
Privacy Policy

Booly Baby — Privacy Policy
Updated Effective Date: 2026-03-01

 

Booly Baby (“we,” “us,” or “our”) respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, store, and share information when you use our services, including our website, forms, recruitment application, and audio transcription features.

 

1. Identity & Roles

  • Controller / Processor: Depending on how you use our service, either you (the recruiter/customer) or Booly Baby may be the data controller:

    • When a customer uploads candidate data (audio recordings, resumes, candidate details) for the customer’s own hiring activities, the customer is the data controller and Booly Baby acts as a data processor operating only on the customer’s documented instructions.

    • When Booly Baby collects data for account management, billing, or direct employment with Booly Baby, Booly Baby acts as the data controller.

  • Contact: jan@boolybaby.com
    Address: Cape Town, South Africa

 

2. Information We Collect

We collect and process the following categories of personal data when necessary to provide our services:

A. Personal & Account Data

  • Name, email address, phone number, billing details, account credentials, profile information.

B. Recruitment & Transcription Data

  • Audio recordings (candidate interviews / screening calls).

  • Transcripts derived from recordings (text output of speech-to-text).

  • Candidate-provided details mentioned during recordings (e.g., name, location, employment history, salary).

  • Recruiter notes, tags, and evaluation data produced via our platform.

C. Usage & Technical Data

  • Device and browser information, IP address, usage logs, timestamps, feature usage metrics.

D. Feedback & Support Data

  • Support tickets, survey responses, and feedback provided by users.

E. Sensitive / Special Category Data

  • Transcripts may incidentally include special category data (e.g., health details, religion, ethnicity). We request customers not to provide such sensitive data unless strictly necessary and only when lawful.

 

3. Lawful Bases for Processing (GDPR)

When processing personal data of data subjects in the EU/UK, we rely on one or more of the following legal bases:

  • Performance of a contract: To provide the services you request (e.g., transcription, reporting, document generation).

  • Legitimate interests: For platform operation, fraud prevention, security, product improvement, and to provide the service to customers (we balance these interests against user privacy).

  • Consent: For call recording and any processing that requires explicit consent under applicable law. When consent is used, it can be withdrawn.

  • Legal obligation: To comply with applicable laws and lawful requests from authorities.

If you are a customer/controller using our service, you must ensure you have an appropriate legal basis (e.g., consent or legitimate interest) for recording calls and uploading candidate data.

 

4. How We Use Personal Data

We use data to:

  • Provide and operate our platform and associated services (including transcription and AI-based summarisation).

  • Transcribe audio into text and create structured summaries and recruiter reports.

  • Generate recruitment insights, templates, and Boolean strings as requested.

  • Communicate with users about accounts, updates, or support.

  • Improve and analyze platform performance and usage.

  • Comply with legal obligations and enforce our Terms of Service.

Model training: We do not use customer-uploaded content to train our own machine learning models unless we obtain explicit, opt-in consent. Note: third-party subprocessors may process data in ways described in their terms; see “Processors & Subprocessors” below.

 

5. Automated Decision-Making & Profiling

  • Our platform uses AI to create structured candidate summaries, suggested recommendations, and other analytical outputs.

  • These AI outputs are advisory only. Final hiring or rejection decisions are the responsibility of the human recruiter/customer.

  • Data subjects have the right to request human review of any automated or profiling decision and to challenge the result. To request a review, contact jan@boolybaby.com.

 

6. Sharing and Disclosure

We do not sell or rent your personal information.

We may share data:

  • With subprocessors who provide services on our behalf (storage, transcription, AI analysis, hosting, analytics). We engage subprocessors under written agreements that require appropriate data protection safeguards.

    • Public policy note: We may disclose subprocessors by category in our public privacy policy (e.g., “speech-to-text provider,” “cloud storage provider,” “AI analysis provider”). A named list of subprocessors is available to customers on request.

  • When required by law or to respond to legal process.

  • To protect rights, property, or safety of Booly Baby, our users, or others.

  • In connection with a business transfer (e.g., merger, acquisition) — with notice to users where required.

 

7. International Transfers

Data may be processed or stored outside the European Economic Area (EEA). Where personal data is transferred outside the UK/EU/EEA, we implement appropriate safeguards such as:

  • Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms; or

  • Ensuring subprocessors maintain adequate protections.

