1. Who we are
This Privacy Policy explains how Neuroworx Ltd handles personal data in connection with the Picked.ai service.
- Legal entity and data controller: Neuroworx Ltd, a company incorporated in England and Wales.
- Company number: 14612373.
- Registered office: 22 Charterhouse Square, London, England, EC1M 6DX.
- ICO registration number: 09910326623.
- VAT number: GB 480543686.
"Picked.ai" is the product and brand name of a service operated by Neuroworx Ltd. It is one of Neuroworx Ltd's websites, not a separate company. In this policy, "we", "us" and "our" mean Neuroworx Ltd.
For data protection questions, contact us at support@picked.ai. If we appoint a Data Protection Officer or an EU or UK representative, their details will be added here.
2. What Picked.ai does
Picked.ai is an AI-native hiring service. A hiring manager posts a role; Picked syndicates that role, screens applicants, runs an assessment, conducts a first-round AI voice interview, and returns a ranked list of finalists to the hiring manager. The service is priced at $0.99 per AI-vetted candidate.
Two types of people use the service:
- Hiring managers (our business customers and their authorised users), who sign in using our business authentication provider.
- Candidates (job applicants), who access the service through a magic-link sent to their email address and consent to the process when they apply.
This policy covers both. A separate, candidate-facing Candidate Data Notice gives job applicants the detail they need in plainer terms; where this policy and that notice both apply to a candidate, read them together.
3. Our role: controller and processor
Data protection law distinguishes between a "controller" (who decides why and how personal data is processed) and a "processor" (who processes on a controller's instructions).
- For hiring-manager account data, billing data, marketing data, and general website data, Neuroworx Ltd is the controller.
- For candidate data processed through the hiring pipeline (applications, screening, assessment, interview, ranking), Neuroworx Ltd is the controller. We determine the means of processing (the AI pipeline, the models, the scoring) and we set the purposes for which candidate data is used across the service.
4. The personal data we process
4.1 Hiring managers and account users
- Identity and contact data: name, work email address, job title, employer / workspace.
- Authentication data: account identifiers and session data from our authentication provider (we do not store your password; authentication is handled by WorkOS).
- Workspace and role content: the roles you post, role descriptions, configuration, and notes.
- Billing data: billing contact, billing address, and payment-related identifiers processed through our payment provider (we do not store full card numbers).
- Usage and device data: log data, IP address, device and browser information, and product analytics (subject to your cookie choices, see our Cookie Policy).
- Communications: messages you send us and support correspondence.
4.2 Candidates
- Application data: name, email address, and the information in any CV or application you submit.
- Assessment data: your answers and responses in screening questions and assessments.
- Interview data: audio of your first-round AI voice interview and the transcript generated from it.
- Pipeline outputs: AI-generated scores, summaries, signals, and your position in the ranking for a role.
- Technical data: log data and limited device / connection data needed to deliver the interview and secure the service.
We ask candidates not to submit special category data (for example data revealing health, ethnicity, religion, or political opinions) unless it is necessary, and we do not request it. If such data is provided to us, see section 8.
5. Why we process it and our lawful basis (UK GDPR / EU GDPR)
| Purpose | Whose data | Lawful basis |
|---|---|---|
| Providing the Picked.ai service to hiring managers | Hiring managers | Performance of a contract; legitimate interests |
| Running the hiring pipeline for a role (screen, assess, interview, rank) | Candidates | Consent at apply time; and / or legitimate interests of the hiring manager and Neuroworx Ltd in operating a hiring process. |
| Operating the AI voice interview | Candidates | Consent at apply time |
| Billing and collecting payment | Hiring managers | Performance of a contract; legal obligation (tax / accounting) |
| Securing the service, fraud and abuse prevention | All | Legitimate interests; legal obligation |
| Product analytics and service improvement | All | Consent (where cookie-based); legitimate interests |
| Marketing communications | Hiring managers / prospects | Consent and / or legitimate interests, with an opt-out |
| Complying with legal and regulatory obligations | All | Legal obligation |
Where we rely on legitimate interests, we have carried out a balancing assessment. Where we rely on consent, you can withdraw it at any time without affecting processing already carried out.
6. Automated decision-making and the AI pipeline
Picked.ai uses artificial intelligence to screen, assess, interview, and rank candidates. This is a core part of the service. We treat the AI screening and interview as a high-risk AI system under the EU AI Act and apply additional safeguards.
- Meaningful human review. A candidate has the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Article 22 UK GDPR and the equivalent under EU GDPR). Picked.ai produces a ranked recommendation; the decision to progress, interview further, or hire a candidate is made by the hiring manager, who is able to review the underlying evidence. Candidates can request meaningful human review of an outcome, can ask for an explanation of the logic involved, and can contest an outcome.
- Transparency. Candidates are told at apply time that an AI process will screen, assess, interview, and rank their application.
- How to exercise these rights: see section 11, or use the in-product data-rights route at /legal/data-rights-request.
