Privacy Policy

Account data — name, email, profile image, organization, plan tier, and authentication identifiers from your sign-in provider (Google, LinkedIn, or email).

Product data — natural-language queries you submit, candidate searches, pipelines you save, outreach drafts, and chat transcripts that the agent generates on your behalf.

Candidate data — public profile information surfaced from third-party sources (LinkedIn, GitHub, AngelList, Crunchbase, and similar) in response to your queries. We only retain the candidates you actively save to a pipeline.

Usage data — IP address, user agent, page paths, request timestamps, errors, and feature interactions, used for security and product analytics.

Communications — the contact form on imast.ai and any email you send to us.

To run the agent: searching, ranking, scoring, drafting outreach, persisting your pipelines, and showing you relevant history.

To operate the service: authentication, billing, error monitoring, abuse prevention, and customer support.

To improve the product in aggregate: anonymised usage metrics that do not identify you or any candidate.

We do not sell personal data and we do not use the contents of your chats or pipelines to train third-party models.

Contract — to provide the imast product to you, deliver paid plans, and process billing.

Legitimate interest — to operate the service securely, prevent abuse, run aggregate product analytics, and surface candidate profiles from public sources to authorised recruiter users. You can ask us to explain how we balanced this interest against your rights at privacy@imast.ai.

Legal obligation — for tax, accounting, and lawful requests from public authorities.

Consent — for any optional marketing communication you opt into. You can withdraw consent at any time without affecting prior processing.

Sub-processors we rely on today: Google Cloud (Cloud Run application hosting and Cloud SQL Postgres in europe-west1, Belgium), Cloudflare (marketing-site hosting and edge compute), Google Workspace (OAuth and Gmail API for transactional email), OpenRouter and the underlying LLM providers (Anthropic, OpenAI), Exa.ai (people search), and Polar.sh (billing as Merchant of Record).

We disclose data only as needed to deliver the service or to comply with law. We do not disclose your queries or pipelines to other customers.

If we are ever acquired, your data transfers under the same terms; we will notify you in advance.

Primary application data is stored in Google Cloud SQL (Postgres 16) in the europe-west1 region (Belgium). Edge marketing-site traffic is served globally via Cloudflare. Transactional email and OAuth flows are processed by Google.

When personal data is processed by a sub-processor outside the EEA (for example, US-based LLM inference), we rely on the sub-processor’s contractual data-protection commitments and on encryption in transit and at rest. We will document the specific transfer mechanism in a future revision once the operating entity is formalised.

Account and product data are retained for the life of your account plus 30 days. Backups roll off within 90 days.

Anonymised usage logs are retained for up to 13 months.

You can request earlier deletion at any time — see Your rights below.

Candidate profiles surfaced by imast originate from publicly available sources (LinkedIn, GitHub, and similar). Because we do not collect this data directly from the candidate, this section serves as our notice to candidates: imast processes your professional information so that authorised recruiter users can discover talent for legitimate hiring purposes.

We minimise: we retain only what a recruiter actively saves to a pipeline; we do not enrich with non-professional data; we do not infer protected characteristics; we do not crawl behind paywalls or against published platform terms.

Candidate rights: you can access, correct, or request deletion of your data, and object to processing. Email privacy@imast.ai with the public URL of the profile in question. We aim to suppress and propagate within 30 days.

imast scores and ranks candidates against a recruiter's criteria using large language models. This is profiling. It is not a solely automated decision producing legal or similarly significant effects: a human recruiter reviews every output and is the sole decision-maker on outreach, interviewing, and hiring.

Hiring decisions, even when informed by imast scores, must be made by a human and must not rely on protected attributes. Recruiters are contractually responsible (see Terms §3, §6) for ensuring their use complies with equal-opportunity and anti-discrimination law applicable to them.

You can request a manual review of any score that affects you and an explanation of the factors that fed into it.

You can ask us to: access the personal data we hold about you, correct inaccurate data, delete your data, restrict or object to processing, and receive your data in a portable machine-readable format. Where processing is based on consent, you can withdraw it at any time without affecting prior processing.

Send requests to privacy@imast.ai. We aim to respond within 30 days; complex requests may take longer and we will keep you informed.

If you are based in the EEA, the UK, or another region with a data-protection authority, you may lodge a complaint with your local supervisory authority. Once our operating entity is formalised we will name the lead authority here.

We use a small number of strictly necessary cookies for authentication and CSRF protection. We do not use advertising or third-party tracking cookies on our marketing site.

imast is a B2B product for recruiters. It is not directed at children under 16 and we do not knowingly collect their data.

Privacy questions and rights requests: privacy@imast.ai.

General support: hello@imast.ai.

This document describes our current practice in plain language. The legal entity that operates imast.ai is being formalised; jurisdiction, supervisory authority, and any operating-entity references will be added in a future version once incorporation is complete. Email privacy@imast.ai if you need an interim Data Processing Agreement.