Legal
Provara Privacy Policy
Last updated: May 2026
Effective date: May 2026
1. Introduction
Provara, Inc. ("Provara," "we," "us," or "our") operates an AI-assisted hiring trust and fraud detection platform at getprovara.com ("Services").
This Privacy Policy explains how we collect, use, store, share, and protect personal data in connection with the Services. It applies to:
- Platform Users - recruiters, administrators, and other personnel of organizations that subscribe to Provara ("Customers")
- Candidates - individuals whose data is submitted to the Services by our Customers in connection with job applications
This Policy does not apply to data practices of our Customers, who are independent data controllers with their own privacy obligations. Candidates should also review the privacy policy of the organization that submitted their data to Provara.
2. Data We Collect
2.1 Data we collect from Platform Users (recruiters and admins)
| Category | Examples | Source |
|---|---|---|
| Account information | Name, work email address, job title | Provided by you at signup |
| Authentication data | Sign-in timestamps, OAuth tokens | Clerk (our auth provider) |
| Organization data | Company name, subscription plan, settings | Provided by you |
| Usage data | Pages visited, features used, actions taken | Automatically collected |
| Communications | Support requests, feedback | Provided by you |
| Payment information | Billing address, last 4 digits of card | Stripe (our payment processor) |
2.2 Data we collect about Candidates
Candidates are individuals whose data is submitted by our Customers. We process this data on behalf of and at the direction of Customers.
| Category | Examples | Legal basis (GDPR) |
|---|---|---|
| Identity information | Full name, email address, phone number | Legitimate interests of the data controller (Customer) |
| Application documents | Resume/CV text, cover letters | Legitimate interests |
| Biometric data | Facial geometry derived from government ID photos and selfie images, liveness detection signals | Explicit consent (where required) or legitimate interests |
| Identity document data | Document type, issuing country, document number (hashed) | Legitimate interests |
| Interview data | Video recordings, audio data, deepfake analysis signals | Legitimate interests |
| Trust signals | AI-generated risk scores, fraud detection findings, evidence | Legitimate interests |
| Metadata | IP address at submission, device type, submission timestamp | Legitimate interests |
2.3 Special category data (sensitive personal data)
The Services may process the following special categories of personal data as defined under GDPR Article 9:
- Biometric data - facial geometry derived from identity verification (selfies and ID document photos)
Provara processes biometric data only:
- As necessary to provide identity verification services requested by the Customer
- With appropriate safeguards and only for the duration necessary to complete verification
- Subject to deletion rights as described in Section 7
Customers are responsible for obtaining any legally required explicit consent from candidates before submitting biometric data to the Services.
2.4 Data we do NOT collect
- Social Security Numbers or national identification numbers (raw)
- Financial account numbers
- Medical or health information
- Political opinions or religious beliefs
- Sexual orientation or gender identity
3. How We Use Data
3.1 Platform Users
We use Platform User data to:
- Create and manage your account
- Provide and improve the Services
- Process payments and send invoices
- Send service communications (security alerts, feature updates, maintenance notices)
- Respond to support requests
- Comply with legal obligations
- Detect and prevent fraud or abuse of the Services
- Analyze usage patterns to improve product features
We do not sell Platform User data to third parties or use it for advertising.
3.2 Candidates
We use Candidate data to:
- Perform the detection and analysis services requested by the Customer
- Generate trust scores, risk signals, and evidence panels
- Facilitate identity verification via third-party providers
- Maintain audit logs as required by applicable law
- Comply with legal obligations
We do not:
- Use Candidate data to train AI models without explicit Customer consent
- Share Candidate data between different Customer organizations
- Use Candidate data for advertising
- Make autonomous hiring decisions - all outputs are presented to human reviewers
3.3 AI and automated processing
The Services use automated processing to analyze candidate data and generate trust signals. Candidates have the right to:
- Know that automated processing is being used (disclosed in this Policy and required Customer disclosures)
- Request human review of automated outputs
- Challenge decisions made on the basis of automated processing
Customers are responsible for providing candidates with information about automated processing as required by applicable law, including GDPR Article 22, NYC Local Law 144, and the Colorado AI Act.
4. Data Sharing and Sub-processors
4.1 We do not sell personal data
Provara does not sell, rent, or trade personal data to third parties.
4.2 Sub-processors
We share personal data with the following categories of sub-processors to deliver the Services:
| Category | Provider | Purpose | Data shared |
|---|---|---|---|
| Authentication | Clerk | User authentication and organization management | Platform User account data |
| Database & Storage | Supabase (AWS) | Data storage and file storage | All data |
| Identity Verification | Persona | Government ID and biometric verification | Candidate biometric and ID data |
| AI/LLM Processing | Anthropic | Resume analysis and reasoning generation | Candidate resume text |
| Deepfake Detection | Reality Defender | Video and audio analysis | Interview recordings |
| Resend | Transactional email delivery | Email addresses | |
| Error Tracking | Sentry | Application error monitoring | Usage data (PII masked) |
| Analytics | PostHog | Product analytics | Usage data (anonymized) |
| Payments | Stripe | Payment processing | Platform User billing data |
A complete and current list of sub-processors is maintained at getprovara.com/legal/sub-processors.
4.3 Legal disclosures
We may disclose personal data if required by law, court order, or government request, or if we believe disclosure is necessary to protect the rights, property, or safety of Provara, our users, or the public. We will notify affected parties where legally permitted.
4.4 Business transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will provide notice before personal data is subject to a materially different privacy policy.
5. International Data Transfers
Provara is incorporated in Delaware, USA. We operate globally and may transfer personal data across international borders.
