Privacy Policy
Welcome to Smart Sifty ("Service"), operated by CORTX AI LIMITED ("we", "our", "us", "Company"). We are committed to protecting your privacy and the privacy of the candidates whose data is processed through our Service. This Privacy Policy ("Policy") explains how we collect, use, store, disclose and safeguard personal data when you visit our website at smartsifty.com, access our platform at app.smartsifty.com, or use our API. By accessing or using the Service, you agree to the terms of this Policy.
This Policy should be read together with our Terms of Service, which set out how the Service may be used and the obligations of users of the platform.
1. Definitions
- "Personal Data": Any information relating to an identified or identifiable natural person.
- "Processing": Any operation or set of operations performed on Personal Data, whether or not by automated means.
- "Data Controller": The entity that determines the purposes and means of Processing Personal Data.
- "Data Processor": The entity that Processes Personal Data on behalf of a Data Controller.
- "Data Subject": The individual to whom Personal Data relates.
- "Client" or "User": The organisation or professional individual (recruiter, employer, agency) using the Service.
- "Candidate": An individual whose CV is submitted through the Service by a Client.
- "GDPR": UK GDPR and/or EU General Data Protection Regulation (Regulation (EU) 2016/679), as applicable.
- "EU AI Act": Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence.
- "Sub-processor": Any third party engaged by us to Process Personal Data on behalf of a Client.
- "Cookies": Small data files stored on your device to improve your browsing experience.
2. Controller Information
CORTX AI LIMITED
Company Number: 15284483
Registered in England and Wales
Privacy contact: privacy@smartsifty.com
Phone: 0843 122 8260
We have not appointed a formal Data Protection Officer as defined under UK GDPR Article 37, as we are not currently required to do so. Our Privacy Contact handles all data protection enquiries and can be reached at the address above.
3. Our Role: Controller vs Processor
Smart Sifty operates in two distinct data-protection relationships:
- As Data Controller (in respect of Client account data and website visitors): We are the Data Controller for Personal Data we collect directly from website visitors and from Clients during account registration, billing, support and platform use.
- As Data Processor (in respect of Candidate data submitted by Clients): Where a Client uploads CVs, job descriptions or any other Candidate-related material, the Client is the Data Controller of that data, and we act as Data Processor on their behalf, in accordance with our Data Processing Agreement (DPA) and the Terms of Service.
This Policy primarily addresses our role as Data Controller. Our obligations as Data Processor are governed by the DPA, which is available on request at privacy@smartsifty.com.
4. Information We Collect
4.1 Information You Provide
- Account Information: When you register, we collect your name, email address, password (stored as a salted hash), company information and billing details.
- Communications: Any correspondence between you and us, including emails, support requests and any information you share with our team.
- Payment Information: Billing details are processed securely through Stripe; we do not store full card numbers on our infrastructure.
- Newsletter Preference: An optional preference indicating whether you wish to receive future newsletters from us.
4.2 Candidate Data Submitted by Clients
Where Clients use the Service to evaluate Candidates, the following data may be Processed on the Client's behalf:
- CV Content: CVs uploaded as files (PDF, DOCX or other formats) or as text, and the structured data extracted from them (name, contact details, location, languages, education, work history, certifications, skills).
- Job Description Content: Text and structured representation of job descriptions submitted for the purpose of candidate-job matching.
- Scoring Output: The category-level scores, overall match score and written observations generated by the Service.
For this category of data, the Client is the Data Controller and is responsible for ensuring a valid legal basis for the Processing and for providing required notices to Candidates. We act as Data Processor.
4.3 Automatically Collected Information
- Usage Data: IP address, browser type, device information, referring URL, pages visited, time spent and similar metrics.
- Log Data: Server logs containing technical information about Service usage, including request timestamps, endpoints accessed and request identifiers. These logs are used for security, debugging, performance monitoring and audit purposes.
- Cookies and Tracking Technologies: See Section 12 for details.
5. How We Use Your Information
We use Personal Data for the following purposes:
- To provide and operate the Service: Managing your account, processing CVs and Job Descriptions, generating Scoring Output and making it available to authorised Client users.
- To process payments: Handling transactions through Stripe and managing Credits and billing.
- To communicate with you: Responding to enquiries, sending service-related notices and providing customer support.
- To secure the Service: Detecting and preventing fraud, unauthorised access, abuse and security incidents.
- To comply with legal obligations: Including accounting, tax and regulatory requirements.
- To improve the Service: Analysing usage metrics (in aggregated and pseudonymised form where possible) to enhance functionality, reliability and user experience.
- Newsletter (with consent): If you have opted in to receive newsletters, we may use your email address to send them. You can withdraw consent at any time.
We do not use your data or Candidate data to train any foundation model or AI system. See Section 7 for details on AI processing.
6. Legal Basis for Processing
Under UK GDPR / EU GDPR, we rely on the following legal bases:
- Performance of a Contract: Processing necessary to provide the Service to you under our Terms of Service.
- Legitimate Interests: Processing necessary for our legitimate business interests in operating, securing, monitoring and improving the Service, where these interests are not overridden by your rights and freedoms.
- Legal Obligations: Processing necessary to comply with applicable law.
- Consent: Where required, for example for non-essential cookies and for newsletters. Consent can be withdrawn at any time.
For Candidate data, the Client (as Controller) is responsible for identifying and documenting the legal basis for Processing.
7. AI Processing, PII Substitution and Decision-Support
7.1 How the Service Uses AI
Smart Sifty is an AI-assisted scoring system. Job Descriptions and CVs submitted to the Service are processed in a controlled pipeline that uses third-party foundation models (currently provided by xAI Corp. and by Anthropic via AWS Bedrock) to produce structured analytical output (category-level scores, overall match score and written observations) for the use of qualified human recruiters.
Smart Sifty does not train, fine-tune, customise or update the weights of any underlying foundation model. The Service uses these models in their standard form, with runtime configuration only (prompt design, deterministic preprocessing, structured outputs, PII substitution and input validation).
7.2 PII Substitution Before Scoring
As a built-in bias-mitigation control, identity-related fields extracted from CVs (such as name, email, phone and location) are substituted with neutral placeholders (for example, PII_name, PII_email) before the data reaches the scoring stage of the pipeline. This is a technical safeguard intended to reduce the risk of identity-based bias in scoring outputs.
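The substitution step described above, as an added Python illustration (example code written for this page, not Smart Sifty's own implementation; the field names and the PII_<field> placeholder form are assumptions modelled on the fields this section lists). It also shows the check a practitioner would want before the payload reaches scoring: identity values often recur inside free-text fields such as work-history summaries, so a field-level swap alone is not enough.

```python
"""Illustrative PII substitution ahead of a scoring stage (Section 7.2).

Assumptions (not from the Policy): the structured CV is a dict, the
identity fields are exactly those below, and placeholders take the
form "PII_<field>".
"""
import re
from copy import deepcopy

# Identity-related fields that must never reach the scoring stage (assumed set).
IDENTITY_FIELDS = ("name", "email", "phone", "location")

# Constructed sample record, not real candidate data.
SAMPLE_CV = {
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "phone": "+44 7700 900123",
    "location": "London",
    "skills": ["Python", "AWS"],
    "work_history": [
        {"employer": "Acme Ltd", "summary": "Jane Doe led the London platform team."}
    ],
}


def substitute_pii(cv: dict) -> tuple[dict, dict]:
    """Return (scoring_payload, mapping).

    scoring_payload: copy of the CV with identity fields replaced by neutral
                     placeholders such as "PII_name"; the input is left intact.
    mapping:         placeholder -> original value, held outside the scoring
                     stage so real details can be restored for the recruiter.
    """
    payload = deepcopy(cv)
    mapping = {}
    for field in IDENTITY_FIELDS:
        value = payload.get(field)
        if not value:
            continue
        placeholder = f"PII_{field}"
        mapping[placeholder] = value
        payload[field] = placeholder
    # The same values tend to leak through free text, so scrub them everywhere.
    return _scrub_free_text(payload, mapping), mapping


def _scrub_free_text(obj, mapping):
    """Recursively replace literal occurrences of each original identity value.

    Matching is case-insensitive; very short values (e.g. a two-letter name)
    would over-match, which a production filter would need to handle.
    """
    if isinstance(obj, str):
        for placeholder, value in mapping.items():
            obj = re.sub(re.escape(str(value)), placeholder, obj, flags=re.IGNORECASE)
        return obj
    if isinstance(obj, dict):
        return {k: _scrub_free_text(v, mapping) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_scrub_free_text(v, mapping) for v in obj]
    return obj


def payload_is_clean(payload: dict, mapping: dict) -> bool:
    """Pre-scoring guard: True only if no original identity value survives."""
    flat = repr(payload).lower()
    return not any(str(v).lower() in flat for v in mapping.values())
```

Failing closed on `payload_is_clean` (refusing to score rather than sending a partially redacted record) is the behaviour that makes the control a safeguard rather than a best-effort filter.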
7.3 No Use of Your Data for Model Training
We do not use your account data, CVs, Job Descriptions, Scoring Output or any other content to train, fine-tune or improve any foundation model or AI system. Our use of AWS Bedrock and the xAI API is subject to those providers' published terms, under which we do not opt in to use of customer data for model improvement.
7.4 Decision-Support, Not Automated Decision-Making
Smart Sifty is a decision-support system. The Service produces informational scoring outputs that are presented to a qualified human recruiter for review. The Service does not make hiring decisions, does not contact Candidates, does not reject Candidates and does not take any action on Candidates without explicit human initiation by the Client.
Under our Terms of Service, Clients are required to ensure that meaningful human review of each Candidate is performed before any hiring, screening, rejection, progression or candidate-contact decision is made. On this basis, the Service is not intended to produce solely-automated decisions within the meaning of UK GDPR Article 22(1).
7.5 EU AI Act — High-Risk AI System
Smart Sifty operates in the recruitment and employment context, which falls within Annex III of the EU AI Act as a high-risk AI system. Where the EU AI Act applies, Clients using the Service act as Deployers and are responsible for fulfilling Deployer obligations in their jurisdiction, including human oversight (Article 14), informing affected Candidates (Article 86, applicable from 2 August 2026) and maintaining records of system use. We support our Clients in meeting these obligations by providing the technical safeguards described in this Policy and in the Terms of Service.
8. Data Storage, Hosting and International Transfers
8.1 Primary Data Storage
All Smart Sifty platform data (account data, CVs, Job Descriptions, Scoring Output, application logs) is stored on Amazon Web Services (AWS) infrastructure in the EU (London) — eu-west-2 region. This includes:
- Application servers (AWS Lambda) — eu-west-2;
- Object storage (AWS S3) — eu-west-2;
- Database (AWS DynamoDB / MongoDB) — eu-west-2;
- Email delivery (AWS SES) — eu-west-2.
8.2 AI Model Inference Regions
Foundation model inference for the Service is performed in EU regions:
- Anthropic Claude (Meridian profile): via AWS Bedrock in EU regions;
- xAI Grok (Aurora profile): via the xAI API in EU (Ireland) — eu-west-1.
8.3 International Transfers
While all primary processing occurs within the EU and UK, certain sub-processors are corporate groups with international operations. In particular:
- Amazon Web Services: The Service uses AWS regions inside the EU/UK. AWS is a global organisation, and administrative and support functions may involve transfers outside the EU/UK. AWS implements Standard Contractual Clauses (SCCs) and additional safeguards under its GDPR Data Processing Addendum.
- xAI Corp.: Headquartered in the United States. Inference for the Service is performed in EU (Ireland), and any transfers outside the EU/UK are subject to xAI's standard contractual safeguards.
- Stripe: Payments are handled by Stripe Payments UK Ltd, with internal Stripe group transfers covered by Stripe's SCCs and DPA.
Where any transfer of Personal Data outside the UK / EEA occurs in connection with the Service, we ensure that appropriate safeguards are in place under UK GDPR Chapter V / EU GDPR Chapter V, including Standard Contractual Clauses and supplementary measures where required by Schrems II guidance.
9. Data Security
We implement appropriate technical and organisational measures to protect Personal Data from unauthorised access, alteration, disclosure or destruction, including:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS.
- Encryption at rest: Data stored on AWS infrastructure (S3, DynamoDB, MongoDB) is encrypted at rest using AWS-managed encryption.
- Access controls: Role-based access controls and least-privilege principles are applied to internal access to production systems.
- Authentication: User accounts are protected by password (stored as a salted hash) and, where available, additional authentication factors.
- API security: API access requires API keys, with domain authorisation, rate limiting, content validation and audit logging.
- Bias-mitigation control: PII substitution is applied before AI scoring (see Section 7.2).
- Audit logging: Service interactions and administrative actions are logged for security and audit purposes.
- Penetration testing: The Platform is subject to periodic independent penetration testing.
- Information security framework: Our security practices are aligned with the principles of ISO/IEC 27001 and ISO/IEC 42001. We are working towards formal certification for these standards.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. We continuously review and improve our security measures.
10. Data Retention
We retain Personal Data only for as long as necessary for the purposes set out in this Policy or as required by applicable law.
- Account Information: Retained for the duration of your account. Following account closure, account data will be deleted within 90 days, except where retention is required by law (for example, accounting records).
- CVs, Job Descriptions and Scoring Output: Retained in the Client's workspace for the duration of the Client's account, so the Client can access historical processing results. Clients may delete specific records at any time. Following account closure, this data will be deleted within 90 days, unless the Client requests earlier deletion or longer retention is required by law.
- Audit Logs: Retained for up to 12 months for security, audit and compliance purposes.
- Payment Records: Retained for the period required by UK accounting and tax law (currently six years).
- Communications and Support Records: Retained for up to 24 months after the last interaction, unless a longer period is necessary to resolve disputes or enforce agreements.
- Anonymised / Aggregated Data: Data that has been irreversibly anonymised and no longer identifies any individual may be retained indefinitely for analytical and product-improvement purposes.
Where a Candidate or Client exercises a right to erasure (Section 11), we will process the request in accordance with applicable law.
11. Your Rights Under UK GDPR / EU GDPR
Subject to applicable law, you have the following rights regarding your Personal Data:
- Right of Access: To request a copy of the Personal Data we hold about you.
- Right to Rectification: To request correction of inaccurate or incomplete Personal Data.
- Right to Erasure ("Right to be Forgotten"): To request deletion of your Personal Data, subject to certain legal exceptions.
- Right to Restrict Processing: To request limitation of how your Personal Data is processed.
- Right to Data Portability: To receive your Personal Data in a structured, commonly used, machine-readable format.
- Right to Object: To object to Processing based on legitimate interests or for direct marketing.
- Rights Related to Automated Decision-Making: Although Smart Sifty is designed as a decision-support system requiring human review (Section 7.4), you have the right to request human intervention, express your point of view, and contest any decision that may nonetheless have been made based solely on automated processing.
- Right to Withdraw Consent: Where Processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of Processing carried out before withdrawal.
- Right to Lodge a Complaint: You may lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or your local EU supervisory authority.
11.1 How to Exercise Your Rights
To exercise any of these rights, please contact us at privacy@smartsifty.com. We will respond within one month of receiving your request, in accordance with UK GDPR. We may need to verify your identity before processing the request.
Where you are a Candidate whose CV has been submitted to the Service by a Client, please contact the Client (the Data Controller) in the first instance. If you cannot identify the Client, contact us at privacy@smartsifty.com and we will assist where possible.
11.2 No Fee
Exercising your rights is generally free of charge, except where requests are manifestly unfounded, excessive or repetitive, in which case we may charge a reasonable fee or refuse the request, as permitted by law.
12. Cookies and Tracking Technologies
We use a minimal set of cookies and tracking technologies on smartsifty.com and app.smartsifty.com. The categories we use are:
- Strictly necessary cookies: Required for the operation of the Service, including session management, authentication and security. These cookies do not require consent.
- Privacy-preserving analytics: We use Vercel Analytics to understand aggregated patterns of website use. Vercel Analytics is designed to be cookieless and does not track individual visitors across sessions or websites.
- Functional cookies (Crisp support chat): Our customer support chat is provided by Crisp and sets functional cookies needed to maintain a chat session and deliver messages. Crisp is only loaded after you accept cookies via our cookie banner; you can use the Service without it.
We do not use Google Analytics or any third-party advertising, retargeting or cross-site tracking technologies on our Website or platform.
We obtain your consent for non-essential cookies through a cookie banner shown on first visit. The banner offers three equally prominent options — Accept all, Reject all, or Preferences for category-by-category control — in line with UK ICO guidance against dark patterns. Your choice is remembered in a strictly necessary first-party cookie (@smartsifty.cookieConsent) that persists for one year, and you can review or change it at any time via the link available in the application header, profile menu and settings, and at this point in the Policy. Cookies are scoped per domain: consent given on app.smartsifty.com (the Platform) is separate from consent given on smartsifty.com (the Website); each domain presents its own banner.
13. Sub-processors
We engage the following sub-processors to provide the Service. Each sub-processor is contractually bound by data-protection obligations equivalent to those set out in this Policy and the DPA:
- Amazon Web Services EMEA SARL — cloud infrastructure (compute, storage, database, email delivery) and Bedrock model inference, EU/UK regions.
- xAI Corp. — Grok foundation model inference (EU/Ireland).
- Stripe Payments UK Ltd — payment processing.
- Vercel Inc. — front-end hosting and privacy-preserving (cookieless) analytics.
- Crisp IM SARL — customer support chat (live-chat sessions and message delivery), based in Nantes, France (EU). Loaded only after you accept the Crisp category in our cookie banner.
An up-to-date list of sub-processors is available on request at privacy@smartsifty.com. Where we introduce new sub-processors, we will update this list and, where required by the DPA, provide notice to Clients.
14. Third-Party Services and Links
The Service may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices or content of those third parties. We encourage you to review the privacy policies of any third-party services you interact with.
15. Children's Privacy
The Service is intended for professional users aged 18 or over and is not directed to children. We do not knowingly collect Personal Data from anyone under 18. If we become aware that we have collected Personal Data from a child without verifiable parental consent, we will take steps to delete such information promptly.
16. Data Breach Notification
In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of Data Subjects, we will notify the relevant supervisory authority (such as the UK ICO) within 72 hours of becoming aware of the breach, in accordance with UK GDPR Article 33. Where the breach is likely to result in a high risk to affected individuals, we will also notify them without undue delay.
17. Data Protection Impact Assessments (DPIAs)
Where Processing activities are likely to result in a high risk to the rights and freedoms of Data Subjects, we conduct Data Protection Impact Assessments in accordance with UK GDPR Article 35. As Smart Sifty operates in the recruitment context — a high-risk area under both UK GDPR and the EU AI Act — DPIA is part of our compliance and governance framework.
18. Data Processing Agreements
Where we act as a Data Processor on behalf of a Client (in respect of Candidate data), we enter into a Data Processing Agreement (DPA) with the Client setting out the scope, nature and purpose of Processing, the categories of Personal Data, the duration of Processing and the obligations of both parties under UK GDPR Article 28. Our DPA is available on request at privacy@smartsifty.com.
19. Data Minimisation and Purpose Limitation
We adhere to the GDPR principles of data minimisation and purpose limitation. We collect and Process only the Personal Data that is necessary for the specified purposes set out in this Policy, and we do not Process Personal Data in ways that are incompatible with those purposes.
20. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will update the "Last Updated" date at the top of this Policy and, where appropriate, provide additional notice (for example, via in-app notification or email). Your continued use of the Service after the changes become effective constitutes acceptance of the updated Policy.
21. Contact Us
For any questions about this Policy, our data practices, or to exercise your rights, please contact us at:
CORTX AI LIMITED
Privacy and data protection: privacy@smartsifty.com
Security incidents: security@smartsifty.com
Legal and contractual matters: legal@smartsifty.com
General support: support@smartsifty.com
Phone: 0843 122 8260