01 Who We Are & Our Role
Heartbeat AI is an AI-powered recruitment platform operated by White Lotus Technologies Ltd, a company incorporated in Nigeria ("Heartbeat AI", "we", "our", "us"). We help businesses post jobs, screen candidates, conduct AI-assisted interviews, and manage hiring pipelines. Our platform serves clients in Nigeria, Kenya, Ghana, the United Kingdom, the European Union, and globally.
Understanding our role in processing your data matters because it determines your rights and who you should contact.
| Who you are | Our role | What this means |
|---|---|---|
| Customer (recruiter, HR team, employer) | Data Controller | We collect and use your data to provide and improve our Services, manage your account, and communicate with you. |
| Candidate (job applicant whose data a Customer submits) | Data Processor (on behalf of the Customer) | We process your data only on instruction from the Customer (your prospective employer). The Customer is the Controller of your data. For most rights, you should contact the Customer directly. We assist where we are able. |
| Visitor (browsing heartbeat365.com without an account) | Data Controller | We collect limited data for analytics, security, and marketing. |
02 Scope of This Policy
This Policy applies to:
- Our website and subdomains (heartbeat365.com and related pages);
- Our web and mobile application and all Services provided through it;
- All communications we send you (email, in-app, SMS);
- Candidate Data submitted to the platform by Customers;
- Anyone who attends our webinars, events, or surveys.
This Policy does not govern how Customers use Candidate data in their own hiring processes. Customers are data controllers for Candidate data and their own privacy policies apply to their relationship with candidates.
03 Lawful Bases for Processing
We rely on the following lawful bases depending on the type of processing and your jurisdiction. We do not rely on blanket consent based on your use of the platform — each processing activity has its own identified basis.
| Legal basis | When we rely on it |
|---|---|
| Contract | Creating and managing Customer accounts; delivering purchased Services; billing and invoicing. We cannot provide the Service without this processing. |
| Legitimate Interests | Platform security and fraud prevention; aggregated analytics to improve the service; marketing to existing Customers about related Heartbeat AI products (you can opt out at any time). We always balance our interests against yours before relying on this basis. |
| Consent | Non-essential cookies and tracking technologies; marketing emails to prospects who have not yet subscribed; sharing data with advertising partners for targeted advertising; using personally identifiable Candidate data to train AI models. You may withdraw consent at any time without affecting prior processing. |
| Legal Obligation | Complying with applicable law, responding to regulatory requests or court orders, tax and accounting obligations. |
| Vital Interests | Where necessary to protect life in an emergency. This basis is rarely, if ever, used in our context. |
Heartbeat AI complies with applicable data protection law in every jurisdiction where we operate, including: the Nigeria Data Protection Act 2023 (NDPA) and Nigeria Data Protection Regulation (NDPR); the Kenya Data Protection Act 2019; the EU General Data Protection Regulation (GDPR); the UK GDPR and Data Protection Act 2018; the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA); the South Africa Protection of Personal Information Act (POPIA); and Ghana Data Protection Act 2012. Where applicable laws overlap, we apply the standard most protective of your rights.
04 What Personal Data We Collect
4.1 Data we collect about Customers and their users
| Category | Examples | Source |
|---|---|---|
| Account & Identity | Full name, work email address, job title, phone number | Provided by you at signup |
| Organisation Data | Company name, size, industry, website, logo, job descriptions, salary expectations | Provided by you |
| Billing & Payment | Billing name and address, invoice details. We do not store full payment card numbers. Payments are processed by certified third-party processors. | Provided by you; generated by payment processor |
| Platform Usage | Login timestamps, jobs created, candidates reviewed, features used, time on platform, session duration, clicks | Generated automatically through your use of the platform |
| Communications | Emails, support requests, feedback, survey responses, webinar participation data | Provided by you |
| Device & Technical | IP address, browser type and version, operating system, device identifiers, referring URL, cookies | Collected automatically via cookies and server logs |
4.2 Candidate Data processed on behalf of Customers
| Category | Examples | Sensitivity |
|---|---|---|
| Identity & Contact | Name, email, phone number, location, LinkedIn or professional profile links | Standard |
| Resume & Work History | CV/resume documents, employment history, education, skills, certifications | Standard |
| Application Responses | Written answers to screening questions submitted through the platform | Standard |
| AI Interview Content | Video and audio recordings of AI-facilitated interviews, auto-generated transcripts, AI summaries | High — biometric-adjacent |
| Assessment Results | Skill test scores, AI evaluation metrics, performance rankings | High — hiring decisions |
| AI Screening Outputs | Shortlist tier (e.g., Strong Match / Needs Closer Review / Not Aligned), AI reasoning and match scores | High — automated profiling |
| Metadata | Application timestamp, time spent on assessments, interaction patterns within the platform | Standard |
4.3 Data we collect from visitors
When you browse heartbeat365.com without an account, we collect: IP address and approximate location (country/city level); browser type, device type, and operating system; pages visited, time spent, and referring site; and cookie identifiers (see Section 10).
