Pindrop Security Candidate Privacy Notice

Date: March 13, 2026

Summary of Key Points

To help you understand how we handle your personal data, here are the key highlights:

1. Your personal data is collected to evaluate your job application and includes resume details, interview recordings, and assessment results.

2. The hiring process may include a recorded interview. From the interview recordings, we may extract audio and video data that does not reveal what was said or shown, cannot be reverse-engineered to recover original content, and is not used to uniquely identify you; this data may constitute “biometric information” under certain privacy and/or biometric laws (“Deepfake Data”). You will be asked to provide consent before any interview recording is analyzed for Deepfake Data. If you do not consent, no such data will be processed.

3. Interview recordings and Deepfake Data may be used for fraud prevention and security verification. Interview recordings may also be used to evaluate your qualifications for the role. We will not use your interview audio or video content to train AI models. Pindrop may use Deepfake Data to improve the accuracy of our fraud detection systems.

4. Your data is stored primarily in the U.S., with safeguards for international transfers where required.

5. We retain interview recordings and Deepfake Data for up to 90 days, and standard application data for up to four years (US applicants) or one year (non-US applicants). See Section 6 (Data Retention) for details.

6. You have choices about your data, including the ability to access, correct, and delete your data. Contact [email protected] for requests.

7. We may use AI tools to help prioritize job applications for human review. No hiring decision is made solely by automated processing. You may request alternative consideration by contacting [email protected]. See Section 9 for details.

For full details, please continue reading below:

1. Introduction

Pindrop Security, Inc. and our affiliated companies (i.e., entities that control, are controlled by, or are under common control with Pindrop Security, Inc.) (together, “Pindrop”, “we”, “our” or “us”) value your privacy and are committed to protecting your personal data. When you apply for a job with us, we collect and process certain information about you to manage the hiring process. This notice explains what data we collect, how we use it, who we share it with, and the rights you have regarding your information. This notice supplements, and should be read together with, our general Privacy Policy available at https://www.pindrop.com/privacy/. In the event of any inconsistency between this Candidate Privacy Notice and the general Privacy Policy, this Candidate Privacy Notice governs with respect to applicant data.

If you are a California resident, please refer to Section 11, Additional Privacy Information for California Residents below for information about the categories of information we may collect and your rights under applicable California privacy laws.

If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, please refer to Section 12, Additional Information for Applicants in the EEA, UK, and Switzerland below for information about your rights and how we process your personal data under applicable data protection laws.

2. Personal Data We Collect

During the hiring process, we may collect the following types of personal data:

  • Basic details: Your name, contact information, nationality, and work eligibility.
  • Employment and education history: Your CV, references, qualifications, degrees, transcripts, institutions attended and any additional information you provide.
  • Assessments and interview data: Results from skills assessments, including those conducted by external service providers, and interview notes.
  • Recorded interviews and consent: Your interview may be recorded, including all video, audio, and other recordable data. From these recordings, our technology extracts Deepfake Data (as defined under the Summary of Key Points above). This Deepfake Data is technical in nature and cannot be used to uniquely identify you; however, it may constitute ‘biometric data’ or ‘biometric information’ under certain privacy and biometric laws.
    • Pindrop processes Deepfake Data for security verification and fraud prevention purposes. This processing occurs under our legitimate interests and is not subject to candidate consent. Candidates who are unable to complete security verification may not be able to proceed with the interview.
    • Effect of withdrawal of consent: Upon withdrawal, we will stop further processing of your Deepfake Data. Deepfake Data already collected for security verification remains subject to the retention schedule in Section 6. We will not attempt to reidentify you from aggregated or deidentified data.

  • Background checks: Conducted after a job offer is made, where required by law or applicable to the role.
  • Assessment monitoring and recording: If part of an assessment, some tests may include video, audio, screen activity, and data monitoring, recording, and verification to ensure fairness and prevent fraud.

