At-a-glance summary
| Data Controller | WISELOOK TALENT LAB, S.L. (Tax ID B22539084), Paseo de la Castellana 42, 1st floor, 28046 Madrid, Spain. |
|---|---|
| Privacy contact | privacy@wiselook.ai |
| What we do with your data | We run AI-assisted conversational psychometric and competency assessments and make the results available to you and, where applicable, to the organisation that invited you to take the assessment. |
| Legal bases | Consent, performance of a contract, legitimate interests and legal obligations (see Section 4). |
| Retention | Up to 3 years from your last meaningful interaction, unless a longer period is legally required (see Section 7). |
| Recipients | The organisation that invited you (where applicable), our processors (technology providers) and competent authorities when legally required (see Section 6). |
| Your rights | Access, rectification, erasure, objection, restriction, portability, the right not to be subject to solely automated decisions, and the right to withdraw consent. You can exercise them at privacy@wiselook.ai and lodge a complaint with the Spanish Data Protection Agency (www.aepd.es). |
| Automated decisions | Our system supports decision-making but does not replace it. Qualified human review is in place, and you have the right to an explanation and to challenge any outcome (see Section 5). |
This is a layered notice consistent with the guidance issued by the Spanish Data Protection Agency. We strongly recommend reading the detailed information that follows.
Our key commitments to you
- We do not train models on your data. Wiselook does not use your personal data to train third-party language models or any other AI systems beyond the operation of the Service.
- We do not sell your personal data. Wiselook does not sell, rent or trade your personal data, under any circumstance.
- We minimise the data we collect. The only directly identifying information required is your email address (for login) and, optionally, your name. See Section 4.
1. Who we are and who this policy applies to
Wiselook Talent Lab, S.L. ("Wiselook", "we", "us", "our") is a Spanish company that develops conversational, AI-powered competency assessment technology, scientifically validated through academic partnerships.
This Privacy Policy explains how we handle personal data in connection with:
- Assessed individuals ("you"): people who take an assessment through the Wiselook platform (the "Service"), whether on their own initiative or because a company, educational institution or other organisation ("Business Client") has invited them to do so.
- Visitors to wiselook.ai and its sub-domains.
- Contact persons of Business Clients, partners and suppliers, and candidates applying for a position at Wiselook.
If you have any questions about this policy, please write to privacy@wiselook.ai.
2. Data Controller
| Legal name | WISELOOK TALENT LAB, S.L. |
|---|---|
| Tax ID (CIF) | B22539084 |
| Registered address | Paseo de la Castellana 42, 1st floor, 28046 Madrid, Spain |
| Privacy contact | privacy@wiselook.ai |
| Data Protection Officer | dpo@wiselook.ai |
| General contact | hello@wiselook.ai |
Unless expressly stated otherwise, Wiselook acts as the Data Controller in respect of the personal data described in this policy. In some scenarios Wiselook acts as a Data Processor on behalf of a Business Client (see Section 3).
Wiselook has designated a Data Protection Officer (DPO) as a dedicated point of contact for any matter relating to the protection of your personal data. You can reach the DPO at dpo@wiselook.ai.
3. Roles: when we are Controller and when we are Processor
Depending on the context in which you use the Service, Wiselook may act in two different capacities:
3.1. Wiselook as Processor (default for B2B)
Where a Business Client engages Wiselook to assess its candidates, employees or students, the Business Client acts as Controller and Wiselook acts as Processor under Article 28 GDPR and the corresponding data processing agreement.
In these scenarios:
- The Business Client determines the specific purposes of the assessment process (recruitment, development, training, etc.).
- The Business Client is responsible for informing you and, where applicable, for securing the appropriate legal basis under its own privacy notice.
- Wiselook processes the data following the documented instructions of the Business Client.
- To exercise your rights regarding the specific assessment process you participated in, you should first contact the Business Client. If they do not respond, Wiselook will cooperate in handling your request.
3.2. Wiselook as Controller
Wiselook is the Controller — meaning that we determine the purposes and means of the processing — in the following cases:
- When you access the Service directly, without an intermediating Business Client (self-service or individual evaluations).
- For purposes that are Wiselook's own — including product improvement based on de-identified data, scientific research, and legal compliance — even where the underlying data was originally collected on behalf of a Business Client.
- For the operation of our website and apps, marketing, and the management of relationships with Business Clients, partners, suppliers and job candidates.
Clarity on each transaction. Before you start an assessment, the Service will let you know whether a Business Client has invited you and, if so, identify it. If you have any doubt about who the Controller is for a given processing activity, write to privacy@wiselook.ai.
4. What data we process, why, and on what legal basis
Below we set out the categories of data, purposes and legal bases under Article 13 GDPR.
