Lantern AI – Privacy Policy
Last updated: 9 September 2025
Who we are: Lantern Labs Limited (trading as Lantern AI) ("Lantern", "we", "us", or "our")
Registered address: Unit 314C, InnoCentre
Website: www.ourlanterns.com
Contact (privacy/DPO): Thomas Chan, Thomas.chan@ourlanterns.com
Lantern provides a voice-based AI interview service (the "Service") used by our enterprise customers ("Clients") to screen and assess job candidates ("Candidates" or "you"). This Privacy Policy explains how we handle personal data under (i) the EU/EEA GDPR, (ii) Hong Kong's Personal Data (Privacy) Ordinance (PDPO), and (iii) China's Personal Information Protection Law (PIPL).
Role of parties. For Candidate data processed in the Service, Lantern generally acts as a data processor/processor/personal information handler entrusted by Clients, and the Client is the data controller/data user/personal information handler responsible for the lawful basis and transparency to Candidates. For our website, support channels, billing and diagnostics, Lantern acts as an independent controller/data user.
If you are a Candidate, please read both this notice and your prospective employer's (our Client's) privacy notice.
1) What data we collect
From Candidates (via the Service):
- Contact details: name, email.
- Resume & professional background: CV, work/education history, skills, qualifications, certificates, portfolio links.
- Interview data:
  - Audio and/or video recordings of interviews;
  - Transcripts and structured responses generated from your interview;
  - Scores/labels generated by our models and configured rubrics.
- Usage & device data: IP address, browser type/version, device and OS metadata, pages visited, timestamps, session duration, basic telemetry.
From website visitors/prospects (controller context):
Contact info you submit (demo requests, forms), marketing preferences, cookies/analytics (see §11).
2) Why we process data & legal bases
Candidate data (processor context)
We process Candidate data on our Clients' documented instructions for purposes they define, typically:
- Conducting and recording AI-assisted voice interviews;
- Generating interview transcripts, summaries, scores, and shortlists;
- Fraud/cheating detection and quality controls;
- Technical delivery, security (logging, access controls), and support.
GDPR legal bases (set by Client): usually performance of a contract (pre-contractual steps) and/or legitimate interests (efficient assessment), and, where required, consent (e.g., recordings, certain analytics).
PIPL: lawful basis under Art. 13; separate consent for sensitive personal information, sharing, and cross-border transfers where required.
PDPO: consistent with DPP1–DPP6 for fair collection, purpose limitation, and security.
Lantern as independent controller (website, diagnostics, product improvement)
- Operating www.ourlanterns.com, responding to enquiries;
- Securing our services (fraud prevention, incident detection);
- Aggregated/anonymised analytics and model safety/evaluation (without re-identifying you);
- Legal, compliance, and accounting.
GDPR bases: legitimate interests, consent (where required, e.g., non-essential cookies), legal obligation.
PIPL: as permitted by PIPL (and separate consent where required).
PDPO: fair collection; limited to purposes notified or directly related.
3) Automated decision-making & profiling
Lantern's models generate interview summaries and scores from your voice responses. These outputs help Clients prioritise candidates. Lantern does not make hiring decisions, and our Clients are expected to conduct human review.
Your options: You may request human intervention, express your point of view, and contest automated outputs (GDPR Art. 22-style safeguards; similar protections under PIPL about automated decision-making fairness and right to refuse unreasonable targeting).
4) Cross-border transfers
Our primary infrastructure is located in Hong Kong. Where Candidates are in the EU/EEA or Mainland China, or where Clients/users are elsewhere, data may be accessed from or transferred to jurisdictions outside your own.
- EU/EEA (GDPR): We use the European Commission's Standard Contractual Clauses (SCCs) for transfers to third countries, supplemented where appropriate by transfer impact assessments and additional safeguards.