We collect this information:

  • Directly from you
  • Through third-party recruiters and recruiting platforms
  • Through third-party service providers (e.g. background screeners, skills assessors, etc.)
  • From publicly available sources
  • From referrals and references
  • From affiliates and subsidiaries

3. Why We Process Your Personal Data

We process your personal data only for the purposes disclosed in this notice and for no other purpose. We process your personal data to:

  • Assess your qualifications and suitability for the role.
  • Communicate with you about your application and interview process.
  • Verify the information you provide, including references and work eligibility.
  • Conduct pre-employment assessments where applicable.
  • Ensure a fair, secure, and efficient recruitment process.
  • Comply with legal and regulatory obligations.
  • Secure our resources, networks, premises, and assets, including to detect, prevent, investigate, and respond to suspected or alleged misconduct, use of synthetic, AI-generated or other manipulated content, violations of company policies, and fraudulent activity.
  • Improve the accuracy of our AI-powered fraud detection systems using Deepfake Data.
  • Protect and defend our rights and interests and those of third parties, including to manage and respond to legal claims or disputes, and to otherwise establish, defend, or protect our rights or interests, or the rights, interests, health or safety of others, including in the context of anticipated or actual litigation with third parties.
  • Make hiring decisions with appropriate human oversight (see Section 9 for information about our use of AI in hiring).

4. How We Share Your Personal Data

We limit access to your personal data to those involved in the hiring process. This may include:

  • Internal teams: Recruiters, hiring managers, and relevant team members.
  • Service providers: External vendors supporting our recruitment efforts, such as background check providers, assessment platforms, HR systems, and providers of fraud detection services used during video interviews.
  • Affiliated companies: If relevant to your hiring process, we may share data within our corporate group.

Your personal data will not be sold or shared with unauthorized third parties. If we engage a service provider to process data on our behalf, they are required to handle it securely and in compliance with applicable laws.

5. International Data Transfers

Because Pindrop is a global company, your personal data may be transferred outside of your home country, including to the United States, where our primary data storage is located. For candidates applying from the European Economic Area (EEA) or United Kingdom (UK), we use Standard Contractual Clauses (SCCs) or similar safeguards to ensure compliance with data protection laws. If you would like more details on these safeguards, you may contact us.

6. Data Retention

We retain candidate data as follows:

  • Interview recordings and Deepfake Data are retained for up to 90 days from the date of each interview and permanently destroyed thereafter, unless a shorter retention period applies or longer retention is required by law.
  • For applicants located in the United States, standard application data (such as resumes, cover letters, interview notes, and assessment results) is retained for up to four years following the conclusion of the hiring process.
  • For applicants located outside the United States, standard application data is retained for up to one year following the conclusion of the hiring process.

If required by law, we may retain data for a longer period. If you are not selected for a position, we may retain your application materials for the periods above so that we may consider you for other roles, unless you explicitly request deletion or opt out of consideration for future openings. If you request deletion of your data or withdraw your application, we will delete your data, subject to legal or contractual obligations, system backups, and a reasonable administrative period to complete deletion. You may also opt out of consideration for future openings without requesting full deletion of your data.

7. Your Privacy Choices

You may choose to take the following actions regarding your personal data:

  • Access – You can request a copy of the data we hold about you.
  • Correct – If any of your data is incorrect, you can request that we update it.
  • Delete – You may request that we delete your data, subject to legal requirements.
  • Portability – If processing is based on a contract or consent, you can request a transferable copy of your data.

To exercise these rights, contact us at [email protected], submit a request through our webform, or write to us at Pindrop Security, Inc., 1115 Howell Mill Rd, Ste 700, Atlanta, GA 30318. We will respond in accordance with applicable laws.

8. Data Security

We implement security measures designed to protect your personal data from unauthorized access, loss, or misuse. However, no system is completely secure, and online data transmission carries inherent risks. We encourage you to use strong passwords and avoid sharing sensitive information over unsecure channels.

9. Pindrop’s Use of AI in Hiring

We may use AI tools to help prioritize job applications for human review. These tools analyze your work experience and skills to assess fit for the role, but do not consider your name or contact details. Applications with the strongest match to job requirements are prioritized for human review; not all applications may be individually reviewed.

Your options:

10. Updates to This Notice

We may update this notice from time to time. If changes are significant, we will notify you in advance where required. Otherwise, we encourage you to check back periodically to stay informed.

For any questions, please contact us at [email protected], submit a request through our webform, or write to us at Pindrop Security, Inc., 1115 Howell Mill Rd, Ste 700, Atlanta, GA 30318. We will respond in accordance with applicable laws.

11. Additional Privacy Information for California Residents

This section of the notice provides additional information for California residents and is intended to satisfy our notice and privacy policy requirements under the California Consumer Privacy Act and related regulations as amended (collectively, the “CCPA”). This section applies to “personal information” as defined in the CCPA, whether collected online or offline. This section does not address or apply to our handling of publicly available information or personal information that is otherwise exempt under the CCPA.