05 How We Use Personal Data
5.1 Customer data
| Purpose | Legal basis | Description |
|---|---|---|
| Account management and security | Contract | Creating and securing your account, verifying identity, managing user access and permissions. |
| Service delivery and personalisation | Contract | Enabling recruiters to post jobs, generate candidate links, access applicant data, and use all platform features. |
| Billing and payment | Contract | Processing payment information via third-party processors; issuing invoices. |
| Administrative communications | Contract | Sending account alerts, verification emails, security notifications, and service updates. |
| Customer support | Legitimate Interest / Contract | Responding to support requests, feedback, and questions. |
| Platform analytics and improvement | Legitimate Interest | Analysing aggregated usage data to improve features, fix bugs, and improve user experience. |
| Security and fraud prevention | Legitimate Interest | Conducting vulnerability assessments, detecting abuse, and protecting the platform. |
| Marketing to existing Customers | Legitimate Interest | Sending information about Heartbeat AI products and features relevant to your use. You can opt out at any time. |
| Marketing to prospects | Consent | Sending promotional emails to people who have subscribed or consented. You can withdraw consent at any time. |
| Targeted advertising via third-party platforms | Consent | Using advertising pixels (e.g., Meta, Google) to deliver targeted ads. Only where you have consented. You can opt out via cookie settings. |
5.2 Candidate data
We process Candidate Data only to deliver the Services to the Customer who submitted or generated that data. Specifically:
- Running AI-powered resume screening and generating shortlist tiers with reasoning;
- Hosting and facilitating AI interview sessions and capturing recordings and transcripts;
- Generating assessment scores, AI evaluation outputs, and match scores;
- Storing and displaying Candidate Data within the Customer's hiring pipeline;
- Enabling Customers to send automated status notifications to candidates (application received, advanced, or unsuccessful).
We do not use Candidate Data for our own marketing, profiling, product development, or any purpose other than delivering the Services to the relevant Customer. We do not sell Candidate Data.
5.3 AI processing and automated decision-making
Heartbeat AI uses artificial intelligence and machine learning to analyse CVs, interview recordings, written responses, and assessment results. This produces:
- Shortlist tiers;
- AI reasoning notes explaining why a candidate received a given tier;
- Match scores comparing candidates against role criteria;
- Behavioural and competency indicators derived from interview responses.
Human oversight. Heartbeat AI's AI outputs are decision-support tools only. No candidate is hired or rejected by an automated system alone. All final hiring decisions are made by the Customer (the employer). A human decision-maker reviews AI outputs before any consequential decision is taken.
Your right to contest. Under GDPR Article 22, NDPA Section 32, and equivalent provisions in other applicable laws, individuals have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. If you are a candidate and believe a significant decision about you was made without adequate human involvement, contact the employer (Customer) who initiated the process. Customers are obligated to provide information about how AI was used and to facilitate human review upon request.
No special category data by default. Our AI models do not intentionally analyse or infer special category data (race, ethnicity, health, religion, sexual orientation, political opinions, or biometric identity) from candidate submissions. Customers must not use the platform to collect or process special category data without first obtaining explicit consent from candidates and notifying Heartbeat AI.
5.4 AI model training
We may use aggregated, anonymised, or de-identified platform usage data — such as general usage patterns and system interactions — to improve and train our internal AI models. This data contains no personally identifiable information.
We will never use personally identifiable Candidate Data (names, resumes, interview recordings, or assessment responses) for AI model training unless: (i) the Customer has given express written consent; and (ii) appropriate data subject consent from each affected Candidate has been lawfully obtained. We will update this Policy and notify you before any such change.
