ISMNS
ISMNS

Candidate assessment platform. Test, score, and rank candidates automatically.

Product

How it worksPricingFAQContact

Legal

Terms of ServicePrivacy Policy

Contact

support@ismns.com+1 (307) 424-2261

5830 E 2nd St, Ste 7000
Casper, WY 82609, USA

© 2026 ISMNS. All rights reserved.

TermsPrivacyContact

Privacy Policy

Last updated: May 3, 2026

ISMNS (“we”, “us”, or “our”) operates the ISMNS candidate assessment platform (the “Service”). This Privacy Policy describes how we collect, use, share, and protect your personal data when you use the Service. We comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable U.S. state privacy laws.

1. Information We Collect

a) Recruiter Account Information

When you create a recruiter account, we collect:

  • Name and email address
  • Company name (if provided)
  • Password (stored hashed using a strong one-way algorithm — we never store your password in clear text)
  • Job descriptions and assessment configurations you create

b) Candidate Information

When candidates take an assessment, we collect:

  • First name, last name, email, and phone number
  • CV/resume file (PDF or DOCX) uploaded by the candidate
  • Information provided in the intake form: location, availability, notice period, salary expectations
  • Assessment responses, scores, and (in AI Interview mode) the full text conversation with the AI interviewer
  • Anti-cheat signals: paste events, tab switches, response times
  • Session metadata: timestamps, browser type, IP address

c) Payment Information

Payments are processed by Stripe. We do not store credit card numbers or bank details on our servers. Stripe may collect payment card information, billing address, and other data necessary to process transactions.

d) Usage Data

We automatically collect:

  • IP address, browser type, and device information
  • Pages visited and actions taken within the Service
  • Timestamps of access and session duration

2. Legal Basis for Processing (GDPR)

For users located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR:

  • •Performance of a contract (Art. 6(1)(b)) — to provide the Service to recruiters and to allow candidates to complete an assessment they have agreed to take.
  • •Legitimate interests (Art. 6(1)(f)) — to secure the Service against abuse, prevent fraud, and improve the product. We balance these interests against your rights and freedoms.
  • •Consent (Art. 6(1)(a)) — for any optional processing that requires it. You can withdraw consent at any time.
  • •Legal obligation (Art. 6(1)(c)) — to comply with applicable law (tax, accounting, security incident reporting).

3. How We Use Your Information

We use the data we collect to:

  • Provide, operate, and maintain the Service
  • Generate AI-powered assessments and candidate evaluation reports
  • Make assessment results available to the recruiter who created the assessment
  • Send service-related communications (account verification, password reset, security notices)
  • Process payments and send transaction confirmations
  • Detect, prevent, and mitigate abuse, fraud, and security incidents
  • Improve the Service and fix technical issues
  • Comply with legal obligations
We do not sell your personal information to third parties. We do not use candidate data for advertising purposes. We do not train AI models on your data.

4. Sub-processors and Data Sharing

We use a small set of trusted sub-processors to operate the Service. We do not share personal data outside of these necessary partners:

  • •OpenAI (United States) — Generates assessment questions, conducts AI interviews, and produces evaluation reports. Personal data sent to OpenAI may include candidate names, CV content, intake information, and AI interview transcripts. Per OpenAI’s API terms, your data is not used to train their models. See OpenAI Privacy Policy.
  • •Amazon Web Services — AWS S3 (Stockholm, Sweden, eu-north-1) — Stores candidate CVs and generated PDF reports. Files are stored within the European Economic Area (EEA). See AWS Privacy Notice.
  • •Render (United States) — Hosts our backend application servers and database. See Render Privacy Policy.
  • •Vercel (United States) — Hosts our public website and frontend application. See Vercel Privacy Policy.
  • •Cloudflare (United States, GDPR-compliant) — Provides DDoS protection, web application firewall, and bot mitigation in front of our API. May process IP addresses and request metadata. See Cloudflare Privacy Policy.
  • •Stripe (United States / Ireland) — Processes payments. See Stripe Privacy Policy.
  • •Recruiter access: Candidate assessment data is accessible to the recruiter who created the assessment. Candidates are informed of this when they begin the assessment.
  • •Legal requirements: We may disclose information if required by law, court order, or in response to a valid legal request.

5. International Data Transfers

Personal data may be transferred to and processed in countries outside the EEA, including the United States, where some of our sub-processors are based (OpenAI, Render, Vercel, Cloudflare). Where required, these transfers are covered by appropriate safeguards, including the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework.

Candidate CVs and generated PDF reports are stored on AWS S3 in Stockholm, Sweden (eu-north-1), within the European Economic Area.

6. Data Security

We apply industry-standard security measures, including:

  • Encryption in transit (HTTPS/TLS 1.2+) and at rest
  • One-way password hashing with a strong, salted algorithm
  • Strict access controls, role-based permissions, and authentication
  • DDoS protection, web application firewall, and rate limiting via Cloudflare
  • Logging and monitoring of suspicious activity
  • Regular review of dependencies and infrastructure

No method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but we work hard to protect your data.

7. Data Retention

  • •Recruiter accounts: Retained for as long as the account is active. You may request account deletion at any time. After deletion, residual backups are purged within 90 days.
  • •Candidate data (CV, intake, scores, transcripts): Retained for the duration the recruiter requires it to make a hiring decision, typically up to 12 months from the assessment date. Candidates may request earlier deletion at any time.
  • •Server and security logs: Retained for up to 90 days for security and abuse prevention.
  • •Payment records: Retained as required by applicable tax and accounting laws (typically 7-10 years).

8. Cookies and Tracking

We use only essential cookies required for the Service to function:

  • sid — your authenticated session (for recruiters)
  • Cloudflare cookies (__cf_bm, cf_clearance) — bot mitigation and security

We do not use third-party analytics cookies (no Google Analytics), advertising cookies, social media tracking pixels (no Meta Pixel, no LinkedIn Insight Tag), or A/B testing cookies. Because all our cookies are strictly necessary, no consent banner is displayed.

You can block or delete cookies at any time through your browser settings. Note that disabling essential cookies may prevent you from using parts of the Service (e.g. logging in).

9. Your Rights

Subject to applicable law, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate or incomplete data
  • Erasure (“right to be forgotten”) — request deletion of your data
  • Restriction — request that we limit the processing of your data
  • Portability — receive your data in a structured, commonly used, machine-readable format
  • Objection — object to processing based on our legitimate interests
  • Withdraw consent — where processing is based on consent
  • Lodge a complaint — with your local data protection authority (e.g. CNIL in France, AEPD in Spain, ICO in the UK)

To exercise any of these rights, contact us at support@ismns.com. We will respond within 30 days. Candidates: if the recruiter is the data controller for your data, we may direct your request to them; we will tell you if that is the case.

EU representative: ISMNS does not currently appoint an Article 27 GDPR representative in the EU. For all data protection requests originating from the EU/EEA, please contact us at support@ismns.com.

10. Controller and Processor Roles

For recruiter account data, ISMNS acts as the data controller.

For candidate data processed on behalf of a recruiter, the recruiter is the data controller and ISMNS acts as data processor. Recruiters are responsible for informing candidates about the processing and obtaining any consent required under applicable law.

11. Children's Privacy

The Service is not intended for individuals under 16. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through the Service. The “Last updated” date at the top of this page indicates when the policy was last revised.

13. Contact

For questions about this Privacy Policy, your data, or to exercise any of your rights, contact us at:

Email
support@ismns.com
Phone
+1 (307) 424-2261
Address

5830 E 2nd St, Ste 7000
Casper, WY 82609, USA