Benchmark.games · GDPR Art. 13
Privacy notice for candidates
Last updated: 3 June 2026
About this notice
This page is the controller's disclosure to you under Article 13 of the EU General Data Protection Regulation (GDPR). It explains what personal data Benchmark.games processes when you create an account, apply, or participate in a video interview or assessment on this platform, why we process it, the legal basis for each purpose, who receives it, how long we keep it, and which rights you can exercise, and how. Read this together with the consent gate shown immediately before your video interview, which is the moment you give specific consent under Article 9(2)(a) for the processing of biometric data (your face and voice).
Scope: this notice covers candidate-side processing only. If you are an HR user, partner administrator, or platform operator, separate notices apply.
Who is the data controller
The controller of your personal data is:
- Legal entity: Gravitalent Kft.
- Registered office: 4400 Nyíregyháza, Nyár utca 7. 2/2., Hungary
- Company registration number (cégjegyzékszám): 15-09-063630
- Tax number (adószám): 11490096-2-15
- General contact: support@benchmark.games
In some cases, the HR organisation you applied to is a joint controller with us for the purposes of evaluating your application (Art. 26 GDPR). The HR organisation's identity is shown to you on the application page and in the consent gate before the video interview. The HR organisation is independently responsible for its hiring decision; Benchmark.games is responsible for the platform, the AI processing pipeline, and the audit trail.
Privacy contact and Data Protection Officer
The single privacy contact channel for all rights requests, complaints, and questions under this notice is:
privacy@benchmark.gamesGravitalent Kft. has not formally appointed a Data Protection Officer under GDPR Art. 37, on the basis that our core activities do not meet the criteria in Art. 37(1)(b)–(c). The general privacy contact for all data-subject requests under Articles 12–22 is the address above, which is monitored by trained staff.
We respond to substantive requests within 30 calendar days as required by Art. 12(3) GDPR, and will tell you in writing if we need to extend this by up to two further months for complex cases, with reasons (Art. 12(3)).
Why we process your data and on what legal basis
We process your personal data for four distinct purposes. Each purpose has its own legal basis under GDPR Art. 6 and, where applicable, Art. 9.
(a) Conducting the video interview or assessment itself.
We capture your video and audio response, your typed answers, your CV (if uploaded), and basic profile data so that you can complete the interview and so that the HR organisation can evaluate your application.
- Art. 6(1)(b) GDPR, performance of a contract with you (the candidate-platform agreement you enter when you start the assessment), and steps taken at your request prior to entering into a contract with the HR organisation.
- Art. 9(2)(a) GDPR, your explicit consent to the processing of biometric data (the recording of your face and voice). This consent is given at the consent gate immediately before the video interview begins. Without this consent, the video interview cannot proceed; however, refusing it does not prevent you from completing non-video assessment elements where they are offered.
(b) AI-assisted transcription and competency scoring for the HR organisation's evaluation.
We send your recorded answers to an EU-hosted large language model for automatic transcription and competency scoring. The output is an advisory report shown to the HR reviewer (glass-box: the reviewer sees the score, the underlying transcript, the prompts, and the model identity).
- Art. 9(2)(a) GDPR, your explicit consent to AI processing of biometric and personal data for scoring purposes. This consent is separate from the recording consent and can be withdrawn independently (see Section 10).
- Art. 6(1)(a) GDPR, your consent to the automated processing of the resulting scores. See Section 13 on automated decision-making safeguards.
(c) Compliance, audit trail, and integrity of the hiring process.
We retain a tamper-evident log of consents granted, scores generated, model versions used, who reviewed what, and what decision was made. This is necessary to meet our and the HR organisation's legal obligations (e.g. equal-treatment audit, anti-discrimination regulations, EU AI Act record-keeping) and to enable you to exercise your Art. 22(3) right to contest a decision.
- Art. 6(1)(c) GDPR, compliance with legal obligations to which the controller is subject.
(d) Fraud detection and assessment integrity.
We compute a suspicion score for each session using signals such as IP intelligence, device fingerprint, session timing, and behavioural patterns, in order to detect impersonation, multi-account abuse, and answer-leak attempts.
- Art. 6(1)(f) GDPR, legitimate interests pursued by us and by the HR organisation in safeguarding the integrity of the assessment process and preventing fraud. See Section 5 for the balancing test.
We do not process your data for any other purpose without first informing you and, where required, obtaining a fresh legal basis.
Legitimate-interest balancing test (fraud detection)
For purpose (d) above, we rely on Art. 6(1)(f), legitimate interests. The balancing test we performed is as follows.
