Privacy Policy

Munchkins AI LLC — Last Updated: May 20, 2026 — Effective Date: May 20, 2026

Munchkins AI LLC (“Munchkins,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy is designed to comprehensively detail how we collect, use, disclose, and safeguard personal data across three distinct populations:

  • Authorized Users: Employees and staff of the medical practices (our Customers) who access our dashboard.
  • Candidates: Individuals who participate in AI voice interviews facilitated by our Service on behalf of our Customers.
  • Website Visitors: Individuals who browse our marketing website.

1. Our Roles Under Privacy Law

The legal obligations governing our processing depend on your relationship with us:

  • For Candidates: Munchkins acts exclusively as a Data Processor / Service Provider. We process your personal information, audio recordings, and transcripts entirely upon the instructions of the medical practice (the Customer) you applied to. The Customer is the Data Controller / Business.
  • For Authorized Users and Website Visitors: Munchkins acts as the Data Controller / Business.

2. Information We Collect

A. From Authorized Users

  • Identifiers: Name, business email, business phone number.
  • Account Data: Encrypted passwords, professional roles, organization identifiers.
  • Telemetry: IP address, device fingerprints, login logs, and application usage analytics.

B. From Candidates (Collected on behalf of the Customer)

  • Identifiers: Name, email, phone number.
  • Application Data: Resumes, work history, education, licenses, and metadata imported from Applicant Tracking Systems (e.g., Indeed, ZipRecruiter).
  • Audio Data & Interview Content: The raw voice audio recordings of the interview and the text transcriptions generated from that audio. This includes any and all spoken content, which may inadvertently contain sensitive categories of personal data (health information, religious beliefs, demographic details) volunteered by the Candidate.
  • AI-Generated Derivatives: Sentiment analysis, speaking time, behavioral summaries, and scoring rubrics generated by evaluating the transcript against the Customer’s job description.
  • Technical Data: Browser type, microphone hardware IDs, network latency, and connection telemetry.

C. Automatically Collected (Cookies & Tracking)

We utilize strictly necessary, functional, and analytics cookies. We use tools such as Google Analytics and PostHog. We do not deploy marketing cookies or cross-context behavioral tracking pixels on the Candidate interview interface.

3. Purposes and Legal Bases for Processing

We process personal data for the following purposes:

  • Providing the Service: Operating the voice interview platform, generating transcripts, and applying LLM analysis. (Legal Basis: Contractual necessity for Authorized Users; Legitimate interest/Processor obligation for Candidate data).
  • Security & Authentication: Preventing fraud, unauthorized access, and DDOS attacks. (Legal Basis: Legitimate interest).
  • Product Improvement: We do not train foundational AI models on identifiable Candidate audio or transcripts. We utilize aggregated, de-identified telemetry data for system optimization. (Legal Basis: Legitimate interest).
  • Compliance with Legal Obligations: Responding to subpoenas, bias-audit laws (e.g., NYC LL 144), and exercising legal defense.

4. Disclosures and Sharing of Information

We do not “sell” Candidate personal data or “share” it for cross-context behavioral advertising, as defined by the CCPA/CPRA. We disclose information to:

  • The Customer: The medical practice receives all Candidate audio, transcripts, and AI summaries.
  • Service Providers (Sub-processors): Cloud infrastructure (AWS), specialized transcription endpoints (Deepgram), LLM providers (Anthropic, OpenAI via zero-retention APIs), and telephony providers (Twilio). We execute strict Data Processing Agreements with all sub-processors.
  • Government Authorities: When mandated by lawful subpoena or court order.

5. Voice and Biometric Data Policies

While Munchkins captures voice audio to generate text transcripts, we do not perform speaker identification, voice fingerprinting, or biometric identity verification. We do not extract “voiceprints” as defined by the Illinois Biometric Information Privacy Act (BIPA), Texas CUBI, or the Washington Biometric Privacy Act.

If Customer configuration requires biometric retention in the future, Munchkins contractually requires the Customer to obtain separate written informed consent, provide a written retention schedule, and strictly prohibits the sale of such data, deleting it no later than 30 days after the Candidate’s request or the fulfillment of the employment purpose, whichever is earlier.

6. Information Retention

We retain personal information according to the following schedule:

  • Candidate Audio and Transcripts: Retained by default for a period designated by the Customer (acting as Controller), after which it is securely deleted. Under the Illinois AIVIDA, video/audio interviews of Illinois residents are destroyed within 30 days of a Candidate’s direct request.
  • Authorized User Account Data: Retained for the life of the Customer contract, plus up to 7 years for legal, tax, and audit obligations.
  • System Backups: Rolling 30-day overwrites.

7. Data Subject and Consumer Privacy Rights

Depending on your jurisdiction, you have specific rights regarding your personal data. Candidates must route their requests through the Customer (the employer/practice) who controls their data. Munchkins will assist Customers in fulfilling these requests.

A. Universal Rights

Subject to verification, you may request: Access to your data, Correction of inaccuracies, Deletion of your data, and a portable copy of your records.

B. California (CCPA/CPRA)

California residents have the Right to Know specific pieces of information collected, the Right to Delete, the Right to Correct, the Right to Limit the Use of Sensitive PI, and the Right to Non-Discrimination. We do not sell your personal information. We honor the Global Privacy Control (GPC) signal for website visitors.

C. Connecticut (CTDPA), Colorado (CPA) & Virginia (VCDPA)

Residents have the right to access, correct, delete, and port their data. You may opt out of targeted advertising. If a request is denied, you possess the right to appeal our decision within 60 days by emailing support@munchkins.ai. We process sensitive data strictly with affirmative consent.

D. Washington My Health My Data Act (MHMDA) & Nevada SB 370

The Service is designed for employment interviewing, not healthcare delivery. However, should a Candidate volunteer consumer health data during an interview, we process this exclusively as a processor on behalf of the Customer. We do not sell or independently share consumer health data.

E. EEA, UK, and Swiss Residents (GDPR)

You have the right to access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, and the right to object. You possess the right not to be subject to solely automated decision-making (Art. 22). Munchkins utilizes Standard Contractual Clauses (SCCs) and the UK Addendum for the cross-border transfer of data to the United States.

8. Automated Processing and AI Transparency

Munchkins uses automated analysis to produce summaries and scores based on interview transcripts. These outputs are intended to assist Customers and do not replace human review.

  • Human Review: The automated outputs are informational only. Customers must apply human review before making any adverse employment or hiring decisions.
  • Training Sourcing: Munchkins does not use identifiable Candidate audio or transcripts to train third-party foundational models.

9. Contact Information

Munchkins AI LLC

Email: support@munchkins.ai