Zyverno

Confidentiality Charter

Last updated: February 2026

At Zyverno, we take your privacy seriously and are committed to processing your personal data responsibly, securely, and transparently.

This Confidentiality Charter (the “Charter”) describes how Zyverno Limited (“Zyverno”, “we”, “us”) processes personal data in connection with the Zyverno cloud-based recruitment platform (the “Service”). It applies globally. Section 3 (Legal Framework) lists the data protection instruments we comply with on a per-jurisdiction basis (UK, European Union and member states, United States federal and state, Canada and Quebec, Australia, Gulf states, and other major markets). Section 19 (Jurisdiction Schedules) sets out the additional rights and obligations applicable to users connected to each specific jurisdiction; where a Section 19 schedule provides additional rights or imposes additional obligations under local law, those additional provisions apply for individuals connected to that jurisdiction.

For privacy enquiries from any jurisdiction, contact privacy@zyverno.app.

1. Controller Identity

This Confidentiality Charter is issued by:

  • Company name: Zyverno Limited
  • Legal form: Private limited company
  • Company No: 16987963
  • Jurisdiction of registration: England and Wales
  • Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
  • Platform: zyverno.app

2. Privacy Contact

Privacy contacts:

Data Protection Officer and equivalent appointments

Zyverno Limited has assessed its activities under Article 37 of the EU GDPR and Article 37 of the UK GDPR and determined that the formal designation of a Data Protection Officer is not currently mandatory. This assessment is documented internally and reviewed annually. The privacy contacts above handle all data protection matters and will direct enquiries to senior management as appropriate.

3. Legal Framework

Zyverno processes personal data in compliance with the data protection laws of each jurisdiction in which it operates or in which Service users or Candidates are located. The principal applicable instruments include:

United Kingdom

  • UK GDPR — as incorporated into domestic law via the European Union (Withdrawal) Act 2018
  • Data Protection Act 2018
  • PECR — Privacy and Electronic Communications Regulations 2003
  • Applicable UK employment and equality legislation (including the Equality Act 2010)

European Union

  • EU GDPR — Regulation (EU) 2016/679
  • EU AI Act — Regulation (EU) 2024/1689
  • ePrivacy Directive — Directive 2002/58/EC
  • Applicable national data protection, employment and equality legislation in member states

United States

  • State comprehensive privacy laws (CCPA/CPRA, Virginia CDPA, Colorado Privacy Act, Connecticut Data Privacy Act, Utah CPA, Texas DPSA, Oregon CPA, Tennessee Information Protection Act, Indiana CDPA, Iowa CDPA, Montana CDPA, Delaware Personal Data Privacy Act, NJ Data Privacy Act, NH Privacy Act, Kentucky CDPA, Rhode Island Data Transparency, Minnesota CDPA, Maryland Online Data Privacy Act).
  • Federal: TCPA, CAN-SPAM Act, Title VII, ADA, ADEA, GINA, EEOC guidance, COPPA where applicable.
  • AI-specific: NYC Local Law 144, Illinois AI Video Interview Act, Illinois BIPA, Colorado AI Act (SB 24-205, in force February 2026).

Canada

  • PIPEDA (Personal Information Protection and Electronic Documents Act).
  • CASL (Canada’s Anti-Spam Legislation).
  • Provincial laws: Quebec Law 25, BC PIPA, Alberta PIPA.

Australia

  • Privacy Act 1988 (Cth) including the Australian Privacy Principles (APPs).
  • Spam Act 2003 (Cth) and applicable state and territory legislation.

Gulf states

  • UAE: federal PDPL (Federal Decree-Law No. 45 of 2021), DIFC Data Protection Law (DIFC Law No. 5 of 2020), ADGM Data Protection Regulations 2021.
  • Qatar: PDPL Law No. 13 of 2016. Bahrain: PDPL Law No. 30 of 2018. Oman: PDPL Royal Decree 6/2022.

4. Controller vs Processor Roles

4.1 As Data Processor

When a Customer uses Zyverno for recruitment activities, the Customer is the Controller of Candidate personal data and Zyverno Limited is the Processor. We process Candidate personal data only on documented instructions from the Customer, in accordance with the DPA between Zyverno and the Customer. The DPA template is available on request; an executed DPA is part of the Subscription onboarding for enterprise Customers.

