Phaedra Solutions · Rubrily
Candidate Privacy Notice
Effective: 11 July 2026Last updated: 11 July 2026Version: 1.0
You applied for a job with an employer that uses Rubrily. This notice explains — in plain language — what data the platform processes about you, how the AI scoring works, who controls your data (the employer), and how to exercise your rights. It is worth two minutes of your time before your interview.
Looking for how we treat website visitors and customers instead? That is the Privacy Policy.
1. Who does what with your data
In short: The employer you applied to controls your data and makes every hiring decision. We run the software on their instructions.
You applied for a job with an employer that uses Rubrily to run its screening. That employer decided to collect your application, decided what to ask you, and will decide the outcome. In data protection terms, the employer is the controller of your data.
Phaedra Solutions ([CONFIRM: exact registered legal form, e.g. “Phaedra Solutions (Private) Limited”]) builds and operates Rubrily. We are the employer’s processor: we handle your data only on the employer’s documented instructions, under a Data Processing Agreement that binds us to confidentiality, security and assistance duties. [CONFIRM: whether candidate-portal account basics (login email, sign-in records) are processed controller-side by Phaedra Solutions — this notice assumes processor-only]
Practically, that means two addresses matter: the employer for anything about your application, your data or your rights, and privacy@rubrily.com for anything about Rubrily itself.
2. What data is processed
In short: Your application, your CV, your screening answers, your interview recordings and transcripts, and the scores the system produces about you.
Depending on which features the employer enabled for the role, the Service processes:
- Application data — the form you filled in: name, email, and any fields the employer added.
- Your CV and the information in it.
- Pre-screening answersto the employer’s short questions.
- Async interview responses — your spoken answers, recorded as audio/video, plus automatic transcripts. [CONFIRM: shipped recording formats (audio, video, or both) against the current product]
- Interview integrity signals, where the employer enabled them — tab switches, extended absence from camera, and indicators that an answer may be AI-generated. These are shown to the employer as flags for a human to weigh; they never reject you automatically.
- Scores and evidence — per-criterion scores from 0–10 with a written justification, overall scores, strengths and gaps, and a blended Fit Score.
- Technical data needed to run the interview — device checks (camera/microphone), language preference, and security logs.
The Service does not ask you for special-category data (such as health, religion or political opinions), and employers are instructed not to solicit it through the platform. [CONFIRM: product stance on free-text fields and special-category data]
3. How the AI scoring actually works
In short: Everything is scored against a rubric the employer wrote, criterion by criterion, with a written reason for every number. No signal? It says "Cannot evaluate" instead of guessing.
The employer defines what a great hire looks like as weighted criteria — a rubric. The AI reads your CV and listens to your interview answers against that rubric, one criterion at a time. Each criterion gets a score from 0 to 10 with a written justification citing the evidence — what you said or what your CV shows. Those scores combine, using weights the employer chose, into a single Fit Score from 0–100%.
Two honesty rules are built in. First, every score is explainable: the employer can open your report and read exactly why each number is what it is, next to your transcript and recording. Second, when there is not enough evidence to judge a criterion — a missing CV section, an unanswered question — the system returns “Cannot evaluate” instead of a guess, and unscored criteria are excluded from the maths rather than counted as zero. Missing data is treated as missing, not as failure.
The same rubric, weights and process apply to every candidate for the role. Your score does not depend on which reviewer opens your file or what time of day it is.
4. Automated decision-making and human review
In short: Rubrily produces decision-support scores. A human at the employer decides. Ask the employer about how they review scores for your role.
Rubrily produces decision-support scores— it ranks and explains, and it flags integrity signals for a human to weigh. Nothing in the platform automatically rejects a candidate, and hiring decisions rest with the employer’s people.
