Privacy Policy

Last updated: March 12, 2026
Effective date: March 12, 2026


Shortlists ApS
CVR: DK46023765
Sortedam Dossering 55, Copenhagen, Denmark
Email: [email protected]


1. Introduction

Shortlists ApS ("Shortlists," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use our website at shortlists.io, our web application at app.shortlists.io, and our Chrome Extension (together, the "Platform").

Please read this policy carefully. By using the Platform, you acknowledge that you have read and understood it.

This policy covers personal data that Shortlists processes as a data controller — meaning data we collect and use for our own purposes, such as running our business, managing customer accounts, and operating our website. It does not govern data that our customers upload about their own candidates and contacts; customers are the data controllers for that data and are responsible for their own compliance obligations.


2. Who We Are

Shortlists is a cloud-based recruitment platform combining an applicant tracking system (ATS), a Client Relationship Management system (CRM), and AI-powered workflow tools, built for solo recruiters and small recruitment teams.

We are incorporated in Denmark as an ApS (Anpartsselskab) and process personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Danish data protection legislation.

For privacy questions or requests, contact us at: [email protected]


3. Personal Data We Collect

Depending on how you interact with us, we may collect and process the following categories of personal data.


3.1 Account and Registration Data

  • Name and email address

  • Password (stored in hashed form)

  • Company name and job title

  • Profile preferences and settings


3.2 Billing and Payment Data

  • Billing name and address

  • Payment method details (processed by our payment provider; we do not store full card numbers)

  • Subscription history and invoices


3.3 Usage and Technical Data

  • IP address and approximate location (country/city level)

  • Browser type, device type, and operating system

  • Pages visited, features used, and time spent on the Platform

  • Log data and error reports

  • Session and authentication data


3.4 Communications Data

  • Messages sent to our support team

  • Responses to surveys or feedback requests

  • Emails and other communications with Shortlists staff


3.5 Integration Data

When you connect third-party services to the Platform (such as Google Workspace or Microsoft 365), we access only the data necessary to provide the integration. See Sections 5 and 7 for details.


3.6 Email Data

When you connect your Gmail or Microsoft Outlook account, the Platform accesses your inbox to display emails related to your candidates and clients directly within the interface. We display this data in real time — we do not store your emails on our servers. Email content is fetched on demand and is not retained once your session ends or the view is closed.


3.7 Calendar and Meeting Data

When you enable our AI notetaker feature and authorize calendar access:

  • Calendar events and meeting schedules

  • Meeting URLs and platform (e.g., Google Meet, Microsoft Teams)

  • Meeting participants and timestamps

  • Meeting recordings and transcripts (where authorized by you)


3.8 Candidate and Client Data (Platform Data)

When you use the Platform in your recruitment work, you may upload:

  • Candidate profiles, résumés, and contact information

  • Client company information

  • Interview notes, assessments, and pipeline data

  • Documents and attachments

You are the data controller for this data. We process it only on your behalf, to provide the Platform. You are responsible for ensuring you have a lawful basis to collect and process this data, and for complying with applicable data protection and employment laws.


4. How We Use Your Personal Data

We use personal data for the following purposes and on the following legal bases.

Purpose | Legal Basis
------- | -----------
Creating and managing your account | Performance of a contract
Providing the Platform and its features | Performance of a contract
Processing payments and managing billing | Performance of a contract
Providing customer support | Performance of a contract; legitimate interests
Sending service-related communications (updates, security alerts) | Performance of a contract; legitimate interests
Sending marketing communications about Shortlists products | Legitimate interests (opt-out available); consent where required
Improving and developing the Platform | Legitimate interests
Ensuring security, preventing fraud, and maintaining integrity | Legitimate interests; legal obligations
Complying with legal and regulatory obligations | Legal obligations
Resolving disputes and enforcing our Terms | Legitimate interests; legal obligations

Where we rely on legitimate interests, we balance those interests against your rights and will not process your data in a way that overrides your fundamental privacy rights.


