Privacy Policy

The Vultur service (“Vultur,” “the service”) is operated by Unmask AI, Inc., a Delaware corporation with its registered office in the State of Delaware, USA. In this policy, “we,” “us,” and “our” mean Unmask AI, Inc.

When your employer signs up for Vultur and invites you to connect your accounts, we process data on their behalf as part of their hiring workflows. In that arrangement your employer is the controller of the personal data in their workspace under GDPR, and Vultur is the processor. For product-level data (account sign-up, usage logs, billing) Vultur is the controller.

We collect the following categories of data:

• Account data. Name, work email, role, organisation, and profile photo, provided either by you when you sign up or by your employer when they invite you.
• LinkedIn data. When you connect LinkedIn through our integration partner Unipile, we receive your first-degree connections, profile headlines and summaries, mutual connections, and messages sent or received through Vultur campaigns. We do not read messages on threads that Vultur did not start or participate in.
• Gmail data. When you connect Gmail, we access message metadata (sender, recipient, subject, timestamps, thread IDs) and message content for email threads that Vultur is actively using for outreach, replies, or candidate conversations. We do not scan, index, or process emails that are unrelated to your Vultur activity. We do not access attachments unless they are part of a Vultur thread.
• Google Calendar data. When you grant calendar access, we read events that are relevant to Vultur-managed introductions and meetings so that we can capture follow-through on referrals. We do not access unrelated personal calendar events.
• Candidate and contact data. Names, titles, companies, public profile information, and enrichment data returned by third-party providers for people in your network who may be matched to open roles at your employer.
• Product usage data. Pages visited, features used, device and browser identifiers, IP address, and diagnostic logs needed to run, secure, and improve the service.
• Cookies and similar technologies. We use a small number of first-party cookies for authentication, session management, and remembering your preferences. We do not use advertising cookies or third-party tracking pixels.

We use the data described above to:

• Match people in your network to open roles at your employer.
• Send approved outreach on your behalf through LinkedIn and Gmail.
• Capture referral activity so you can collect referral bonuses.
• Detect replies and intro follow-through via email and calendar signals.
• Operate, secure, monitor, and improve the service.
• Communicate with you about your account, security, and product updates.
• Comply with legal obligations and respond to lawful requests.

We do not sell personal data. We do not use Google user data or LinkedIn data to serve advertisements, and we do not use it to train generalised machine-learning models.

Because Vultur uses sensitive and restricted Google OAuth scopes, we make the following specific commitments, in addition to the general rules above. Vultur's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• Limited purpose. We only use Google user data to provide or improve user-facing features of Vultur. We do not use Google user data for advertising, credit-worthiness, lending, or any purpose unrelated to delivering the service.
• No transfer. We do not transfer Google user data to third parties except (a) sub-processors listed below that provide infrastructure Vultur runs on, (b) as necessary to provide or improve the service with your permission, (c) for security purposes, or (d) to comply with applicable law.
• No human reading. We do not allow humans to read Google user data unless we have your explicit permission (e.g. for support), it is necessary for security investigations, to comply with law, or the data has been aggregated and anonymised for internal operations.
• No model training on personal data. We do not use Google user data to train or improve generalised machine-learning or AI models. Any ML features operate only within the boundaries of your workspace.
• Data minimisation. We store only the minimum Google user data needed to deliver the features you opted into, and retain it no longer than necessary to provide those features.

The Vultur Chrome extension is part of the Vultur service and is governed by this Privacy Policy.

When you view a LinkedIn profile with the extension installed, it reads the profile's public URL and on-page details (such as the person's name and profile photo) in order to identify that contact. It reads your Vultur authentication cookie so it can make authenticated requests to your own Vultur account, and it sends the LinkedIn profile identifier to Vultur's servers to retrieve your team's connection and interaction data for display.