How much human review happens between your score and a decision is the employer’s choice, and employers’ processes differ. [CONFIRM: whether employers can configure any automated stage progression (e.g. auto-send rejection emails triggered by manual stage moves is shipped; confirm no score-threshold automation exists)] If you are in the EU or UK, Article 22 GDPR gives you rights around decisions based solely on automated processing that significantly affect you — including the right to obtain human intervention and to contest the decision. Those rights are exercised against the employer, who controls the decision: ask them how your application was reviewed and by whom. We support employers with the explainability information (per-criterion scores, justifications, transcripts) that makes real review possible.
5. You will know when you are talking to AI
In short: The interview tells you it's an AI interviewer before you start, and nothing is recorded before you agree.
The interview invitation and the interview screens identify the interviewer as an AI. Before anything is recorded you see the monitored-interview conditions and tick separate consent boxes for the conditions and for the recording — no consent, no recording. You can take a free practice walkthrough first, so the graded interview is never your first contact with the tool. [CONFIRM: exact in-product AI-disclosure wording, for EU AI Act Art 50 transparency alignment]
If the employer enabled optional paid practice, it is clearly labelled, never required, and skipping it does not affect your interview. A charge only ever happens if you choose an add-on and start it.
6. Your rights and how to exercise them
In short: Route requests to the employer first — they control your data. We're bound to help them answer you, and we handle anything about Rubrily itself.
Depending on your location you may have rights to access, correct, delete, restrict or receive a copy of your data, to object to processing, and to complain to a supervisory authority (Articles 15–21 GDPR, or their local equivalents).
Fastest route: contact the employer you applied to. They control your data and decide on requests; under our DPA we are contractually bound to assist them — including finding, exporting and erasing your data. Erasure is a built-in workflow: when you (or the employer on your behalf) request deletion, your profile, CV, recordings and transcripts are erased in line with GDPR.
If your request is about Rubrily itself — or you cannot reach the employer — email privacy@rubrily.com and we will help route it. We will not ignore you because you emailed the “wrong” party.
One control worth knowing: employers keep candidates in an org-wide talent pool for future roles, and each candidate row carries a discoverability setting — you can ask the employer to turn yours off.
7. How long your data is kept
In short: The employer sets the clock, because it's their hiring process. Ask them for their schedule.
Retention is set by the employer that controls your data — employment law on keeping application records differs by country, and the employer’s schedule governs. When an employer deletes your data, or their retention period ends, we erase it from the Service. [CONFIRM: platform default retention for candidate data when an employer sets none] If the employer’s account closes, their data — including yours — is deleted after the export window described in the DPA.
8. Where your data goes
In short: Our providers run in several countries; EU/UK transfers are covered by Standard Contractual Clauses.
We are headquartered in Lahore, Pakistan, and the Service runs on the providers listed at rubrily.com/subprocessors, including providers in the United States. Where EU/UK data protection law applies, transfers are protected by the European Commission’s Standard Contractual Clauses (2021/914) and the UK Addendum. We are not certified under the EU–US Data Privacy Framework and do not claim to be. Your data is stored in the employer’s isolated tenant and is never shared with, or matched against, other employers’ data.
9. Contact
In short: Employer first for your application; privacy@ for the platform.
For your application, your data or your rights: the employer named in your interview invitation. For Rubrily the platform: privacy@rubrily.com. We have appointed an internal privacy contact. We have not appointed a statutory Data Protection Officer (none is currently required for our processing). [CONFIRM: DPO requirement re-assessment as processing scales]. Not yet appointed. If you are in the EU/EEA, contact privacy@rubrily.com and we will route your request. [CONFIRM: appoint or formally waive an EU (Art 27 GDPR) representative before EU enterprise sales] Not yet appointed. If you are in the UK, contact privacy@rubrily.com and we will route your request. [CONFIRM: appoint or formally waive a UK (Art 27 UK GDPR) representative]
Contact
Phaedra Solutions ([CONFIRM: exact registered legal form, e.g. “Phaedra Solutions (Private) Limited”]), Lahore, Pakistan · [CONFIRM: full registered company address]
Privacy: privacy@rubrily.com · Legal: legal@rubrily.com · General: contact@rubrily.com