- Mainland China (PIPL): For outbound transfers subject to PIPL, we implement mechanisms permitted by law, including the CAC Standard Contract (and filings) and, where applicable, security assessments or certification. We also take account of the 2024 Provisions on Promoting and Regulating Cross-Border Data Flows, which introduced certain exemptions/thresholds; we will use a compliant path as applicable to the data and volumes concerned.
5) Who we share data with
- Clients (controllers/data users): interview results, transcripts, and signals are disclosed to the Client that invited you.
- Sub-processors/service providers: cloud hosting, speech-to-text, analytics, email/SMS delivery, customer support tools—each bound by confidentiality and data processing agreements.
- Affiliates & professional advisors: for compliance, audits, and corporate governance.
- Authorities: where legally required (e.g., lawful requests, to protect rights and safety).
We do not sell personal data.
6) Data retention
Unless our Client instructs otherwise or law requires a different period, we apply the following defaults (measured from the interview date):
- Raw audio/video: 12 months
- Transcripts & derived interview metrics: 24 months
- System logs & security records: 12–24 months
- Aggregated or anonymised data: retained without a fixed limit (non-personal)
Clients may shorten or extend these periods in their settings or contract. We securely delete or anonymise data after retention expires or upon verified deletion requests (see §8).
7) Security
- Encryption in transit and at rest;
- Role-based access control, MFA, least-privilege;
- Network isolation, vulnerability management, and audit logging;
- Secure development lifecycle, data minimisation, and regular testing;
- Sub-processor due diligence and contractually imposed security controls.
We maintain incident response procedures. Where required by law, we will notify Clients and/or authorities, and affected individuals (e.g., GDPR 72-hour authority notice; PIPL and PCPD guidance-aligned notifications).
8) Your rights
Because our Clients are usually the controllers/data users, please first contact your prospective employer for Candidate requests. You can also contact us (see top of policy) and we will assist the controller.
EU/EEA (GDPR)
Access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making; right to lodge a complaint with your local supervisory authority.
Mainland China (PIPL)
Right to know/decide, limit or refuse processing, access/copy, portability (where conditions met), rectification, deletion, explanation of automated decision-making, and withdrawal of separate consent for sensitive data and cross-border transfers.
Hong Kong (PDPO)
Data access and correction rights under DPP6; right to object to direct marketing; complaints to the PCPD.
We will respond without undue delay and generally within 30 days (or as required by local law).
9) Sub-processors
We maintain an up-to-date list of key sub-processors used to deliver the Service. Clients will be notified of material changes per our Data Processing Agreement.
10) Children & minors
Our Service is designed for job applicants and is not intended for children or individuals below the minimum employment age in their jurisdiction. We do not knowingly collect such data. If you believe a minor's data was submitted in error, contact us for deletion.
11) Cookies & similar technologies (website)
We use essential cookies (security, session management) and, with consent where required, analytics and performance cookies to improve the site. You can manage preferences via our cookie banner/settings or your browser.
12) International specific notices
- EU/EEA: If we rely on legitimate interests, we perform a balancing test and can provide key findings upon request. International transfers use SCCs and supplementary measures as needed.
- Mainland China: For cross-border transfers, we follow an appropriate path (e.g., CAC Standard Contract with required filings, or other permitted route considering the 2024 Provisions). We will obtain separate consent where required for sensitive data and outbound transfers.
- Hong Kong: Although PDPO Section 33 is not yet in force, we adopt PCPD recommended model clauses to ensure comparable protection for overseas transfers.
13) How to contact us or lodge a complaint
- Lantern (privacy/DPO): Thomas Chan, Thomas.chan@ourlanterns.com
- EU/EEA: Contact your local supervisory authority; we can help identify the appropriate authority.
- Hong Kong: Office of the Privacy Commissioner for Personal Data (PCPD).
- Mainland China: You may also raise concerns with the Cyberspace Administration of China or relevant regulators.
14) Changes to this Policy
We may update this Policy to reflect changes to our practices or legal requirements. Material changes will be notified via the Service, our website, or to Clients directly. The "Last updated" date shows the latest version.