The AI Interview that candidates love!

Cataloop OÜ (“Flaggy,” “we” “us” or “Company;” for contact details see the end of this privacy policy) is committed to respecting your privacy and protecting your personal data.

This privacy policy explains how we collect, use, store, share, and otherwise process your personal data when you visit our website (https://www.flaggy.ai) (“Website”), when you use or interact with the Flaggy Application (“Application”), our cloud-based AI platform that enables employers to conduct, analyse, and manage job candidate interviews, and in the context of providing our services or communicating with you more generally.

This policy is divided into three sections:

Website Visitors – personal data we process when you access or use our Website, including cookies and similar technologies;
Application Users and Candidate Data – data processing in connection with the use of the Flaggy Application, covering both (a) customer personnel (e.g. recruiters and hiring managers), and (b) job candidates whose data is processed in connection with interview services provided through our AI-powered platform;
General Information – data security, international transfers, your rights under data protection laws, and how to contact us.

I. DATA PROCESSING WITH REGARD TO VISITING AND USING OUR WEBSITE

Who is Responsible for Processing Your Data

We are the data controller in relation to the personal data processed when you visit and use our Website. This means that we determine the purposes and means of the processing. Our contact details can be found at the end of this privacy policy.

Persons Affected by Data Processing, Types of Data Processed

This section and the relevant data processing applies to persons who visit and use our Website.

We may process personal data that we collect automatically (including through third-party tools) when you access or interact with our Website. This includes information about your device, browser, usage patterns, IP address, and general location. Typical data collected includes:

pages visited and time spent on each page;
interactions with elements of the Website;
IP address, browser type and version, device type, operating system;
referral URL and usage statistics.

We may also process personal data that you voluntarily provide through the Website, for example, when you book a demo, sign up for marketing communications, contact us, or interact with any other feature. This may include:

name, email address, phone number,

employer and job title,

any communications or content you submit (e.g. via forms or chats).

Where certain information is required to use a Website feature (e.g. booking a demo), we will indicate which fields are mandatory. If you choose not to provide required data, we may not be able to respond to your request or deliver the relevant feature.

We may combine information you provide with information we collect automatically.

Purposes and Lawful Basis for Data Processing

We process the personal data described in this chapter above for the following purposes and on the following legal bases:

Purpose	Lawful basis
To operate, maintain, and secure the Website	Our legitimate interest in providing a functional and secure Website
To analyse usage and improve Website performance and design	Our legitimate interest in understanding and enhancing the user experience
To respond to your requests (e.g. demos, enquiries, commercial discussions)	Taking steps prior to entering into a contract, or our legitimate interest in business development
To send you marketing communications if you have opted in	Your consent, which you may withdraw at any time via the unsubscribe link in our messages

We may also convert personal data into aggregated or anonymised information that can no longer be linked to any individual and is not therefore considered personal data. We may use or share such data to help us analyse trends, improve features, and develop new services.

Data Retention

We retain personal data only as long as necessary to fulfil the purposes described above or to comply with applicable legal requirements. The following retention periods apply:

Personal data collected via cookies and analytics tools is retained for a period of up to 1 year;
Personal data you provide in contact forms or requests (e.g. demo bookings) is retained for up to three years to manage our relationship with you and respond to any follow-up queries.

Personal data may be retained longer if required to resolve disputes, protect our rights, or comply with a legal obligation. Personal data may also be deleted earlier upon data subject request, in accordance with applicable legal acts. Please note that such data deletion requests may result in us being unable to continue the provision of all or part of our services.

Some personal data may be stored in secure backup systems for a limited time, strictly for integrity and disaster recovery purposes or as required under applicable law or compliance requirements and deleted once no longer needed.

