Jointl Reference Checks

Privacy Policy

This Privacy Policy explains how Jointl Inc. collects, uses, shares, protects, and retains personal information when people visit our website, create an account, use our platform, configure or complete Flows, participate in reference checks, respond to assessments or forms, use Autopilot links, run or appear in Verifications, connect integrations, communicate with us, or otherwise interact with Jointl.

Jointl is a people intelligence platform used by organizations to collect evidence, automate people checks, compare fit, verify signals, and manage evaluation workflows. Because Customers configure how the platform is used, the information processed through Jointl may vary depending on the Customer, use case, jurisdiction, Flow, template, integration, and features enabled.

This Policy is designed to be transparent about what Jointl processes and to support safe, secure, business-ready use of the platform. It does not replace any privacy notices, candidate notices, reference notices, consent forms, disclosures, adverse-action notices, or other legal documents that a Customer may be required to provide.

1. Scope

This Policy applies to personal information processed by Jointl through our websites, applications, APIs, platform, communications, support, billing, integrations, Flows, assessments, reference checks, Verifications, Fraud Protection, Jointl Intelligence, Talent Pool, Autopilot links, and related services.

This Policy does not apply to third-party websites, services, integrations, source databases, or Customer systems that Jointl does not control. Those third parties may have their own terms and privacy policies.

2. Our Role and the Customer’s Role

Jointl processes information in different roles depending on context. When we process account data, billing data, website data, product analytics, support communications, security logs, fraud-prevention data, legal compliance data, or direct relationship data, Jointl may act as an independent controller or business under applicable privacy laws.

When a Customer uses Jointl to collect, evaluate, score, verify, reference, match, route, or manage Candidates, References, applicants, employees, contractors, tenants, program applicants, clients, partners, or other people, the Customer generally controls the purpose and means of that processing. In that context, Jointl generally acts as a processor, service provider, contractor, or similar service provider processing Customer Data on the Customer’s behalf and according to the Customer’s instructions.

Customers are responsible for providing required notices, obtaining required consents, establishing a lawful basis, configuring workflows lawfully, responding to individual rights requests where applicable, complying with adverse-action and dispute obligations, and making all final decisions. Jointl does not make hiring, employment, housing, lending, insurance, admission, engagement, onboarding, or eligibility decisions for Customers.

3. Information We Collect

The categories of personal information we collect depend on how Jointl is used. We may collect the following categories of information directly from you, from Customers, from Candidates, from References, from team users, from integrations, from service providers, from public or authorized sources, from verification partners, or automatically through the Services.

  • Account and contact information

    Name, email address, phone number, password or authentication information, company name, job title, role, workspace, billing contact, support contact, and account settings.

  • Organization and workspace information

    Company profile, company size, company type, location, departments, associated companies, client or brand workspaces, tags, jobs, templates, workflows, permissions, SSO settings, API settings, integrations, billing details, and usage plan information.

  • Candidate, applicant, employee, contractor, tenant, client, partner, or program applicant information

    Name, email, phone number, role or opportunity, application details, profile details, eligibility details, availability, preferences, employment history, education history, qualifications, licenses, documents, work eligibility information, social links provided with consent, responses to questions, assessment answers, reference contacts, notes, files, and other information submitted through a Flow.

  • Reference and third-party feedback information

    Reference name, email, phone number, relationship to the Candidate, employer or organization, title, LinkedIn authentication status where used, reference responses, conversational feedback, ratings, examples, comments, satisfaction feedback, timestamps, reminder status, and authenticity signals.

  • Assessment, form, and data collection information

    Answers to screening questions, ratings, opinion scales, text responses, binary choices, multiple selections, question groups, custom forms, scoring criteria, custom scoring rules, skip-logic paths, validation status, progress bar status, language choices, and dynamic fields.

  • Jointl Intelligence and evaluation outputs

    Matching Scores, attribute scores, automated scoring, summaries, highlights, tags, Deep Insights, Cross-Verified Insights, follow-up questions, interpreted themes, automated rule outcomes, routing status, progress updates, completion alerts, and evaluation reports.

  • Verification inputs and results

    Identifiers used to run checks, such as name, alias, date of birth, email, location, professional identifiers, work authorization details where available and authorized, and results or statuses from configured sources such as sanctions, export controls, debarment, watchlists, securities enforcement, corporate registries, sex offender registries, inmate records, and work authorization checks.

