GDPR Compliance
Last updated: April 2026
At StormInterview, operated by Aetherwave Holdings LLC, we are committed to protecting the privacy and rights of individuals in the European Union and European Economic Area. This page describes how we comply with the General Data Protection Regulation (GDPR) and how we handle personal data of EU residents.
1. Our Commitment to GDPR
StormInterview is designed with data protection in mind. We implement technical and organizational measures to ensure that personal data is processed lawfully, fairly, and transparently. Our commitment includes:
- Processing personal data only for specified, explicit, and legitimate purposes
- Minimizing the data we collect to what is necessary for the Service
- Keeping personal data accurate and up to date
- Retaining personal data only for as long as necessary
- Implementing appropriate security measures to protect personal data
- Being transparent about our data processing activities
2. Legal Basis for Processing
We process personal data under the following legal bases as defined by Article 6 of the GDPR:
2.1 Performance of a Contract
We process Customer account data, billing information, and usage data as necessary to perform our contractual obligations, including providing the Service, managing subscriptions, and delivering customer support.
2.2 Legitimate Interest
We process certain data based on our legitimate interest in operating, securing, and improving the Service. This includes usage analytics, fraud prevention, and security monitoring. We conduct balancing tests to ensure our interests do not override the rights of data subjects.
2.3 Consent
Where required, we obtain explicit consent before processing personal data. This applies particularly to Candidates who participate in video interviews, where consent is obtained for recording, transcription, and AI analysis. Consent can be withdrawn at any time.
2.4 Legal Obligation
We may process personal data to comply with legal obligations, such as tax reporting, regulatory requirements, or lawful requests from authorities.
3. Data Controller vs Data Processor
Understanding roles and responsibilities is important under the GDPR:
StormInterview as Data Controller
We act as the data controller for data we collect directly, including Customer account information, billing data, and website usage data. We determine the purposes and means of processing this data.
StormInterview as Data Processor
For Candidate data (video recordings, transcripts, AI scores), the Customer is the data controller and StormInterview acts as the data processor. We process Candidate data only on behalf of and under the instructions of the Customer.
Customer as Data Controller
Customers are responsible for ensuring they have a lawful basis to collect and process Candidate data, including obtaining appropriate consent and providing required notices to Candidates.
4. Data Processing Agreement (DPA)
We offer a Data Processing Agreement (DPA) to all Customers who process personal data of EU residents through our Service. The DPA establishes the obligations of both parties with respect to the processing of personal data and includes:
- The subject matter, duration, nature, and purpose of processing
- The types of personal data processed and categories of data subjects
- The obligations and rights of the data controller
- Security measures and confidentiality obligations
- Sub-processor engagement terms
- Data breach notification procedures
- Data return and deletion upon termination
- Standard Contractual Clauses (SCCs) for international transfers
To request a copy of our DPA, please contact us at support@storminterview.com.
5. Sub-processors
We use the following sub-processors to deliver the Service. Each sub-processor has been evaluated for GDPR compliance, and appropriate data processing agreements are in place.
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Cloudflare (R2) | Video and file storage, CDN | Global (US primary) | Video recordings, uploaded files |
| Anthropic (Claude) | AI scoring and analysis | United States | Interview transcripts |
| Deepgram | Speech-to-text transcription | United States | Audio from video recordings |
| OpenAI (Whisper) | Speech-to-text transcription (fallback) | United States | Audio from video recordings |
| Stripe | Payment processing | United States / Ireland | Payment and billing information |
| Mailgun | Transactional email delivery | United States / EU | Email addresses, message content |
| Daily.co | Live video interview infrastructure | United States | Live video/audio streams |
We will notify Customers of any changes to our sub-processor list at least 30 days in advance. Customers may object to a new sub-processor by contacting us within that period.
6. Data Subject Rights
Under the GDPR, individuals in the EU and EEA have the following rights:
Right of Access (Article 15)
You have the right to obtain confirmation as to whether your personal data is being processed and to access a copy of that data.
Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data or completion of incomplete data.
Right to Erasure (Article 17)
You have the right to request deletion of your personal data when it is no longer necessary for the purpose it was collected, or when you withdraw consent.
Right to Restriction of Processing (Article 18)
You have the right to request that we limit the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object (Article 21)
You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
Right Not to Be Subject to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects. AI-generated scores in StormInterview are advisory tools for Customers and are not used as the sole basis for hiring decisions.
7. How to Exercise Your Rights
For Customers
If you are a Customer, you can exercise your data rights by contacting us directly at support@storminterview.com. Many data management actions (such as data export, account deletion, and preference changes) are also available through your account settings.
For Candidates
If you are a Candidate, your data is processed on behalf of the Customer who invited you to the interview. Please contact that Customer (the company or organization that conducted your interview) to exercise your data rights. The Customer, as the data controller, is responsible for responding to your request.
If you are unable to reach the Customer or if your request is not resolved, you may contact us at support@storminterview.com, and we will assist you in coordination with the Customer.
We will respond to all valid data subject requests within 30 days. If additional time is needed due to the complexity of the request, we will inform you within the initial 30-day period and provide an estimated timeline.
8. Data Protection Contact
For questions or concerns about our data protection practices, or to submit a data subject request, please contact our data protection team:
Data Protection Team
Aetherwave Holdings LLC
1209 Mountain Road PL NE, STE R
Albuquerque, NM 87110, United States
Email: support@storminterview.com
If you are unsatisfied with our response to your data protection concern, you have the right to lodge a complaint with your local data protection supervisory authority.
9. Cross-Border Transfers and Safeguards
StormInterview is operated from the United States. When personal data of EU/EEA residents is transferred outside the EU/EEA, we implement the following safeguards:
- Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses as the primary mechanism for data transfers to the United States and other countries outside the EU/EEA.
- Sub-processor agreements: All our sub-processors are bound by data processing agreements that include appropriate transfer mechanisms.
- Data encryption: Personal data is encrypted both in transit (TLS 1.2+) and at rest using industry-standard encryption algorithms.
- Access controls: Strict access controls ensure that only authorized personnel can access personal data, following the principle of least privilege.
- Regular assessments: We conduct transfer impact assessments to evaluate the legal framework in recipient countries and implement supplementary measures where necessary.
10. Data Breach Notification
In the event of a personal data breach, we follow these procedures in compliance with Articles 33 and 34 of the GDPR:
- Detection and assessment: We maintain monitoring systems to detect potential data breaches promptly. Upon detection, we assess the scope, severity, and potential impact of the breach.
- Notification to Customers: We will notify affected Customers without undue delay and no later than 72 hours after becoming aware of a breach that is likely to affect the security of their data.
- Notification to supervisory authorities: When acting as a data controller, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to data subject rights.
- Notification to data subjects: When a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected data subjects without undue delay.
- Documentation: We document all breaches, including the facts, effects, and remedial actions taken, regardless of whether notification is required.
11. Cookie Policy
In compliance with the ePrivacy Directive and GDPR requirements, we use cookies as follows:
Strictly Necessary Cookies
These cookies are essential for the Service to function and cannot be disabled. They include session cookies, authentication tokens, and security-related cookies. No consent is required for these cookies.
Functional Cookies
These cookies remember your preferences (such as language and display settings) to enhance your experience. They are set based on your actions and do not track you across other websites.
Analytics Cookies
If used, analytics cookies help us understand how visitors interact with our website. These cookies are only set with your consent. You can manage your cookie preferences at any time through your browser settings.
We do not use advertising or third-party tracking cookies.
12. Contact Information
For any questions, concerns, or requests related to our GDPR compliance, please contact us:
Aetherwave Holdings LLC
1209 Mountain Road PL NE, STE R
Albuquerque, NM 87110, United States
Email: support@storminterview.com
You may also consult our Privacy Policy and Terms of Service for additional details on our data practices.