Categories of Personal Information Collected. The list below generally identifies the categories of personal information that we may collect and may have collected in the prior twelve (12) months. In some cases (such as where required by law), we may ask for your consent or give you certain choices prior to collecting or using certain personal information.

  • Identifiers. Such as name, alias, or unique personal identifier; email address, phone number, address and other personal contact details; IP address and other online identifiers.
  • Categories of Personal Information Described in Cal. Civ. Code § 1798.80. Such as records containing personal information, such as name, signature, photo, contact information, education and employment history, or certain government identifiers.
  • Internet or Other Electronic Network Activity Information. Including, but not limited to, browsing history, search history, and information regarding your interaction with an internet website or application, as well as physical and network access logs and other network activity information related to your use of any company device, network, or other information resource.
  • Biometric Information. Certain voice- or video-derived technical features (e.g., content-agnostic digital features extracted from interview recordings) that, while not capable of uniquely identifying any individual, may be considered “biometric information” under certain U.S. state privacy and biometric laws. These features are used solely for liveness and deepfake detection, not to establish or verify a candidate’s identity.
  • Location Data. Includes general location information (such as country or region) inferred from IP address; does not include precise geolocation.
  • Characteristics of Protected Classifications Under California and Federal Law. Such as race/ethnicity, gender, sex, veteran status, disability, and other characteristics of protected classifications under California or federal law. Generally, this information is collected on a voluntary basis and is used in support of our anti-discrimination efforts, reporting obligations, or where otherwise required by law.
  • Audio, Electronic, Visual, Thermal, or Similar Information. Such as video and audio recordings of interviews, as well as screen activity collected during assessments. From these recordings, we may extract Deepfake Data (as defined in the Summary of Key Points section above).
  • Professional or Employment-Related Information. Such as performance information, professional membership records, references, assessment records, resumes, cover letters and work history, attendance records, conduct information (including disciplinary and grievance records), and termination data.
  • Education Information. Such as degrees earned, educational institutions attended, transcripts, training records, and other information about your educational history or background that is not publicly available personally identifiable information as defined under the Family Educational Rights and Privacy Act.
  • Inferences drawn from the information identified above to evaluate a candidate’s qualifications, such as skills, competencies, aptitude, or fraud risk determinations generated through interview processes or skills assessment tools.
  • Sensitive Personal Information. Such as certain government identifiers, racial/ethnic origin or sexual orientation (e.g., on a voluntary basis in support of our anti-discrimination efforts, reporting obligations, or where otherwise required by law), immigration or citizenship information, and health information (e.g., as necessary to provide reasonable accommodations).

We may also disclose each of the categories of personal information identified in the list above to service providers or contractors who provide services or perform functions on our behalf, as described in this notice.

Sales and Sharing of Personal Information. California privacy laws define a “sale” as disclosing or making available to a third party personal information in exchange for monetary or other valuable consideration, and “sharing” broadly includes disclosing or making available personal information to a third party for purposes of cross-context behavioral advertising. We do not sell or share (as defined by the CCPA) personal information or sensitive personal information related to candidates, including those whom we know to be under sixteen (16) years of age.

Sources of Personal Information. As described in Section 2 above, in general, we may collect the personal information identified in the list above from the following categories of sources:

  • Directly from you
  • Through third-party recruiters and recruiting platforms
  • Through third-party service providers (e.g. background screeners, skills assessors, etc.)
  • From publicly available sources
  • From referrals and references
  • From affiliates and subsidiaries

Retention of Personal Information. As described in Section 6 above, we retain candidate data as follows: (i) interview recordings and Deepfake Data are retained for up to 90 days from the date of each interview; (ii) for applicants located in the United States, standard application data (such as resumes, cover letters, interview notes, and assessment results) is retained for up to four years following the conclusion of the hiring process; and (iii) for applicants located outside the United States, standard application data is retained for up to one year following the conclusion of the hiring process. If required by law, we may retain data for a longer period. If you are not selected for a position, we will not keep your details for future job openings unless you explicitly request that we do so. If you withdraw your application, your data will be deleted, and you will no longer be considered for the role. We will not use your interview audio or video content to train AI models; however, we may use Deepfake Data to improve the accuracy of our fraud detection tools.

Purposes for Collecting, Using, and Disclosing Personal Information. We process your personal information for the purposes described in Section 3 above and for no other purpose.

