LAST UPDATED: May 10, 2026

PhynAI, Inc., a Delaware corporation doing business as Stitch ("Stitch," "we," "us," or "our"), runs an AI-powered recruiting platform spanning candidate sourcing, outreach, interview recording and insights, and applicant tracking.

This Privacy Policy ("Policy") describes the personal information Stitch handles, the reasons we handle it, who else sees it, and the choices available to you. It applies to our website at https://hirestitch.com (the "Site") and to information we collect about job candidates while operating our recruiting platform (together with the Site, the "Services").

The Policy does not cover information that we handle strictly on behalf of a customer (for example, data a customer uploads into its workspace, or activity by the customer's authorized users of the product). For that data we act as a service provider / processor, governed by our customer agreement and our Data Processing Addendum rather than this Policy.

A condensed Notice at Collection sits at the bottom of this page. If you want to file a privacy request, head to the Privacy Center.

1. Personal Information We Collect and Sources of Information

a. Public information we collect about job candidates

If you have published professional information about yourself online, we and our data partners may collect that information so we can surface qualified candidates to our customers when they are hiring. Typical sources include resumes and CVs, professional profiles, code repositories and other open-source contribution platforms, patent filings, technical publications and conference materials, talks, podcasts, and other public video or audio content, awards and recognitions, personal websites and portfolios, and similar publicly accessible sources.

The candidate information we may hold includes:

First and last name
Education and credentials
Work history, job titles, and tenure
Professional or employment-related qualifications (years of experience, publications, patents, awards, languages, technical skills, etc.)
Geographic location (city, state/region, or country)
Public profiles, code repositories, portfolios, and links to publications, patents, talks, podcasts, and other public video or audio content
Contact information, including business and personal email addresses and phone numbers
Photographs that you have made publicly available on a profile. Photographs are not used for unique identification or face matching across profiles

We do not deliberately collect or infer special-category data (for example, health, political opinions, religion, race or ethnicity, sexual orientation, or trade union membership) from public sources.

From the professional information described above, our systems generate inferences such as seniority level, area of expertise, or estimated openness to a new role. These inferences are used inside the platform to support recruiting features such as candidate matching and scoring, outreach personalization, customer-facing review and shortlist surfaces (for example, quick review), and the AI-assisted features customers use to evaluate candidates throughout the recruiting workflow.

Candidate information reaches us through three routes: publicly accessible sources where you have made the information available, data and enrichment partners we work with, and customers who submit information about candidates they have already identified.

b. Information we collect directly from website visitors

When you request a demo, contact sales or support, or create a Stitch account, you tell us things like:

Identification and contact details: first and last name, business email, phone number, and company name.
Account and billing data: sign-in credentials, plan and subscription details, and the payment information our third-party payment processor needs to charge you (we do not store full card numbers ourselves).
Anything you write to us: the contents of support tickets, sales conversations, or any other correspondence you initiate.
Marketing preferences: what you have opted in or out of, plus how you have engaged with messages we have sent you.
Anything else you choose to share that is not in this list. We will handle it consistently with this Policy or with any notice given at the time you provided it.

c. Information we collect from our customers' users of the Services

When an authorized user of one of our customers signs in to the Services, we collect information necessary to operate the Services on the customer's behalf. That includes authentication credentials, communications sent through the Services, configuration data such as job descriptions and ideal candidate profiles, integration credentials for third-party services the customer authorizes us to access (typically their email and calendar accounts), and, where the customer enables interview recording, audio, video, and transcripts of interviews conducted through the Services along with the AI-generated summaries and insights derived from them.

Customers control whether to record interviews and are responsible for obtaining any consent or notice required from interview participants under applicable law, including state biometric and wiretap statutes such as the Illinois Biometric Information Privacy Act and the California Invasion of Privacy Act. The information described in this Section 1.c is processed under our customer agreements as a service provider/data processor, and is subject to those agreements rather than this Policy.

Stitch operates brand pages on third-party social platforms. If you follow, message, or otherwise engage with those pages, the platform may share information with us according to its own settings and terms.

e. Information about employees of prospective and current customer companies

To run our business-to-business sales and marketing, we and our partners collect limited professional information about people who work at companies that may be a fit for Stitch (or that already are). This typically includes name, employer, job title and seniority, business email and phone, networking profile, and other publicly available business-context information about that person's role.

Sources are similar in shape to those used for candidate sourcing in Section 1.a: publicly accessible professional sources, B2B data and enrichment vendors, marketing partners, and our own interactions with you (for example, when you visit the Site, request a demo, attend an event, or respond to our outreach).

