Privacy Policy

molte.ai is a recruitment platform that helps employers manage job applications, evaluate candidates, and streamline hiring processes. This privacy policy describes how we collect, use, and protect personal data when you use our service.

This policy refers to Regulation (EU) 2016/679 (the General Data Protection Regulation, hereinafter "GDPR").

The data controller for personal data processed to provide the molte.ai platform is Molte AS, organisation number 937588712, with registered business address Kystadvegen 6 B, 7024 Trondheim, Norway (trading as "molte.ai"). For matters where Molte AS acts as controller, you may contact hello@molte.ai. For personal data relating to candidates and applications in recruitment processes, the employer customer is generally the controller for application data and the recruitment process, while molte.ai processes such data as a processor under a data processing agreement with the customer and the customer's instructions, cf. GDPR Art. 28.

Molte AS has not appointed a data protection officer (DPO). For questions about this privacy policy and to exercise your rights where Molte AS is the controller, please contact hello@molte.ai.

We collect and process personal data to different extents depending on how you use the service:

• On pages you can visit without signing in, we may process limited technical data (e.g. IP address and usage logs) and cookies for operation, security, and improvement. See also our cookie policy.
• When you are signed in as an employer or organization user, we process account data and activity in the service that is necessary to deliver the service to the customer and your organization.
• When you enable optional features (e.g. Gmail or Outlook email integration), we may process additional categories of personal data as described in this policy to provide that feature.

Depending on how you use molte.ai, we may collect the following categories of personal data:

• Account data: Name, email address, company affiliation, and login credentials (including OAuth via Google, Microsoft, or LinkedIn).
• Candidate data: Name, contact information, work experience, education, and other details submitted through job applications.
• Documents: CVs, cover letters, diplomas, and other files uploaded in connection with applications.
• Email integration data: Email metadata and message content when Gmail or Outlook integration is enabled by the employer.
• Usage data: IP address, browser type, device information, and interaction data for service operation and improvement.

Using the following features may require additional processing of personal data:

• Email integration: When Gmail or Outlook is connected, we may process email metadata, message content, and authentication data necessary to read, sync, and send email in line with the service settings.
• Documents and attachments: CVs, applications, and other files uploaded in connection with applications and positions.
• AI-assisted evaluation and ranking of candidates against job requirements when enabled in the workflow.
• Notifications and email: system notifications and email related to your account, positions, and applications.

Application documents such as CVs and cover letters may occasionally contain special categories of personal data (e.g. health information, trade union membership, or religious affiliation), whether included deliberately or inadvertently by the applicant. Where such data is processed, the legal basis is typically GDPR Art. 9(2)(b) (employment purposes) or the explicit consent of the data subject. Employers are encouraged to inform candidates not to include unnecessary sensitive information in their applications.

• Managing recruitment processes, including receiving, storing, and organizing job applications.
• AI-assisted evaluation and ranking of candidates against job requirements.
• Communication between employers and candidates, including system notifications and email.
• Maintaining, securing, and improving the platform.

AI-assisted evaluation and ranking of candidates constitutes profiling within the meaning of GDPR Art. 4(4). However, molte.ai does not make solely automated decisions that produce legal effects or similarly significant effects on data subjects, cf. GDPR Art. 22. AI features are intended as decision support and should always be reviewed by a human before hiring decisions are made. molte.ai does not guarantee complete accuracy of AI-generated assessments, and employers are responsible for final hiring decisions. The employer customer decides the legal basis for candidate data (for example consent, legitimate interest, or a combination as permitted by law) and Molte AS processes such data on the employer's instructions as processor. Where consent is used, it is obtained by the employer as described in the employer's recruitment process.

• Consent (GDPR Art. 6(1)(a)): Where an employer relies on consent for application processing (including AI-assisted evaluation), the employer is responsible for obtaining and documenting valid consent from the candidate in line with GDPR. Molte AS may process that data on behalf of the employer as processor under the data processing agreement.
• Contract (GDPR Art. 6(1)(b)): When processing is necessary to deliver the service to employers who have an active subscription.
• Legitimate interest (GDPR Art. 6(1)(f)): For platform security and fraud prevention. Where legitimate interest is used as a basis for processing usage data and logs for service improvement, the interest pursued is maintaining platform stability, detecting and fixing errors, and improving user experience; these interests are balanced against the limited nature of the data and the low impact on data subjects.

