Trust & Security
How we handle your data
humaaaaans is built for recruiters in the EU, UK, US and other GDPR-aware geographies. This page explains exactly what we do with the data we process, the legal basis we rely on, and your rights.
What humaaaaans actually does
humaaaaans performs AI search of public LinkedIn profiles — the same data anyone can see when browsing LinkedIn while signed in. We do not log into your LinkedIn account, we do not impersonate users, we do not use the LinkedIn Recruiter API, and we do not require you to install any extension or run anything in your browser. Searches run entirely on our own infrastructure.
For each search, you (the recruiter, our customer) provide a job description. Our AI interprets it, performs the public-profile search, and returns a curated, ranked candidate list to your inbox. We retain the search and result set inside your account for the duration of your subscription so you can re-open it later.
Legal basis (GDPR)
Our legal basis for processing public profile data of EU/UK candidates is legitimate interest under GDPR Art. 6(1)(f), supported by a documented Legitimate Interest Assessment (LIA) covering necessity, proportionality, and the balancing test described in Recital 47.
For our customers (the recruiters using humaaaaans), our legal basis is the contract between us under Art. 6(1)(b) — i.e. providing the service you signed up for.
For marketing communication and analytics, we rely on consent (Art. 6(1)(a)) — you can opt out at any time via the link in every email and via the cookie banner on our site.
Candidate rights
If your public LinkedIn profile has been included in a humaaaaans search, you have the following rights under GDPR Art. 15–22:
- Access — get a copy of the data we hold about you (Art. 15)
- Rectification — correct inaccurate data (Art. 16)
- Erasure — request removal at /privacy/remove-me (Art. 17)
- Restriction — limit how we process your data (Art. 18)
- Portability — receive your data in a machine-readable format (Art. 20)
- Objection — object to legitimate-interest processing (Art. 21)
- Complaint — to your supervisory authority. We are happy to provide the contact for the relevant authority on request.
Reach us at privacy@humaaaaans.com. We acknowledge requests within 72 hours and process them within 30 days.
Sub-processors
humaaaaans uses the following sub-processors. We choose vendors with established GDPR posture, EU hosting where available, and standard contractual clauses for any US transfers.
| Vendor | Purpose | Region | Data types |
|---|---|---|---|
| Stripe | Payments & billing | EU + US | Customer name, email, billing address, payment metadata |
| Anthropic (Claude API) | AI candidate matching & ranking | US (with EU routing where available) | Job-description text, public LinkedIn snippets |
| AWS | Application hosting & data storage | EU (eu-central-1 / eu-west-1) | Application data, search results, customer accounts |
| Cloudflare | DNS, CDN, DDoS protection | Global (EU edge for EU traffic) | Request logs, IP addresses |
| PostHog | Product analytics & funnel measurement | EU (eu.posthog.com) | Anonymous usage events, customer email on identified events |
| Loops.so | Transactional & lifecycle email | US | Customer name, email, lifecycle event metadata |
| Attio | Customer relationship database | US | Customer name, company, email, plan tier |
| Crisp | Customer support chat | EU | Support conversation logs, customer email |
| Web3Forms | Lead form & GDPR opt-out form delivery | EU | Form submissions (transit only) |
| Google Analytics 4 | Marketing analytics | US (with EU consent gating) | Anonymous traffic data |
We notify customers in advance when adding a new sub-processor that handles customer-controlled data, with the option to object.
Data flow
- You sign up via Stripe Checkout. Stripe stores billing data in Europe.
- You submit a job description through the humaaaaans web app.
- Our AI service (Anthropic) interprets the job description and constructs a search query. Job-description text is sent to Anthropic for processing only — not stored long-term by Anthropic.
- humaaaaans searches public LinkedIn profiles and returns a candidate list, stored in our EU-region AWS instance.
- You receive the candidate list by email (Loops.so) and can browse it inside your account.
- Search results are retained for the duration of your subscription. Cancellation triggers a 30-day deletion window.
- If a candidate exercises the right to erasure, their record is deleted within 30 days and added to a permanent suppression list.
Data Processing Agreement (DPA)
When an agency or in-house TA team uses humaaaaans, you (the customer) are a data controller and humaaaaans is a data processor under GDPR Art. 28. We provide a standard DPA on request that you can review and counter-sign without negotiation.
Email privacy@humaaaaans.com with the subject "DPA request" and we will send the latest version within one business day.
Security practices
- All traffic over TLS 1.3.
- Customer data encrypted at rest in EU-region AWS.
- Application secrets managed via environment variables and a managed secret store; no plaintext credentials in code.
- Stripe restricted keys with per-key budget caps.
- Two-factor authentication on every staff account that touches customer data.
- 30-day deletion window after subscription cancellation.
- Backups encrypted, retained 30 days, then auto-deleted.
- Incident notification: in case of a personal-data breach affecting customers, we notify the relevant supervisory authority within 72 hours under Art. 33 and notify affected customers without undue delay.
Geographic scope
humaaaaans serves customers in the US, UK, EU, Canada, Australia, and other GDPR-aware geographies. We do not currently sell to customers based in Lithuania, Russia, Belarus, or jurisdictions under broad sanctions.
Last updated: 2026-05-08. We update this page when sub-processors, legal basis, or security practices change. See also the Privacy Policy and Terms of Service.