4.1. Assessed individuals
The Service is designed around strict data minimisation. The only directly identifying information we collect about you is the email address used to access the Service and, optionally, your name. We do not collect professional or academic background data, behavioural tracking, browsing data or cookies in connection with the Service.
| Category of data | Purpose | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Email (only when you log in by entering your email; not collected when you access the Service through a magic-link invitation) and, optionally, name | Allow you to access the Service, communicate with you, link your responses to your account | Performance of contract / pre-contract (Art. 6(1)(b)) and/or consent (Art. 6(1)(a)) |
| Assessment responses: voice recordings, transcripts of those recordings, and/or text submitted during the assessment | Run the competency assessment and generate results | Consent (Art. 6(1)(a)) and/or performance of contract (Art. 6(1)(b)) |
| AI-inferred data: competency scores, psychometric indicators, qualitative model outputs | Generate the assessment report that is the object of the Service | Consent (Art. 6(1)(a)) and/or performance of contract (Art. 6(1)(b)) |
| De-identified / anonymised assessment data | Internal improvement of AI and psychometric models, quality auditing | Legitimate interest (Art. 6(1)(f)), exercised on data that has been anonymised beforehand |
| De-identified / anonymised assessment data | Scientific research with academic institutions (see Section 8) | Public interest in scientific research (Art. 6(1)(e) read with Art. 89 GDPR), exercised on data that has been anonymised beforehand |
4.2. Business Client, partner and supplier contacts
We do not proactively collect identification or professional data (such as name, role, phone or company) from Business Client, partner or supplier contacts. The only personal data processed in this context is the following:
| Category of data | Purpose | Legal basis |
|---|---|---|
| Work email (only when you provide it at login) | Allow you to access the Service | Performance of contract / pre-contract (Art. 6(1)(b)) and/or consent (Art. 6(1)(a)) |
4.3. Website visitors
| Category of data | Purpose | Legal basis |
|---|---|---|
| Contact data submitted via web forms | Respond to your enquiry | Consent (Art. 6(1)(a)) |
4.4. Candidates applying to join Wiselook
| Category of data | Purpose | Legal basis |
|---|---|---|
| CV, professional profile and information shared during the recruitment process | Evaluate your application | Pre-contractual measures at your request (Art. 6(1)(b)) and consent (Art. 6(1)(a)) |
We do not process special categories of data (Art. 9 GDPR: health, ethnic origin, political opinions, identifying biometric data, etc.) unless you voluntarily include them in your responses. We expressly ask you not to include sensitive data that is not strictly necessary. Voice is processed for transcription and linguistic analysis of your response and is not used for biometric identification within the meaning of Art. 9 GDPR.
5. Human oversight and decision-making
Wiselook's outputs are intended to assist, not replace, human judgement. Outputs are reviewed under our internal quality-control procedures.
Wiselook does not take decisions producing legal effects on you, or similarly significantly affecting you, based solely on automated processing within the meaning of Article 22 GDPR. Where a Business Client uses our outputs as an input for a decision (for example, in a recruitment process), the final decision rests with the Business Client, which must ensure meaningful human involvement.
You have the right to:
- Request human intervention by Wiselook (where we act as Controller) or by the Business Client (where we act as Processor).
- Express your point of view and provide additional context.
- Contest any outcome and request review.
To exercise these rights: privacy@wiselook.ai.
6. Recipients of your data
Personal data may be disclosed to the following categories of recipients.
6.1. The Business Client that invited you
Where the assessment is run as part of a process driven by a Business Client, the results (and, depending on the configuration set by the Business Client, the underlying response data) are made available to that Business Client for the relevant purpose. The Business Client processes this data as an independent Controller under its own privacy notice.
6.2. Processors (technology suppliers)
Wiselook applies strict data minimisation across its supplier relationships. Before any assessment content is transmitted to AI model providers or third-party processing services, identifying information is filtered out through technical guardrails, so that those suppliers receive only de-identified content. If you happen to mention personal information during an assessment, our pipelines are designed to strip that information before any external processing.
Categories of suppliers include:
- Cloud infrastructure and data hosting (in the EEA; see Section 6.5).
- Generative AI and natural language processing model providers (LLMs, voice transcription). These suppliers process only de-identified content and, under our contractual terms with them, do not use that content to train their own models.
- Real-time voice communication infrastructure.
- Transactional email, customer support and CRM tools.
- Product and technical observability services.
All suppliers operate under data processing agreements compliant with Article 28 GDPR, with safeguards equivalent to ours.
List of subprocessors. Wiselook maintains an up-to-date list of subprocessors that we keep confidential for security and commercial reasons. The list is shared with Business Clients under the relevant data processing agreement. If you are an assessed individual, you may request to review it under reasonable confidentiality undertakings by writing to privacy@wiselook.ai.
6.3. Competent authorities
Where there is a legal obligation — for example, judicial, administrative or law-enforcement requests.
6.4. Professional advisors
Legal counsel, tax advisors and auditors bound by confidentiality, strictly to the extent necessary.
