Privacy Policy
Last updated: February 18, 2026
1. Introduction
Tally Software, Inc. (doing business as "Candid," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at trycandid.com, use our platform, or otherwise interact with our Services.
Candid is an autonomous sourcing platform that helps companies find, evaluate, engage, and schedule interviews with prospective job candidates. We source candidates from publicly available professional data, enrich their profiles, generate personalized outreach on behalf of our clients, and coordinate interview scheduling.
This Policy applies to all users of our Services, including companies and their authorized team members ("Clients"), as well as individuals whose professional information is processed through our platform ("Sourced Candidates"). By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.
Our Address:
Tally Software, Inc.
2261 Market Street STE 22950
San Francisco, CA 94114
2. Geographic Scope
Our Services are currently available only to users located in the United States and Canada. By using our Services, you represent and warrant that you are located in one of these jurisdictions. We do not knowingly collect or process personal information from individuals located outside of the United States and Canada.
3. Information We Collect
3.1 Information Provided by Clients
When companies register for an account or use our Services, we collect the following:
- Contact information for authorized team members (name, email address)
- Company name and business information
- Job descriptions, role requirements, and hiring preferences
- Company culture, values, and team information
- Hiring criteria, deal-breakers, and ideal candidate profiles
- Interview process details and scheduling preferences
- Billing and payment information
3.2 Information About Sourced Candidates
To provide our sourcing services, we collect and process publicly available professional information about prospective job candidates, including:
- Name, professional title, and current employer
- Work history, education, skills, and certifications
- LinkedIn profile URL and publicly available LinkedIn data
- Professional email addresses (obtained through third-party data providers)
- Location information (city, state, country)
- Profile photographs from public professional profiles
3.3 Google User Data
When Clients connect their Google accounts to our platform, we collect the following Google user data:
- Google Calendar data: Calendar events (including event times, titles, and attendee information) from your Google Calendar, used to check your real-time availability for scheduling interviews with candidates
- Gmail data (via Nylas): Email message metadata, message content for outreach threads, and delivery/read status, used to send recruiting outreach emails on your behalf and track candidate replies
- Google account profile information: Your name and email address, used to identify your connected account within our platform
3.4 Information Collected Automatically
When you access our Services, we automatically collect certain information, including:
- Device information (device type, operating system, browser type and version)
- IP address and approximate geographic location
- Usage data (pages visited, features used, time spent on pages, click patterns)
- Referral URLs and how you arrived at our Services
- Session information and interaction logs
3.5 Information from Third-Party Sources
We collect information from third-party sources to enrich candidate profiles and verify contact information, including:
- Publicly available professional profile data (such as LinkedIn)
- Professional data enrichment services (such as CrustData and Pearch)
- Email finding and verification services (such as ContactOut and Kickbox)
4. How We Use Your Information
4.1 Providing Our Sourcing Services
- Creating and managing Client accounts
- Sourcing and identifying prospective candidates matching role requirements
- Enriching candidate profiles with publicly available professional data
- Generating and sending personalized outreach emails to candidates on behalf of Clients
- Tracking outreach engagement (email delivery, opens, clicks, and replies)
- Classifying candidate reply sentiment to help Clients prioritize responses
- Coordinating interview scheduling between Clients and candidates
- Processing payments and managing subscriptions
- Providing customer support
4.2 Artificial Intelligence and Automated Processing
We use artificial intelligence and machine learning technologies to enhance our Services. Specifically, we use AI for:
- Candidate Sourcing: Searching for and identifying candidates whose professional backgrounds match role requirements and hiring criteria
- Candidate Scoring: Evaluating candidate-role fit based on skills, experience, and Client-defined criteria
- Outreach Generation: Creating personalized email sequences tailored to each candidate's background and the role being filled
- Reply Classification: Analyzing candidate responses to determine sentiment (interested, not interested, out of office) and route them appropriately
- Follow-up Planning: Determining optimal timing and content for follow-up outreach based on engagement signals
- Calibration: Learning from Client feedback on candidate quality to improve sourcing accuracy over time
4.3 How We Use Google User Data
We use Google user data strictly to provide and improve the user-facing features of our application:
- Google Calendar data is used solely to check interviewer availability and create interview calendar events when a candidate confirms a meeting time
- Gmail data is used solely to send recruiting outreach emails on the Client's behalf through their connected mailbox, and to track delivery status and detect candidate replies
- Google account profile information is used solely to display the connected account within our platform and associate it with the correct user
We do not use Google user data for any purpose other than providing or improving the user-facing features of our application. Specifically, we do not use Google user data for:
- Targeted, personalized, retargeted, or interest-based advertising
- Selling to or sharing with data brokers or information resellers
- Determining credit-worthiness or for lending purposes
- Training general-purpose AI or machine learning models
- Any purpose unrelated to providing our sourcing and scheduling services to the user
4.4 Communications
- Sending Clients notifications about sourcing activity, outreach engagement, and candidate replies
- Delivering service-related announcements and updates
- Sending marketing communications (with consent, where required)
- Responding to inquiries and support requests
4.5 Legal and Compliance
- Complying with applicable laws and regulations
- Enforcing our Terms of Service and other agreements
- Protecting against fraud, abuse, and security threats
- Establishing, exercising, or defending legal claims
5. Information Sharing and Disclosure
5.1 Sharing with Clients
When we source candidates on behalf of a Client, we share the following information with that Client through our platform:
- Candidate name, professional title, and current employer
- Work history, education, skills, and relevant qualifications
- LinkedIn profile URL
- AI-generated candidate summaries and fit assessments
- Outreach engagement data (whether a candidate opened, clicked, or replied to emails)
- Reply content and sentiment classification
5.2 Sharing of Google User Data
We do not sell, share, or transfer Google user data to third parties except as strictly necessary to provide our Services:
- Nylas: We share Gmail authentication credentials with Nylas, our email integration provider, solely for the purpose of sending outreach emails and tracking replies through the Client's connected mailbox. Nylas acts as a data processor on our behalf.