We rely on the legitimate interests of Stitch and your employer in identifying relevant business opportunities. You can opt out of marketing or ask us to remove you from our records at any time through the Privacy Center.

f. What gets logged automatically

Loading a page on the Site causes Stitch and a small number of necessary providers to receive standard request metadata, including:

Device and connection data: operating system, browser type, IP address, language preference, and an approximate location (typically city or region).
Usage data: which pages you visited, how long you stayed, and when.
Session-replay captures: to reproduce and fix bugs, our error-monitoring tool records session replays, which include navigation, clicks, scrolls, and page interactions. Form input is masked by default. We sample these replays at high rates so we can investigate problems even when no error is thrown. Replays for signed-in users are also mirrored to our own Google Cloud Storage so we retain a copy for support and audit purposes.

We do not run third-party advertising or analytics cookies on the marketing website. The only cookies the Site sets are strictly necessary to render the page (for example, remembering whether you have dark mode on, or maintaining your session if you've signed in).

Once you are signed into the authenticated app, we use session cookies for authentication, plus product analytics (PostHog), error monitoring and session replay (Sentry, with replays mirrored to our Google Cloud Storage), and infrastructure logs to operate the Services and diagnose issues. None of this powers advertising and we do not share authenticated activity with ad networks.

2. How We Use Personal Information

Why we process candidate information

Stitch processes candidate information so customers can source, engage, interview, and hire people who may be a fit for their open roles. Under GDPR and equivalent laws, our lawful basis is the legitimate interests of Stitch and our customers in running an efficient recruiting platform that connects qualified professionals with relevant opportunities. We have weighed those interests against candidates' rights: we work only with information that has been published in a professional context, we do not deliberately collect or infer special-category data from public sources, and we honor the rights described in Section 4 (including the right to object) through our Privacy Center.

How customers themselves use the sourcing engine, the AI scoring features, the outreach tooling, and the rest of the product is governed by our Service Agreement with that customer.

Automated decision-making and profiling

Stitch uses artificial intelligence to score and recommend candidates for our customers' open roles. These scores and recommendations are decision-support tools intended to assist humans; they are not used to make decisions producing legal or similarly significant effects on candidates without human review. Customers remain responsible for any hiring decisions and for ensuring that any further automated decision-making they perform with our outputs complies with applicable law. If you are a job candidate and would like more information about how Stitch's AI evaluates candidates, or would like to object to such processing, please contact us through our Privacy Center.

Why we process information about visitors and customer representatives

For people who visit the Site, sign in to a Stitch account, or otherwise engage with us in a business context, we use personal information to:

Run the Services. Operate, secure, and maintain the Site and product, and meet our obligations under any Service Agreement we have with you or your employer.
Respond and support. Answer your messages, deliver customer support, and send the operational, security, and administrative notices that come with using the product.
Improve the Services. Diagnose bugs, study how features are used, and run product research. Where we can, we work with aggregated or de-identified data.
Market the product. Send you updates, announcements, and event invitations where you have not opted out (and, where consent is required, where you have opted in).
Comply and protect. Meet legal obligations, defend against claims, prevent fraud and abuse, and respond to lawful requests from regulators or law enforcement.

These activities rely on our legitimate interests in running and growing the Services, on the contract we have with you, on your consent where applicable, or on a separate legal duty.

AI providers

Several features of the Services are powered by third-party AI providers (for example, candidate evaluation, content generation, sourcing match-scoring, and interview summarization). Each of these vendors is contractually restricted to using the data we send them only to deliver the relevant feature, and is prohibited from training their underlying models on Stitch or customer data.

3. How We Disclose Personal Information

We may disclose personal information to:

Customers. Job candidate data is made available to customers through the Services so they can identify and engage potential hires. Where a customer instructs us to, we may also pass that data to the customer's own authorized service providers.
Service providers and sub-processors. Vendors that help us operate the business, in categories such as hosting and infrastructure, authentication, payment processing, email delivery, messaging and calendar integrations, meeting recording and transcription, data enrichment, AI model services, error monitoring, product analytics within the authenticated app, and internal team communications. Each is contractually limited to using personal information only to support the Services. The current sub-processor list is published inside the authenticated customer dashboard.
Professional advisors. Lawyers, accountants, auditors, bankers, and insurers when their work for us requires it.
Authorities and private parties. Government bodies, regulators, courts, and other parties when we have a good-faith belief that disclosure is necessary for the compliance and protection purposes set out above.
Counterparties in a corporate transaction. If Stitch or any affiliate is part of (or in negotiations for) a financing, merger, acquisition, asset sale, reorganization, or insolvency proceeding, we may share personal information with the other parties to that deal and their advisors as reasonably needed, subject to appropriate confidentiality.

Stitch does not exchange personal information with advertisers, brokers, or other parties for advertising revenue. However, candidate data is made available to customers through paid subscriptions to the Services, and laws like the California Consumer Privacy Act and equivalent state statutes treat that kind of disclosure as "selling" or "sharing." Candidates who would like us to remove them from the sourcing database (or stop displaying their information to customers) can request that through the Privacy Center.

4. Privacy Rights and Choices

Stop receiving marketing email

Every marketing email we send carries an unsubscribe link; clicking it pulls you off the relevant list. We may still need to send you operational or transactional notices (billing, security, product changes); those are not optional while you are an active user.

Submitting a privacy request

Depending on where you live and how you have used the Services, you may be able to ask us to:

Tell you what we hold. Provide a copy of the personal information we have about you, in a portable format where applicable. Most of what you can request is already disclosed in this Policy, so a request is not always necessary.
Fix something that is wrong. Correct information about you that is inaccurate or out of date.
Delete you. Remove personal information we no longer need to operate the Services or to meet a legal obligation.
Take you out of the candidate database. Remove your information from our sourcing database so it stops appearing to customers. File this through the Privacy Center.
Pause or object. Restrict what we do with your information, or object to a specific use of it (including direct marketing).
Appeal. If we deny a request, you can ask us to look at the decision again through the Privacy Center or by writing to us.

The fastest way to submit any of these is the Privacy Center. Email to privacy@hirestitch.com is also accepted, although we may redirect you to the form so we can verify and track the request properly. Statutory windows apply: 30 days under GDPR, 45 days under the CCPA. Before we act, we will ask for enough information to confirm you are the person whose data is at stake; we cannot fulfill a request we cannot verify.

Authorized agents

Some laws let a third party submit a request on your behalf. If you would like to use an authorized agent, the agent should provide a signed authorization (or a power of attorney), and we will still confirm your identity directly before acting. Exercising any of these rights will not change the way we treat you.

Filing a complaint

People in the European Economic Area, the United Kingdom, and Switzerland may also file a complaint with a data protection authority in their country of residence, their place of work, or where they believe an infringement has occurred.

Where these rights end

There are limits. We may not be able to act on a request that would compromise someone else's rights, prevent us from delivering a Service you have asked for, or conflict with a legal obligation we owe (a tax retention requirement, for example). If our response leaves you unsatisfied, please use the contact details below.

5. International Data Transfers

Stitch is based in the United States, and most of our infrastructure and service providers operate from the United States. Using the Services from outside the U.S. therefore involves transferring your personal information to, and processing it in, jurisdictions whose data protection laws may differ from those of your home country.

When EEA, UK, or Swiss personal data is transferred to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (Modules 2 and 3) and the UK International Data Transfer Addendum. Both are built into our Data Processing Addendum and the agreements we maintain with each sub-processor.

If you want a closer look at how a particular transfer is safeguarded, email privacy@hirestitch.com.

6. Retention of Personal Information

We keep personal information only as long as we need it for the purposes set out in this Policy or as required by law.

How long we keep any given record depends on the type of information, how sensitive it is, the purpose it serves, whether that purpose can be met with less data, and any retention period we are legally required to observe.

Typical retention buckets:

Account and customer data: kept for the life of the customer agreement plus a reasonable wind-down window, then deleted or anonymized per the Data Processing Addendum.
Candidate information: kept while the candidate is reasonably suitable for an active or foreseeable customer recruiting campaign, then deleted or anonymized. Candidates can request earlier deletion through the Privacy Center.
Marketing data: kept until you opt out or until we no longer have a reason to hold it, whichever comes first.
Records we are legally required to keep (for tax, accounting, contract enforcement, etc.): kept for the periods required by the relevant law.

7. Stitch's Role: Controller and Processor

Our role with respect to personal information depends on the activity:

Stitch as controller (or business). When we source publicly available candidate information into our sourcing database and operate the recruiting platform, we act as a data controller (and a "business" under the California Consumer Privacy Act) for that processing. This Policy describes that processing.
Stitch as processor (or service provider). When our customers use the Services to upload, organize, evaluate, communicate with, or otherwise process personal information about candidates and other individuals within their workspace, we act as a data processor (and a "service provider" under the California Consumer Privacy Act) for that processing. The customer is the controller and is responsible for providing notices, establishing a lawful basis, and otherwise complying with applicable data protection laws. Our processing in this capacity is governed by our customer agreements and our Data Processing Addendum.

If you are a job candidate and a customer of Stitch has contacted you using the Services, you may also have rights with respect to that customer in addition to your rights with respect to Stitch. Please contact the relevant customer directly for requests about how that customer is processing your personal information.

8. Data Security

Stitch runs a layered security program built around encryption (in transit and at rest), role-based access controls, mandatory multi-factor authentication for personnel, vendor due diligence, and continuous logging and monitoring. The full set of technical and organizational measures we apply to customer data sits in Annex II of our Data Processing Addendum.

If we ever discover a personal data breach affecting customer data, that is, data we handle as a processor on behalf of a customer, we are contractually obliged to alert affected customers without undue delay and, where the breach falls within Article 33 of the GDPR, within the 72-hour notification window. The full mechanics are set out in the Data Processing Addendum.

For personal data where Stitch is the controller, including the candidate sourcing database, information collected from website visitors, and information about customer representatives, we take on those notification obligations directly. If a breach is likely to result in a risk to the rights and freedoms of affected individuals, we will notify the competent supervisory authority within 72 hours of becoming aware of it, in line with Article 33 of the GDPR (and equivalent obligations under the UK GDPR and other applicable laws). Where the breach is likely to result in a high risk to those rights and freedoms, we will also notify affected individuals without undue delay under Article 34, unless one of the exceptions in that Article applies (for example, where the data was rendered unintelligible by encryption, or where individual notice would involve disproportionate effort and a public communication is used instead).

No control surface is perfect. We cannot promise absolute security, and we encourage you to use a strong, unique password and to enable multi-factor authentication on your account.

9. Other Sites and Services

The Services sometimes link to or embed third-party websites and tools. A link is not an endorsement or a representation of affiliation, and Stitch is not responsible for the content, security, or privacy practices of any external service. Their policies, not this one, apply when you use them.

10. Children

The Services are intended for adult professionals. Stitch does not direct the Services at children, and we do not knowingly collect personal information from anyone under 16 without parental consent. If we discover that we have, we will delete the information promptly. If you believe a child's data has reached us, get in touch via the How to Contact Us section.

11. Changes to this Privacy Policy

We update this Policy from time to time. When we make a material change, we update the "Last Updated" date at the top of the page and, where required by law, give advance notice via email or in-product before the change takes effect. We recommend checking back periodically.

How to Contact Us

Who is the controller

PhynAI, Inc., doing business as Stitch, is the legal entity that determines how personal information is processed under this Policy. Where applicable law uses the term "controller" (or "business"), it refers to us.

Reaching us

For questions about this Policy, requests to exercise privacy rights, or anything else: the Privacy Center is the fastest path, and email to privacy@hirestitch.com is also fine.

If neither is workable for you, the postal addresses below are an option.

United States & Global

PhynAI, Inc.
1522 Western Ave STE 24101
Seattle, WA 98101
United States

EU Representative

Osano International Compliance Services Limited
ATTN: GXJU
25 North Wall Quay
Dublin 1
D01 H104
Ireland

UK Representative

Osano UK Compliance LTD
ATTN: GXJU
42-46 Fountain Street
Belfast
Antrim
BT1 - 5EF
United Kingdom

Notice at Collection

A condensed map of what we handle and why. The full picture is in the sections above.

Data Categories Collected	How We Collect	Primary Purposes of Processing	Key Recipients / Disclosures	Can You Limit Sharing?
Identifiers (name, alias, postal address, account or unique personal identifier, online identifier, IP address, email address)	Directly from you, from our data partners, from publicly accessible sources, or if you apply for a job at Stitch	Operating the Services; product improvement and personalization; communicating with you; research; marketing; recruiting	Service providers; customers	Yes, for sharing with customers. See Privacy Center
Internet and network activity (browsing on the Site, activity inside the Services)	Captured automatically when you use the Site or product	Operating and improving the Services; security and fraud prevention	Service providers	No
Commercial information (records of subscriptions purchased, considered, or in use)	Captured during your use of the product	Delivering the Services; billing and account administration	Service providers	No
California Customer Records statute categories (such as name and contact details)	Directly from you, from publicly accessible sources, or if you apply for a job at Stitch	Operating the Services; communicating with you; recruiting	Service providers; customers	Yes, for sharing with customers
Professional or employment-related information	Publicly accessible professional sources, our data partners, or your job application	Operating, improving, and personalizing the Services; research; recruiting	Service providers; customers	Yes, for sharing with customers
Inferences (e.g., seniority level, area of expertise)	Generated by the Services from the categories above	Improving match quality and outreach relevance	Service providers; customers	Yes, for sharing with customers

Stitch does not deliberately collect or infer special-category, sensitive, or biometric personal information, and does not knowingly collect data from anyone under 16.

Cookies on the Site are limited to those strictly necessary to render the page; cookies inside the authenticated app are limited to authentication, product analytics, and error monitoring. We run no advertising cookies, no cross-context behavioral advertising, and we do not share personal information with ad networks.

Privacy Policy