Who we are
Arvan ATS (the "Service", "we", "our") is an applicant tracking system (the "Controller"). This page describes what personal data the Service processes, the legal basis for each processing activity, with whom we share it, how long we retain it, the safeguards we apply for international transfers, and the rights individuals have under the EU General Data Protection Regulation (GDPR) and equivalent laws.
For privacy queries write to privacy@arvanats.com. For security disclosures write to security@arvanats.com.
1. Scope — who this policy applies to
- Recruiters and team members who sign in to the Service to manage hiring pipelines on behalf of their organization (our "Customer").
- Candidates whose personal data is entered into the Service by a recruiter, or who apply through a public careers page hosted by Arvan ATS.
When the Service is operated by a Customer, the Customer is the GDPR "controller" for candidate personal data and Arvan ATS acts as a "processor" on the Customer’s behalf. A separate Data Processing Addendum (DPA) is available to Customers on request from privacy@arvanats.com.
2. Categories of personal data
From recruiters / team members
- Identification data: name, work email address, role.
- Authentication data: bcrypt-hashed passwords (we never receive or store plaintext passwords) and a JWT session cookie.
- Connected-account data: when a user connects a third-party service (Google Calendar, Twilio SMS, AI provider), the access and refresh tokens issued by that provider, stored encrypted at rest.
- Activity data: audit log entries recording who did what, when, in the Service.
From candidates
- Identification + contact data: name, email, phone, location.
- Profile fields the recruiter or careers form captures.
- Resume documents uploaded to the Service.
- Communication history: emails and SMS exchanged with the recruiter.
- Interview scheduling metadata.
We do not knowingly process special-category data under Art. 9 GDPR. Customers must instruct candidates not to submit such data via free-text fields.
3. Purposes & lawful basis (GDPR Art. 6)
| Purpose | Categories | Lawful basis |
|---|---|---|
| Operating the Service for the Customer | All recruiter + candidate data | Art. 6(1)(b) — performance of a contract |
| Outbound transactional email (interview invites, status updates, password resets) | Candidate contact data | Art. 6(1)(b) and (f) — contract + legitimate interest in recruitment ops |
| Outbound SMS via the configured SMS provider | Candidate phone number + message body | Art. 6(1)(b) and (f) |
| Pushing events to the recruiter’s Google Calendar | Recruiter’s Google account tokens + event details | Art. 6(1)(a) — explicit consent of the recruiter via OAuth |
| AI-assisted resume parsing (optional, off by default) | Resume document text | Art. 6(1)(b) and (f); enabled only by Customer’s admin |
| Service security, fraud prevention, audit | Activity logs, IP, user agent | Art. 6(1)(f) — legitimate interest in protecting the Service |
| Complying with legal obligations | As required | Art. 6(1)(c) |
We do not sell personal data. We do not use personal data for advertising. We do not share data with ad networks or data brokers. We do not use Google user data, candidate personal data, or resume content to train generalized artificial-intelligence or machine-learning models.
4. Use of Google user data
When a recruiter chooses to connect their Google account in Settings → Integrations, the Service requests the minimum scope required for the feature they enabled:
https://www.googleapis.com/auth/calendar.events — used solely to create, update, and cancel interview events on the connecting recruiter’s own calendar. Not used for any other purpose.
Refresh tokens are stored encrypted in our database scoped to the connecting user only. No human at Arvan ATS reads Google user data; access is automated and limited to the Service’s calendar push path.
Arvan ATS’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In particular, Arvan ATS:
- Accesses Google user data only for the specific feature the user enabled.
- Does not transfer Google user data to third parties except as necessary to provide or improve user-facing features, in compliance with law, or as part of a merger / acquisition / sale of assets with the user’s explicit consent.
- Does not use Google user data for serving advertisements.
- Does not allow humans to read Google user data unless we have obtained the user’s explicit consent, it is necessary for security investigations, we are required to do so by law, or the data is aggregated and anonymized.
- Does not use Google user data to develop, improve, or train generalized AI/ML models.
Recruiters may disconnect their Google account at any time from Settings → My Account → Calendars inside the Service, or from myaccount.google.com/permissions. Tokens are deleted on our side within 24 hours of disconnection.
