.
  • Resumes (PDF, DOCX, DOC, TXT) and any related candidate notes you choose to add.
  • The analysis results we produce for you (scores, per-requirement reasoning, shortlists).

Usage information

  • Standard server logs: IP address, user agent, page or endpoint accessed, timestamp.
  • Operational metrics: number of analyses run, processing time, errors.

Communications

  • Messages you send us (support, sales, security inquiries) and our replies.

3. How we use it

We use the data described above to:

  • Provide the Service: run the screening you requested and present the results in your account.
  • Maintain account access, billing and support.
  • Detect and prevent abuse, fraud and security incidents.
  • Comply with our legal obligations.
  • Improve the Service operationally, for example by monitoring uptime, processing speed and error rates. Aggregate, non-identifying metrics may inform product decisions.

What we don't do: we do not sell your data, we do not share resumes with third parties for marketing, and we do not use customer resumes to train any model.

5. Sharing & subprocessors (including AI providers)

We share your data only with the limited set of vetted infrastructure and AI providers we need to run the Service. Each is bound by a contract that includes confidentiality and data-protection obligations:

  • Google Cloud Platform (GCP): hosting, storage, compute, identity, and database services. Resumes and analysis records are stored in GCP. Data is held in the residency region you choose; default is the United States.
  • Google Cloud AI / Gemini API: the core natural-language processing used to read resumes and produce per-requirement reasoning is performed via Google's Gemini family of models accessed through the Google Cloud Vertex AI / Gemini API. Resume content (and the job description you provide) is transmitted to this API for the sole purpose of producing your analysis. Google contractually commits that data submitted through its enterprise AI APIs is not used to train its foundation models. See Google Cloud DPA.
  • Stripe: payment processing for paid plans. Stripe handles full card details; we store only billing metadata (last four digits, expiry, brand). See Stripe Privacy Policy.
  • Transactional email provider: sending account, billing, and security notices. The provider sees only the email address and the message content.
  • ATS integration partners (Enterprise only): for customers using ATS Bridge, we exchange data with the relevant ATS (e.g., BambooHR, Greenhouse, Lever, Workable, Workday) as configured by you in your account.

We will publish any addition to the subprocessor list before it takes effect, where reasonable. Enterprise customers receive a contractual subprocessor list as part of their Data Processing Addendum (DPA) and may request advance notice of subprocessor changes under their DPA.

We may also disclose data when legally required (court order, subpoena, or other lawful process), in which case we will notify you unless prohibited from doing so. We do not sell personal data. We do not share personal data for cross-context behavioural advertising.

6. Retention & deletion

We keep your data for as long as you maintain an active account. Specifically:

  • Resumes and analyses: retained while the analysis exists in your account. Deleting an analysis removes its resumes from live storage immediately; encrypted backups roll off within 30 days.
  • Account information: retained while your account is active and for a limited period after closure to fulfil our legal obligations (e.g., tax records).
  • Server logs: typically retained for up to 90 days.

To request permanent deletion of all your data, email [email protected] from the email address you used to register your account. Requests sent from a different address may be denied or require additional identity verification, to protect against unauthorized account deletion. Once your identity is verified, we will confirm deletion in writing within five business days.

7. Your rights

Depending on your jurisdiction (in particular if you reside in the EEA, UK, Switzerland, Canada under PIPEDA, or another applicable jurisdiction), you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten"), subject to our retention obligations.
  • Restrict or object to certain processing.
  • Data portability: receive your data in a structured, machine-readable format.
  • Withdraw consent where processing is based on consent (withdrawal does not affect the lawfulness of prior processing).
  • Not be subject to a decision based solely on automated processing (where applicable under GDPR Art. 22). The Service produces a ranked shortlist as a decision-support tool; the human hiring decision is taken by the controller (you, our customer). For candidates whose resumes are processed, the controller is the customer, not us; please contact the relevant customer to exercise rights about candidate data.
  • Lodge a complaint with your local data-protection authority (see §15).

To exercise these rights, email [email protected] from the email address you used to register your account. Requests from a different address may require additional identity verification, to protect against unauthorized data access. We respond within 30 days of successful verification (or sooner where required by law). If we deny a request, we will explain why and how you can appeal: internally to us, and externally to a supervisory authority.

8. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights regarding your personal information.

Categories of personal information we collect. In the past 12 months, we have collected the following categories: identifiers (name, email, IP address); commercial information (subscription history); internet or other electronic network activity information (server logs, usage metrics); and professional information (uploaded resumes and job descriptions, processed on behalf of our business customers acting as data controllers).