Cookies and Tracking

We use cookies and similar technologies to distinguish you from other users, enhance Website functionality, understand usage patterns, and support relevant advertising. We use the following categories of cookies:

Necessary cookies essential cookies required for the operation of our Website. Cannot be disabled;
Analytical cookies help us understand how users interact with the Website, e.g. page visits and user flows;
Functionality and performance cookies enable enhanced features and customisation, such as remembering your preferences;
Third-party cookies set by third parties to enable analytics or advertising.

Non-essential cookies are used only with your consent, which you can manage through your browser preferences. Disabling certain cookies may impact your experience on our Website.

II. DATA PROCESSING WITH REGARD TO USING THE FLAGGY APPLICATION

Who is Responsible for Processing Your Data

The Flaggy Application is accessible via our Website and governed by our Service Terms or a Pilot Agreement, as applicable.

When providing the Flaggy Application, we may act both as a data controller and a data processor, depending on the type of data and the purpose of processing, as described below.

With respect to the contact details and other personal data relating to our customer representatives and users (e.g. recruiters or hiring managers) (Customer Personnel Data), we act as a data controller.
With respect to the personal data that is transmitted, input or otherwise made available via the Flaggy Application in relation to job candidates Candidate Data, we act as a data processor. Candidate Data may be provided or generated by our customers, directly submitted by candidates, or captured by the Application (e.g. through interview recordings or transcriptions). Our customers (typically the employer) act as the data controllers of such Candidate Data and are responsible for determining the purposes and lawful basis of processing.

Persons Affected by Data Processing, Types of Data Processed

a) Customer Personnel Data:

This concerns customer representatives and internal users of the Flaggy Application, such as recruiters and hiring managers. The data we may process includes:

name, email address, phone number, job title, and employer;
usage activity within the Flaggy Application;
invoicing and account management data.

b) Candidate Data:

This concerns natural persons who are evaluated or interviewed using the Flaggy Application. Candidate Data includes:

name, email address, job title, phone number;
interview recordings (audio and video);
automatically generated transcripts of interviews;
AI-generated scoring or summaries of interview performance;
any other personal data provided by the candidate or customer in the course of using the Flaggy Application.

The Flaggy Application enables customers to conduct AI-led candidate interviews and to receive AI-generated insights, such as role-specific scores. These insights are made available to the customer for review and do not result in any automated decision-making. All decisions regarding the candidate selection process are made by the customer’s human users. The customer remains fully responsible for how such insights are used in the recruitment process.

We do not process any special categories of personal data (as defined under Article 9 GDPR), and the Flaggy Application is not intended to collect or analyse biometric or otherwise sensitive data. If any such data is inadvertently submitted, the customer remains responsible for ensuring a lawful basis exists.

Purposes and Lawful Basis for Data Processing

We process the personal data described in this chapter above for the following purposes and on the following legal bases:

Data	Role	Purpose	Lawful Basis
Customer Personnel Data	Controller	Customer relationship management, service provision, support, invoicing, contract performance, dispute resolution, and protection of our legitimate interests (relationship management, debt recovery).	Contract performance and our legitimate interests (relationship management, debt recovery)
Candidate Data	Processor	Enable customers to conduct and analyse interviews using the Flaggy Application.	Processing on behalf of and under the instructions of the customer, pursuant to the data processing agreement

As a controller, we may also process Candidate Data in an anonymised form to maintain and improve the performance of the Flaggy Application, develop new features and improve our AI models, and perform statistical or quality analysis. Such processing is based on our legitimate interest in improving our services. Personal data will be anonymised prior to use for these purposes, and the resulting data will no longer be linked to an identifiable individual.

Data Retention

We retain personal data only for as long as necessary to fulfil the relevant purposes or comply with legal requirements. The following retention periods apply:

Customer Personnel Data is retained for the duration of the customer relationship and up to 3 years thereafter;
Candidate Data is retained for the duration of the customer agreement and deleted within 1 month after termination, unless otherwise agreed with the customer or required by applicable law;
Certain data (e.g. for accounting or tax purposes) may be retained for up to ten years.