- Interest pursued: detecting and preventing assessment fraud (impersonation, account sharing, automated answer-bot use, answer-leak). Fraud undermines the validity of every candidate's score, damages the integrity of hiring outcomes, and creates discriminatory effects against honest candidates.
- Necessity: no less intrusive measure achieves the same outcome. Manual human review of every session is not scalable; behavioural and device signals are the established industry method.
- Impact on the candidate: the signals we use (IP geolocation at country/city granularity, device fingerprint hash, session timing, behavioural patterns) are not used for advertising, profiling for any external party, or any decision other than the suspicion score itself. The suspicion score is one input to the HR reviewer, never the sole basis for a hiring decision.
- Safeguards: (i) the suspicion score has a calibrated threshold (60) above which manual human review is triggered and an "under review" status is shown to you; (ii) you may object to this processing under Art. 21(1) GDPR (see Section 9); (iii) raw fraud signals are retained for the shorter of 30–90 days at the processor (FingerprintJS: 90 days; IPQS: 30 days) or the session retention period; (iv) the score itself is part of the audit trail and disclosable to you on request.
Conclusion: the interest is overriding, but conditional on the safeguards listed.
Who receives your data
Your personal data is shared only with the following categories of recipients.
(a) The HR organisation you applied to.
The HR organisation named on the consent gate and the application page receives your CV, your interview responses (video, audio, transcript), your AI-generated competency scores, and the reviewer's notes. The HR organisation is a joint or independent controller (depending on the contractual setup) and is independently bound by GDPR.
(b) Microsoft Ireland Operations Limited (Azure OpenAI).
Microsoft acts as our data processor under a Data Processing Agreement. Your audio and transcript are sent to an Azure OpenAI deployment in the Sweden Central Azure region for transcription (Whisper-class model) and scoring (GPT-4o-class model). Microsoft is contractually prohibited from using your data to train its models and is bound by EU Standard Contractual Clauses where applicable.
(c) Benchmark.games internal staff.
A limited number of trained staff at Benchmark.games may access your data to provide platform support, investigate disputes, respond to your rights requests, and audit AI behaviour. All access is logged in the audit trail.
(d) Platform infrastructure processors.
The following sub-processors host or transmit your data on our behalf under data processing agreements:
- Supabase (Supabase Inc.), primary database and storage; EU region eu-central-1 (Frankfurt, Germany).
- Vercel (Vercel Inc.), application hosting; EU edge. Compute region pinned to fra1 (Frankfurt, Germany) in vercel.json.
- SendGrid (Twilio Inc.), transactional email delivery (sub-processor: US).
- Trigger.dev, background job orchestration. Your video, audio, transcript, and CV never leave the EU: media stays in Supabase Frankfurt and is sent only to Azure OpenAI Sweden Central for AI inference. However, run-orchestration metadata (job IDs, task names, payload references, log lines) transits Trigger.dev's managed cloud, which is operated outside the EEA under EU Standard Contractual Clauses.
- Sentry / BetterStack: error monitoring and uptime; only pseudonymised diagnostic data.
- FingerprintJS, IPQS, Matomo, fraud detection signals (see also our fairness and bias monitoring report).
(e) Disclosures required by law.
Where we are legally compelled to disclose data (e.g. a court order or a competent supervisory authority's request), we will do so to the minimum extent necessary and will notify you unless legally prohibited.
We do not sell your data. We do not share your data with advertising networks. We do not disclose your data to third parties beyond the categories listed above.
International transfers of data
Your interview recordings, transcripts, scores, and CVs are stored and processed in the European Union. Specifically:
- Primary database and object storage: EU region eu-central-1 (Frankfurt, Germany).
- AI transcription and scoring: Azure OpenAI Sweden Central (EU).
- Application hosting: EU edge regions.
Transfers outside the EEA:
- SendGrid (US): transactional email metadata (your email address, subject, delivery status). Twilio relies on EU Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework where applicable.
- FingerprintJS (US) and IPQS (US): fraud-detection lookup payloads (IP, device fingerprint hash). SCCs in place; retention 30–90 days at the processor.
- Sentry: error monitoring is configured against Sentry's EU instance (Frankfurt; ingest.de.sentry.io), so diagnostic data remains in the EEA. Pseudonymised diagnostic data only.
We do not transfer your video, transcript, CV, or AI scores outside the EEA. Where transfers occur for the metadata above, we rely on Art. 46 GDPR safeguards (EU SCCs) and, where available, Art. 45 adequacy decisions.
