The short version
- Sorinai is a desktop tool for recruiters. We process audio, transcripts, and notes from interviews you choose to record.
- For candidate data you bring into Sorinai, you (the recruiter or your organisation) are the controller and we act on your instructions. You are responsible for obtaining recording consent from candidates. Our Data Processing Addendum forms part of these terms.
- We do not sell your data, and we do not train foundation AI models on your Customer Content.
- Our infrastructure runs primarily in Western Europe (Cloudflare R2, Supabase, Redis Cloud, Render, Recall.ai EU, PostHog EU). See Section 5 for the full subprocessor list.
- You can export or delete your data at any time. Email hello@sorinai.com.
1. Who we are
This Privacy Policy describes how Sorinai Ltd, a private limited company registered in England and Wales (company number 17153714) with its registered office at 4 Baltimore Wharf, London, E14 9AQ, United Kingdom (“Sorinai,” “we,” “us”), collects, uses, and shares personal information in connection with the Sorinai desktop application, website, and related services (collectively, the “Service”).
Sorinai Ltd is the controller of personal information about Sorinai users (recruiters and administrators). For personal information about candidates that flows through the Service, our customer (your employer or you, if you signed up directly) is the controller and we are the processor acting on their instructions.
2. Information we collect
From you, the user
- Account information: name, email address, password (managed by WorkOS AuthKit), organisation, role.
- Billing information: we use Stripe to process payments. Stripe collects your card details directly; we receive only billing metadata (last 4 digits, country, plan, invoice history).
- Usage and device information: app version, operating system, IP address, crash logs, feature usage events, approximate location derived from IP. We use this to operate and improve the Service.
- Communications: messages you send to support, survey responses, and feedback.
From your interview sessions (Customer Content)
- Audio: when you start a session, Sorinai captures audio from your device's microphone and/or system audio via the Recall.ai Desktop SDK. Audio is streamed to our transcription providers and is not retained by Sorinai after the transcript is produced, unless you explicitly enable recording storage in settings.
- Transcripts: text transcripts of the captured audio, with speaker labels and timestamps.
- Candidate-related fields: name, role applied for, qualification answers, notes, and any other information you or the candidate provide during the session.
- AI outputs: assistive content generated from your session and reference material to support the interview.
- Reference data you connect: if you upload a resume, job description, or qualification template, we process that content (including extracting text from PDF and DOCX files) to generate context-aware suggestions.
From your browser, on this website
We use Vercel Analytics for aggregate website analytics and PostHog EU for product and conversion analytics. These tools help us understand page views and aggregate usage of the website. We do not send contact form message content to analytics, and we do not use advertising trackers.
3. How we use information
We use information to:
- provide, maintain, and improve the Service;
- generate transcripts, suggestions, summaries, and flags during and after sessions;
- authenticate you, process payments, and prevent fraud or abuse;
- respond to support requests and communicate with you;
- monitor for security incidents and enforce our Terms of Service;
- comply with legal obligations.
We do not sell personal information. We do not use your Customer Content to train foundation AI models, and our AI subprocessors are contractually prohibited from doing so. We may use de-identified, aggregated telemetry (for example, “average session length”) to improve product quality.
4. Legal bases (UK GDPR / EU GDPR)
We rely on the following legal bases under the UK GDPR and, where applicable, the EU GDPR:
- Performance of a contract — to deliver the Service you have signed up for.
- Legitimate interests — to operate, secure, and improve the Service, including telemetry and abuse prevention, where those interests are not overridden by your rights.
- Consent — for any optional feature that requires it (and you can withdraw consent at any time).
- Legal obligation — where we must process data to comply with law.
For Customer Content (transcripts, candidate information), the legal basis sits with our customer as the controller. We process that content on their instructions under our Data Processing Addendum.