5. Calendar and Meeting Data


5.1 Why We Need Calendar Access

Our AI notetaker feature requires access to your Google Calendar or Microsoft 365 calendar to identify upcoming meetings, join them automatically, and generate transcripts. This access is granted only when you explicitly connect your calendar and enable the feature.


5.2 What We Access

  • We read calendar events to identify upcoming meetings

  • We access meeting URLs to join video conferences automatically (Google Meet and Microsoft Teams)

  • We use participant information to attribute transcript content accurately

  • We use meeting timing to start and stop recordings


5.3 How We Use It

Calendar and meeting data is used exclusively to provide the notetaker functionality. We do not use it for advertising or share it with third parties for commercial purposes.


5.4 Your Control

You can disconnect your calendar or disable the notetaker feature at any time from your account settings. You can also revoke calendar permissions directly through your Google or Microsoft account settings.


5.5 Google API Services

Our use of Google API Services complies with the Google API Services User Data Policy, including the Limited Use requirements. We do not use data obtained through Google APIs for any purpose other than providing the features you have enabled.


6. Email Integration


6.1 What We Access

When you connect your Gmail or Microsoft Outlook account, the Platform accesses your inbox to surface relevant email conversations alongside your candidate and client records. This lets you see your recruitment-related correspondence in context without leaving the Platform.


6.2 Display Only — No Email Storage

We do not store your emails on our servers. Email content is fetched in real time when you view it within the Platform and is not retained once your session ends or the view is closed. We do not index, analyze, or process your email content for any purpose other than displaying it to you.


6.3 Scope of Access

We access only the emails necessary to display relevant conversations between you and your candidates and clients. We process the conversations, but we do not store your email data in Shortlists.


6.4 Your Control

You can disconnect your Gmail or Outlook account at any time from your account settings. You can also revoke permissions directly through your Google or Microsoft account.


6.5 Google API Services

Our use of Gmail via the Google API complies with the Google API Services User Data Policy, including the Limited Use requirements. Email data accessed through Google APIs is used solely to display it to you within the Platform and for no other purpose.


7. AI Features


7.1 How AI Works in Shortlists

The Platform uses AI to assist with tasks such as drafting candidate reports and outreach messages, suggesting candidate matches, summarizing profiles, and transcribing meetings. These are productivity tools designed to assist your judgment, not replace it.


7.2 Your Data and AI Training

We do not use your data — including candidate data, meeting transcripts, or any other content you upload — to train, fine-tune, or improve AI models, whether our own or those of any third-party provider.


7.3 Third-Party AI Providers

Some AI features are powered by third-party AI providers whose models we access via their standard APIs (such as OpenAI). These providers operate under their own terms of service and privacy policies. We use API access configurations that, where available, disable training on submitted data. We recommend reviewing the relevant provider's privacy documentation if you have specific concerns.


7.4 AI-Generated Output

AI-generated content is probabilistic and may not always be accurate. You should review all AI Output before relying on it or sharing it externally. You are responsible for decisions made on the basis of AI Output.


8. Third-Party Integrations

The Platform supports integrations with services such as Google Workspace, Microsoft 365, and LinkedIn. When you enable an integration:

  • We access only the data necessary to provide the functionality of that integration.

  • Data exchanged with third-party services is governed by the terms and privacy policies of those services.

  • You can disconnect any integration at any time from your account settings.

Shortlists is not responsible for the data practices of third-party services. We recommend reviewing their privacy policies before enabling integrations.


9. Cookies and Tracking Technologies

We use cookies and similar technologies on our website and Platform for the following purposes:

  • Essential cookies — Required for the Platform to function (authentication, session management)

  • Performance cookies — Analytics to understand how the Platform is used and to improve it

  • Marketing cookies — Where applicable, to measure the effectiveness of our marketing

You can manage cookie preferences through our cookie banner or your browser settings. Disabling certain cookies may affect Platform functionality.

For more information, see our Cookie Policy at shortlists.io/cookies.


10. Data Sharing and Disclosure

We do not sell your personal data. We may share it in the following circumstances:


10.1 Service Providers

We share data with trusted third-party vendors who help us operate the Platform, including hosting providers, payment processors, analytics tools, email delivery services, and AI API providers. These vendors are permitted to process data only as necessary to provide their services to us.