How long we keep your data
Each data category has its own retention period.
| Data category | Default retention | Notes |
|---|---|---|
| Video recording | 365 days from session completion | Per-project configurable by the HR organisation; minimum 30 days, maximum 730 days, default 365 days if the HR organisation does not set a value. Values outside the 30–730 day range are silently clamped to the nearest bound. |
| Audio + transcript | Same as video | Deleted together with the video. |
| AI-generated competency scores | Same as video | Retained as long as the underlying recording exists. |
| CV / uploaded documents | Same as video, or until you withdraw, whichever is sooner | - |
| Email address + name (account) | Until you delete your account, plus a 30-day grace period | - |
| Audit log (consents, decisions, model versions, reviewer access) | Up to 5 years from event date | Retained on the basis of Art. 6(1)(c) for legal-obligation compliance (anti-discrimination audit, EU AI Act record-keeping). Scoring audit entries are append-only at the database level (no UPDATE or DELETE permitted, per EU AI Act Art. 12) and outlive the underlying media: once the video and transcript are deleted at the end of the retention period, the pseudonymised audit metadata survives so the historical hiring record can be reconstructed. |
| Fraud / suspicion-score signals (raw) | 30–90 days at the processor (FingerprintJS: 90 days; IPQS: 30 days) | Shorter of the figure and the session retention. |
| Fraud / suspicion score (computed) | Same as audit log | Part of the decision record. |
After the retention period we apply anonymisation in line with Art. 17(3)(b) GDPR, identity-linking columns (name, email, IP, CV) are deleted or hashed beyond reversibility, but the pseudonymised audit-trail entry survives so that the integrity of the historical hiring record (for legal-obligation purposes) is preserved.
Per-project overrides: the HR organisation can choose a shorter retention than the default, never a longer one. The active retention setting for your session is shown on your data-export download under "Active retention".
Your rights and how to exercise them
You have the following rights under the GDPR. To exercise any of them, write to privacy@benchmark.games with your name, the email address associated with your account, and a description of your request. We respond within 30 calendar days (Art. 12(3)).
- Art. 15, Right of access. You can request a copy of all personal data we hold about you, including AI-generated scores, transcripts, the reviewer's notes (where lawful), and the audit trail. A self-service export is also available at /api/v1/candidates/{candidateId}/export-data (Settings → Privacy → Download my data).
- Art. 16, Right to rectification. You can ask us to correct inaccurate personal data and to complete incomplete personal data (e.g. CV details, email address). For the AI-generated score itself, which is an opinion, not a fact, please use the contest channel in Section 13.
- Art. 17, Right to erasure ("right to be forgotten"). You can request deletion of your video, transcript, scores, and CV at any time.
Carve-out: once a session has reached a scored, under_review, or decided state, the audit trail entry (consent grants, decision metadata, pseudonymised score) is retained on the basis of Art. 6(1)(c) and Art. 17(3)(b), legal-obligation and public-interest archiving exemption, but the underlying video, audio, transcript, and CV will be deleted. This carve-out is also explained in Section 8.
- Art. 18, Right to restriction. You can ask us to suspend processing while we verify the accuracy of your data, while we examine an Art. 21 objection, or while you contest the lawfulness of processing.
- Art. 20, Right to data portability. Where processing is based on consent or contract (Sections 4(a) and 4(b)), you can receive your data in a structured, commonly used, machine-readable format (JSON), and have it transmitted to another controller where technically feasible.
- Art. 21, Right to object. You can object at any time, on grounds relating to your particular situation, to processing based on legitimate interests, specifically the fraud detection in Section 4(d). If you object, we will cease that processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Art. 22(3), Right to human review of automated decisions. Even though every hiring decision on this platform is made by a human, the AI-generated score is an automated input. You have the right to request human review of the AI-generated score by a Benchmark.games staff member independent of the original review; to express your point of view in writing; and to contest the score. See Section 13 for the procedure.
How to exercise any right: email privacy@benchmark.games, or use the self-service tools in your candidate settings. We do not charge for processing rights requests except in the case of manifestly unfounded or excessive requests (Art. 12(5)). We may ask you to verify your identity before disclosing data.
Withdrawing your consent
Where processing is based on your consent (Sections 4(a) and 4(b), biometric data and AI scoring), you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal (Art. 7(3) GDPR).
You can withdraw in two ways:
- Self-service: Candidate dashboard → Settings → Privacy → "Delete my video interview data". This deletes your video, audio, transcript, and AI scores. The audit trail entry (consent grant + withdrawal record + decision metadata) is retained on the basis described in Section 8.