7. Where your data is stored and processed (EU posture)
Our data posture is EU storage with lawful transfer for processing. This means:
- Data at rest stays in the EU. Candidate and account data at rest is held in EU-located services: our primary database (Supabase, London,
eu-west-2), file storage (Cloudflare R2, EU), our application and serverless functions (Vercel, London,lhr1), and our transactional email provider (Resend, EU region). - Some processing uses vendors hosted outside the EU. To deliver best-in-class AI features, certain processing is carried out by sub-processors hosted outside the EU (for example AI reasoning, speech-to-text, and text-to-speech). When this happens, the relevant data is transferred under appropriate safeguards: a signed Data Processing Agreement plus Standard Contractual Clauses (SCCs), which are the lawful basis for the transfer under UK GDPR and EU GDPR. UK transfers rely on the UK International Data Transfer Addendum to the SCCs.
We do not claim that your data never leaves the EU. We do claim that data at rest is held in the EU and that any processing outside the EU is covered by appropriate transfer safeguards. The full list of sub-processors is in section 9.
8. Special category data
We do not ask for special category data. If special category data reaches us (for example, because it appears in a CV or is mentioned during an interview), we process it only so far as necessary to deliver the service, and we rely on an appropriate Article 9 condition (such as explicit consent, or processing necessary for reasons of substantial public interest). We will not use such data for any automated profiling beyond what is necessary to deliver the requested hiring assessment.
9. Sub-processors and other recipients
We use the following categories of sub-processor. This list mirrors our sub-processor register and our public sub-processors page; we keep all three in sync.
Storage and infrastructure (data at rest in the EU):
| Sub-processor | Role | Hosting |
|---|---|---|
| Supabase | Primary database | London, eu-west-2 |
| Cloudflare (R2) | CV and file storage | EU |
| Vercel | Application and serverless functions (no storage at rest) | London, lhr1 |
| Resend | Candidate and transactional email | EU |
AI and voice processing (may process outside the EU, under DPA + SCCs):
| Sub-processor | Role | Hosting |
|---|---|---|
| Anthropic (Claude) | AI reasoning across all pipeline stages | US |
| Deepgram | Interview speech-to-text | US |
| OpenAI | Whisper speech-to-text and text-to-speech only (never reasoning) | US |
| ElevenLabs | Interview text-to-speech (voices the interviewer's words; minimal candidate data) | US |
| LiveKit | Interview audio transport (in transit only, no storage) | Global mesh |
Authentication, billing, and operations:
| Sub-processor | Role | Notes |
|---|---|---|
| WorkOS | Hiring-manager authentication | Account / auth data |
| Stripe | Billing and payments | Billing data; Stripe is an independent controller for some payment data |
| Braintrust | AI evaluation and quality tooling | May process pipeline content for evaluation |
| Inngest | Background job orchestration | Orchestrates the pipeline workflow |
| PostHog (EU) | Product analytics | EU-hosted; loaded only with analytics-cookie consent; session recording disabled |
| Sentry (EU) | Error and performance monitoring | EU-hosted (Sentry EU region); processes error and diagnostic data; configured to minimise personal data; no session replay |
We may also share data with professional advisers, with authorities where legally required, and with a successor entity in the event of a corporate transaction. We do not sell personal data.
10. How long we keep data
We keep personal data only as long as necessary for the purposes above, then delete or anonymise it.
- Hiring-manager account data: for the life of the account and a reasonable period afterwards.
- Billing records: as required by tax and accounting law (typically several years).
- Candidate pipeline data (applications, assessments, transcripts, scores): up to 24 months from your last activity with us, after which it is deleted or anonymised. An anonymised, non-personal record of any automated decision about you is kept for 6 years to meet our record-keeping obligations under the EU AI Act.
- Interview audio: no longer than 24 months, and we review raw interview audio for deletion once the transcript has been produced.
11. Your rights
Subject to UK GDPR and EU GDPR, you have the right to: access your data; rectify inaccurate data; erase data ("right to be forgotten"); restrict processing; object to processing (including profiling); data portability; withdraw consent; and not be subject to a decision based solely on automated processing with legal or similarly significant effects, including the right to obtain human review, an explanation, and to contest the outcome (see section 6).
To exercise any right, contact support@picked.ai or use /legal/data-rights-request. We will respond within the statutory time limit (normally one month). We may need to verify your identity first.
You also have the right to complain to a supervisory authority. In the UK this is the Information Commissioner's Office (ICO), https://ico.org.uk. In the EU you may complain to your local supervisory authority.
12. Security
We use technical and organisational measures appropriate to the risk, including access controls, tenant isolation (row-level security in our database), encryption in transit, restricted sub-processor access, and the EU storage posture described above. No system is perfectly secure, and we cannot guarantee absolute security.
13. Children
Picked.ai is not directed at children and is intended for use by adults in a professional hiring context. We do not knowingly process the personal data of children.
14. Changes to this policy
We may update this policy. We will post the updated version here and change the "Last updated" date. Material changes will be communicated as required by law.
15. Contact
Neuroworx Ltd, 22 Charterhouse Square, London, England, EC1M 6DX. Data protection contact: support@picked.ai.