LegalGDPR

Built for the GDPR and the UK GDPR.

How Vitae AI Ltd handles the rights, obligations, and disclosures that come with EU and UK data protection law. Plain language, no legalese where it isn’t needed.

Last updated · 6 May 2026

01Roles/ controller vs processor

Who controls what, and when.

Processor

When you use the product

Our customer (the recruiter or employer using Vitae) is the controller of candidate data they upload or generate. Vitae acts as the processor, handling that data only on the customer’s lawful instructions and under our Data Processing Addendum (DPA).

Controller

When you visit our site or sign up

For the marketing site, account signup, demo bookings, support, and direct communications, Vitae is the controller. This is covered in our Privacy Notice.

02Lawful basis/ Article 6

Why we are allowed to process your data.

Contract
To deliver the Services you have signed up for.
Legitimate interests
To run, secure, and improve our business and to market to other businesses, balanced against your rights.
Consent
For non-essential cookies and certain marketing activities. Withdrawable at any time without affecting prior processing.
Legal obligation
Where applicable law requires us to process the data (for example, tax records).
03Your rights/ eight rights

Eight rights you can exercise.

To exercise any of these rights email hello@vitae.ai. We respond within one month, extendable by two further months for complex requests. If you are a candidate whose data sits inside a customer’s Vitae workspace, please contact that customer directly — we will assist them in responding.

01

Right to be informed

We tell you how your data is used in our Privacy Notice and at the point of collection. No hidden processing.

02

Right of access

You can request a copy of the personal data we hold about you and information about how we use it.

03

Right to rectification

If anything we hold is inaccurate or incomplete, you can ask us to correct it.

04

Right to erasure

Also known as the right to be forgotten. You can ask us to delete your data, subject to limited legal exceptions.

05

Right to restrict processing

You can ask us to limit what we do with your data while we consider an objection or correct an inaccuracy.

06

Right to data portability

You can ask for your data in a portable, machine-readable format and have it transmitted to another controller.

07

Right to object

You can object to processing based on legitimate interests, including direct marketing. We will stop unless we have an overriding lawful ground.

08

Rights related to automated decision-making

You will not be subject to a decision based solely on automated processing that produces legal or similarly significant effects without a human in the loop.

04International transfers/ Chapter V

How data moves outside the UK and EEA.

Vitae is headquartered in the United Kingdom. Some of our sub-processors are based outside the UK and EEA, notably the United States. Where we transfer personal data internationally we rely on:

05Sub-processors/ Article 28

Every vendor that touches personal data.

We notify customers in advance of any change. Subscribe at hello@vitae.ai to receive updates. The full sub-processor description and DPA are available via the Trust Centre.

Vendor
Purpose
Region
Google Cloud Platform
Hosting, storage, compute
EU (Belgium), US (Iowa)
Vercel
Edge delivery for vitae.ai marketing site
Global edge
Anthropic
Claude models for agent reasoning
US (zero data retention)
OpenAI
GPT models, optional per-workspace
US (zero data retention)
Resend
Transactional email
US / EU
Sentry
Error monitoring
EU (Frankfurt)
06Breach notification/ Article 33

What happens if something goes wrong.

In the event of a confirmed personal data breach, Vitae will:

  • Notify affected customers without undue delay, and in any event within 72 hours of becoming aware.
  • Provide the information needed for the customer to comply with their own Article 33 notification obligation to their supervisory authority.
  • Document the facts, effects, and remedial action taken, and share a post-incident review.
07Contact/ DPO

Speak to our data protection team.

Vitae has appointed an internal Data Protection Lead who can be reached at hello@vitae.ai. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or the supervisory authority in your EU member state.

Need a DPA, SCCs, or a TIA template? We have them ready.

Email us and we will send the documents your privacy team needs within one business day.

Email hello@vitae.aiRead the Privacy NoticeVisit the Trust Centre