6.5. Location of data processing
All processing of personal data takes place within the European Economic Area. Wiselook does not currently engage processors that process personal data outside the EEA. If this changes in the future, we will update this policy and ensure that appropriate safeguards under Chapter V GDPR are in place before any international transfer takes place.
7. Retention periods
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:
| Type of data | Retention period |
|---|---|
| Assessment data (responses, transcripts, AI-inferred data) where Wiselook acts as Controller | Up to 3 years from your last meaningful interaction. |
| Assessment data where Wiselook acts as Processor on behalf of a Business Client | The period set by the Business Client in the data processing agreement, capped at 3 years unless specifically instructed otherwise in writing. |
| Contractual data of Business Clients, partners and suppliers | For the duration of the relationship and, once terminated, for the applicable statutory limitation periods (typically up to 6 years for accounting and commercial obligations under Spanish law). |
| Data of candidates applying to join Wiselook | 1 year from your last update, unless you withdraw your consent earlier. |
Once these periods expire, data is deleted or irreversibly anonymised. Anonymisation may take place earlier for product improvement and scientific research purposes (see Section 8).
8. Scientific research and product improvement
Scientific validation and continuous improvement of the Service are essential to Wiselook. To that end we may use data that has been irreversibly anonymised beforehand (no re-identification possible) for:
- Internal improvement of psychometric and AI models.
- Validation studies with academic partners (in particular Universidad Autónoma de Madrid and other universities).
- Independent bias and quality audits.
Once data has been anonymised, it is no longer personal data within the meaning of GDPR, and its further processing therefore does not affect your rights as a data subject.
9. Your rights
Under Articles 15 to 22 GDPR, you have the following rights:
| Right | What it means |
|---|---|
| Access | Find out what data we hold about you and obtain a copy. |
| Rectification | Correct inaccurate or incomplete data. |
| Erasure ("right to be forgotten") | Have your data deleted when it is no longer necessary or another ground in Art. 17 GDPR applies. |
| Objection | Object to processing based on legitimate interests and to marketing communications. |
| Restriction | Have processing temporarily paused while an issue is resolved. |
| Portability | Receive your data in a structured, commonly used format, or have it transmitted to another controller. |
| Not to be subject to solely automated decisions (Art. 22) | See Section 5 above. |
| To withdraw consent | At any time, without affecting the lawfulness of processing carried out before withdrawal. |
9.1. How to exercise them
By writing to privacy@wiselook.ai, indicating which right you wish to exercise and attaching, where necessary to verify your identity, a copy of an identification document.
We will respond within one month of receiving your request, extendable by a further two months where the complexity or volume of requests makes it necessary.
9.2. Right to lodge a complaint
You have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) — C/ Jorge Juan, 6, 28001 Madrid; www.aepd.es — particularly if you consider that we have not properly addressed your rights.
10. Information security
Wiselook has implemented appropriate technical and organisational measures to ensure a level of security suited to the risk, including:
- Encryption of data in transit (TLS) and at rest.
- Access control under the principle of least privilege and strong authentication.
- Segregation of development, test and production environments.
- Monitoring, event logging and incident management.
- Backup and business continuity procedures.
- Regular staff training on data protection and security.
- Periodic assessment of suppliers and subprocessors.
Wiselook is progressively aligning its controls with the ISO/IEC 27001 framework as a maturity benchmark for information security.
In the event of a personal data breach that may pose a risk to the rights and freedoms of data subjects, Wiselook will notify the AEPD within 72 hours (Art. 33 GDPR) and, where the risk is high, will also notify affected individuals (Art. 34 GDPR).
11. Children
The Service is not directed to children under the age of 14. Where a Business Client — for example, an educational institution — uses the Service with individuals over 14 but under 18, that Business Client is responsible for securing the appropriate legal basis under Article 7 of Spanish Organic Law 3/2018 (LOPDGDD) and Article 8 GDPR, including consent of the holders of parental responsibility where applicable.
If you become aware that a minor is using the Service without the appropriate legal basis, please notify us at privacy@wiselook.ai so that we can take appropriate action.
12. Applicable legal framework
This policy is governed by:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).
- Spanish Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD).
- Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act).
- Spanish Act 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI).
- All other applicable Spanish and EU laws.
13. Changes to this policy
Wiselook may update this policy to reflect legal, technical or business changes. Where the changes are material, we will inform you through an appropriate channel (email, in-Service notice, or website notice) with reasonable advance notice. The date of the latest update appears at the top of this document.
Where changes affect processing based on your consent, we will request your renewed consent.
14. Contact
For any matter relating to this policy or to the processing of your personal data:
WISELOOK TALENT LAB, S.L.
Paseo de la Castellana 42, 1st floor, 28046 Madrid, Spain
Privacy: privacy@wiselook.ai
Data Protection Officer: dpo@wiselook.ai