5. Recipients & sub-processors
The Service is single-tenant: candidate data is visible only to users inside the Customer’s ATS instance, subject to the per-role access controls (admin / hiring manager / recruiter / reviewer). We engage the following sub-processors strictly to deliver the Service:
| Sub-processor | Purpose | Region | Transfer safeguard |
|---|---|---|---|
| Hosting & CDN provider | Hosting, networking, CDN, TLS termination | EU (Frankfurt) primary | EU Commission SCCs 2021/914 (Mod. 2) where applicable |
| Google LLC | Google Calendar API push (recruiter-connected only) | Global (US/EU) | EU Commission SCCs 2021/914 (Mod. 2) + EU–US Data Privacy Framework certification |
| Twilio Ireland Ltd. | Outbound SMS delivery (admin-configured only) | EU (Dublin) primary | EU Commission SCCs 2021/914 (Mod. 2) |
| Anthropic PBC or OpenAI Ireland Ltd. | Optional AI resume parsing (admin-enabled only) | US / EU | SCCs 2021/914 (Mod. 2) + provider’s data-deletion-after-use policy |
| Customer’s configured SMTP server | Outbound email delivery | Customer-determined | Customer responsibility |
We notify Customer administrators by email at least 30 days before adding a new sub-processor; Customers may object on reasonable data protection grounds.
6. International transfers
Where personal data is transferred outside the European Economic Area (e.g., to Google, Anthropic, or OpenAI infrastructure in the United States), Arvan ATS relies on the European Commission’s Standard Contractual Clauses (Commission Decision (EU) 2021/914), Module 2 (controller to processor) or Module 3 (processor to sub-processor) as applicable. We perform a transfer impact assessment before onboarding each sub-processor. For UK transfers we apply the ICO’s International Data Transfer Addendum; for Swiss transfers we apply the FDPIC’s addendum.
7. Retention
- Candidate records are retained for the duration of the Customer’s subscription, plus an additional 30 days after subscription end to allow export / restore.
- Audit logs are retained for 12 months for security and compliance.
- Email and SMS conversation logs live with the candidate record they belong to and are deleted with it.
- Connected third-party tokens (Google, Twilio, AI provider keys) are deleted within 7 days of a Customer admin clearing them in Settings or disconnecting the integration.
- Aggregated, anonymized statistics may be retained indefinitely as they no longer identify an individual.
8. Data subject rights
Individuals in the EU/EEA, UK, and Switzerland have the following rights:
- Access (Art. 15) — request a copy of personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17) — request deletion, subject to lawful retention obligations.
- Restriction (Art. 18) — limit processing while a dispute is resolved.
- Portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
- Objection (Art. 21) — object to processing based on legitimate interests.
- No automated decision-making (Art. 22) — Arvan ATS does not subject candidates to decisions with legal effect produced solely by automated means.
- Withdraw consent (Art. 7(3)) — where processing is based on consent (e.g., Google OAuth), revoke it at any time without affecting prior lawful processing.
- Lodge a complaint with your supervisory authority. A directory is available at the European Data Protection Board.
To exercise any of these rights, email privacy@arvanats.com. We respond within one month under Art. 12(3). Candidates may also ask the Customer operating the ATS instance directly, since the Customer holds the controller relationship for candidate data.
9. Security
- All traffic is served over TLS 1.2 or higher at the edge.
- Secret material at rest (mail server credentials, Twilio tokens, Google OAuth client secret, AI API keys, Google refresh tokens) is encrypted with AES-256-GCM under a server-side key held in environment storage, not in source code.
- Passwords are stored as bcrypt hashes; plaintext is never logged.
- Access to production data is restricted to a small group of operations engineers, gated by SSO + 2FA, with all access logged.
- Confirmed breaches affecting personal data are reported to affected Customer administrators and (where required) to supervisory authorities within 72 hours under Art. 33.
10. Cookies
Arvan ATS uses a single first-party cookie, ats_session, to authenticate signed-in users. It is HTTP-only, Secure, SameSite=Lax, scoped to arvanats.com. No third-party advertising or analytics cookies are set by the Service.
11. Children
The Service is not directed to and may not be used by individuals under 16 years of age. Customers must not enter information about anyone under 16 into the Service.
12. Changes to this Policy
We update this page when our practices change. The "Last updated" date at the top reflects the most recent revision. For material changes (e.g. adding a category of recipients), we will email signed-in administrators at least 14 days in advance.
13. Contact
Privacy queries, data subject requests, sub-processor objections: privacy@arvanats.com
Security disclosures: security@arvanats.com