Privacy Policy

Effective date: July 9, 2026.

Who We Are

The data controller for the Evidal platform is Random Artifact, Inc., a Delaware corporation. For any privacy-related question or request, contact support@evidal.ai. We respond within 30 days.

What We Collect

  • Company information (name, domain, team member emails)
  • Candidate profiles (name, contact email, experience schema)
  • Application and evaluation transcripts (the conversation records, whether you typed them or your AI agent submitted them)
  • Structured scores and score narratives
  • Interaction metadata during the application chat: response timing and whether text was typed or pasted. We never record keystrokes or clipboard content.
  • Usage metadata (submission mode, timestamps, completeness scores)
  • Product-analytics events (page views, feature usage) — on public and candidate pages only if you accept the analytics banner; see Analytics below

How We Use It

  • Running structured evaluations and producing screening recommendations — signals the hiring company uses to decide whom to advance to interviews. Evidal does not make hiring decisions.
  • Generating dimension-based scores and plain-English narratives for hiring teams
  • Improving evaluation quality and detecting gaming attempts
  • Sending transactional emails (verification links, status updates)

Who Can See Your Data

If you apply as a candidate, here is exactly who sees what:

  • You — your own applications, via the email you applied with.
  • The company you applied to — your evaluation for that application: scores, the written narrative, and the evidence behind them. Your identity and contact details (name, email) are hidden from the company until it pays a one-time “lead unlock” fee for your application. Candidate list views never include identity or contact details, unlocked or not.
  • Other companies — nothing. Your application is visible only to the company you applied to; there is no cross-company candidate pool or searchable profile.
  • Evidal staff — for support and operations, under access controls; access to candidate identity is audit-logged.
  • Service providers — only as needed to run the platform (see Third-Party Services below).

Do We Sell Your Data?

We do not sell your data to data brokers, advertisers, or any party unrelated to your application. One thing should be said plainly, though: our business model is that the employer you applied to pays Evidal to unlock your identity and contact details for that application. That fee is why applying is free for candidates. It only ever reveals your details to a company you chose to apply to — never to anyone else, and never as part of a list, database, or feed sold to third parties.

Analytics

We use Amplitude for product analytics (page views and feature events). On public and candidate-facing pages, analytics only runs after you accept the consent banner; declining keeps it off and changes nothing about your application. Analytics events never include your raw email or name — identifiers are hashed before they are sent. Evaluation content is not sent to analytics.

Data Retention

Evaluation transcripts and candidate data are retained for 2 years from the date of submission. After this period, data is permanently deleted. You may delete your data earlier at any time (see Your Rights below).

Third-Party Services

We use the following services to operate the platform:

  • Supabase — database hosting, authentication, and edge functions
  • Anthropic — AI model provider for evaluation and scoring
  • Stripe — payment processing for hiring companies
  • Amplitude — product analytics (consent-gated on public/candidate pages; identifiers hashed)
  • Resend — transactional email delivery
  • Vercel — application hosting and deployment
  • Cloudflare — edge security, rate limiting, and custom-domain routing

Each provider processes data only as needed to deliver their service.

Security

  • All data is encrypted in transit (TLS) and at rest
  • Row-level security enforced on all database tables
  • GitHub tokens (when provided) are ephemeral and never stored to database
  • Authentication via OAuth 2.0 (Google, Apple) or cryptographic magic links

Your Rights

Under GDPR and applicable data protection laws, you have the right to:

  • Access — request a copy of all data we hold about you
  • Rectification — correct inaccurate personal data
  • Erasure — delete your data at any time (see below)
  • Portability — receive your data in a structured format
  • Objection — object to processing of your data

Deleting your data is self-service. Sign in with the email you applied with at /login, open My Applications, and use Delete my data. This permanently removes your applications, transcripts, scores, and account across all companies, immediately. Agents and API users can call POST /api/v1/candidate/erase with their candidate session. For any other request (access, rectification, portability, objection — or erasure by email), contact support@evidal.ai. We respond within 30 days.

Changes to This Policy

We will post any changes to this policy here and update the effective date. For material changes affecting candidates we will give notice on the candidate-facing pages.

Contact

For any privacy-related questions or concerns, email us at support@evidal.ai.