4.2 As Data Controller

Zyverno Limited is the Controller for:

  • User account data (registration data, organisational role, authentication information).
  • Operational data (analytics, performance data, billing data, audit logs of Service use).
  • Website visitor data (technical data captured when interacting with zyverno.app).
  • Aggregated and anonymised data derived from Candidate data, used for Service improvement and industry benchmarking, where the data has been processed such that no individual is identifiable.

4.3 As Joint Controller

In limited circumstances, Zyverno and the Customer may act as joint controllers. Where this arises, the parties’ respective responsibilities for compliance with Data Protection Laws are determined in the DPA or a separate joint controller arrangement.

5. Categories of Personal Data

Candidate Data (Processor)

  • Identity: name, date of birth, nationality
  • Contact: email, phone, address
  • Professional: CV, experience, education, skills
  • Recruitment: application status, interview notes, screening scores, pipeline stage
  • Communication: emails, SMS, invitations
  • AI-generated: screening transcripts, AI assessments, Lina AI scores

User Data (Controller & Processor)

  • Account: name, email, organisational role
  • Authentication: OTP tokens (not stored after verification), session tokens
  • Activity logs: login history, platform actions

Technical Data

  • IP address, browser type/version, OS, device type
  • Pages visited, features used, timestamps

Special-Category Data (Art. 9 GDPR)

CVs and application materials may incidentally contain special-category data such as photographs that may reveal racial origin, religion, or beliefs, references to disability, health information explaining career gaps, trade union membership, or political opinions. Zyverno’s position is as follows:

  • No special-category screening criteria: Customers are instructed via the Data Processing Agreement (DPA) not to configure Zyverno to use special-category data as a screening criterion.
  • Legal basis where present: Where incidental special-category data is processed, processing relies on Article 9(2)(b) GDPR (employment law obligations) for the limited purposes the Customer’s applicable employment law allows.
  • Excluded from AI scoring: Photographs and other obviously special-category content are not used as scoring inputs by Lina. The technical documentation reflects this exclusion.
  • Candidate rights: Candidates may request restriction or erasure of special-category data via the contact in Section 12.

Children’s Data (Art. 8 GDPR)

Zyverno is designed for adult recruitment. The platform is not intended for use with candidates under 18 years of age. Customers are required by the DPA to confirm that their use of Zyverno does not target under-18 candidates. Where a Customer’s use case requires processing of candidates aged 16 or 17 (for example, in jurisdictions where minors may apply for entry-level roles), the Customer must enable additional safeguards consistent with applicable local law, including parental consent flows, restricted scoring criteria, and shorter retention. Zyverno will decline configurations that would process data from candidates under 16.

6. Data Sources (Art. 14 GDPR)

  • Directly from data subjects: applications via public widget, user registration
  • From Customers: CV uploads, manual entries, bulk imports
  • Public application widget: embedded forms on Customer websites
  • Automated: technical data collected during platform use

7. Purposes & Legal Bases

Purpose | Legal Basis (GDPR Art. 6)
Providing the ATS platform | Contract (Art. 6(1)(b))
AI screening & candidate assessment | Legitimate interest (Art. 6(1)(f)) with mandatory human oversight
Email/SMS communication with Candidates | Contract / Legitimate interest (Art. 6(1)(b)/(f))
Service analytics and improvement | Legitimate interest (Art. 6(1)(f)) — aggregated/anonymised where feasible
Security & fraud prevention | Legitimate interest (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c))
Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) — including AI Act provider obligations and tax/accounting
Billing & account management | Contract (Art. 6(1)(b))
Bias monitoring and AI Act compliance | Legal obligation (Art. 6(1)(c)) and legitimate interest (Art. 6(1)(f)) — aggregated outputs only

8. Data Sharing & Recipients

Customer (Controller)

Candidate data is accessible to the Customer and its authorised Users via role-based access control.

Sub-Processors

Zyverno Limited engages a small set of sub-processors to deliver the platform. The categories below describe their function, region, and applicable safeguards. The full named list, with purposes, locations, and contractual safeguards, is provided to enterprise customers under NDA as part of our procurement Trust Pack and is also included in the sub-processor appendix to the Data Processing Agreement (DPA) executed at contract signature.

