How Vitae handles your data.

This privacy notice is issued by Vitae AI Ltd, a company registered in England & Wales, with its registered office in London, United Kingdom (“Vitae”, “we”, “us”).

Vitae provides an AI-native recruiting platform used by talent and hiring teams. This notice explains how we handle personal data in connection with our marketing website (vitae.ai), our product (app.vitae.ai), and our communications with customers, candidates, prospects, and visitors.

When you use our product, our customer (your employer or the recruiter using Vitae) is the controller of candidate data they upload or generate, and Vitae is the processor acting on their instructions under our Data Processing Addendum.

When you visit our marketing site, sign up for an account, attend a demo, or contact us directly, Vitae acts as the controller for that personal data. This notice covers the controller activities. Customers’ own privacy notices govern how candidate data is handled inside their workspaces.

Information you give us

• Account details: name, work email, password hash, role, employer.
• Billing details: company name, billing address, VAT/tax ID. Card details are handled by our payment processor; we do not store full card numbers.
• Communications: messages you send us via email, chat, demo bookings, or support requests.
• Marketing signups: email and any optional metadata you provide on a form.

Information collected automatically

• Device, browser, IP address (truncated where possible), and approximate location.
• Pages visited, referrer, time on page, and basic interaction events.
• Authentication events, error logs, and feature usage telemetry inside the product.

Information from third parties

• Identity providers when you sign in via SSO (Google, Microsoft, Okta).
• Public business profile data (e.g. LinkedIn, company websites) used for sales outreach where lawful.

• Provide, maintain, and secure the marketing site and the product.
• Set up and bill for accounts, and provide customer support.
• Send service emails (changes, security notices, billing, downtime).
• Send marketing emails where you have signed up or where soft opt-in applies. You can unsubscribe at any time.
• Improve the product through aggregated usage analytics — never by training shared models on customer content.
• Detect, prevent, and respond to fraud, abuse, and security incidents.
• Comply with our legal, regulatory, tax, and accounting obligations.

Under the UK GDPR and EU GDPR we rely on the following lawful bases:

• Contract — to deliver the services you have signed up for.
• Legitimate interests — to run, secure, and improve our business, market our services to other businesses, and prevent misuse. We balance our interests against your rights and have completed legitimate-interest assessments where required.
• Consent — for non-essential cookies and certain marketing activities. You can withdraw consent at any time without affecting prior processing.
• Legal obligation — where we must process data to comply with applicable law.

We share personal data only with parties that need it, under appropriate contracts and safeguards:

• Sub-processors who help us run the service (hosting, email, error monitoring, analytics, AI model providers). The current list is published in our Trust Centre.
• Professional advisers such as auditors, lawyers, and accountants, where reasonably necessary.
• Authorities and regulators where required by law, court order, or to protect our rights.
• A successor entity in the event of a merger, acquisition, or restructure, subject to confidentiality and notice.

We do not sell personal data.

Vitae is headquartered in the United Kingdom. Some of our sub-processors are located outside the UK and EEA (notably the United States). Where we transfer personal data internationally we rely on:

• The UK International Data Transfer Agreement or EU Standard Contractual Clauses (with the UK Addendum where applicable).
• Adequacy decisions, where the destination country is recognised as providing equivalent protection.
• Supplementary measures including encryption in transit and at rest, access controls, and contractual restrictions on government access.

We keep personal data only for as long as we need it for the purposes set out in this notice, then delete or anonymise it. Indicative timeframes:

• Account data — for the life of the account, then up to 90 days for backup purges.
• Billing and tax records — 7 years from the end of the relevant tax year.
• Marketing signups — until you unsubscribe, then suppressed for unsubscribe enforcement.
• Support and security logs — up to 12 months.

Customers can configure shorter retention windows for candidate data inside the product.

Where Vitae is the controller, you have the following rights under the UK GDPR and EU GDPR:

• Access a copy of your personal data.
• Correct inaccurate or incomplete data.
• Erase your data (the “right to be forgotten”), subject to limited exceptions.
• Restrict or object to specific processing activities.
• Withdraw consent where processing is based on it.
• Receive your data in a portable, machine-readable format.
• Lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or your local supervisory authority.

To exercise any of these rights, email hello@vitae.ai. We respond within one month, extendable by two further months for complex requests.

If you are a candidate whose data sits inside a customer’s Vitae workspace, please contact that customer directly. We will assist them in responding.

• Customer data is never used to train shared or third-party models.
• When agents reason over your records they do so in-context for a single request only.
• The model providers we work with (Anthropic, OpenAI) are contractually bound to zero data retention for our API usage.
• Human-in-the-loop is on by default for any consequential candidate-facing action.

We use a small number of strictly necessary cookies for authentication, security, and load balancing. We use privacy-friendly analytics that do not set cross-site identifiers. We do not run advertising trackers on the marketing site. Where consent is required, you will see a banner the first time you visit and can change your choices at any time.

We protect personal data with encryption in transit and at rest, strict access controls, audit logging, and ongoing monitoring. A full description of our controls is published in the Trust Centre and the Security page.

We may update this notice from time to time. The “Last updated” date at the top reflects the most recent version. For material changes we will notify customers by email or in-product notice before the change takes effect.

Questions, requests, or complaints about this notice or our use of your data:

• Email: hello@vitae.ai
• Postal: Vitae AI Ltd, London, United Kingdom