Back to Home

GDPR Compliance

Last updated: April 2026

At StormInterview, operated by Aetherwave Holdings LLC, we are committed to protecting the privacy and rights of individuals in the European Union and European Economic Area. This page describes how we comply with the General Data Protection Regulation (GDPR) and how we handle personal data of EU residents.

1. Our Commitment to GDPR

StormInterview is designed with data protection in mind. We implement technical and organizational measures to ensure that personal data is processed lawfully, fairly, and transparently. Our commitment includes:

  • Processing personal data only for specified, explicit, and legitimate purposes
  • Minimizing the data we collect to what is necessary for the Service
  • Keeping personal data accurate and up to date
  • Retaining personal data only for as long as necessary
  • Implementing appropriate security measures to protect personal data
  • Being transparent about our data processing activities

2. Legal Basis for Processing

We process personal data under the following legal bases as defined by Article 6 of the GDPR:

2.1 Performance of a Contract

We process Customer account data, billing information, and usage data as necessary to perform our contractual obligations, including providing the Service, managing subscriptions, and delivering customer support.

2.2 Legitimate Interest

We process certain data based on our legitimate interest in operating, securing, and improving the Service. This includes usage analytics, fraud prevention, and security monitoring. We conduct balancing tests to ensure our interests do not override the rights of data subjects.

2.3 Consent

Where required, we obtain explicit consent before processing personal data. This applies particularly to Candidates who participate in video interviews, where consent is obtained for recording, transcription, and AI analysis. Consent can be withdrawn at any time.

2.4 Legal Obligation

We may process personal data to comply with legal obligations, such as tax reporting, regulatory requirements, or lawful requests from authorities.

3. Data Controller vs Data Processor

Understanding roles and responsibilities is important under the GDPR:

StormInterview as Data Controller

We act as the data controller for data we collect directly, including Customer account information, billing data, and website usage data. We determine the purposes and means of processing this data.

StormInterview as Data Processor

For Candidate data (video recordings, transcripts, AI scores), the Customer is the data controller and StormInterview acts as the data processor. We process Candidate data only on behalf of and under the instructions of the Customer.

Customer as Data Controller

Customers are responsible for ensuring they have a lawful basis to collect and process Candidate data, including obtaining appropriate consent and providing required notices to Candidates.

4. Data Processing Agreement (DPA)

We offer a Data Processing Agreement (DPA) to all Customers who process personal data of EU residents through our Service. The DPA establishes the obligations of both parties with respect to the processing of personal data and includes:

  • The subject matter, duration, nature, and purpose of processing
  • The types of personal data processed and categories of data subjects
  • The obligations and rights of the data controller
  • Security measures and confidentiality obligations
  • Sub-processor engagement terms
  • Data breach notification procedures
  • Data return and deletion upon termination
  • Standard Contractual Clauses (SCCs) for international transfers

To request a copy of our DPA, please contact us at support@storminterview.com.

5. Sub-processors

We use the following sub-processors to deliver the Service. Each sub-processor has been evaluated for GDPR compliance, and appropriate data processing agreements are in place.

Sub-processorPurposeLocationData Processed
Cloudflare (R2)Video and file storage, CDNGlobal (US primary)Video recordings, uploaded files
Anthropic (Claude)AI scoring and analysisUnited StatesInterview transcripts
DeepgramSpeech-to-text transcriptionUnited StatesAudio from video recordings
OpenAI (Whisper)Speech-to-text transcription (fallback)United StatesAudio from video recordings
StripePayment processingUnited States / IrelandPayment and billing information
MailgunTransactional email deliveryUnited States / EUEmail addresses, message content
Daily.coLive video interview infrastructureUnited StatesLive video/audio streams

We will notify Customers of any changes to our sub-processor list at least 30 days in advance. Customers may object to a new sub-processor by contacting us within that period.

6. Data Subject Rights

Under the GDPR, individuals in the EU and EEA have the following rights:

Right of Access (Article 15)

You have the right to obtain confirmation as to whether your personal data is being processed and to access a copy of that data.

Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data or completion of incomplete data.

Right to Erasure (Article 17)

You have the right to request deletion of your personal data when it is no longer necessary for the purpose it was collected, or when you withdraw consent.

Right to Restriction of Processing (Article 18)

You have the right to request that we limit the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

Right to Object (Article 21)

You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.

Right Not to Be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects. AI-generated scores in StormInterview are advisory tools for Customers and are not used as the sole basis for hiring decisions.

7. How to Exercise Your Rights

For Customers

If you are a Customer, you can exercise your data rights by contacting us directly at support@storminterview.com. Many data management actions (such as data export, account deletion, and preference changes) are also available through your account settings.

For Candidates

If you are a Candidate, your data is processed on behalf of the Customer who invited you to the interview. Please contact that Customer (the company or organization that conducted your interview) to exercise your data rights. The Customer, as the data controller, is responsible for responding to your request.

If you are unable to reach the Customer or if your request is not resolved, you may contact us at support@storminterview.com, and we will assist you in coordination with the Customer.

We will respond to all valid data subject requests within 30 days. If additional time is needed due to the complexity of the request, we will inform you within the initial 30-day period and provide an estimated timeline.

8. Data Protection Contact

For questions or concerns about our data protection practices, or to submit a data subject request, please contact our data protection team:

Data Protection Team

Aetherwave Holdings LLC

1209 Mountain Road PL NE, STE R

Albuquerque, NM 87110, United States

Email: support@storminterview.com

If you are unsatisfied with our response to your data protection concern, you have the right to lodge a complaint with your local data protection supervisory authority.

9. Cross-Border Transfers and Safeguards

StormInterview is operated from the United States. When personal data of EU/EEA residents is transferred outside the EU/EEA, we implement the following safeguards:

  • Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses as the primary mechanism for data transfers to the United States and other countries outside the EU/EEA.
  • Sub-processor agreements: All our sub-processors are bound by data processing agreements that include appropriate transfer mechanisms.
  • Data encryption: Personal data is encrypted both in transit (TLS 1.2+) and at rest using industry-standard encryption algorithms.
  • Access controls: Strict access controls ensure that only authorized personnel can access personal data, following the principle of least privilege.
  • Regular assessments: We conduct transfer impact assessments to evaluate the legal framework in recipient countries and implement supplementary measures where necessary.

10. Data Breach Notification

In the event of a personal data breach, we follow these procedures in compliance with Articles 33 and 34 of the GDPR:

  • Detection and assessment: We maintain monitoring systems to detect potential data breaches promptly. Upon detection, we assess the scope, severity, and potential impact of the breach.
  • Notification to Customers: We will notify affected Customers without undue delay and no later than 72 hours after becoming aware of a breach that is likely to affect the security of their data.
  • Notification to supervisory authorities: When acting as a data controller, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to data subject rights.
  • Notification to data subjects: When a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected data subjects without undue delay.
  • Documentation: We document all breaches, including the facts, effects, and remedial actions taken, regardless of whether notification is required.

11. Cookie Policy

In compliance with the ePrivacy Directive and GDPR requirements, we use cookies as follows:

Strictly Necessary Cookies

These cookies are essential for the Service to function and cannot be disabled. They include session cookies, authentication tokens, and security-related cookies. No consent is required for these cookies.

Functional Cookies

These cookies remember your preferences (such as language and display settings) to enhance your experience. They are set based on your actions and do not track you across other websites.

Analytics Cookies

If used, analytics cookies help us understand how visitors interact with our website. These cookies are only set with your consent. You can manage your cookie preferences at any time through your browser settings.

We do not use advertising or third-party tracking cookies.

12. Contact Information

For any questions, concerns, or requests related to our GDPR compliance, please contact us:

Aetherwave Holdings LLC

1209 Mountain Road PL NE, STE R

Albuquerque, NM 87110, United States

Email: support@storminterview.com

You may also consult our Privacy Policy and Terms of Service for additional details on our data practices.