Function | Region | Safeguards
AI / large language model provider | US (EU API endpoint) | CV text anonymised before transmission (email, phone, and address redacted); zero data retention requested on API calls; provider may retain API data up to 30 days for abuse monitoring under its DPA, then automatic deletion; Standard Contractual Clauses (SCCs) and supplementary technical measures.
Speech-to-text | US | SCCs and supplementary technical measures.
Text-to-speech | US | SCCs and supplementary technical measures.
Object storage and file hosting | EU (France) | Primary candidate data storage in the EU.
Transactional email | US | SCCs.
SMS messaging | US | SCCs.
Background job orchestration | US | SCCs.
Payment processing | US (EU entity) | Standard payment-processor safeguards.
Independent recruitment analytics — TFO Recruit IQ (Joint Industry Council) | United Kingdom | Receives pseudonymised candidate identifiers, stage-event timestamps, and screening outcomes from tenants that have enabled the integration. Used for sector-level funnel and time-to-hire benchmarking. No CV content, audio, or raw contact details are shared.

Notification of changes: material additions or changes to the sub-processor list are notified to enterprise customers at least thirty (30) days in advance, with a right to object. Customers may subscribe to sub-processor change notifications at privacy@zyverno.app. Where a Customer reasonably objects on documented compliance grounds, Zyverno will use commercially reasonable efforts to provide an alternative; if no alternative is feasible, the Customer may terminate the Subscription with respect to the affected functionality.

No sale of data: Zyverno Limited does not sell, rent, or trade personal data. “Sale” is interpreted in accordance with the broader definitions in the California Consumer Privacy Act and other US state laws, which include sharing for cross-context behavioural advertising. Zyverno does not engage in such sharing.

Disclosures required by law: Zyverno may disclose personal data where required by applicable law, court order, or binding regulatory instruction. Where legally permitted, Zyverno will inform the Customer or affected data subject in advance and will challenge disclosure orders that are inconsistent with applicable Data Protection Laws.

9. SMS Communications

When candidates provide their phone number during a job application processed through our platform, they may receive SMS messages from the recruiting company. These messages are limited to interview invitations and reminders related to the application process.

Data Collected

We store the candidate’s phone number, SMS delivery status, and opt-out preferences. We do not share phone numbers with third parties beyond our SMS delivery sub-processor.

Opt-Out Rights

Candidates can opt out of SMS communications at any time by replying STOP to any message received. Once opted out, no further SMS messages will be sent to that number. To resume messages, reply START. For assistance, reply HELP.

Customer Obligations

Customers using our platform are responsible for obtaining proper consent from candidates before enabling SMS communications. Customers must comply with all applicable telecommunications regulations, including the Telephone Consumer Protection Act (TCPA) in the United States and equivalent regulations in other jurisdictions.

10. International Transfers

Primary Candidate data storage is located within the European Union (France). Some Sub-Processors operate from the United States or other jurisdictions outside the European Economic Area, the United Kingdom, and other jurisdictions whose data protection laws are recognised as adequate.

Where personal data is transferred to a country not recognised as providing adequate protection, Zyverno relies on the following transfer mechanisms and supplementary measures:

  • Standard Contractual Clauses (SCCs) issued by the European Commission, supplemented by the UK International Data Transfer Agreement (IDTA) or the UK IDTA Addendum to the EU SCCs for UK transfers.
  • Pseudonymisation or anonymisation of personal identifiers before transfer where feasible. CV content is anonymised before transmission to the AI assessment provider; email, phone, and postal address are redacted prior to processing.
  • Encryption in transit using TLS, with EU-controlled keys for primary storage.
  • Contractual commitments by Sub-Processors to challenge incompatible disclosure orders and to notify Zyverno where legally permitted.
  • Transfer Impact Assessments (TIAs) documented for each non-EEA Sub-Processor.

Specific transfer mechanisms applicable to particular jurisdictions are set out in Section 19 (Jurisdiction Schedules). The United Arab Emirates and certain other Gulf jurisdictions impose additional transfer-out and transfer-in restrictions; see the Gulf states schedules.

