Legal

Provara Privacy Policy

Last updated: May 2026
Effective date: May 2026

Legal Notice: This Privacy Policy was prepared as a draft for Provara, Inc. It should be reviewed by a qualified attorney - particularly one specializing in privacy law - before being published. Biometric data processing and AI employment tools are subject to rapidly changing regulations. This document does not constitute legal advice.

1. Introduction

Provara, Inc. ("Provara," "we," "us," or "our") operates an AI-assisted hiring trust and fraud detection platform at getprovara.com ("Services").

This Privacy Policy explains how we collect, use, store, share, and protect personal data in connection with the Services. It applies to:

  • Platform Users - recruiters, administrators, and other personnel of organizations that subscribe to Provara ("Customers")
  • Candidates - individuals whose data is submitted to the Services by our Customers in connection with job applications

This Policy does not apply to data practices of our Customers, who are independent data controllers with their own privacy obligations. Candidates should also review the privacy policy of the organization that submitted their data to Provara.

2. Data We Collect

2.1 Data we collect from Platform Users (recruiters and admins)

CategoryExamplesSource
Account informationName, work email address, job titleProvided by you at signup
Authentication dataSign-in timestamps, OAuth tokensClerk (our auth provider)
Organization dataCompany name, subscription plan, settingsProvided by you
Usage dataPages visited, features used, actions takenAutomatically collected
CommunicationsSupport requests, feedbackProvided by you
Payment informationBilling address, last 4 digits of cardStripe (our payment processor)

2.2 Data we collect about Candidates

Candidates are individuals whose data is submitted by our Customers. We process this data on behalf of and at the direction of Customers.

CategoryExamplesLegal basis (GDPR)
Identity informationFull name, email address, phone numberLegitimate interests of the data controller (Customer)
Application documentsResume/CV text, cover lettersLegitimate interests
Biometric dataFacial geometry derived from government ID photos and selfie images, liveness detection signalsExplicit consent (where required) or legitimate interests
Identity document dataDocument type, issuing country, document number (hashed)Legitimate interests
Interview dataVideo recordings, audio data, deepfake analysis signalsLegitimate interests
Trust signalsAI-generated risk scores, fraud detection findings, evidenceLegitimate interests
MetadataIP address at submission, device type, submission timestampLegitimate interests

2.3 Special category data (sensitive personal data)

The Services may process the following special categories of personal data as defined under GDPR Article 9:

  • Biometric data - facial geometry derived from identity verification (selfies and ID document photos)

Provara processes biometric data only:

  • As necessary to provide identity verification services requested by the Customer
  • With appropriate safeguards and only for the duration necessary to complete verification
  • Subject to deletion rights as described in Section 7

Customers are responsible for obtaining any legally required explicit consent from candidates before submitting biometric data to the Services.

2.4 Data we do NOT collect

  • Social Security Numbers or national identification numbers (raw)
  • Financial account numbers
  • Medical or health information
  • Political opinions or religious beliefs
  • Sexual orientation or gender identity

3. How We Use Data

3.1 Platform Users

We use Platform User data to:

  • Create and manage your account
  • Provide and improve the Services
  • Process payments and send invoices
  • Send service communications (security alerts, feature updates, maintenance notices)
  • Respond to support requests
  • Comply with legal obligations
  • Detect and prevent fraud or abuse of the Services
  • Analyze usage patterns to improve product features

We do not sell Platform User data to third parties or use it for advertising.

3.2 Candidates

We use Candidate data to:

  • Perform the detection and analysis services requested by the Customer
  • Generate trust scores, risk signals, and evidence panels
  • Facilitate identity verification via third-party providers
  • Maintain audit logs as required by applicable law
  • Comply with legal obligations

We do not:

  • Use Candidate data to train AI models without explicit Customer consent
  • Share Candidate data between different Customer organizations
  • Use Candidate data for advertising
  • Make autonomous hiring decisions - all outputs are presented to human reviewers

3.3 AI and automated processing

The Services use automated processing to analyze candidate data and generate trust signals. Candidates have the right to:

  • Know that automated processing is being used (disclosed in this Policy and required Customer disclosures)
  • Request human review of automated outputs
  • Challenge decisions made on the basis of automated processing

Customers are responsible for providing candidates with information about automated processing as required by applicable law, including GDPR Article 22, NYC Local Law 144, and the Colorado AI Act.

4. Data Sharing and Sub-processors

4.1 We do not sell personal data

Provara does not sell, rent, or trade personal data to third parties.

4.2 Sub-processors

We share personal data with the following categories of sub-processors to deliver the Services:

CategoryProviderPurposeData shared
AuthenticationClerkUser authentication and organization managementPlatform User account data
Database & StorageSupabase (AWS)Data storage and file storageAll data
Identity VerificationPersonaGovernment ID and biometric verificationCandidate biometric and ID data
AI/LLM ProcessingAnthropicResume analysis and reasoning generationCandidate resume text
Deepfake DetectionReality DefenderVideo and audio analysisInterview recordings
EmailResendTransactional email deliveryEmail addresses
Error TrackingSentryApplication error monitoringUsage data (PII masked)
AnalyticsPostHogProduct analyticsUsage data (anonymized)
PaymentsStripePayment processingPlatform User billing data

A complete and current list of sub-processors is maintained at getprovara.com/legal/sub-processors.

4.3 Legal disclosures

We may disclose personal data if required by law, court order, or government request, or if we believe disclosure is necessary to protect the rights, property, or safety of Provara, our users, or the public. We will notify affected parties where legally permitted.

4.4 Business transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will provide notice before personal data is subject to a materially different privacy policy.

5. International Data Transfers

Provara is incorporated in Delaware, USA. We operate globally and may transfer personal data across international borders.