Sources. Directly from you, from your account activity, and from automatically-collected technical information.

Purposes. See §3 above ("How we use it").

Disclosures for a business purpose. See §5 above (subprocessors). We disclose categories of personal information to these subprocessors solely to provide the Service.

We do not "sell" or "share" personal information as those terms are defined under CCPA/CPRA. We do not use or disclose sensitive personal information for purposes that would require offering an opt-out under §7027 of the CCPA regulations.

Your California rights:

  • Right to know what personal information we collect, use, disclose, and (if applicable) sell or share.
  • Right to delete personal information we have collected from you, subject to certain exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing (not applicable, as we do not sell or share personal information).
  • Right to limit use of sensitive personal information (not applicable in our case).
  • Right to non-discrimination: we will not deny service, charge different prices, or provide a different level of service because you exercised your CCPA rights.

To exercise these rights, email [email protected] with "California Privacy Request" in the subject line, ideally from the email address you used to register your account. We may need to verify your identity before responding. You may also designate an authorized agent to make a request on your behalf, in which case we may require written authorization and additional verification.

9. Security

We protect your data with industry-standard controls including TLS in transit, AES-256 encryption at rest, multi-tenant isolation, restricted internal access, and operational logging. See the Security page for the full picture.

If a security incident affects your data, we will notify you in writing within 72 hours (or sooner where required by law) with a description, scope, and remediation plan. However, no method of internet transmission or electronic storage is 100% secure, and we cannot guarantee absolute security.

10. International transfers

The Service is operated from Canada and uses Google Cloud regions in the United States by default. AI processing via Google Gemini may take place in any region where Google Cloud operates the relevant model endpoints.

If you are located in the European Economic Area (EEA), the United Kingdom, Switzerland, or another jurisdiction with data-export restrictions, your data may be transferred to and processed in countries that have not been recognized by your jurisdiction's regulator as providing an adequate level of data protection.

Where required, we rely on EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or equivalent safeguards. Enterprise customers may choose alternative residency regions (e.g., EU or Canada) under their Data Processing Addendum (DPA).

By using the Service, you acknowledge and consent to such international transfers where applicable law permits consent as a transfer mechanism.

11. Cookies & tracking

We use a minimal set of cookies and similar local-storage mechanisms strictly to make the Service work. These are commonly referred to as "strictly necessary" or "essential" cookies and, in most jurisdictions, do not require user consent because they are essential to delivering a service the user has requested:

  • Authentication cookies: keep you signed in across pages.
  • Session cookies: maintain your active session and CSRF protection tokens.
  • Local storage: remember UI preferences (e.g., filter selections for a specific role).

We do not use:

  • Third-party advertising cookies or trackers.
  • Cross-site tracking cookies.
  • Analytics cookies that profile individual users.

If we add optional analytics or non-essential cookies in the future, we will update this section, present an explicit consent banner where required (EU/EEA, UK, and other applicable jurisdictions), and offer a clear opt-out. We honour Global Privacy Control (GPC) signals where applicable.

You can block or delete cookies through your browser settings, but doing so may break sign-in and other essential features.

12. Children

The Service is intended for business use and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, please contact [email protected] so we can remove it.

13. Third-party services

The Service depends on third-party providers (see §5) and may link to or interoperate with third-party websites, APIs, or applications. Each third-party service has its own privacy policy and terms, which we encourage you to review.

We are not responsible for the privacy practices, content, or operation of any third-party service. Your use of any third-party service is between you and that provider, and any data you exchange with that provider is subject to their privacy policy, not ours.

14. Changes to this policy (your duty to review)

We may update this Privacy Policy from time to time to reflect changes in our Service, business, applicable law, or industry practice. The "Effective date" at the top of this page reflects the latest version.

Material changes will be announced by email to active account holders at least 14 days before they take effect, or by a prominent notice on the Service. Non-material changes (clarifications, formatting fixes, typo corrections) take effect immediately when posted.

You are responsible for reviewing this policy periodically (we recommend at least every six months) to remain aware of any updates. Your continued use of the Service after a change takes effect constitutes your acceptance of the updated Privacy Policy.

15. Contact & complaints

Privacy team: [email protected] (responses within 30 days)

Postal address:
ATS Pal
7 Bayview Station Rd
Ottawa, ON K1Y 2C5
Canada

EU/EEA & UK residents. You have the right to lodge a complaint with your local data-protection authority. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents can contact the Information Commissioner's Office (ICO).

Canadian residents. You may lodge a complaint with the Office of the Privacy Commissioner of Canada or your provincial privacy commissioner.

We encourage you to contact us first so we can try to resolve any concern directly.