10.2 Legal Requirements

We may disclose personal data if required by law, court order, or other legal process, or to protect the rights, property, or safety of Shortlists, our customers, or others.


10.3 Business Transfers

If Shortlists is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected users before data is transferred and becomes subject to a different privacy policy.


10.4 With Your Consent

We may share your data for other purposes with your explicit consent.


11. Data Retention

We retain personal data for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required by law.

Data Type | Retention Period
--------- | ----------------
Account data | Duration of account, plus up to 2 years after closure
Billing and payment records | 5 years (Danish bookkeeping requirements)
Meeting recordings and transcripts | Up to 12 months, or until deleted by you
Calendar data | Processed in real time; not stored beyond operational need
Email data (Gmail / Outlook integration) | Not stored; displayed in real time only
Support communications | 3 years from last contact
Usage and log data | Up to 12 months
Candidate/client data (Platform) | Per your data management settings; deleted within 30 days of account closure

You can request earlier deletion of your data at any time. See Section 13 for your rights.


12. Data Security

We take the security of your data seriously. Below is an overview of the technical and organizational measures we have in place.


12.1 Infrastructure and Hosting

The Platform is built on Supabase, an enterprise-grade PostgreSQL database platform. Our database is hosted in the EU-North-1 region (Stockholm), ensuring your data stays within the European Economic Area. Infrastructure is continuously patched and maintained, and database access is restricted to Shortlists development staff, protected by two-factor authentication (2FA).


12.2 Encryption

  • All data stored on our servers is encrypted at rest using AES-256

  • All data in transit is encrypted using TLS to prevent interception or tampering


12.3 Authentication and Access Controls

  • Passwords are bcrypt-hashed and salted — never stored in plain text

  • JSON Web Tokens (JWT) are used for secure session management

  • Access permissions are clearly defined to prevent unauthorized escalation

  • Internal access to production data is strictly limited to authorized development staff

  • We recommend all users sign in via our Google or Microsoft SSO integrations


12.4 Row-Level Security

We enforce Supabase's built-in Row-Level Security (RLS) at the database level. This ensures that users can only access data they are explicitly permitted to view or modify, and that data from one account can never be accessed by another.


12.5 Backups

Automatic daily backups are performed for disaster recovery and data restoration purposes. Backups are encrypted and securely stored.


12.6 Compliance Posture

Our infrastructure provider (Supabase) maintains the following certifications:

  • SOC 2 compliant

  • GDPR-compliant data architecture

  • HIPAA-compatible configuration


12.7 Breach Notification

No system is completely secure. If you become aware of any security concern, please notify us at [email protected]. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay as required by GDPR.


13. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Right of access — Request a copy of the personal data we hold about you

  • Right to rectification — Request correction of inaccurate or incomplete data

  • Right to erasure — Request deletion of your personal data (subject to legal retention obligations)

  • Right to restriction — Request that we limit how we use your data in certain circumstances

  • Right to data portability — Receive your data in a structured, machine-readable format

  • Right to object — Object to processing based on legitimate interests, including direct marketing

  • Right to withdraw consent — Where processing is based on consent, withdraw it at any time without affecting prior processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet) at www.datatilsynet.dk.


14. International Data Transfers

Shortlists is based in Denmark and our primary data hosting is within the European Economic Area. Some of our service providers and AI API providers may process data outside the EEA. Where this occurs, we ensure that appropriate safeguards are in place — such as the European Commission's Standard Contractual Clauses — to provide an equivalent level of protection.


15. Children's Privacy

The Platform is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, please contact us at [email protected] and we will delete it promptly.


16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or via an in-app notification before the changes take effect. The updated policy will be posted at shortlists.io/privacy with a revised "Last updated" date.

Your continued use of the Platform after the effective date of any changes constitutes acceptance of the updated policy.


17. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:


Shortlists ApS
Sortedam Dossering 55, Copenhagen, Denmark
CVR: DK46023765
Email: [email protected]
Website: shortlists.io


We will respond to all privacy inquiries within 30 days of receipt.