Trust & Security

How we handle your data

humaaaaans is built for recruiters in the EU, UK, US and other GDPR-aware geographies. This page explains exactly what we do with the data we process, the legal basis we rely on, and your rights.

What humaaaaans actually does

humaaaaans performs AI search of public LinkedIn profiles — the same data anyone can see when browsing LinkedIn while signed in. We do not log into your LinkedIn account, we do not impersonate users, we do not use the LinkedIn Recruiter API, and we do not require you to install any extension or run anything in your browser. Searches run entirely on our own infrastructure.

For each search, you (the recruiter, our customer) provide a job description. Our AI interprets it, performs the public-profile search, and returns a curated, ranked candidate list to your inbox. We retain the search and result set inside your account for the duration of your subscription so you can re-open it later.

Legal basis (GDPR)

Our legal basis for processing public profile data of EU/UK candidates is legitimate interest under GDPR Art. 6(1)(f), supported by a documented Legitimate Interest Assessment (LIA) covering necessity, proportionality, and the balancing test described in Recital 47.

For our customers (the recruiters using humaaaaans), our legal basis is the contract between us under Art. 6(1)(b) — i.e. providing the service you signed up for.

For marketing communication and analytics, we rely on consent (Art. 6(1)(a)) — you can opt out at any time via the link in every email and via the cookie banner on our site.

Candidate rights

If your public LinkedIn profile has been included in a humaaaaans search, you have the following rights under GDPR Art. 15–22:

  • Access — get a copy of the data we hold about you (Art. 15)
  • Rectification — correct inaccurate data (Art. 16)
  • Erasure — request removal at /privacy/remove-me (Art. 17)
  • Restriction — limit how we process your data (Art. 18)
  • Portability — receive your data in a machine-readable format (Art. 20)
  • Objection — object to legitimate-interest processing (Art. 21)
  • Complaint — to your supervisory authority. We are happy to provide the contact for the relevant authority on request.

Reach us at privacy@humaaaaans.com. We acknowledge requests within 72 hours and process them within 30 days.

Sub-processors

humaaaaans uses the following sub-processors. We choose vendors with established GDPR posture, EU hosting where available, and standard contractual clauses for any US transfers.

VendorPurposeRegionData types
StripePayments & billingEU + USCustomer name, email, billing address, payment metadata
Anthropic (Claude API)AI candidate matching & rankingUS (with EU routing where available)Job-description text, public LinkedIn snippets
AWSApplication hosting & data storageEU (eu-central-1 / eu-west-1)Application data, search results, customer accounts
CloudflareDNS, CDN, DDoS protectionGlobal (EU edge for EU traffic)Request logs, IP addresses
PostHogProduct analytics & funnel measurementEU (eu.posthog.com)Anonymous usage events, customer email on identified events
Loops.soTransactional & lifecycle emailUSCustomer name, email, lifecycle event metadata
AttioCustomer relationship databaseUSCustomer name, company, email, plan tier
CrispCustomer support chatEUSupport conversation logs, customer email
Web3FormsLead form & GDPR opt-out form deliveryEUForm submissions (transit only)
Google Analytics 4Marketing analyticsUS (with EU consent gating)Anonymous traffic data

We notify customers in advance when adding a new sub-processor that handles customer-controlled data, with the option to object.

Data flow

  1. You sign up via Stripe Checkout. Stripe stores billing data in Europe.
  2. You submit a job description through the humaaaaans web app.
  3. Our AI service (Anthropic) interprets the job description and constructs a search query. Job-description text is sent to Anthropic for processing only — not stored long-term by Anthropic.
  4. humaaaaans searches public LinkedIn profiles and returns a candidate list, stored in our EU-region AWS instance.
  5. You receive the candidate list by email (Loops.so) and can browse it inside your account.
  6. Search results are retained for the duration of your subscription. Cancellation triggers a 30-day deletion window.
  7. If a candidate exercises the right to erasure, their record is deleted within 30 days and added to a permanent suppression list.

Data Processing Agreement (DPA)

When an agency or in-house TA team uses humaaaaans, you (the customer) are a data controller and humaaaaans is a data processor under GDPR Art. 28. We provide a standard DPA on request that you can review and counter-sign without negotiation.

Email privacy@humaaaaans.com with the subject "DPA request" and we will send the latest version within one business day.

Security practices

  • All traffic over TLS 1.3.
  • Customer data encrypted at rest in EU-region AWS.
  • Application secrets managed via environment variables and a managed secret store; no plaintext credentials in code.
  • Stripe restricted keys with per-key budget caps.
  • Two-factor authentication on every staff account that touches customer data.
  • 30-day deletion window after subscription cancellation.
  • Backups encrypted, retained 30 days, then auto-deleted.
  • Incident notification: in case of a personal-data breach affecting customers, we notify the relevant supervisory authority within 72 hours under Art. 33 and notify affected customers without undue delay.

Geographic scope

humaaaaans serves customers in the US, UK, EU, Canada, Australia, and other GDPR-aware geographies. We do not currently sell to customers based in Lithuania, Russia, Belarus, or jurisdictions under broad sanctions.

Last updated: 2026-05-08. We update this page when sub-processors, legal basis, or security practices change. See also the Privacy Policy and Terms of Service.