11. Data Retention

Data Category | Retention Period
Candidate personal data | Subscription duration plus 30-day Customer export window. Earlier deletion on Candidate erasure request, subject to Customer legal-basis exceptions.
Lina AI screening sessions and assessments | Subscription duration, then deleted with Candidate data
Voice recordings (where voice mode used) | Subscription duration where retained by Customer; transcripts retained, voice files deleted earlier where Customer-configured
Soft-deleted records | 30 days recoverable, then permanent deletion
User account data | Subscription duration plus 30 days following termination
AI Sub-Processor API data (anonymised CV text, screening conversations) | Up to 30 days at Sub-Processor for abuse monitoring per their DPA, then automatic deletion. Zero-data-retention requested where supported.
Security and access logs | 12 months. Where AI Act Article 12 requires longer retention for high-risk AI system logs (six months minimum, with longer periods where required by sector law), the longer period applies.
Billing and invoicing records | 7 years following the end of the relevant accounting period (UK and EU statutory tax retention)

Candidate-initiated erasure: the retention periods above describe contractual retention. They do not override individual rights. Candidates may request erasure under Article 17 GDPR at any time, either via the employing Customer (Controller) or directly to privacy@zyverno.app. We will action erasure requests within 30 days unless the Customer has documented a legal basis to retain (for example, an active legal claim or regulatory record-keeping obligation). Where retention is required by the Customer, we will restrict further processing in line with Article 18 GDPR and inform the candidate of the basis and expected duration of the retention.

12. Data Subject Rights (Art. 15–22 GDPR)

  • Access (Art. 15): obtain confirmation and copy of your data
  • Rectification (Art. 16): correct inaccurate data
  • Erasure (Art. 17): request deletion (“right to be forgotten”)
  • Restriction (Art. 18): restrict processing
  • Portability (Art. 20): receive data in machine-readable format
  • Object (Art. 21): object to legitimate-interest processing
  • Automated decisions (Art. 22): not be subject to solely automated decisions with legal effects
  • Withdraw consent: at any time where consent is the basis
  • Lodge complaint: with a supervisory authority (Section 16)

For Candidates: contact the Customer (employer) first. If unresolved, contact privacy@zyverno.app.

Response time: 30 days, extendable by 60 days for complex requests.

13. Automated Decision-Making & AI (Art. 22 + EU AI Act)

Lina AI — Screening Assistant

  • Advisory only: all AI scores and assessments are advisory. No hiring decision is made by AI alone.
  • Human oversight (Art. 22(3) GDPR): a qualified recruiter must review every AI-influenced outcome before any candidate-affecting communication is sent. Customers are contractually required by the Data Processing Agreement (DPA) to enforce human review, and the platform exposes a configuration setting that gates rejection communications on a recorded human-reviewer action. Where a Customer disables this safeguard, the responsibility for Article 22 compliance rests with the Customer as Controller.
  • Right to explanation (Art. 22(3) GDPR): candidates who have been screened by Lina may request meaningful information about how their assessment was produced. Requests should be made first to the employing Customer (Controller), which holds the role-specific scoring criteria. If unresolved, candidates may contact privacy@zyverno.app. We will respond within 30 days with information about the categories of input considered, the structure of the scoring (skills, experience, language, structured questions), and the human review applied to the outcome. We will not disclose Customer-specific scoring weights that constitute the Customer’s confidential configuration.
  • Bias and fairness monitoring: Zyverno conducts periodic disparate-impact testing on Lina screening outcomes across protected characteristics where data is available. The methodology, testing frequency, and aggregate results are documented in our AI Act technical documentation, available to enterprise Customers on request under NDA. Zyverno does not claim that Lina is “bias-free” or “unbiased”; the platform is structured and tested to reduce variance versus unstructured human screening.
  • High-risk classification (EU AI Act): Lina is a high-risk AI system under Annex III(4) of Regulation (EU) 2024/1689 (recruitment). Zyverno Limited is the provider of Lina under Article 16 of the EU AI Act.
  • Provider obligations status: Zyverno maintains a dedicated programme covering the provider obligations under Articles 9 to 21 (risk management, data governance, technical documentation, logging and traceability, transparency to deployers, human oversight, accuracy and robustness, cybersecurity, quality management) and the placement-on-market obligations (conformity assessment, CE marking, EU high-risk AI database registration), as well as post-market monitoring (Art. 72) and serious incident reporting (Art. 73). Current status against each obligation is published in our AI Act technical documentation, available to enterprise Customers on request under NDA, and will be made enforceable by the August 2026 deadline.
  • Deployer support (Art. 26 EU AI Act): Zyverno provides Customers with the artifacts needed to meet their deployer obligations: instructions for use, a Fundamental Rights Impact Assessment (FRIA) template under Article 27, a worker notification template, a candidate transparency notice, a human oversight protocol document, and audit log export.
  • Data minimisation: CV text is anonymised (email, phone, and address redacted) before being sent to AI sub-processors for parsing. Only the candidate’s name and professional content are transmitted. The AI sub-processor may retain API data for up to 30 days for abuse monitoring under its Data Processing Addendum, after which it is automatically deleted. Zero data retention is requested on all API calls.
  • Vision extraction (scanned PDFs): when text extraction fails for scanned or image-based CVs, document page images may be sent to the AI sub-processor for optical analysis. These images may contain visible personal information (name, photo, address). Vision extraction is used only as a last resort when standard text extraction yields insufficient content.

