Legal

Privacy Policy

Last updated: March 19, 2026 · Effective: March 19, 2026

1. Who We Are

(un)hire is operated by Squidler AB, a company registered in Sweden (collectively, "(un)hire", "we", "us", or "our"). We operate the website at unhire.ai and the associated platform that provisions personal AI agent instances for users.

For privacy and legal inquiries, contact us at legal@squidler.io.

2. What We Collect

We collect and process the following categories of personal data:

  • Account Data: Email address, name, and profile information provided during registration and authentication.
  • API Keys and Credentials: Third-party API keys (e.g., Anthropic, OpenAI) that you provide to power your AI agent. These are encrypted at rest using industry-standard encryption (AES-256) and are never shared with any party other than the respective AI provider when making API calls on your behalf.
  • Messaging Channel Credentials: Authentication tokens and configuration data for messaging platforms (Telegram, Signal, WhatsApp) that you connect to your agent.
  • Agent Conversation Logs: Messages and data exchanged between you (and third parties you communicate with) and your AI agent. These logs are stored to enable the agent's functionality, including memory and context.
  • Usage Data: Platform interaction data, feature usage, error logs, and performance metrics.
  • Payment Data: Payment information is processed by Stripe. We do not store your full credit card details; we receive only limited billing identifiers from Stripe.
  • Technical Data: IP addresses, browser type, device information, and access timestamps collected automatically when you use our platform.

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)): Processing account data, API keys, and conversation logs is necessary to provide the Service you have subscribed to.
  • Legitimate interests (Art. 6(1)(f)): Usage data and technical data are processed for platform security, fraud prevention, service improvement, and troubleshooting. Our legitimate interest does not override your fundamental rights.
  • Consent (Art. 6(1)(a)): Where required, such as for optional marketing communications. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): Where we are required to retain data for tax, accounting, or regulatory purposes under Swedish or EU law.

4. GDPR Roles

For account data (your email, name, payment information), Squidler AB acts as the data controller.

For agent data (conversation logs, any data you share with or through your AI agent, and data generated by your agent), you are the data controller and Squidler AB acts as the data processor. We process this data solely on your behalf and according to your instructions (i.e., your use of the platform). A Data Processing Agreement (DPA) is available for download — see Section 15 below.

5. API Keys and Credentials

Your API keys are treated as highly sensitive credentials. We implement the following safeguards:

  • All API keys are encrypted at rest using AES-256 encryption.
  • Keys are transmitted only over encrypted connections (TLS 1.2+).
  • Access to stored keys is strictly limited to automated systems that require them to execute AI provider API calls on your behalf.
  • We do not log, inspect, or use your API keys for any purpose other than operating your agent as instructed by you.

6. Third-Party Data Flows

In the course of providing the Service, your data may be shared with or processed by the following categories of third parties:

  • AI Providers (e.g., Anthropic, OpenAI): Conversation content is sent to AI providers using your API keys to generate agent responses. These providers process data under their own terms and privacy policies. You are responsible for reviewing those terms.
  • Stripe: Payment processing. Stripe acts as an independent data controller for payment data.
  • Auth0 (Okta): Authentication services.
  • Messaging Platforms (Telegram, Signal, WhatsApp): Messages are routed through these platforms based on your configuration. Each platform has its own privacy policy and terms.
  • Hetzner Online GmbH: Infrastructure hosting. Data is stored in the EU.

A current list of sub-processors is maintained at legal@squidler.io. We will notify you of any material changes to sub-processors at least 14 days in advance.

7. Your Responsibility for Data Shared with Your Agent

You are solely responsible for all data you share with, send to, or make accessible to your AI agent. This includes data shared by third parties who communicate with your agent through connected messaging channels.

As the data controller for agent data, you are responsible for:

  • Ensuring you have a lawful basis to process any personal data shared with your agent.
  • Informing third parties who interact with your agent about how their data is processed.
  • Not sharing sensitive personal data (such as Swedish personal identity numbers, passwords, financial credentials, medical or health information, or other special category data under GDPR Article 9) with your agent unless you fully understand and accept the associated risks.

Warning: Data shared with your agent may be transmitted to third-party AI providers for processing. We strongly advise against sharing sensitive personal data with your agent. If you choose to do so, you do so entirely at your own risk.

8. Data Retention and Deletion

  • Active accounts: Data is retained for as long as your account is active and as needed to provide the Service.
  • Account deletion: Upon account deletion or cancellation, we will delete or anonymize your personal data, including agent conversation logs and stored API keys, within 30 days. Certain data may be retained longer where required by law.
  • Backups: Residual copies in encrypted backups will be overwritten in accordance with our backup rotation schedule (no longer than 90 days). Backup data is not actively processed and is subject to the same access controls as production data.

9. International Data Transfers

Our primary infrastructure is hosted within the European Union (Hetzner, Germany). However, certain third-party services (AI providers, Stripe, Auth0) may process data outside the EU/EEA. Where such transfers occur, they are safeguarded by:

  • European Commission adequacy decisions;
  • Standard Contractual Clauses (SCCs) approved by the European Commission; or
  • Other legally recognized transfer mechanisms under GDPR Chapter V.

By providing your API keys for third-party AI providers, you acknowledge that conversation data will be transferred to the servers of those providers, which may be located outside the EU/EEA.

10. Your Rights Under GDPR

As a data subject, you have the following rights regarding your personal data:

  • Right of access (Art. 15): Obtain confirmation of whether we process your personal data and request a copy.
  • Right to rectification (Art. 16): Request correction of inaccurate personal data.
  • Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18): Request restriction of processing in certain circumstances.
  • Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format. You may export your conversation logs and agent data through the platform or by contacting us.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at legal@squidler.io. We will respond within 30 days as required by GDPR. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) or another competent supervisory authority.

11. Automated Decision-Making

Your AI agent may take automated actions based on your instructions, including sending messages, browsing websites, and managing tasks. You maintain full control over your agent and can override, correct, or reverse any agent action at any time.

(un)hire does not use automated decision-making or profiling that produces legal effects or similarly significant effects on you without human involvement.

12. Cookies and Tracking

We use strictly necessary cookies for authentication and session management. We do not use analytics, advertising, or behavioral tracking cookies. Because we only use strictly necessary cookies, no consent banner is required under the ePrivacy Directive.

13. Children

The Service is intended for users aged 18 and above. We do not knowingly collect personal data from children and do not provide parental consent mechanisms. If you believe a child has provided us with personal data, please contact us at legal@squidler.io and we will promptly delete such data.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the platform at least 30 days before they take effect. Your continued use of the Service after such notice constitutes acceptance of the updated policy. We encourage you to review this page periodically.

15. Contact and DPA

For all privacy-related inquiries, data subject requests, or to obtain a Data Processing Agreement (DPA):

Squidler AB (operating as (un)hire)
Email: legal@squidler.io

A signed DPA is available upon request. For B2B customers who act as data controllers, we recommend executing a DPA before processing begins.