Connecting your LinkedIn account. The extension can connect your LinkedIn account to Vultur in one step, from the extension popup. This flow is strictly user-initiated: nothing happens until you open the popup, read the consent screen that explicitly names the cookie involved, and click Allow & Connect. When you do, the extension reads your LinkedIn session cookie (named li_at) from your browser, transmits it once over TLS to api.vultur.ai, and discards it from extension memory. Vultur's servers forward the cookie to our LinkedIn integration sub-processor (Unipile) so Unipile can establish the account connection on your behalf. The li_at cookie is not stored in the extension at any tier of browser storage, and Vultur does not retain it in its own database — only the resulting Unipile account identifier and the standard linked- account metadata described in section 2. You can revoke the connection at any time by clicking Disconnect in the extension popup or in your Vultur dashboard, which also marks the underlying linked account as disconnected.

The extension operates only on LinkedIn profile pages and the LinkedIn domain cookie scoped above. It does not collect your browsing history, does not track your activity on other websites, and does not read the content of your emails or messages. All data handled by the extension is processed in accordance with this Privacy Policy.

We share personal data only with the following categories of parties, and only as needed to deliver the service. A current list of sub-processors is available on request from privacy@vultur.ai.

• Your employer. Matches, campaign activity, referral outcomes, and candidate pipeline data are visible inside your employer's Vultur workspace to users your employer authorises.
• Authentication. Clerk (user sign-in and session management).
• Application database. Convex (primary app database and server functions).
• Infrastructure and hosting. Vercel (web application hosting), AWS / Google Cloud (underlying cloud infrastructure used by our sub-processors).
• Integration providers. Unipile (LinkedIn, Gmail, and calendar connectivity), Stackone (ATS integrations).
• Enrichment. Apify (public LinkedIn profile enrichment).
• AI and embeddings. OpenAI (embeddings and content generation scoped to your workspace only; not used to train OpenAI's foundation models).
• Transactional email. Resend (account, invite, and system emails).
• Law enforcement or regulators. Only when compelled by valid legal process, and only to the minimum extent required.

We do not sell personal data and we do not share it with advertising networks. Each sub-processor is bound by a data processing agreement that restricts their use of data to providing services to Vultur.

We keep personal data for as long as your account is active or as needed to deliver the service. When you disconnect LinkedIn or Gmail, we stop fetching new data from that account and delete stored tokens. When your employer closes their workspace, we delete workspace data within 90 days, except where retention is required for legal, tax, or accounting reasons. Diagnostic logs are retained for up to 90 days.

Depending on where you live, you have specific rights over your personal data. To exercise any of the rights below, contact privacy@vultur.ai. We will verify your request and respond within 30 days (or 45 days under CCPA). You can also disconnect LinkedIn or Gmail from the Vultur dashboard at any time, which stops all further data collection from those accounts.

For users in the EU, EEA, UK, and Switzerland (GDPR)

• Right of access to the personal data we hold about you.
• Right to rectify inaccurate personal data.
• Right to erase personal data (the “right to be forgotten”).
• Right to restrict or object to processing based on legitimate interests.
• Right to data portability in a machine-readable format.
• Right to withdraw consent at any time, where processing is based on consent.
• Right to lodge a complaint with your local Data Protection Authority.

For California residents (CCPA / CPRA)

• Right to know what personal information we collect and how it is used.
• Right to delete personal information we collected from you.
• Right to correct inaccurate personal information.
• Right to opt out of the “sale” or “sharing” of personal information (we do not sell or share personal information as defined by the CCPA).
• Right to limit the use of sensitive personal information.
• Right not to be discriminated against for exercising any of these rights.

We use encryption in transit (TLS) and at rest, least-privilege access controls, audit logging for administrative actions, and regular credential rotation. Production systems are accessible only to a small number of engineers through authenticated, audited channels. No system is perfectly secure. If you believe your account has been compromised, contact privacy@vultur.ai immediately.

Unmask AI, Inc. is incorporated in Delaware, USA, and personal data is stored in the United States. Vultur currently operates from the European Union, and data may be processed in both the EU and the US. Where personal data is transferred between the EEA and the US, we rely on Standard Contractual Clauses and equivalent safeguards.

Vultur is not directed to children under 16, and we do not knowingly collect personal data from anyone under that age. If you believe a child has provided us with personal data, contact privacy@vultur.ai and we will delete it.

We will post any material changes to this page and update the effective date above. If the change affects how we use Google user data, we will notify you before the change takes effect.

Questions, requests, or complaints about this policy or your personal data: privacy@vultur.ai.