14. Security Measures

Technical controls

  • Encryption in transit: TLS 1.2+ for all data transmission.
  • Encryption at rest: server and object storage encryption.
  • RBAC: role-based access control with least-privilege defaults.
  • Tenant isolation: logical data separation enforced at application and database level.
  • Authentication: passwordless OTP authentication with secure session cookies (HttpOnly, Secure, SameSite).

Organisational controls

  • Employee access: production access is limited to named engineers, granted on a least-privilege basis, and reviewed quarterly. All staff with access to candidate data sign confidentiality undertakings and complete data protection training.
  • Vendor management: sub-processors are subject to written Data Processing Agreements with documented security commitments and transfer safeguards (see Section 8 and Section 10).
  • Change management: all production changes are reviewed and version-controlled.

Assurance and testing

  • Vulnerability disclosure: security researchers may report vulnerabilities to security@zyverno.app. We commit to acknowledge reports within 5 business days and to a coordinated disclosure timeline.
  • Penetration testing: annual external penetration testing is scheduled, with summary results available to enterprise Customers under NDA.
  • Certifications: SOC 2 Type II — Pending; ISO 27001 — Pending.
  • Vulnerability scanning: automated dependency and container scanning runs continuously; findings are triaged according to documented severity SLAs.

Incident response

  • Documented plan: Zyverno maintains an incident response plan, a business continuity plan, and a disaster recovery plan covering detection, containment, eradication, recovery, and post-incident review.
  • Breach notification: supervisory authority within 72 hours of awareness (Art. 33 GDPR); affected individuals without undue delay where the breach is likely to result in a high risk (Art. 34 GDPR).
  • Customer notification: affected enterprise Customers are notified concurrently and provided with the information needed to meet their own controller obligations.

15. Cookies & Tracking

Only essential cookies: session cookies and security cookies (CSRF). No third-party analytics or advertising cookies. localStorage is used for theme preference only (stays on device).

16. Changes to This Charter

Material changes are communicated at least 30 days in advance via email and platform notice. The updated effective date is shown at the top of this Charter.

17. Supervisory Authorities

Data subjects may lodge a complaint with the supervisory authority in their country of residence. Selected authorities are listed below; the full list of relevant authorities by jurisdiction is set out in Section 19 (Jurisdiction Schedules).

  • United Kingdom — Information Commissioner’s Office (ICO): Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; www.ico.org.uk; +44 (0)303 123 1113.
  • France — CNIL: 3 Place de Fontenoy, 75007 Paris; www.cnil.fr.
  • Belgium — APD/GBA: Rue de la Presse 35, 1000 Bruxelles; www.autoriteprotectiondonnees.be.
  • Germany — BfDI and Land-level data protection authorities.
  • Spain — AEPD: www.aepd.es.
  • Netherlands — AP: www.autoriteitpersoonsgegevens.nl.
  • Sweden — IMY: Box 8114, 104 20 Stockholm; www.imy.se.
  • United States — California Privacy Protection Agency (CPPA): cppa.ca.gov; with state Attorneys General as alternative regulators.
  • Canada — Office of the Privacy Commissioner (OPC): www.priv.gc.ca; Quebec — CAI: www.cai.gouv.qc.ca.
  • Australia — OAIC: GPO Box 5288, Sydney NSW 2001; www.oaic.gov.au; 1300 363 992.
  • UAE: UAE Data Office (federal); DIFC Commissioner of Data Protection; ADGM Office of Data Protection as applicable.