Sensitive Personal Information. Notwithstanding the purposes described above, we do not collect, use or disclose sensitive personal information about candidates beyond the purposes authorized by the CCPA. Accordingly, we only use and disclose sensitive personal information about candidates as reasonably necessary and proportionate: (i) to perform our services requested by you; (ii) to help ensure security and integrity, including to detect, prevent, and respond to malicious, fraudulent, deceptive, or illegal conduct, including the use of synthetic, AI-generated, or manipulated content and impersonation attempts; (iii) to verify or maintain the quality and safety of our services; (iv) for compliance with our legal obligations; (v) to our service providers who perform services on our behalf; and (vi) for purposes other than inferring characteristics about you.

Your CCPA Rights. California candidates have certain rights under the CCPA with respect to their personal information, subject to certain limitations and exceptions:

  • Know/Access. The right to know what personal information we have collected about them, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about them.
  • Deletion. The right to request deletion of their personal information that we have collected from them.
  • Correction. The right to request correction of inaccurate personal information we maintain about them.
  • Opt-Out of Sales and Sharing. The right to opt-out of the sale and sharing of their personal information. However, as discussed above, we do not sell or share candidate personal information.
  • Limit Use and Disclosure. The right to request to limit certain uses and disclosures of sensitive personal information. However, as discussed above, we do not use or disclose candidate personal information beyond the purpose authorized by the CCPA.
  • Non-Retaliation. The right not to be subject to retaliatory treatment for exercising their rights under the CCPA.

Submitting CCPA Requests. Candidates may submit a request to us to exercise their CCPA rights to know/access, limit, delete, and to correct their personal information held by us by submitting a privacy request to us online through our webform located at https://www.pindrop.com/privacy/submit-a-request/ or via an email to [email protected].

We will take steps to verify your request by matching the information provided by you with the information we have in our records. Your request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative (i.e., by completing all required fields on our webform if you choose to submit a request in that manner).
  • Describe your request with sufficient detail to allow us to properly understand, evaluate, and respond to it.

In some cases, we may request additional information to verify your request or where necessary to process your request. 

Authorized Agents. Authorized agents may initiate a request on behalf of another individual through one of the above methods; authorized agents will be required to provide proof of their authorization, and we may also require that the relevant consumer directly verify their identity and the authority of the authorized agent.

12. Additional Information for Applicants in the EEA, UK, and Switzerland

If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, the following additional information applies to our processing of your personal data:

Data Controller

The data controller for your personal data is Pindrop Security, Inc., 1115 Howell Mill Rd, Ste 700, Atlanta, GA 30318, USA. You may contact our Data Protection Officer at [email protected].

Legal Basis for Processing

We rely on the following legal bases to process your personal data:

  • Contractual Necessity: To take steps at your request prior to entering into an employment contract (e.g., evaluating your application).
  • Legal Obligation: To comply with applicable laws (e.g., verifying eligibility to work).
  • Legitimate Interests: To protect our business interests, including fraud prevention, network security, and improving our hiring processes, provided these interests are not overridden by your rights and interests. For fraud prevention, we rely on Article 6(1)(f) and, where processing may involve special category data, Article 9(2)(f). Pindrop requires security verification as part of the interview process; candidates who are unable to complete security verification may not be able to proceed with the interview.
  • Consent: For the processing of interview recordings and related special categories of data, including where such processing may constitute biometric data collection under applicable law.

Your GDPR Rights

In addition to the choices described in Section 7, you have the following rights:

  • Restriction: You may request that we restrict the processing of your data in certain circumstances.
  • Objection: You may object to processing based on legitimate interests.
  • Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time.
  • Erasure (Deletion): You may request that we erase your personal data in certain circumstances, as provided under Article 17 of the GDPR, subject to applicable legal exceptions.
  • Complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

Automated Decision-Making Rights

We use technology-assisted tools, including automated systems, to support candidate evaluation at various stages of the hiring process, including early-stage application review. At every stage, human decision-makers retain the ability to review and override automated outputs. No hiring decision is made solely through automated processing; automated tools provide assessments and rankings that inform, but do not replace, human judgment. You have the right to request human intervention, express your point of view, and contest any decision involving automated processing that produces legal or similarly significant effects.

International Transfers

Your personal data will be transferred to the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission and UK Information Commissioner’s Office to ensure your data remains protected during such transfers. See Section 5 for more details.