GDPR & Compliance
Last updated: March 2026
1. Automatic deletion of candidate data
Candidate data is automatically deleted 24 months after the closure of the recruitment process, unless the client explicitly requests a different retention period or a specific legal obligation requires otherwise. This deletion is permanent and covers all personal data associated with the candidate's file. Kynto does not archive candidate data beyond this period for any commercial or analytical purpose. Clients are notified before deletion occurs and can export their data at any time prior to that date.
2. Right to erasure — candidate privacy portal
Kynto provides a publicly accessible privacy portal allowing any candidate to request complete deletion of their personal data simply by entering their email address — no account or login required. This deletion covers all associated information without exception: CV, application documents, AI-generated analyses, scoring, interview transcriptions, voice recordings, and all related metadata. Deletion requests are processed promptly and candidates receive confirmation once their data has been removed. This right is available at any time, regardless of the status or outcome of the recruitment process.
3. Data portability and access
In addition to the right to erasure, candidates can use the same privacy portal to export all data Kynto holds about them, in a structured and machine-readable format. This right to portability is provided in compliance with Article 20 of the GDPR and allows candidates to retrieve their data for use elsewhere. Candidates can also request access to their data at any time to verify what information has been collected and how it has been processed. All such requests are handled without charge and within the timeframes required by applicable law.
4. Full data export for clients
Client companies can export the entirety of their data from Kynto at any time — including candidate files, recruitment processes, scoring history, interview transcriptions, and activity logs. This export capability is available directly from the platform, without requiring a support request, and produces a complete and portable dataset. It guarantees full client autonomy and ensures the reversibility of the service: if a client decides to leave Kynto, they retain full ownership of their data. No data is held hostage to commercial terms.
5. Data hosted exclusively in Europe
All personal data processed through Kynto is hosted exclusively within the European Union, with priority given to infrastructure located in France where technically feasible. Kynto does not transfer personal data to servers outside the EU, including for processing, backup, or analytics purposes. This commitment applies to all data types, including candidate files, AI outputs, and calendar data. Clients operating under strict data residency requirements can rely on this commitment as a baseline guarantee.
6. Compliant subprocessors and contractual framework
Kynto works exclusively with subprocessors that are themselves GDPR-compliant and subject to appropriate contractual safeguards. A Data Processing Agreement (DPA) is signed with each subprocessor before any personal data is shared with them, defining the scope, purpose, and conditions of processing. The full list of subprocessors is publicly available on Kynto's subprocessors page and is kept up to date. Clients are notified of any material change to the subprocessor list in advance, giving them the opportunity to raise objections if needed.
7. AI models — no training on client or candidate data
The language models and AI systems used by Kynto are never trained, fine-tuned, or improved using client data or candidate personal data. All AI providers are configured in no-training and no-retention mode, meaning that data submitted for processing is not stored or reused by the model provider beyond the immediate inference. AI infrastructure used by Kynto is hosted within the European Union, ensuring that personal data does not leave the EU during AI processing. These commitments are contractually enforced through DPAs with each AI provider.
8. Kynto acts as a data processor
Under the GDPR, Kynto acts exclusively as a data processor on behalf of its clients. Client companies are the data controllers: they determine the purposes and means of processing candidate personal data, and they bear the corresponding legal responsibilities. Kynto processes personal data only on documented instructions from the client and does not use that data for any purpose beyond the delivery of the contracted service. This clear allocation of roles ensures that clients retain full legal control over their recruitment data at all times.
9. No automated decision-making — compliance with Article 22 of the GDPR
Kynto does not make any automated decision that produces legal effects or similarly significant effects on candidates. All AI-generated outputs — including scoring, analyses, summaries, and recommendations — are decision-support tools intended to assist human judgment, not replace it. The final hiring decision in every case belongs to a human: the recruiter, the HR manager, or the hiring manager. This approach is not only compliant with Article 22 of the GDPR but reflects a core design principle of the Kynto platform — AI assists, humans decide.
Questions about our GDPR commitments
For any question regarding data protection, to exercise your rights as a candidate or client, or to request a copy of our Data Processing Agreement, contact our privacy team at privacy@kyntoai.com. We aim to respond to all data-related requests within 72 hours.