We do not transfer or disclose Google user data to any third party for purposes of targeted advertising, data brokering, information reselling, credit determination, lending, or any purpose other than providing or improving the user-facing features of our application.
5.3 Service Providers and Subprocessors
We share information with third-party service providers who perform services on our behalf. These providers are contractually obligated to protect your information and use it only for the purposes we specify. Our current subprocessors include:
- Supabase: Database and authentication
- Amazon Web Services (AWS): Cloud infrastructure
- Google Cloud Platform: Cloud infrastructure and calendar integration
- OpenAI: AI services
- Anthropic: AI services
- Pinecone: Database services
- Nylas: Email integration
- Stripe: Payment processing
- Resend: Email delivery
- Twilio: Messaging services
- Merge: ATS integration
- Cloudflare: Security and performance
- Google Analytics: Website analytics
- Slack: Workspace notifications
5.4 No Sale of Personal Information
We do not sell your personal information, including Google user data, to third parties for monetary or other valuable consideration. We do not share personal information with data brokers or information resellers.
5.5 Legal Requirements and Protection
We may disclose your information if required to do so by law or in response to valid legal process, including:
- Complying with subpoenas, court orders, or other legal requirements
- Responding to requests from government or regulatory authorities
- Protecting our rights, privacy, safety, or property
- Enforcing our Terms of Service
- Investigating potential violations of law or our policies
5.6 Business Transfers
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your personal information becomes subject to a different privacy policy.
6. Google User Data: Additional Protections
This section provides additional detail about how we handle data obtained through Google APIs, in compliance with the Google API Services User Data Policy, including the Limited Use requirements.
6.1 Limited Use Compliance
Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google user data to provide and improve the user-facing features of our application that are visible to the user
- We do not transfer Google user data to third parties unless necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger/acquisition with adequate data protection
- We do not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising
- We do not allow humans to read Google user data unless we have the user's affirmative consent, it is necessary for security purposes or to comply with applicable law, or the data is aggregated and anonymized for internal operations
6.2 Data Storage and Encryption
Google user data, including OAuth tokens, calendar data, and email integration credentials, is stored in encrypted databases. All data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256 encryption. OAuth refresh tokens are stored securely and are only used to maintain the authorized connection.
6.3 Access Controls
Access to Google user data is restricted to authorized personnel who require it to operate and maintain the Services. We implement role-based access controls, audit logging, and the principle of least privilege to protect Google user data.
6.4 Retention and Deletion of Google User Data
We retain Google user data only for as long as necessary to provide the Services. When a Client disconnects their Google Calendar or Gmail integration, we delete the associated OAuth tokens and cached data promptly. Clients may also request deletion of all Google user data by contacting us at legal@trycandid.com. We will process such requests within thirty (30) days.
6.5 Revoking Access
You can revoke Candid's access to your Google data at any time by disconnecting the integration within our platform or by removing Candid from your Google Account permissions at myaccount.google.com/permissions.
7. Cookies and Tracking Technologies
7.1 Cookies We Use
We use cookies and similar tracking technologies to collect and store information about your interactions with our Services. The types of cookies we use include:
- Essential Cookies: Required for the operation of our Services, including authentication and security
- Analytics Cookies: Help us understand how users interact with our Services (we use Google Analytics)
- Preference Cookies: Remember your settings and preferences
7.2 Google Analytics
We use Google Analytics to analyze usage of our Services. Google Analytics uses cookies to collect information about your use of our website, including your IP address. This information is transmitted to and stored by Google. Google may use this information to evaluate your use of the website, compile reports on website activity, and provide other services relating to website activity and internet usage. For more information on how Google uses data, please visit Google's Privacy Policy.
7.3 Managing Cookies
Most web browsers allow you to control cookies through their settings. You can typically set your browser to refuse cookies or delete certain cookies. However, if you block or delete cookies, some features of our Services may not function properly.