  • Fraud, security, and technical signals

    Device type, operating system, browser, IP address, approximate location, timestamps, digital fingerprint signals, anomaly indicators, email verification status, suspicious activity flags, unusual response patterns, login events, access logs, audit logs, and security event data.

  • Communications information

    Emails, SMS messages, invitations, reminders, Autopilot link activity, Magic Link activity, delivery status, opt-out status, support messages, feedback, feature requests, legal inquiries, and other communications with Jointl or sent through Jointl.

  • Integration and API information

    Data exchanged with ATS, HRIS, CRM, identity providers, billing systems, internal systems, developer APIs, webhooks, connected apps, and Customer-configured integrations.

  • Website, usage, cookie, and analytics information

    Pages viewed, referring pages, device identifiers, browser type, approximate location, session events, clicks, preferences, cookie identifiers, diagnostics, performance data, and product usage metrics.

  • Billing and transaction information

    Plan information, subscription status, invoices, payment method metadata, tax information, transaction records, trial status, discounts, and billing history. Payment card details may be processed by payment providers rather than stored directly by Jointl.

4. Sensitive Information

Depending on the Customer’s configuration and the use case, Jointl may process information that could be considered sensitive, special category, protected, regulated, or high-risk under applicable laws. This may include government identifiers, work authorization information, background or public-record results, criminal watchlist or inmate record signals, sex offender registry signals, sanctions or export-control results, professional license information, financial or securities enforcement signals, social profile links, device and location signals, or other information submitted by Candidates, References, Customers, or public and authorized sources.

Jointl asks Customers to collect sensitive information only when necessary, proportionate, lawful, and supported by appropriate notices, consent, authorization, lawful basis, and policy controls. Customers should not configure Jointl to collect or use sensitive information that they are not legally permitted to collect or use.

5. Sources of Information

We may collect information from the person who provides it; from the Customer that configures a Flow or invites a participant; from team users and administrators; from Candidates, References, applicants, employees, contractors, tenants, clients, partners, or program applicants; from public Autopilot links; from forms, assessments, conversations, and files; from ATS, HRIS, CRM, API, SSO, and internal integrations; from LinkedIn authentication where used; from email verification, SMS, hosting, security, analytics, billing, and support providers; and from public, government, commercial, partner, or authorized verification sources.

When Customers use Jointl to request references or collect third-party feedback, the Reference decides what feedback to provide. When Customers enable social link collection, the Candidate or participant may provide links with consent. When Customers enable Verifications, Jointl may query configured sources using available identifiers.

6. Verifications and Public or Authorized Source Checks

Verifications provide supplemental screening signals from public, government, commercial, partner, or authorized sources. These features may be used for candidate screening, compliance review, identity-related review, risk review, or other Customer-configured workflows where lawful and appropriate.

Verification features may include sanctions screening; U.S. export-control screening; debarment screening; criminal watchlist screening; securities enforcement screening; corporate registry lookup; sex offender registry search; inmate records search; work authorization checks where available and authorized; and other checks added over time.

Configured sources may include OFAC SDN, OFAC Consolidated Non-SDN, UN Security Council Consolidated, EU Consolidated Financial Sanctions, UK Sanctions lists, BIS lists, State Department lists, World Bank Ineligible Firms and Individuals, SAM.gov Public Exclusions, FBI Wanted, Interpol notices, UN Special Notices, SEC litigation releases, CFTC enforcement actions, FINRA BrokerCheck, UK Companies House, Florida Sunbiz, NSOPW sex offender registry data, Federal BOP and state DOC inmate locators, and authorized DHS/SSA work authorization checks where available.

Verification results can be inaccurate, incomplete, outdated, unavailable, mismatched, or affected by source limitations. A possible match is not a finding that the person is the same person in a source record, committed wrongdoing, is ineligible, or should be rejected. A clear result is not a guarantee that no record exists. Customers must manually review source records where available, confirm possible matches, and comply with applicable consent, notice, adverse-action, dispute, anti-discrimination, consumer reporting, immigration, sanctions, export-control, and other legal requirements before using results in decisions.

Certain live lookup features, such as Corporate Registry lookup, are intended to display results from source systems without permanently storing the source registry record in Jointl. Jointl may still retain metadata, logs, status information, user notes, audit events, or temporary caches where needed for security, troubleshooting, abuse prevention, legal compliance, or service operation.