Personal data may also be deleted earlier upon customer request or data subject request, in accordance with the data processing agreement. Please note that such data deletion requests may result in us being unable to continue the provision of all or part of our services.

III. GENERAL REGULATION

Storing and Transferring Your Personal Data

We implement appropriate technical and organisational measures to protect personal data, including Customer Personnel Data and Candidate Data, against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. This includes encryption of data in transit and at rest, strict access controls, and internal bias mitigation measures in connection with AI model development.

All data we process is hosted on secure infrastructure within the European Union. As of the date of this policy, we do not transfer personal data outside the EU/EEA. Should such transfers become necessary, we will implement appropriate safeguards and shall ensure that such transfers are carried out in compliance with Chapter V of the GDPR and on the basis of an adequacy decision by the European Commission or Standard Contractual Clauses approved by the European Commission.

If you would like further information about such safeguards, you may contact us using the details below.

Recipients

We may share personal data with trusted third-party service providers that perform services for us or on our behalf. These services include hosting and infrastructure providers, communication and customer support platforms, AI language model and transcription tools, analytics, security, and fraud prevention services.

Our list of current subprocessors is available here.

We may also disclose personal data if required by law, such as in response to court orders or requests from data protection authorities. In doing so, we will ensure that such disclosure is based on a valid legal basis.

Additionally, we may share personal data in the context of investigating suspected contract breaches or unlawful conduct, or in connection with the legitimate exercise or defence of legal rights. In such cases, data may be disclosed to legal advisors, law enforcement, or other appropriate authorities.

If we are involved in a merger, acquisition, reorganisation, asset sale, funding or financing round, personal data may be shared with parties to the transaction and their professional advisors, subject to appropriate confidentiality arrangements and strictly to the extent required for achieving the good faith purpose of any of the transactions described above, as relevant.

Your Rights

To the extent that we act as a data controller in connection with your personal data, you have the following rights under applicable data protection laws:

Right to Information: you have the right to obtain clear and transparent information about how we process your personal data, including the purposes for the processing and the lawful basis;
Right of Access: you may request access to your personal data processed by us, including a copy of such data;
Right to Data Portability: you may request that we provide your personal data in a structured, commonly used, and machine-readable format, or that we transfer your data directly to another controller, where technically feasible;
Right to Rectification: if your personal data is inaccurate or incomplete, you have the right to request correction or completion of the data held by us;
Right to Restrict Processing: you may request the restriction of processing in certain circumstances, such as when you contest the accuracy of the data, the processing is unlawful, or when you need the data for legal claims, and we no longer require it for processing purposes;
Right to Object: you have the right to object to the processing of your personal data based on our legitimate interests or for direct marketing purposes. In such cases, we will cease processing unless we can demonstrate compelling legitimate grounds that override your rights or if the processing is required for legal claims;
Right to Erasure: you may request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when processing is unlawful. This right is subject to exceptions, such as where processing is required to comply with legal obligations or to establish, exercise, or defend legal claims;
Right to Withdraw Consent: : if our processing of your personal data is based on your consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal;
Right to Lodge a Complaint: if you believe we have not complied with applicable data protection laws, you have the right to lodge a complaint with your local data protection authority.

Where we act as a processor (e.g. for Candidate Data), data subject rights should be exercised directly against the relevant customer (the data controller). We will assist the customer in responding to any such requests in accordance with our data processing agreement.

Amendments to the Privacy Policy

We may update this privacy policy from time to time. If we make material changes, we will provide reasonable notice (e.g. via our Website or by email). The effective date will always be shown at the top of this policy. We encourage you to review this page periodically.

Contacting Us

If you have any questions, comments, or requests regarding this privacy policy or our processing of your personal data, please contact us at:

Cataloop OÜ
Estonian commercial register code: 17020739
Registered address: Telliskivi tn 57b/1, 10412 Tallinn, Estonia
E-mail address: info@flaggy.ai

Our supervisory authority is the Estonian Data Protection Inspectorate (www.aki.ee).