- By email: privacy@benchmark.games with the subject "Consent withdrawal, video interview". We will action your request within 30 days.
Withdrawal is granular. You can withdraw consent for AI scoring (Section 4(b)) without withdrawing consent for the recording itself (Section 4(a)), although the practical effect is similar because the AI score is the primary output the HR organisation evaluates. Withdrawing recording consent also withdraws AI-scoring consent.
Consequences of withdrawal: the HR organisation will no longer have an AI-generated score or video for you. Depending on the HR organisation's evaluation process, this may mean your application cannot be assessed using this platform. This consequence is purely procedural, there are no fines or penalties.
Right to lodge a complaint with a supervisory authority
If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a data protection supervisory authority under Art. 77 GDPR.
Hungarian supervisory authority (lead authority for Benchmark.games):
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
Address: Falk Miksa utca 9–11, 1055 Budapest, Hungary
Postal: 1363 Budapest, Pf. 9
Phone: +36 1 391 1400
Email: ugyfelszolgalat@naih.hu
Web: https://naih.hu
You can also lodge a complaint with the supervisory authority in the EU/EEA Member State of your habitual residence, your place of work, or the place of the alleged infringement. For Hungary, that is NAIH; for Germany, the BfDI; for Poland, the UODO; etc. A full list is published by the European Data Protection Board at https://edpb.europa.eu.
Lodging a complaint with a supervisory authority does not affect any other administrative or judicial remedy you may have.
Is providing your data mandatory?
Providing your personal data and giving consent to biometric and AI processing is entirely voluntary. There is no statutory or contractual obligation that requires you to participate in the video interview on this platform.
Consequence of not providing data or refusing consent: the HR organisation may not be able to assess your application using this platform's video interview and AI-scoring features. The HR organisation may offer alternative assessment paths (e.g. text-only assessment, in-person interview); whether such alternatives are available depends on the HR organisation and the role you applied to, not on Benchmark.games.
There are no penalties. Refusing consent does not result in fines, blacklisting on this platform, automatic rejection for other roles, or any consequence beyond the procedural one described above.
You can still complete non-video parts. If you decline biometric consent, you may still be able to complete text-based assessment elements where they are offered, and you retain the ability to apply directly to the HR organisation through any channel they make available outside this platform.
Automated processing and your right to human review
Scope. Benchmark.games uses an AI system to transcribe your video answers and to generate competency scores on a defined competency rubric. The AI outputs are advisory, every hiring decision on this platform is made by a human reviewer at the HR organisation. The AI does not autonomously accept, reject, or rank candidates without human involvement (so Art. 22(1) does not strictly apply on its face), but because the AI output strongly informs the human decision, we apply Art. 22 safeguards as a matter of policy.
Logic involved. The AI used for scoring is a large-language-model (GPT-4o class) hosted on Azure OpenAI Sweden Central. Inputs: your transcript and the HR organisation's competency rubric. Outputs: a score per competency on a defined scale, supporting evidence excerpts from your transcript, and a short reasoning paragraph. The model identity, prompt version, and rubric version are recorded in the audit trail.
Significance and consequences for you. The score directly informs the HR reviewer's evaluation of your fit for the role. A low score does not by itself reject your application; a high score does not by itself accept it. The human reviewer sees the score, the transcript, your CV, and the reasoning paragraph (glass-box).
Safeguards under Art. 22(3): you have the right to -
- Request human review by a Benchmark.games staff member independent of the original review. We will re-examine the AI score against the underlying transcript and the rubric and produce a written outcome.
- Express your point of view in writing, your statement will be added to the candidate record and shared with the HR reviewer.
- Contest the AI score. If we agree the score was generated in error (e.g. transcription error, rubric misapplication, model malfunction), we will correct it and notify the HR organisation. If the HR organisation has already made a final hiring decision based on an erroneous score, we will inform them and recommend reconsideration; the HR organisation is independently responsible for the final outcome.
How to invoke these safeguards. Email privacy@benchmark.games with the subject "Art. 22(3), request for human review". Include your name, the session identifier (visible in your candidate dashboard), and a brief description of your concern. We respond within 30 days (Art. 12(3)).
Profiling. We do not profile you for marketing, advertising, credit-scoring, insurance-underwriting, or any other purpose unrelated to the assessment you are taking.
AI-assisted interview preparation. With a recruiter's explicit action, we may generate suggested interview questions and a one-page interview companion from your CV and assessment results, to help a human interviewer prepare. These are suggestions for a person, they are not automated decisions and do not determine any outcome. You can request a copy of any such material generated about you under your right of access.
See also: our fairness and bias monitoring report.