Open Referral Open Referral Open Referral

Privacy Policy

Last updated: July 5, 2026

1. Introduction

This privacy policy (the "Policy") describes how Open Referral SAS (hereinafter "we", "our" or "the Company"), a simplified joint stock company (SAS) with its registered office located in Paris, France, collects, uses and protects your personal data when you use our Open Referral platform (the "Service").

We are committed to respecting your privacy and protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and French Data Protection Act No. 78-17 of January 6, 1978, as amended.

2. Data Collected

2.1. Data Collected Directly

We collect personal data that you provide directly to us when:

2.2. Automatically Collected Data

When you use the Service, we automatically collect certain technical data:

3. Purposes of Processing

We use your personal data for the following purposes:

4. Legal Basis for Processing

The processing of your personal data is based on:

5. Data Retention

We retain your personal data only for the period necessary for the purposes for which it was collected:

6. Data Sharing

6.1. Service Providers

We may share your data with service providers who assist us in operating the Service:

All our service providers are subject to strict confidentiality and security obligations.

6.2. International Transfers

Some of our service providers may be located outside the European Union. In such cases, we ensure that appropriate safeguards are in place, in accordance with the GDPR.

6.3. Legal Obligations

We may be required to disclose your data if required by law or in response to a judicial or administrative request.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, destruction or alteration:

8. Your Rights

In accordance with the GDPR, you have the following rights regarding your personal data:

To exercise these rights, you can contact us at: support@openreferral.io or by mail at the address indicated above.

You also have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL) if you believe that the processing of your data constitutes a violation of the GDPR.

9. Cookies

We use cookies and similar technologies to improve your experience on the Service. Cookies are small text files stored on your device.

Types of cookies used:

You can manage your cookie preferences via your browser settings or our preference center.

10. Candidate and Referral Data

As a B2B platform, we also process data relating to candidates and referred individuals. This data is processed in accordance with the GDPR and only in the context of providing the Service. User companies are responsible for processing this data and must ensure they have obtained the necessary consents.

11. AI Assistant Connector (MCP)

Open Referral offers an optional connector that lets you access your referral program from third-party AI assistants (such as Claude, ChatGPT, Le Chat or Gemini) through the Model Context Protocol (MCP), hosted at https://mcp.openreferral.io. This section describes how that connector processes data. It applies only if you choose to connect an AI assistant.

11.1. Data collected and sent to the AI assistant

The connector exposes read-only tools. When you — or an AI assistant acting on your instruction — call one of these tools, we return:

Privacy by design: candidate identities are minimised to a first name plus a single initial before any data leaves our systems. Candidate email addresses, phone numbers and other direct identifiers are never exposed to the AI assistant.

11.2. Use and storage

The connector performs read-only queries against our own database. It does not write to, modify or delete any of your data, and it makes no automated decisions. Each tool call is logged (calling user, organisation, tool name, parameters, success status and duration) for security and audit purposes.

11.3. Authentication and access control

Access requires an Open Referral account with an Admin or Recruiter role on an eligible plan. Authentication uses OAuth 2.0/2.1 with a first-party consent screen; access is restricted to the organisations where you hold that role.

11.4. Third-party sharing

Once data is returned to the AI assistant you connected, it is processed by that assistant’s provider (for example Anthropic, OpenAI, Mistral or Google) under that provider’s own privacy policy and your agreement with them. Open Referral does not control how those providers process the data. The connector itself makes no other third-party calls — it queries only our own database.

11.5. Retention

The connector stores no separate copy of your data beyond the tool-call audit logs described above, which follow the retention periods set out in Section 5. Data returned to an AI assistant is retained by that assistant’s provider under its own terms.

11.6. Contact

For questions about the connector or to report a security issue, contact support@openreferral.io.

12. Policy Modifications

We reserve the right to modify this Policy at any time. Modifications take effect upon publication on the Service. We will inform you of significant changes by email or via a notification in the Service.