Privacy Policy

Bifrost Defence

Last updated: 12/08/2025

1. Controller Information (Art. 13 GDPR)

 

The data controller responsible for processing personal data within the meaning of the General Data Protection Regulation (GDPR) is:

 

Bifrost Defence

Email: info@bifrostdefence.com

 

For all data protection matters, you may contact:

Data Protection Contact: info@bifrostdefence.com

 

If required under German law (§38 BDSG), a Data Protection Officer (DPO) will be formally appointed and published here.

2. Scope of This Policy

 

This Privacy Policy applies to all users of the Bifrost Defence recruitment productivity SaaS platform, including:

• AI notetaker functionality

• Candidate shortlist services

• Meeting transcription services

• Client and candidate management tools

 

This policy applies to users located in Germany, the European Union, the United Kingdom, and internationally.

3. Legal Basis for Processing (Art. 6 GDPR)

 

We process personal data only where a lawful basis exists:

• Art. 6(1)(b) GDPR – Performance of a contract (platform services)

• Art. 6(1)(c) GDPR – Compliance with legal obligations

• Art. 6(1)(f) GDPR – Legitimate interests (platform security, service improvement)

• Art. 6(1)(a) GDPR – Consent (e.g., calendar access, recordings)

 

For AI transcription of meetings, processing is based on:

• User consent

• Contractual necessity

• Legitimate interest in recruitment documentation efficiency

 

Where special categories of data (Art. 9 GDPR) are processed (e.g., potentially sensitive candidate data), such processing occurs only where legally permitted and necessary.

4. Categories of Data We Process

 

4.1 Account Data

• Name

• Email address

• Login credentials

• Account settings

 

4.2 Calendar and Meeting Data

• Calendar events

• Meeting URLs

• Participant names and metadata

• Meeting timestamps

• Recordings (if authorized)

• Transcripts

 

4.3 Candidate and Client Data

• CVs and resumes

• Contact information

• Interview notes

• Evaluation data

• Client company information

 

4.4 Technical Data

• IP address

• Device information

• Log files

• Usage analytics

5. Google Calendar API Compliance

 

Bifrost Defence’s use of Google Calendar API data complies with:

• Google API Services User Data Policy

• Limited Use requirements

 

We access calendar data strictly to:

• Detect scheduled meetings

• Join meetings automatically

• Record and transcribe (where authorized)

• Attribute speakers correctly

 

We do not:

• Use Google data for advertising

• Sell Google data

• Transfer Google data to data brokers

 

Calendar data is processed securely and retained only as operationally necessary.

 

Users may revoke access at any time via their Google account.

6. AI Processing & EU AI Act Transparency

 

Our platform includes AI systems used for:

• Automated transcription

• Candidate summarization

• Shortlist generation

• Report drafting

 

In accordance with emerging EU AI Act standards:

• Users are informed when AI systems are used

• AI outputs are assistive tools and do not replace human decision-making

• Human review is expected for recruitment decisions

• We implement technical safeguards to reduce bias

 

We do not use AI for fully automated legal or employment decisions within the meaning of Art. 22 GDPR.

7. Data Security (Art. 32 GDPR)

 

We implement appropriate technical and organizational measures including:

• TLS/HTTPS encryption

• Encrypted cloud storage

• Role-based access controls

• Multi-factor authentication support

• Regular penetration testing

• Audit logging

• Data minimization principles

 

Access to candidate and meeting data is strictly limited.

8. Data Retention Policy

• Account data: retained during contract term + statutory retention period

• Meeting recordings: max. 12 months unless deleted earlier

• Calendar metadata: processed temporarily, not permanently stored

• Candidate data: retained according to client settings and legal requirements

• Log files: retained for security and compliance purposes

 

Data is deleted or anonymized when no longer required.

9. Data Processing Agreements (Art. 28 GDPR)

 

Where we process personal data on behalf of clients, we act as a data processor.

 

We provide:

• Data Processing Agreements (DPAs)

• Standard Contractual Clauses where applicable

• Clear role definitions (controller vs processor)

 

Clients remain responsible for lawful collection of candidate data.

10. International Data Transfers

 

Where data is transferred outside the EU/EEA:

• We use Standard Contractual Clauses (SCCs)

• We assess third-country risk

• We implement supplementary safeguards where required

 

Data hosting locations and subprocessors are available upon request.

11. Your Rights Under GDPR (Art. 15–22)

 

If you are located in Germany or the EU, you have the right to:

• Access your data (Art. 15)

• Rectification (Art. 16)

• Erasure (Art. 17)

• Restriction of processing (Art. 18)

• Data portability (Art. 20)

• Object to processing (Art. 21)

• Withdraw consent at any time

 

You also have the right to lodge a complaint with a supervisory authority.

 

For Germany, the relevant authority is typically:

 

The State Data Protection Authority (Landesdatenschutzbehörde) of your federal state.

12. Automated Decision-Making

 

We do not conduct solely automated decision-making with legal or similarly significant effects under Art. 22 GDPR.

 

All recruitment decisions remain subject to human review.

13. Confidentiality in Defence Context

 

Given the potential defence and dual-use environment in which Bifrost Defence operates:

• We apply heightened internal confidentiality controls

• Access to sensitive recruitment data is restricted

• We apply need-to-know principles

• Security logging and monitoring are implemented

 

We may implement additional compliance measures where required by German or EU security regulations.

14. Children’s Data

 

Our services are not directed at individuals under 16 years of age in Germany and the EU.

 

We do not knowingly process data of minors.

15. Updates to This Policy

 

We may update this Privacy Policy to reflect:

• Legal developments

• Regulatory changes

• Platform improvements

 

Material changes will be communicated via email or platform notification.

16. Contact for Data Protection Matters

 

Bifrost Defence

Email: info@bifrostdefence.com

 

We respond to GDPR-related requests within 30 days.