7.4 Do Not Track
Our Services do not currently respond to "Do Not Track" signals from web browsers. However, you can opt out of certain tracking as described above.
8. Data Retention and Deletion
8.1 Client Data
We retain Client account data for as long as the Client maintains an active account or as needed to provide our Services. When a Client deactivates or closes their account, we will retain their data for up to ninety (90) days to allow for reactivation, after which it will be deleted unless retention is required by law.
8.2 Sourced Candidate Data
We retain sourced candidate profile data for as long as it is relevant to active sourcing engagements. Candidate data associated with closed roles or inactive Client accounts is deleted within one hundred and eighty (180) days. Sourced candidates may request deletion of their data at any time by contacting us.
8.3 Google User Data
Google user data (calendar events, email data, and OAuth tokens) is retained only for as long as the integration remains connected and active. When a user disconnects their Google integration, we delete the associated Google user data, including cached calendar events, email tokens, and OAuth credentials, within thirty (30) days. Outreach email content that was sent through the connected mailbox is retained as part of the outreach record for the duration described in Section 8.2.
8.4 Requesting Deletion
You may request deletion of your personal information at any time by contacting us at legal@trycandid.com. We will process your request within thirty (30) days in accordance with applicable law. Please note that we may retain certain information as required by law or for legitimate business purposes, such as:
- Completing any pending transactions
- Complying with legal obligations
- Resolving disputes
- Enforcing our agreements
- Maintaining records required for tax, legal, or audit purposes
When the retention period expires for a given type of data, we will delete or destroy it securely.
8.5 Aggregated and De-identified Data
We may retain aggregated or de-identified data that cannot reasonably be used to identify you for analytics, research, and service improvement purposes.
9. Data Security
We implement appropriate technical and organizational security measures designed to protect your personal information, including Google user data, against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls and authentication requirements
- OAuth token storage with industry-standard encryption
- Regular security assessments and monitoring
- Audit logging for access to sensitive data
- Employee training on data protection
- Incident response procedures
While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security, and you provide information at your own risk.
10. Your Privacy Rights
10.1 Access and Portability
You have the right to request access to the personal information we hold about you. You may also request a copy of your personal information in a portable, machine-readable format.
10.2 Correction
You have the right to request that we correct any inaccurate or incomplete personal information we hold about you.
10.3 Deletion
You have the right to request deletion of your personal information, subject to certain exceptions required by law.
10.4 Opt-Out of Communications
You can opt out of receiving marketing communications from us by following the unsubscribe instructions in those communications or by adjusting your notification preferences in your account settings. Please note that you may still receive transactional or service-related communications.
10.5 Withdraw Consent
Where we rely on your consent to process your personal information, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
10.6 Rights for Sourced Candidates
If you are a candidate who has been contacted through our platform on behalf of one of our Clients and wish to exercise any privacy rights, opt out of further communications, or request deletion of your data, please contact us at legal@trycandid.com or use the unsubscribe link included in any outreach email.
10.7 Exercising Your Rights
To exercise any of these rights, please contact us at legal@trycandid.com. We will respond to your request within the timeframes required by applicable law. We may need to verify your identity before processing your request.
11. California Privacy Rights
If you are a California resident, you may have additional rights under the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"), including:
- The right to know what personal information we collect, use, disclose, and sell
- The right to request deletion of your personal information
- The right to opt out of the sale or sharing of your personal information (note: we do not sell personal information)
- The right to correct inaccurate personal information
- The right to limit the use and disclosure of sensitive personal information
- The right to non-discrimination for exercising your privacy rights
To exercise these rights, please contact us at legal@trycandid.com.
12. Canadian Privacy Rights
If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy laws, including:
- The right to access your personal information
- The right to challenge the accuracy and completeness of your information
- The right to withdraw consent (subject to legal or contractual restrictions)
- The right to complain to the Office of the Privacy Commissioner of Canada
To exercise these rights, please contact us at legal@trycandid.com.
13. Children's Privacy
Our Services are not directed to individuals under the age of 18, and we do not knowingly collect personal information from children. If you are under 18 years of age, please do not use our Services or provide any personal information to us. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information as quickly as possible. If you believe we may have collected information from a child under 18, please contact us at legal@trycandid.com.
14. Third-Party Links and Services
Our Services may contain links to third-party websites, applications, or services that are not operated by us. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you access through our platform.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this Policy
- Notify you by email or through a notice on our Services
- Where required by law, obtain your consent to material changes
If we make changes to how we use Google user data, we will notify affected users and, where required, obtain new consent before applying the changes. We encourage you to review this Privacy Policy periodically to stay informed about our privacy practices. Your continued use of our Services after any changes constitutes your acceptance of the updated Policy.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:
Tally Software, Inc.
2261 Market Street STE 22950
San Francisco, CA 94114
Email: legal@trycandid.com
We will respond to your inquiry as promptly as possible and within any timeframes required by applicable law.