7. How We Use Information

We use personal information to provide, secure, maintain, support, improve, and administer Jointl. Depending on context, we may use information for the following purposes.

  • Create and manage accounts, workspaces, companies, plans, billing, roles, permissions, SSO, API access, and integrations.
  • Create, configure, publish, run, and manage Flows, Autopilots, forms, assessments, references, questions, templates, reminders, and automated rules.
  • Collect, organize, score, summarize, tag, route, and display responses, Candidate profiles, Reference feedback, verification signals, fraud signals, and evaluation results.
  • Operate Jointl Intelligence, including adaptive follow-up questions, AI-moderated checks, Deep Insights, Cross-Verified Insights, Matching Scores, automated scoring, summaries, themes, and reports.
  • Run configured Verifications, email verification, LinkedIn identity verification, Fraud Protection, device and IP checks, anomaly detection, and other authenticity, security, and risk signals.
  • Send invitations, reminders, SMS messages, emails, progress updates, completion alerts, support messages, billing notices, security alerts, and product communications.
  • Support Customers, troubleshoot issues, migrate data, provide integration assistance, respond to inquiries, and improve workflows.
  • Monitor, prevent, detect, investigate, and respond to fraud, abuse, security incidents, unauthorized access, spam, system misuse, legal claims, and policy violations.
  • Analyze usage, maintain service reliability, improve product quality, develop features, test workflows, measure performance, and create aggregated or de-identified insights.
  • Comply with legal obligations, enforce agreements, protect rights, respond to lawful requests, maintain records, and support audits, disputes, investigations, or regulatory inquiries.

8. Jointl Intelligence and Automated Processing

Jointl Intelligence may process responses, comments, ratings, assessments, verification signals, fraud signals, Customer criteria, scoring rules, and other Customer Data to ask follow-up questions, extract themes, summarize evidence, tag responses, calculate Matching Scores, identify Cross-Verified Insights, generate Deep Insights, apply automated rules, and help Customers review information more efficiently.

Jointl Intelligence is decision support. It does not make final hiring, employment, tenancy, lending, insurance, admission, onboarding, or eligibility decisions for Customers. Customers are responsible for human review, explaining decisions where required, validating Outputs, handling disputes, providing accommodations, and following applicable notice and adverse-action requirements.

Automated outputs may be incomplete, inaccurate, biased, or not suitable for a particular decision. Customers should review the underlying information and should not rely solely on automated scores, rankings, fraud flags, or verification statuses for consequential decisions.

Jointl does not sell Customer Data for third-party advertising. Jointl may use aggregated, anonymized, or de-identified data to improve service quality, security, analytics, and product functionality, subject to applicable law and contractual restrictions.

10. How We Share Information

We share personal information only as needed to provide the Services, follow Customer instructions, operate our business, protect rights and security, comply with law, or as otherwise described in this Policy.

  • With Customers and authorized users: Candidate, Reference, Flow, verification, fraud, score, profile, and workflow information may be visible to the Customer and its authorized users based on roles and permissions.
  • With Candidates and References: Certain information may be shown to the person completing a Flow, to the person who invited them, or to other participants where configured by the Customer or required by law.
  • With service providers and subprocessors: We may use hosting, storage, security, analytics, email, SMS, support, billing, payment, verification, identity, data processing, and infrastructure providers that process information for us.
  • With verification sources and partners: When a Customer runs a Verification, we may submit identifiers to configured public, government, commercial, partner, or authorized sources and receive matching results, statuses, or records.
  • With integrations: We may share information with ATS, HRIS, CRM, SSO, API, webhook, internal system, or other integrations enabled by Customer.
  • With professional advisors, regulators, courts, law enforcement, or other parties: We may disclose information when reasonably necessary to comply with law, respond to lawful requests, protect rights, prevent harm, enforce agreements, investigate abuse, or defend claims.
  • In business transactions: Information may be disclosed or transferred in connection with a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction, subject to appropriate protections where required.

11. Customer-Controlled Disclosures

Customers control many disclosures within Jointl. For example, Customers choose which users are invited, which roles and permissions apply, which companies or clients can access results, which integrations receive data, which Candidates or References are contacted, what questions are asked, what public links are shared, what templates are used, and whether results are exported, shared, or retained.