5.1 Transfers from the EU/EEA
For personal data transferred from the EU/EEA to the United States or other countries without an adequacy decision, we rely on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Adequacy decisions where applicable
Customers requiring EU Standard Contractual Clauses as part of a Data Processing Agreement should contact privacy@getprovara.com.
5.2 UK data transfers
For transfers from the United Kingdom, we rely on the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs.
5.3 Other jurisdictions
For transfers involving data from other jurisdictions with international transfer restrictions, we implement appropriate safeguards as required by applicable law.
6. Data Retention
| Data type | Retention period | Basis |
|---|---|---|
| Platform User account data | Duration of subscription + 12 months | Contract performance |
| Candidate PII (name, email) | As directed by Customer, max 24 months from submission | Contract performance |
| Biometric data | 90 days from verification completion, then deleted | Minimum necessary |
| Interview recordings | 90 days, unless Customer requests earlier deletion | Contract performance |
| Trust scores and signals | 24 months from creation | Legitimate interests (audit) |
| Audit logs | 7 years | Legal compliance |
| Webhook event records | 12 months | Legitimate interests |
| Payment records | 7 years | Legal obligation |
Customers may request earlier deletion of Candidate data at any time. Biometric data is deleted within 90 days of verification completion regardless of other retention schedules.
7. Your Rights
7.1 Platform Users
Depending on your location, you may have the right to:
- Access - request a copy of personal data we hold about you
- Correction - request correction of inaccurate data
- Deletion - request deletion of your personal data
- Portability - receive your data in a machine-readable format
- Restriction - request restriction of processing in certain circumstances
- Objection - object to processing based on legitimate interests
- Opt-out of sale - we do not sell data, but you may exercise this right under CCPA
7.2 Candidates
Candidates whose data has been submitted to Provara by a Customer have the same rights as listed in 7.1. Because Provara processes Candidate data on behalf of Customers (as a data processor), Candidates should direct requests to the organization that submitted their data (the data controller). We will assist Customers in responding to Candidate requests.
Candidates may also contact us directly at privacy@getprovara.com and we will facilitate the request in cooperation with the relevant Customer.
7.3 Biometric data rights
In addition to the rights above, individuals whose biometric data has been processed have the right to:
- Know the specific biometric data collected and its purpose
- Request deletion of biometric data at any time
- Receive written notice of our biometric data retention and deletion policy
7.4 How to exercise your rights
Submit requests to: privacy@getprovara.com
We will respond within:
- 30 days for GDPR requests
- 45 days for CCPA requests
- As required by other applicable law
We may need to verify your identity before processing requests.
8. Security
Provara implements technical and organizational security measures to protect personal data, including:
- Encryption of data at rest and in transit (TLS 1.2+)
- Role-based access controls and multi-factor authentication
- Row-level security in our database (tenant isolation)
- Regular security monitoring and incident response procedures
- Vendor security assessments for sub-processors
- Annual security reviews
No system is completely secure. In the event of a data breach affecting your rights and freedoms, we will notify affected parties and relevant supervisory authorities as required by applicable law (within 72 hours under GDPR where feasible).
To report a security vulnerability: privacy@getprovara.com
9. Cookies and Tracking
The Services use:
- Strictly necessary cookies - required for authentication and session management (cannot be disabled)
- Analytics cookies - PostHog for product analytics (anonymized, can be opted out)
- No advertising cookies - we do not use advertising or cross-site tracking cookies
You can control non-essential cookies through your browser settings.
10. Children's Privacy
The Services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. Contact privacy@getprovara.com to report concerns.
11. AI Employment Law Compliance
Provara's Services are designed to support compliance with AI employment laws. Customers are responsible for their own compliance obligations, which may include:
| Law | Jurisdiction | Key obligation |
|---|---|---|
| NYC Local Law 144 | New York City, USA | Annual bias audit of AI hiring tools; candidate notice |
| Colorado AI Act | Colorado, USA | Reasonable care to avoid algorithmic discrimination; notice to candidates |
| EU AI Act | European Union | High-risk AI system obligations; transparency; human oversight |
| GDPR Article 22 | European Union | Right not to be subject to solely automated decisions |
| Illinois BIPA | Illinois, USA | Written consent before biometric data collection |
Provara provides audit logs and compliance documentation to assist Customers in meeting these obligations. Contact privacy@getprovara.com for compliance documentation requests.
12. Jurisdiction-Specific Rights
12.1 California (CCPA/CPRA)
California residents have the right to:
- Know what personal information is collected and how it is used
- Delete personal information (subject to exceptions)
- Opt-out of sale of personal information (we do not sell data)
- Non-discrimination for exercising rights
To submit a CCPA request: privacy@getprovara.com
12.2 European Union (GDPR)
EU residents may lodge complaints with their national supervisory authority if they believe their data is being processed unlawfully. Provara's lead supervisory authority for EU operations is determined by our EU establishment.
12.3 United Kingdom (UK GDPR)
UK residents may lodge complaints with the Information Commissioner's Office (ICO) at ico.org.uk.
12.4 Sri Lanka
Provara complies with the Sri Lanka Personal Data Protection Act (PDPA) where applicable to Sri Lanka-resident data subjects.
12.5 Other jurisdictions
We are committed to complying with applicable data protection laws in all jurisdictions where we operate. Contact privacy@getprovara.com for jurisdiction-specific inquiries.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via:
- Email to the address associated with your account
- In-app notification
- Prominent notice on our website
The "Last updated" date at the top of this Policy reflects the most recent revision. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.
14. Contact Us
For privacy inquiries, data subject requests, or Data Processing Agreement requests:
Privacy Team
Provara, Inc.
Email: privacy@getprovara.com
Website: getprovara.com
We aim to respond to all privacy inquiries within 5 business days.