Trust · Privacy
Where it lives. When it leaves. Who decides.
GDPR, UK GDPR, single jurisdiction in London, no model training on candidate data, candidate-owned profile, candidate-driven deletion.
Submit a data rights request → · Read the privacy policy
Data handling
Where it lives. When it leaves.
Artefact | Region | Retention | Notes
CV / cover letter | London (eu-west-2) | 30 days after role closes | Used for triage only. Not training data.
Voice screen recording | London (eu-west-2) | 30 days. Earlier on request. | Transcribed by OpenAI Whisper. Not retained by the model.
Assessment responses | London (eu-west-2) | 12 months. For re-use. | Candidate-owned. Portable.
Interview transcript | London (eu-west-2) | 30 days. Earlier on request. | Available to the candidate. Always.
Decision metadata | London (eu-west-2) | 7 years. Regulatory. | Hashed candidate ID. No PII.
Aggregate bias telemetry | London (eu-west-2) | Indefinite. De-identified. | k-anonymity >= 5. Published quarterly.
Encryption · AES-256 at rest, TLS 1.3 in transit
Sub-processors · see /trust/sub-processors
DPA · signable per customer (/legal/dpa)
GDPR / UK GDPR · Article 22
No solely-automated decision affects the candidate.

Article 22 of GDPR (and UK GDPR) gives candidates the right not to be subject to a decision based solely on automated processing that produces legal effects or significant effects. We comply by enforcing human-in-the-loop at the decision point: Picked scores, ranks, and recommends; a named human hiring manager makes the final hire-or-no-hire call.

The candidate sees who decided. The dashboard tells the candidate "scored by Picked, decided by [hiring manager name, title]". The decision is logged with the manager's identity, the timestamp, and the score breakdown that informed it.

  • Candidates can request human review of any score or stage. 14-day SLA (legal requirement is 30).
  • Candidates can request deletion of any artefact. Done within the 30-day default retention.
  • Candidates can export the full file (transcript, recording, scores, notes) in JSON or PDF.
  • Candidates can opt out of AI screening entirely in favour of human screening. Same fee to the employer.
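As an added illustration of the human-in-the-loop logging described above (example code, not Picked's own): a decision record is only accepted when a named human made the final call, and it stores a keyed hash of the candidate ID rather than PII. The pepper, the field names and the `record_decision` function are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional

# Assumed server-side secret for the keyed hash; a real deployment would load
# it from a secrets store, never hard-code it.
PEPPER = b"example-pepper-not-for-production"


class Article22Violation(ValueError):
    """Raised when a record would represent a solely automated decision."""


def hash_candidate_id(candidate_id: str) -> str:
    """Keyed SHA-256 so the 7-year decision log holds no raw identifier."""
    return hmac.new(PEPPER, candidate_id.encode(), hashlib.sha256).hexdigest()


def record_decision(candidate_id: str, scores: dict, decided_by: Optional[dict],
                    outcome: str, now: Optional[datetime] = None) -> dict:
    """Build the decision-metadata entry for one candidate.

    Picked's scores are informative only: the entry is refused unless a named
    human (name and title) is recorded as the final decider.
    """
    if not decided_by or not decided_by.get("name") or not decided_by.get("title"):
        raise Article22Violation("final hire-or-no-hire call must name a human decider")
    if outcome not in ("hire", "no-hire"):
        raise ValueError(f"unknown outcome {outcome!r}")
    now = now or datetime.now(timezone.utc)
    return {
        "candidate": hash_candidate_id(candidate_id),   # hashed ID, no PII
        "scored_by": "Picked",
        "decided_by": {"name": decided_by["name"], "title": decided_by["title"]},
        "score_breakdown": dict(scores),                # what informed the call
        "outcome": outcome,
        "timestamp": now.isoformat(),
    }


def candidate_view(entry: dict) -> str:
    """The attribution line the candidate dashboard shows for this decision."""
    d = entry["decided_by"]
    return f"scored by {entry['scored_by']}, decided by {d['name']}, {d['title']}"
```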
Controller / processor
Who controls. Who processes. Who decides.

For hiring data, the employer is the controller (they decide why the data is being processed). Picked is the processor (we act on their instructions to screen, assess, and interview). The candidate is the data subject. This is standard for SaaS hiring tools and matches the GDPR posture of every other vendor in this category.

  • DPA available at /legal/dpa. Signable per customer. Standard Contractual Clauses included.
  • Sub-processor list at /trust/sub-processors. Notification of changes 30 days in advance.
  • Joint controller arrangement available for enterprise customers who require it.
London.
Single jurisdiction. Vercel lhr1. Supabase eu-west-2. R2 EU.
Adequacy.
The UK currently holds an EU adequacy decision (renewed 2025), so UK-hosted data may be processed for EU customers under GDPR.
Migration path.
If adequacy is ever revoked, migration to Frankfurt is a half-day config change. Every component we picked supports both regions.
The line we do not cross
We do not use candidate CVs, voice recordings, assessment responses, or interview transcripts to train the underlying foundation models. Anthropic operates under a zero-retention agreement for our API traffic. OpenAI Whisper API runs under the same zero-retention terms for our use. The candidate profile is candidate-owned, candidate-controlled, candidate-deletable.
Subject access requests
One form. Five working days. Free.

Any candidate (or any employee at a customer org) can request access, correction, deletion, restriction, portability, or objection. The form is at /legal/data-rights-request. We respond within 5 working days; legally we have 30.

  • Identity verification via existing magic-link auth (no separate verification required for active users).
  • Free of charge for the first request in any 12-month period. Subsequent requests in the same period may carry a reasonable fee.
  • We never use a DSAR to retain or process additional data; the request itself is logged only as a compliance record.
  • Contact: privacy@picked.ai.
Last reviewed · 22 May 2026 · v1.0
Still on the legal review?
We'll send you the file.
Pre-filled vendor security questionnaire (SIG Lite), DPA, sub-processor list, SOC 2 letter, model card, latest bias audit. One zip. Reply within one business day.
Request the legal pack · Email legal@picked.ai
Operated by Neuroworx Ltd · ICO #09910326623