07 International Data Transfers
Heartbeat AI is headquartered in Nigeria. We serve Customers globally, and our third-party service providers may be located in various countries. This means personal data may be transferred to and stored in countries outside your own, including countries with different data protection standards from your jurisdiction.
We do not rely on "user consent through use of the platform" as a transfer mechanism. We put appropriate safeguards in place for every international transfer.
You may request a copy of the relevant transfer safeguards applicable to your data by contacting connect@heartbeat365.com.
08 Data Retention
We retain personal data only for as long as necessary for the purposes described in this Policy, and as required by applicable law. We do not retain data indefinitely.
Where we are required to retain data for longer by law (e.g., for tax or regulatory purposes), we will do so and will restrict it to the minimum necessary. Where data is no longer needed, it is securely deleted or anonymised.
Prior to the deletion of long-held Customer data, we will send a reminder email giving you an opportunity to download or retain information you may need.
Contact connect@heartbeat365.com if you have questions about retention of your specific data.
09 Your Privacy Rights
Your rights depend on your jurisdiction. We honour the rights below regardless of location, to the extent technically and legally feasible. To exercise any right, contact connect@heartbeat365.com with the subject line "Privacy Rights Request" and include sufficient information to verify your identity.
9.1 Rights available to all users
| Right | What it means in practice |
|---|---|
| Access | Request a copy of the personal data we hold about you, in a readable format. |
| Correction / Rectification | Request that inaccurate, incomplete, or outdated data be corrected. |
| Erasure / Deletion | Request deletion of your personal data, subject to legal retention obligations and other lawful grounds for continued processing. |
| Objection | Object to processing based on legitimate interests (including direct marketing). We will stop unless we have compelling, legitimate grounds. |
| Restriction | Request that we restrict processing of your data in certain circumstances (e.g., while accuracy is contested). |
| Portability | Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV), and transmit it to another controller. |
| Withdraw Consent | Withdraw consent at any time for consent-based processing. Withdrawal does not affect prior lawful processing. |
| Automated Decision-Making | Not be subject to a decision based solely on automated processing — including AI-generated hiring scores — that produces significant effects. See Section 5.3. |
11 Security of Your Personal Information
We implement security measures designed to protect your information from unauthorized access. Your account is protected by your account password, and we urge you to take steps to keep your Personal Information safe by not disclosing your password and by logging out of your account after each use. We further protect your information from potential security breaches by implementing certain technological security measures.
However, these measures do not guarantee that your information will not be accessed, disclosed, altered, or destroyed by breach of such firewalls and secure server software. While we use reasonable efforts to protect your Personal Information, we cannot guarantee its absolute security. By using our Service, you acknowledge that you understand and agree to assume these risks.
12 Children's Privacy
Heartbeat AI is a professional platform intended exclusively for use by businesses and adult individuals. We do not knowingly collect, solicit, or process personal data from anyone under the age of 18. If you are under 18, do not use this platform or provide any personal information.
If we learn that we have inadvertently collected personal data from anyone under 18, we will delete it promptly. If you believe we hold data about a minor, contact connect@heartbeat365.com immediately.
13 Third-Party Websites and Integrations
Our platform may contain links to third-party websites or integrate with third-party services. This Privacy Policy applies only to data processed by Heartbeat AI. Third-party sites and services have their own privacy policies, which we encourage you to read before using them. We are not responsible for the privacy practices of third parties.
14 Marketing Communications
We may contact you with information about Heartbeat AI products and services. The basis for this depends on your relationship with us:
- Existing Customers. We may send marketing communications based on legitimate interest. You can opt out at any time via the unsubscribe link in any email or by contacting connect@heartbeat365.com.
- Prospects. We will only send marketing emails where you have given consent. You can withdraw consent at any time.
Even if you opt out of marketing, we may still send essential transactional and administrative communications (e.g., account alerts, invoices, service updates, policy changes). We do not share your email address, mobile number, or SMS opt-in data with third parties for their own marketing purposes.
15 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:
- Update the Effective Date at the top of this document;
- Notify Customers by email to the registered account address, at least 14 days before changes take effect;
- Display a prominent notice on the platform.
Your continued use of the platform after the effective date constitutes acceptance of the updated Policy. If you do not agree, you should discontinue use and may request account deletion before the effective date.
Non-material changes (e.g., corrections, clarifications, updated contact details) take effect immediately upon posting.
16 Contact and Complaints
For privacy questions, rights requests, or complaints, contact us at: