This is the operational companion to the privacy notice: a concrete inventory of what Prism collects, where it lives, for how long, who can look at it, and how to get rid of it. The privacy notice is the legal document; this page is the engineering-side commitment.
Data inventory
| What | Where it lives | Retention |
|---|---|---|
| Recruiter session (name, organisation, position, conversation reference) | PostgreSQL on Clever Cloud (Paris, EU) | Link validity + 30 days |
| Session cookie (signed JWT) | Recruiter’s browser | Expires with the link |
| Usage counters (questions used, rate window, visit days, active seconds) | PostgreSQL (session row) | Link validity + 30 days |
| Pseudonymised access log (session id, action, timestamp) | PostgreSQL (access_log) | 90 days, auto-deleted |
| Agent intent rows (category + anonymised paraphrase, never raw question) | PostgreSQL (agent_intents) | 2 years — already anonymised |
| Uploaded documents (CV, certificates) | Cellar object storage on Clever Cloud (Paris, EU) | Controlled by Steffen; removed on request |
What is NEVER stored
- Raw agent question text. Each question is sent to Anthropic transiently to generate an answer, then discarded. A second, separate Claude Haiku call classifies the question into a fixed taxonomy and produces an anonymised paraphrase (no proper nouns, no companies, no locations); only the classification and paraphrase are written to the database.
- Agent answer text.
- Recruiter names in the access log — stored pseudonymised.
- IP addresses, device fingerprints, or cross-site identifiers.
- Any analytics data. Prism ships with no analytics vendor, no pixel, no tag manager.
Access
Steffen is the only person with access to the admin console, the database, and the object storage bucket. Access is gated by a bcrypt-hashed password and a separate JWT; there is no shared credential and no vendor support portal with read access.
Sub-processors
Two: Clever Cloud SAS (hosting + database + storage, EU) and Anthropic PBC (generative-AI API, USA, under DPA + SCCs + commercial no-training terms). The full list and contact details are on the Data Processing Agreement page.
Transfers outside the EU
Only one: deep-dive agent requests and intent-classifier requests go to Anthropic in the United States. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in providing the agent feature), covered by Anthropic’s DPA and SCCs and by the EU-US Data Privacy Framework. No document content, session records, or access-log rows are transferred.
Deletion & rights
Deletion requests are one e-mail away — steffen@heidrich.ai. A recruiter session is a single database row and is removed the same working day. Art. 15 / 16 / 17 / 18 / 20 / 21 GDPR rights are exercised directly with Steffen; see the privacy notice for the formal wording and the competent supervisory authority.
Changes
Substantive changes are tagged in the public git history of the Prism repository. The last revision of this page is whatever the latest commit to src/app/data-policy/page.tsx says.