5. Subprocessors
We share information only as needed to run the Service and only with vendors bound by confidentiality and data-protection obligations. Our current subprocessors are:
| Subprocessor | Purpose | Region |
|---|---|---|
| Recall.ai | Meeting capture and transcription | EU |
| OpenAI | Large language model inference for copilot features | US (Zero Data Retention) |
| WorkOS | Authentication and organisation management | US |
| Stripe | Subscription billing and payment processing | US / EU / UK |
| Resend | Transactional email | US / EU |
| Cloudflare R2 | Object storage for uploaded documents and recordings | Western Europe |
| Supabase | Primary application database | Western Europe |
| Redis Cloud | Caching and rate limiting | Western Europe |
| Render | Backend application hosting | Western Europe |
| PostHog | Product analytics and feature usage telemetry | EU |
| Sentry | Error monitoring and crash reporting | US / EU |
| Vercel | Marketing website hosting and web analytics | Global edge |
Some subprocessors (notably Recall.ai) engage their own sub-processors to deliver their service. Those onward sub-processors are governed by the contract we hold with the direct subprocessor and are listed on the direct subprocessor's own website.
We will update this list when we add or change a subprocessor and will notify customers with an active subscription by email or in-product notice. We may also disclose information to comply with law, respond to valid legal process, protect the rights and safety of Sorinai or others, or in connection with a merger, acquisition, or sale of assets (in which case we will notify affected users).
6. International transfers
Sorinai is operated from the United Kingdom and our primary data infrastructure (database, object storage, cache, backend hosting, transcription, and product analytics) is located in Western Europe. Some subprocessors — notably OpenAI, WorkOS, and Sentry — are based in, or transfer data to, the United States. Where personal information is transferred out of the UK or EEA, we rely on the UK International Data Transfer Agreement, the European Commission's Standard Contractual Clauses (with the UK Addendum where applicable), or another lawful transfer mechanism.
7. Retention
We retain personal information for as long as needed to provide the Service and for legitimate business or legal purposes:
- Account information: for the life of your account, then removed from active systems promptly after closure (longer where required for tax or legal reasons).
- Audio: not stored after transcription unless you enable recording storage; if enabled, retained until you delete it or close your account.
- Transcripts and session data: retained while your account is active so you can revisit past sessions; deleted on request, and removed from active systems promptly after account closure.
- Billing records: retained for 6 years to meet UK tax and accounting obligations.
- Backups: may persist for a limited period after deletion in line with our infrastructure providers' backup cycles, then are overwritten.
8. Security
We use technical and organisational measures appropriate to the risk, including encryption in transit (TLS) and encryption at rest at the infrastructure layer, authenticated access scoped to your organisation, application logging, and review of the vendors we rely on. No system is perfectly secure; if we become aware of a breach affecting your personal information, we will notify you and the Information Commissioner's Office (ICO) within 72 hours where required by law.
9. Your rights
Depending on where you live, you may have rights to access, correct, delete, port, restrict, or object to our processing of your personal information, and to withdraw consent. You can delete your account from within the app, and you can exercise any other right by emailing hello@sorinai.com. We will respond within the timeframes required by applicable law (one month under the UK and EU GDPR).
Candidates whose information appears in a Sorinai session: please direct your request to the recruiter or organisation that captured the session, since they are the controller of your data. We will assist them in honouring your request.
UK and EU residents: you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ico.org.uk). In the EU, you can complain to your local data protection authority.
California residents: you have rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of “sharing” for cross-context behavioural advertising. We do not sell or share personal information for cross-context behavioural advertising.
10. Children
The Service is for professional use and is not directed to children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact hello@sorinai.com and we will delete it.
11. Recording consent — recruiter responsibility
Sorinai captures live conversations only when you start a session. Many jurisdictions require the consent of all participants before a conversation may be recorded or transcribed. You are responsible for obtaining the consents required by law from every participant in any session you capture with Sorinai. See our Terms of Service for the full obligation.
12. EU representative
Sorinai Ltd is established in the United Kingdom. We will appoint an EU representative if and when Article 27 of the EU GDPR requires us to do so. In the meantime, individuals in the EU may contact us directly with privacy enquiries at hello@sorinai.com.
13. Changes to this policy
We may update this Privacy Policy from time to time. If we make a material change, we will notify you by email or in-product notice and update the effective date above. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
14. Contact us
Privacy questions, requests, or complaints: hello@sorinai.com.