We use selected subprocessors to deliver the service, including hosting, database, authentication, email integrations, and AI-assisted processing. We only share personal data when necessary to provide functionality in the solution, and within the framework of applicable privacy legislation.

* For transfers to subprocessors in third countries (including the US), we use Standard Contractual Clauses (SCCs) pursuant to GDPR Art. 46, supplemented where required.

** Google Gemini is accessed via Google's European API endpoint for regional processing.

Some of our subprocessors may process personal data outside the EU/EEA, as indicated in the table above. Such processing is carried out in accordance with applicable privacy law, including Standard Contractual Clauses (SCCs) pursuant to GDPR Art. 46 as the transfer mechanism. Where relevant, a transfer impact assessment has been carried out in accordance with the requirements following the Schrems II ruling.

When you connect Google (Gmail) or Microsoft (Outlook) to molte.ai for authentication and/or email handling, we process email and account data necessary to perform the functions you request in the service (for example reading, syncing, and sending email within the scope of the integration). Use and transfer of information received from Google APIs to other apps follows Google's API user requirements where applicable; we use such data only to deliver and improve the features you use in molte.ai in accordance with this policy and the terms. When you sign in or apply for a position using LinkedIn, we process your LinkedIn profile data (name, email address, and profile picture) solely to authenticate your identity and pre-fill application forms. We do not access your LinkedIn connections, messages, or activity.

Under GDPR Chapter III, you have the following rights regarding your personal data. For rights relating to candidate data and applications (where the employer is the controller), please direct your request to the employer in the first instance. For rights relating to your molte.ai account or platform data (where Molte AS is the controller), contact us directly at hello@molte.ai.

• Right of access: You can request a copy of the personal data we hold about you.
• Right to rectification: You can request correction of inaccurate or incomplete data.
• Right to withdraw consent (cf. GDPR Art. 7(3)): Where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of processing before withdrawal.
• Right to erasure: You can request deletion of your personal data, subject to legal retention requirements.
• Right to data portability: You can request your data in a structured, machine-readable format.
• Right to restriction of processing: You can request that we temporarily restrict processing in certain cases, for example if you contest the accuracy of the data or the processing.
• Right to object: You can object to processing based on legitimate interest.
• Right to complain: You can file a complaint with the Norwegian Data Protection Authority (Datatilsynet).

Providing personal data is voluntary, but certain data is required to use the service. For employer accounts, name and email are required for account creation and are a contractual requirement to access the platform. For candidates, mandatory application fields are determined by the employer; not providing the required information means the application cannot be submitted or processed.

molte.ai is designed to support privacy-friendly recruitment workflows. The platform processes personal data only for specific recruitment purposes, limits data collection to what is necessary, gives candidates and users control over their rights, and ensures that AI-assisted evaluation is always reviewed by a human before hiring decisions are made. molte.ai acts as a processor for employer customers and follows their instructions within the framework of the data processing agreement and applicable privacy legislation.

Personal data is retained only as long as necessary for the purposes described in this policy, or as required by law. Candidate data associated with completed recruitment processes is retained for the duration determined by the employer customer (as controller); as a guideline, application data is typically deleted no later than 6 months after a completed recruitment process unless the data subject consents to longer storage or longer retention is required by law. Account data is retained as long as the account is active; when an account is deleted or a customer relationship ends, data will be deleted or anonymized within 90 days unless we have a legal obligation to retain it.

On pages you visit without signing in, we do not process the same types of personal data as in signed-in recruitment workflows, but we may use cookies and technically necessary data for operation and security.

Read more about cookies

If you have questions about this privacy policy, wish to exercise your rights (including withdrawing consent), or want to request access, rectification, or restriction, please contact us at hello@molte.ai. Please indicate whether your request relates to an employer account or candidate data.