Details about the locations and safeguards applicable to transfers are available on request or via the DPA.

 

8. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, in line with lawful basis and our contractual obligations.

Typical retention periods (examples — customers may request custom retention in a DPA):

  • Raw uploaded audio (temporary processing files): Deleted automatically after successful transcription and processing, typically within 7 days unless customer requests longer retention.

  • Transcripts (text outputs): Retained for 30 days by default to allow customer review and downloads. Customers may configure shorter/longer retention via DPA.

  • Generated reports / documents (e.g., DOCX): Retained for 30 days by default.

  • Account & billing data: Retained for the duration of the account and as required for legal or tax purposes (typically up to 7 years where necessary).

  • Backups / logs: Retained in secure, limited form for operational and legal compliance reasons for a reasonable period.

Customers may request deletion of transcripts or recordings earlier; we will act in accordance with the DPA and applicable law.

 

9. Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encrypted transport (HTTPS/TLS) for data in transit.

  • Access controls and role-based permissions.

  • Secrets management for API credentials and keys.

  • Secure storage practices and regular security reviews.

  • Prompt patching and vulnerability management.

  • Isolation of temporary processing files and automatic cleanup.

While we use commercially reasonable methods to secure data, no system is 100% secure. If a data breach occurs that affects personal data and triggers notification requirements, we will notify affected customers and regulators as required by law.

 

10. Data Subject Rights (EU/UK)

Where applicable, data subjects have the following rights:

  • Right of access: Request a copy of personal data we hold.

  • Right to rectification: Request correction of inaccurate data.

  • Right to erasure: Request deletion of personal data (subject to law and contractual obligations).

  • Right to restrict processing: Temporarily limit processing of certain personal data.

  • Right to data portability: Receive personal data in a structured, commonly used format.

  • Right to object: Object to processing based on legitimate interests (including profiling), or direct marketing.

  • Right to withdraw consent: Where processing is based on consent.

  • Right to lodge a complaint: With a supervisory authority in your country (e.g., ICO in the UK, or your local EU DPA).

Exercise of rights: To exercise your rights, contact jan@boolybaby.com. We may ask for proof of identity and will respond without undue delay and in any event within one month, or longer where permitted by law (we will inform you if an extension is required).

 

11. Data Processing Agreement (DPA) & Subprocessor Transparency

  • For customers who are data controllers and engage us as a processor, we provide a Data Processing Agreement (DPA) that sets out processing details, security measures, subprocessors, and roles.

  • The DPA includes a named list of subprocessors, their processing purposes, and information on data transfers. If you require the named list before contracting, we will provide it on request.

  • Customers may request to review or object to new subprocessors in line with the DPA.

 

12. Special Category Data & Minimisation

  • Avoid uploading special category data (sensitive data) unless necessary and lawful.

  • We apply data minimisation: only process the minimum data necessary to fulfil the requested service.

  • If processing special category data is necessary, customers must ensure a lawful basis exists and provide explicit instructions in a DPA.

 

13. Cookies & Tracking

We use cookies and similar technologies for essential functionality, analytics, and product improvement. For EU/UK visitors, we provide controls for non-essential cookies and track consent in accordance with applicable law. You may manage cookie preferences via your browser settings.

 

14. Children’s Privacy

Our service is not directed at minors under 18. We do not knowingly collect personal data from children under 18. If we learn we have collected data from a child without appropriate consent, we will take steps to delete it.

 

15. Changes to this Privacy Policy

We may update this Privacy Policy periodically. Changes will be published on our website with the effective date. Material changes affecting data subject rights will be communicated with notice.

 

16. Contact & Complaints

If you have questions, requests, or complaints:

If you believe we have violated data protection laws, you can also lodge a complaint with the relevant supervisory authority (e.g., ICO in the UK, or your local EU authority).

 

17. Requests for Subprocessor List, DPA, or Data Deletion

To request:

  • A current list of subprocessors, or

  • A copy of our Data Processing Agreement, or

  • Deletion of data (subject to contractual terms)

Please contact jan@boolybaby.com. We will respond to verified requests in accordance with the DPA and applicable data protection laws.