5.1 Transfers from the EU/EEA

For personal data transferred from the EU/EEA to the United States or other countries without an adequacy decision, we rely on:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Adequacy decisions where applicable

Customers requiring EU Standard Contractual Clauses as part of a Data Processing Agreement should contact privacy@getprovara.com.

5.2 UK data transfers

For transfers from the United Kingdom, we rely on the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs.

5.3 Other jurisdictions

For transfers involving data from other jurisdictions with international transfer restrictions, we implement appropriate safeguards as required by applicable law.

6. Data Retention

Data typeRetention periodBasis
Platform User account dataDuration of subscription + 12 monthsContract performance
Candidate PII (name, email)As directed by Customer, max 24 months from submissionContract performance
Biometric data90 days from verification completion, then deletedMinimum necessary
Interview recordings90 days, unless Customer requests earlier deletionContract performance
Trust scores and signals24 months from creationLegitimate interests (audit)
Audit logs7 yearsLegal compliance
Webhook event records12 monthsLegitimate interests
Payment records7 yearsLegal obligation

Customers may request earlier deletion of Candidate data at any time. Biometric data is deleted within 90 days of verification completion regardless of other retention schedules.

7. Your Rights

7.1 Platform Users

Depending on your location, you may have the right to:

  • Access - request a copy of personal data we hold about you
  • Correction - request correction of inaccurate data
  • Deletion - request deletion of your personal data
  • Portability - receive your data in a machine-readable format
  • Restriction - request restriction of processing in certain circumstances
  • Objection - object to processing based on legitimate interests
  • Opt-out of sale - we do not sell data, but you may exercise this right under CCPA

7.2 Candidates

Candidates whose data has been submitted to Provara by a Customer have the same rights as listed in 7.1. Because Provara processes Candidate data on behalf of Customers (as a data processor), Candidates should direct requests to the organization that submitted their data (the data controller). We will assist Customers in responding to Candidate requests.

Candidates may also contact us directly at privacy@getprovara.com and we will facilitate the request in cooperation with the relevant Customer.

7.3 Biometric data rights

In addition to the rights above, individuals whose biometric data has been processed have the right to:

  • Know the specific biometric data collected and its purpose
  • Request deletion of biometric data at any time
  • Receive written notice of our biometric data retention and deletion policy

7.4 How to exercise your rights

Submit requests to: privacy@getprovara.com

We will respond within:

  • 30 days for GDPR requests
  • 45 days for CCPA requests
  • As required by other applicable law

We may need to verify your identity before processing requests.

8. Security

Provara implements technical and organizational security measures to protect personal data, including:

  • Encryption of data at rest and in transit (TLS 1.2+)
  • Role-based access controls and multi-factor authentication
  • Row-level security in our database (tenant isolation)
  • Regular security monitoring and incident response procedures
  • Vendor security assessments for sub-processors
  • Annual security reviews

No system is completely secure. In the event of a data breach affecting your rights and freedoms, we will notify affected parties and relevant supervisory authorities as required by applicable law (within 72 hours under GDPR where feasible).

To report a security vulnerability: privacy@getprovara.com

9. Cookies and Tracking

The Services use:

  • Strictly necessary cookies - required for authentication and session management (cannot be disabled)
  • Analytics cookies - PostHog for product analytics (anonymized, can be opted out)
  • No advertising cookies - we do not use advertising or cross-site tracking cookies

You can control non-essential cookies through your browser settings.

10. Children's Privacy

The Services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. Contact privacy@getprovara.com to report concerns.

11. AI Employment Law Compliance

Provara's Services are designed to support compliance with AI employment laws. Customers are responsible for their own compliance obligations, which may include:

LawJurisdictionKey obligation
NYC Local Law 144New York City, USAAnnual bias audit of AI hiring tools; candidate notice
Colorado AI ActColorado, USAReasonable care to avoid algorithmic discrimination; notice to candidates
EU AI ActEuropean UnionHigh-risk AI system obligations; transparency; human oversight
GDPR Article 22European UnionRight not to be subject to solely automated decisions
Illinois BIPAIllinois, USAWritten consent before biometric data collection

Provara provides audit logs and compliance documentation to assist Customers in meeting these obligations. Contact privacy@getprovara.com for compliance documentation requests.

12. Jurisdiction-Specific Rights

12.1 California (CCPA/CPRA)

California residents have the right to:

  • Know what personal information is collected and how it is used
  • Delete personal information (subject to exceptions)
  • Opt-out of sale of personal information (we do not sell data)
  • Non-discrimination for exercising rights

To submit a CCPA request: privacy@getprovara.com

12.2 European Union (GDPR)

EU residents may lodge complaints with their national supervisory authority if they believe their data is being processed unlawfully. Provara's lead supervisory authority for EU operations is determined by our EU establishment.

12.3 United Kingdom (UK GDPR)

UK residents may lodge complaints with the Information Commissioner's Office (ICO) at ico.org.uk.

12.4 Sri Lanka

Provara complies with the Sri Lanka Personal Data Protection Act (PDPA) where applicable to Sri Lanka-resident data subjects.

12.5 Other jurisdictions

We are committed to complying with applicable data protection laws in all jurisdictions where we operate. Contact privacy@getprovara.com for jurisdiction-specific inquiries.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via:

  • Email to the address associated with your account
  • In-app notification
  • Prominent notice on our website

The "Last updated" date at the top of this Policy reflects the most recent revision. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

14. Contact Us

For privacy inquiries, data subject requests, or Data Processing Agreement requests:

Privacy Team

Provara, Inc.

Email: privacy@getprovara.com

Website: getprovara.com

We aim to respond to all privacy inquiries within 5 business days.