Customers are responsible for ensuring that their disclosures are lawful, necessary, proportionate, and consistent with their privacy notices, contracts, company policies, and applicable laws. If you are a Candidate, Reference, employee, applicant, tenant, client, partner, or program applicant and have questions about a Customer’s use of your information, you should contact the Customer directly.

12. Communications, Email, SMS, and Choices

Jointl may send transactional, operational, security, billing, support, invitation, reminder, completion, and account-related communications. Customers may also configure messages sent through Jointl to Candidates, References, and other participants.

Recipients may be able to opt out of certain non-essential communications. Some communications are necessary to provide the Services, complete a Flow, verify identity, maintain security, confirm account activity, or comply with law, and may continue even if marketing messages are disabled.

Customers are responsible for ensuring that they have the right to send emails, SMS messages, invitations, reminders, and other communications through Jointl and for honoring opt-outs where required.

13. Cookies and Similar Technologies

Jointl may use cookies, pixels, local storage, device identifiers, and similar technologies to operate the website and Services, remember preferences, authenticate users, improve performance, analyze usage, prevent fraud, secure accounts, and support product analytics.

You may be able to control cookies through your browser settings or consent tools where available. Some cookies are necessary for security, authentication, or service operation, and disabling them may affect functionality.

14. Data Retention

We retain personal information for as long as reasonably necessary to provide the Services, fulfill Customer instructions, maintain accounts, support Flows, preserve Talent Pool records configured by Customer, operate integrations, comply with legal obligations, resolve disputes, enforce agreements, prevent fraud, maintain security, support audits, and improve the Services.

Customers may configure, export, delete, or request deletion of certain Customer Data depending on plan settings, permissions, feature limitations, legal obligations, and applicable agreements. Deleted information may remain in backups, logs, archives, or audit records for a limited period or longer where required for legal, security, dispute, compliance, or operational reasons.

For certain live lookup features, Jointl is not intended to store source registry records permanently, but may retain lookup metadata, status information, logs, temporary caches, user notes, or audit events as described in this Policy.

15. Security

Jointl uses administrative, technical, and organizational measures designed to protect personal information, including secure hosting, encryption in transit, password hashing and salting, access controls, permission-based workspaces, monitoring, backups, and security-conscious development practices.

No method of transmission, storage, authentication, or processing is completely secure. We cannot guarantee that unauthorized access, disclosure, alteration, loss, or misuse will never occur. Customers and users should use strong authentication, configure roles carefully, protect credentials, secure devices, rotate API keys, disable unused links and accounts, and promptly report suspected security issues.

16. International Transfers

Jointl is operated by a U.S. company and may process information in the United States and other countries where Jointl, its service providers, subprocessors, Customers, users, or integration providers operate. These countries may have data protection laws different from those in your location.

Where required, Jointl uses appropriate safeguards for international transfers, such as contractual protections, data processing agreements, standard contractual clauses, or other lawful transfer mechanisms. Customers are responsible for ensuring that their own transfers and instructions are lawful.

17. Privacy Rights and Requests

Depending on your location and relationship with Jointl, you may have rights to access, correct, delete, restrict, object to, port, or receive information about certain personal information. You may also have rights to opt out of certain processing, sale or sharing, targeted advertising, profiling, or automated decision-making, or to limit the use of sensitive personal information where applicable.

If Jointl processes your information on behalf of a Customer, we may refer your request to the Customer or ask you to contact the Customer directly, because the Customer controls the relevant workflow and decision. We may still assist the Customer in responding to your request as required by law or contract.

We may need to verify your identity or authority before responding to a request. We may decline or limit requests where permitted by law, including when information is controlled by a Customer, needed for security, fraud prevention, legal compliance, disputes, recordkeeping, consumer reporting, employment records, or where the request is not verifiable.

18. California Privacy Rights

If you are a California resident and the California Consumer Privacy Act or similar law applies, you may have the right to know what personal information is collected, used, disclosed, sold, or shared; the right to request deletion; the right to correct inaccurate personal information; the right to opt out of sale or sharing; the right to limit use and disclosure of sensitive personal information; and the right not to be discriminated against for exercising privacy rights.

Jointl does not sell personal information for money and does not share personal information for cross-context behavioral advertising as those terms are commonly used under the CCPA. Jointl does not use sensitive personal information for purposes other than providing and securing the Services, complying with law, preventing fraud, or other purposes permitted by applicable law unless otherwise disclosed and authorized.

