Trueyy is built so that monitoring a candidate for integrity stays on the right side of privacy and fair-hiring law. The core design choices — consent-first, no biometric identification, encrypted storage with short configurable retention, and a human on every decision — are what keep it defensible across jurisdictions.
Data minimisation by design
We collect the least data needed to do the job: app/window focus, paste timing, keystroke cadence, and process scans, plus interview audio (transcribed) and periodic screenshots. We don’t record the live meeting video, and we don’t use biometric identification. Reading integrity signals rather than identifying people biometrically keeps the product out of the strictest biometric-identifier regimes and embodies the GDPR’s minimisation and privacy-by-design principles.
GDPR
- Lawful basis & transparency: candidates are informed of exactly what is monitored before a session, supporting a clear basis to process.
- Data-subject rights: access, correction, and deletion requests are supported (directed through the hiring organisation as controller).
- Configurable retention per organisation, and encryption in transit and at rest.
- Sub-processors & transfers bound by data-protection terms and appropriate transfer safeguards.
Biometric-privacy laws
Laws such as Illinois’ BIPA and similar Texas/Washington statutes regulate biometric identifiers — face geometry and voiceprints. Because Trueyy reads ordinary device telemetry rather than biometric identifiers, it avoids that category. Where any feature could touch biometrics, it is opt-in with explicit notice and consent.
EU AI Act
AI used for recruitment and to evaluate behaviour is classified as high-risk under the EU AI Act. Trueyy is designed to support deployer obligations: candidate transparency, logging, accuracy, and — critically — human oversight. Trueyy informs the decision; a person makes it.
Fair hiring & human oversight
A score is an input, not a verdict. Trueyy is built to be used with a human in the loop and weighed alongside other evidence, consistent with EEOC/DOJ guidance that the employer — not the vendor — owns the decision, and that selection tools must be used without unlawful disparate impact and with accommodations.
Recording & consent
Because interviews can span jurisdictions, the safe default is explicit notice and consent before any recording. Trueyy’s no-stored-video architecture keeps the footprint small and the wiretap exposure low.
Security & certifications
Consent flows, data-subject request handling, configurable retention, and audit logs are built in. Our security program is designed to support GDPR and SOC 2 requirements (SOC 2 in progress). See the Security & Privacy overview.
Documentation
A Data Processing Agreement, sub-processor list, and security overview are available to customers on request.
Contact
Compliance, DPA, or security questions? Reach us via our contact form.
This page summarises our approach and is general information, not legal advice. Requirements vary by jurisdiction — confirm your obligations with counsel.