18. Effective Date & Version History

This Confidentiality Charter is effective as of 1 February 2026.

Version history

Version | Effective from | Summary of changes
2.0 | 1 February 2026 | DPO assessment formalised; right to explanation operationalised; Article 22 enforcement clarified; bias and fairness methodology referenced; AI Act provider obligations status added; special-category and children’s data handling documented; candidate-initiated erasure made explicit; security section restructured (technical, organisational, assurance, incident response); sub-processor disclosure moved to a tiered model with named list under NDA.
1.0 | February 2026 (initial publication) | Initial publication.

Prior versions are retained internally and may be requested at privacy@zyverno.app for audit purposes.

19. Jurisdiction Schedules

This Section contains the schedules that supplement or override Sections 1-18 for users connected to specific jurisdictions. A user is “connected to” a jurisdiction where the user is established in, resident in, or where the data subject’s data is processed in connection with that jurisdiction.

19.1 United Kingdom

  • UK GDPR, Data Protection Act 2018, PECR.
  • Supervisory authority: Information Commissioner’s Office (ICO).
  • International transfers: UK IDTA or IDTA Addendum to the EU SCCs.
  • AI in recruitment: ICO guidance, Equality Act 2010, Article 22 UK GDPR safeguards.
  • Children: minimum employment age generally 16; for under-18 Candidates, working time and age-restricted role rules apply.

19.2 European Union (general)

  • EU AI Act (Regulation (EU) 2024/1689): Lina AI is high-risk (Annex III(4)). Zyverno is the provider (Art. 3). Provider obligations Articles 9-21 addressed in AI Act compliance documentation, updated quarterly.
  • Deployer obligations (Article 26): instructions for use, human oversight competence, representative input data, monitoring, log retention 6 months minimum, worker information, FRIA under Article 27, cooperation with authorities.
  • GDPR Article 22: solely automated decisions with legal effects prohibited save exceptions; Lina AI does not produce solely automated decisions.
  • ePrivacy Directive: Customer responsibility for marketing communications.
  • Cross-border transfers: EU SCCs (Decision (EU) 2021/914) plus supplementary measures and TIAs.
  • EU Whistleblower Directive (2019/1937) and consumer protection law.

19.3 EU Member States — specific provisions

  • France: CNIL, Loi Informatique et Libertés, Loi Toubon (French-language documents), CSE consultation before AI deployment.
  • Germany: BfDI + Land authorities, BDSG §26, Betriebsrat co-determination, German materials.
  • Spain: AEPD, LOPDGDD, Rider Law transparency, regional languages on request.
  • Belgium: APD/GBA, materials in Dutch/French/German per region.
  • Netherlands: AP, Uitvoeringswet AVG.
  • Sweden: IMY, Co-Determination Act union consultation rights.

19.4 United States (general)

  • Federal: TCPA (47 U.S.C. § 227), CAN-SPAM Act, Title VII, ADA, ADEA, GINA, EEOC guidance, COPPA where applicable.
  • EEOC and AI hiring: validate criteria against Uniform Guidelines (29 CFR Part 1607), reasonable accommodations, periodic adverse-impact review.
  • State privacy laws: 19 US states have enacted comprehensive privacy laws as of the date of this Charter.
  • No sale or share of personal information for cross-context behavioural advertising; opt-out mechanisms still provided.

19.5 California (CCPA/CPRA)

  • Rights: know, delete, correct, opt-out of sale/sharing, limit sensitive PI, non-discrimination, ADM access.
  • Notice at collection (1798.100), sensitive PI (1798.140(ae)), CPPA ADMT regulations (Lina AI is ADMT).
  • FEHA / CRD compliance, Global Privacy Control honoured, exercising rights at privacy@zyverno.app; 45-day response (+45 extension).

19.6 New York City — Local Law 144

  • Lina AI is an Automated Employment Decision Tool (AEDT) when used by a Customer for hiring in NYC.
  • Annual bias audit by independent auditor under DCWP rules (35 RCNY § 5-300 et seq.); public summary on request.
  • Candidate notice 10 business days before AEDT use; alternative selection process available on request.

