Trust & Responsible AI

Last updated: [DATE]

Template for review — replace the bracketed placeholders and have a legal professional check this before you rely on it.

Our commitment

recroo generates recruitment documents — CVs, job specs, interview questions and candidate scores — from your inputs using AI. Recruitment is a high-stakes use of AI, so we design the product so a person stays in charge of every decision. This page explains, in plain English, how the AI is used, how your data is handled, and how the platform is secured.

How we use AI

  • Every AI output is a draft for you to review and edit, not a final answer. Outputs can contain errors and should be checked before you use or send them.
  • The AI works from the brief and content you provide. We don’t use your candidate data to train models.
  • We tell you where output is AI-generated, and keep this disclosure next to the output — not buried in the terms.

Human oversight (candidate scoring)

The Bulk CV Scorer is decision support, not a decision. Scores are indicative and may reflect bias in the underlying data. We require — and the product reminds every user — that:

  • A person reviews every candidate before any hiring decision.
  • No candidate is auto-rejected, filtered out or ranked out on an AI score alone.
  • Scores are sense-checked against the actual CV and the role.

If you are subject to the EU AI Act or equivalent rules, treat AI-assisted candidate evaluation as a high-risk use and keep a human meaningfully in the loop. Your agency remains the decision-maker.

Your data

For candidate content you process, your agency is the controller and recroo is a processor acting on your instructions. Candidate content is never sent to third-party analytics. You can delete your organisation and all its data at any time from Settings. See the Privacy Policy for the full detail, including your rights and how to exercise them.

Sub-processors

We rely on a small set of trusted providers, each processing data only as needed to deliver their part: [Anthropic] (AI generation), [Stripe] (payments), [Resend] (email), [Render] (hosting and database), and the identity provider you sign in with. A current list is available on request.

Security

  • Tenant isolation. Each agency’s data is scoped to its own organisation; the platform resolves your organisation from your authenticated session, never from anything a request can supply — so one agency can’t reach another’s candidates or drafts.
  • Authentication. Sign-in is delegated to Google or Microsoft; we don’t store passwords. Sessions are server-side and can be revoked.
  • Least privilege. Administrative and billing actions require an owner/admin role; platform administration is separated from tenant data.
  • In transit. All traffic is served over HTTPS.
  • Abuse & cost controls. The AI endpoints are rate-limited to protect availability and prevent misuse.

Found a security issue? Please email [security@recroo.co.uk]. We welcome responsible disclosure and will work with you on a fix.

Availability

We aim for high availability and monitor errors continuously. Planned status and incident communications will be published at [status.recroo.co.uk]. [State your target uptime / SLA here.]

Questions

For anything on this page — data processing agreements, sub-processor lists, security questionnaires or the AI approach — contact [hello@recroo.co.uk] and we’ll help.