Where we process information as a service provider, contractor, processor, or subprocessor for a Customer, the Customer may be responsible for responding to California privacy requests. You may contact us and we will route or handle the request as appropriate.

  • Identifiers

    Examples: Name, email, phone number, IP address, account identifiers, Candidate identifiers, Reference identifiers, public source identifiers, and similar information.

    Purposes: Account management, Flow operation, communications, verification, fraud prevention, support, security, billing, and compliance.

  • Customer records and submitted information

    Examples: Application data, employment or education information, references, assessments, documents, eligibility details, preferences, and Customer-configured form responses.

    Purposes: Evaluation workflows, scoring, matching, reference checking, verification, reporting, and Customer-controlled decisions.

  • Protected classification or sensitive information, if submitted or configured

    Examples: Information that may reveal age, work authorization, government identifiers, location, criminal/public-record signals, or other sensitive information depending on workflow. Jointl discourages unnecessary sensitive data collection.

    Purposes: Providing configured Services, verification, legal compliance, fraud prevention, security, and Customer-directed workflows where lawful.

  • Internet, device, and network activity

    Examples: Device, browser, operating system, IP address, timestamps, logs, usage events, cookie identifiers, and anomaly signals.

    Purposes: Security, fraud prevention, product operation, analytics, troubleshooting, and account protection.

  • Professional, employment, education, and credential information

    Examples: Job history, title, qualifications, licenses, skills, assessments, work eligibility information, reference feedback, and related Candidate or Reference data.

    Purposes: Evaluation, matching, scoring, verification, references, and Customer-controlled review.

  • Inferences and automated outputs

    Examples: Matching Scores, attribute scores, summaries, tags, Cross-Verified Insights, Deep Insights, fraud flags, risk indicators, and recommendations.

    Purposes: Decision support, workflow automation, evidence organization, Customer review, and service improvement.

19. EEA, UK, Swiss, and Similar Privacy Rights

Where GDPR, UK GDPR, Swiss data protection law, or similar laws apply, you may have rights to access, rectify, or erase personal information; to restrict or object to processing; to data portability; to withdraw consent; and to lodge a complaint with a supervisory authority. These rights may be limited by applicable law, Customer instructions, legal obligations, employment record requirements, dispute needs, or other exceptions.

Where Jointl acts as a processor, requests should generally be directed to the Customer. Where Jointl acts as a controller, you may contact Jointl through the Legal Affairs or privacy contact channel on our website.

20. Consumer Reporting, Background Screening, and Adverse-Action Rights

Some uses of Jointl, including public-record checks, background dossiers, algorithmic scores, employment screening, tenancy screening, or similar reports, may be subject to the Fair Credit Reporting Act, state consumer reporting laws, employment laws, housing laws, or other screening rules. Whether these laws apply depends on the feature, Customer configuration, use case, jurisdiction, data source, and decision being made.

Customers are responsible for determining whether a particular workflow requires disclosures, authorization, certification, permissible purpose, pre-adverse action notice, copy of the report, summary of rights, adverse-action notice, dispute handling, individualized assessment, or other process. Jointl may provide tools or support for these workflows but does not replace Customer’s legal obligations.

If you believe information in a Jointl-generated report or verification result is inaccurate, incomplete, outdated, or mismatched, you may contact the Customer that requested the check and may contact Jointl through our Legal Affairs or privacy contact channel. If a consumer reporting law applies, additional rights and procedures may be available.

21. Children and Minors

Jointl is not intended for use by children without appropriate authorization. Customers must not use Jointl to collect information from minors unless they have a lawful basis, obtain any required parental, guardian, school, or institutional consent, provide required notices, and determine that the workflow is appropriate and lawful for the minor’s age, location, and use case.

If you believe a child’s information was submitted to Jointl without appropriate authorization, contact us through the Legal Affairs or privacy contact channel on our website.

22. Changes to This Policy

We may update this Privacy Policy from time to time. The updated Policy will be posted or made available through the Services. If we make material changes, we will use reasonable efforts to notify Customers or users through the Services, by email, or by another reasonable method. Continued use of the Services after an update means the updated Policy applies.

23. Contact Us

Questions or requests about this Privacy Policy may be sent through Jointl’s Legal Affairs or privacy contact channel on the Jointl website. Jointl Inc.’s registered office is 600 N Broad St Ste 5, Middletown, DE 19709, United States.

Last updated May 12, 2026