19.7 Illinois

  • AI Video Interview Act (820 ILCS 42): notification, information, consent, 30-day deletion on request.
  • BIPA (740 ILCS 14): written informed consent for voiceprint collection; Zyverno provides consent template.

19.8 Colorado

  • Colorado AI Act (SB 24-205, in force February 2026): Lina AI is high-risk; developer obligations (Zyverno) and deployer obligations (Customer).
  • Colorado Privacy Act: profiling opt-out for legal/significant effects; alternative selection process required.

19.9 Other US states

  • Texas (TDPSA, Texas Capture or Use of Biometric Identifier Act).
  • Virginia, Connecticut, Utah, Oregon, Tennessee, Indiana, Iowa, Montana, Delaware, NJ, NH, KY, RI, Minnesota, Maryland.
  • Maryland Online Data Privacy Act (in force October 2025): stricter data minimisation, opt-in for sensitive data.
  • Maryland HB 1202: facial recognition restriction in pre-employment.

19.10 Canada (federal)

  • PIPEDA, BC PIPA, Alberta PIPA where substantially similar.
  • CASL: express consent required; Zyverno provides unsubscribe handling.
  • AIDA (proposed) — Zyverno will adapt when it becomes law.
  • Office of the Privacy Commissioner of Canada (OPC), 1-800-282-1376.

19.11 Quebec

  • Quebec Law 25 (Act respecting the protection of personal information in the private sector, modernised).
  • Quebec residents may exercise rights under Quebec Law 25 by contacting privacy@zyverno.app.
  • Article 12.1 automated decisions: notice template provided in French and English. Lina AI does not produce solely automated decisions.
  • Privacy Impact Assessment (Article 3.3) template provided.
  • Article 17 cross-border transfer: documented assessment maintained.
  • Charter of the French Language (Bill 96): French-language Customer/Candidate materials. French version prevails for Quebec residents.
  • Supervisory authority: Commission d’accès à l’information du Québec (CAI).

19.12 Australia

  • Privacy Act 1988 (Cth), Australian Privacy Principles (APPs).
  • APPs of particular relevance: APP 1, 3, 5, 6, 8, 11, 12, 13.
  • Sensitive information per Section 5 of this Charter.
  • APP 8 cross-border disclosure: reasonable steps for compliance.
  • Notifiable Data Breaches scheme (Part IIIC).
  • Spam Act 2003: Customer-side consent management.
  • Anti-discrimination law (Sex/Racial/Age/Disability Discrimination Acts and state equivalents).
  • Office of the Australian Information Commissioner (OAIC).

19.13 Gulf states (general)

  • Substantive groundwork required for Gulf operations: counsel review, data localisation analysis, Arabic-language materials, nationality-based screening configuration.
  • Sharia-influenced contract interpretation: judicial discretion on liability caps, liquidated damages, force majeure, good faith.
  • Nationality-based screening (Emiratisation, Omanisation, Bahrainisation, Qatarisation, Kuwaitisation): platform configuration available where required by local law.
  • Arabic-language Customer-facing and Candidate-facing materials.

19.14 United Arab Emirates

  • Three concurrent regimes: federal PDPL, DIFC Data Protection Law, ADGM Data Protection Regulations.
  • Cross-border transfers: adequacy, contractual safeguards, or limited exceptions.
  • Emiratisation: nationality-filtering configuration available.
  • Supervisory authorities: UAE Data Office (federal), DIFC Commissioner, ADGM Office.

19.15 Other Gulf states

  • Qatar (Law No. 13 of 2016, Qatarisation).
  • Bahrain (Law No. 30 of 2018, GDPR-influenced).
  • Kuwait (no comprehensive law; sectoral rules; counsel review required).
  • Oman (Royal Decree 6/2022).

19.16 Other major markets

  • Switzerland (revFADP, FDPIC, German/French/Italian materials).
  • Norway, Iceland, Liechtenstein (EEA, GDPR).
  • Singapore (PDPA, PDPC).
  • Japan (APPI, mutual EU adequacy, PPC).
  • South Korea (PIPA, PIPC) — among strictest globally.
  • Brazil (LGPD, ANPD), Portuguese-language materials.
  • Mexico (LFPDPPP, INAI).
  • South Africa (POPIA, Information Regulator).
  • India (Digital Personal Data Protection Act 2023, Data Protection Board of India).