Privacy Policy

Your privacy matters. Learn how we collect, use, and protect your data with transparency and care.

Last Updated: November 15, 2025
GDPR Compliant: EU Data Protection
Contact DPO: bg@floreal.ai

1. Introduction

NextMatch LLC ("NextMatch," "we," "us," or "our"), a Delaware limited liability company, operates a recruitment and talent matching platform that enables staffing agencies and their clients to manage candidate applications and optimize the hiring process.

This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our services, whether as a staffing agency employee, client company employee, or job candidate.

Contact Information

  • Company: NextMatch LLC
  • Data Protection Officer: Benjamin Gabay
  • Email: bg@floreal.ai

2. Scope and Applicability

This Privacy Policy applies to:

  • Agency Staff Members: Employees of staffing agencies using our platform
  • Client Company Staff: Employees of companies that hire through agencies on our platform
  • Candidates: Individuals who upload CVs/resumes or apply for positions through our platform
  • Website Visitors: Anyone who accesses our public website

This policy covers data processing activities for our core services, including CV analysis, talent matching, and interview coordination.

3. Information We Collect

3.1 Information You Provide Directly

Account Information

  • Full name
  • Email address
  • Company affiliation
  • Job title and role
  • Password (encrypted)
  • Preferred language
  • Physical address
  • VAT number (for business accounts)

Candidate CV/Resume Data

  • Contact information (name, phone, email, LinkedIn profile)
  • Professional experience and employment history
  • Education background and qualifications
  • Skills and certifications
  • Location and nationality
  • Languages spoken
  • Career achievements and references

Application Data

  • Job descriptions and requirements
  • Application submissions and status
  • Interview scheduling information
  • Assessment results and feedback
  • Communication between candidates and recruiters
  • Notes and comments on applications

Payment Information

  • Billing details for subscription services
  • Payment processing handled by Stripe (we do not store full payment card details)

3.2 Information Collected Automatically

Usage Data

  • IP address and device information
  • Browser type and operating system
  • Pages visited and features used
  • Search queries and filters applied
  • Time spent on platform
  • Referring/exit pages

Cookies and Similar Technologies

  • Essential cookies for platform functionality
  • Analytics cookies (Google Analytics, Customer.io)
  • Session management cookies
  • Preference cookies

System Logs

  • API access logs
  • Error logs and diagnostic data
  • Security event logs
  • Audit trails of document access

3.3 Information from Third Parties

Third-Party Integrations

  • Google Sign-In authentication data (email, name, profile picture)
  • Video call transcriptions from BAAS (note-taking service during interviews)
  • Phone communication records via Twilio

Public Sources

  • Publicly available professional information (e.g., LinkedIn profiles) only when candidates explicitly provide links

4. How We Use Your Information

4.1 Primary Purposes

For Candidates

  • Process and analyze your CV/resume to match you with suitable job opportunities
  • Generate AI-powered CV optimizations and recommendations
  • Facilitate communication between you and recruiters
  • Track your application status and interview scheduling
  • Provide personalized job recommendations
  • Create transcripts of interview conversations (with consent)

For Agency and Client Staff

  • Enable talent search and candidate matching
  • Provide analytics on recruitment pipeline
  • Facilitate collaboration between agencies and clients
  • Generate interview assessments and reports
  • Manage user accounts and access controls
  • Capture meeting notes during video interviews

Platform Operations

  • Provide, maintain, and improve our services
  • Authenticate users and prevent fraud
  • Respond to support requests
  • Send transactional emails (application updates, interview invitations)
  • Comply with legal obligations

4.2 AI Processing and Analysis

We use artificial intelligence (OpenAI GPT models) to:

  • Extract structured data from CV documents
  • Analyze candidate skills and experience
  • Match candidates to job descriptions
  • Generate interview questions
  • Provide CV optimization suggestions
  • Score candidate-job fit
  • Analyze interview transcripts

Important: AI processing is performed on your data to provide services. OpenAI does not store your data or use it to train their models per their enterprise terms.

4.3 Communication

We will contact you:

  • To send interview invitations and application updates (transactional)
  • For account security notifications (transactional)
  • With your explicit consent for marketing communications (opt-in only)

You can opt out of marketing emails at any time using the unsubscribe link.

5. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

Purpose | Legal Basis
Candidate matching and recruitment | Legitimate interest (facilitating employment)
Processing candidate applications | Contract performance (employment opportunity)
Account creation and authentication | Contract performance
Fraud prevention and security | Legitimate interest (protecting our services)
Legal compliance (tax, employment law) | Legal obligation
Marketing communications | Consent (opt-in)
Platform analytics and improvement | Legitimate interest
Interview transcription | Consent (obtained before recording)

For candidates in the EU/EEA: When we rely on legitimate interest, you have the right to object (see Section 11).

6. Data Sharing and Disclosure

6.1 Within the Platform

Candidate Data Visibility

  • Your CV is visible to: The specific staffing agency you applied through and their authorized client companies for relevant job openings
  • Not shared with: Other agencies, third parties, or the general public without your explicit consent
  • Control: Candidates can delete their profile and data at any time

Multi-Tenant Isolation

  • Each staffing agency operates in an isolated environment
  • Agencies cannot access each other's candidate data
  • Client companies only see candidates submitted by their contracted agencies

6.2 Service Providers (Subprocessors)

We share data with carefully selected service providers who assist in operating our platform:

Provider | Purpose | Data Shared | Location
Amazon Web Services (AWS) | Cloud hosting, database, file storage | All platform data | EU (Paris, France)
OpenAI | CV analysis, AI matching, interview analysis | CV text content, interview transcripts | USA
Pinecone | Vector database for CV search | Anonymized CV embeddings | USA
Stripe | Payment processing | Billing information | USA
Customer.io | Transactional emails and notifications | Email addresses, names, user events | USA
Google Cloud | OAuth authentication (Sign-In with Google) | OAuth tokens, email, name | USA
Twilio | Phone communications (SIP trunking) | Phone numbers, call metadata | USA
BAAS | Video call note-taking and transcription | Meeting audio, participant information | USA
Gladia | Audio transcription services | Interview audio recordings | France (EU)

All subprocessors are bound by Data Processing Agreements (DPAs) with Standard Contractual Clauses (SCCs) for international transfers outside the EU.

6.3 Legal Requirements

We may disclose your information if required by law:

  • In response to valid legal process (subpoenas, court orders)
  • To comply with employment or tax regulations
  • To protect our rights, safety, or property
  • In connection with fraud investigation
  • To comply with national security or law enforcement requirements

6.4 Business Transfers

If NextMatch is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you and ensure continued protection under this policy or obtain your consent if required.

7. Data Retention

7.1 Candidate Data

Active Accounts

  • CV and application data: Retained indefinitely while your account remains active
  • We do not automatically delete CVs based on time periods
  • You can delete your documents at any time through your account settings

Inactive Accounts

  • Accounts with no activity and lapsed subscription for 6 months will be deleted
  • We will notify you 30 days before deletion
  • You can prevent deletion by logging in or renewing subscription

After Manual Deletion Request

  • Immediate removal from active systems (within 2 business days)
  • Database backups: Up to 7 days (AWS RDS automatic backup retention)
  • Audit logs (anonymized): May be retained for compliance as required by law

Interview Recordings/Transcripts

  • Retained according to the agency's retention policy
  • Deleted upon request or when account is deleted

7.2 Account Data

Agency/Client Accounts

  • Active account data: Retained while account is active and subscription is current
  • After account closure: Contact us to request data deletion
  • You control retention through manual deletion

Inactive Agency Accounts

  • Accounts with no activity and lapsed subscription for 6 months will be deleted
  • We will notify you 30 days before deletion

7.3 System Logs and Operational Data

  • CloudWatch logs: 14 days
  • Search results cache: 30 days (automatically expired)
  • Candidate invitations: 30 days default expiration (configurable up to 100 days)
  • Audit trails: Retained for compliance purposes (minimum 7 years for financial records)
  • Session data: Deleted when session ends or after 30 days of inactivity

8. Data Security

8.1 Technical Safeguards

Encryption

  • Data in transit: TLS 1.2+ encryption for all data transmission
  • Data at rest: AES-256 encryption for database and file storage using AWS KMS
  • Encrypted backups with separate encryption keys
  • End-to-end encryption for sensitive communications

Access Controls

  • Role-based access control (RBAC) limiting data access by job function
  • API authentication using secure tokens
  • Automatic session timeout after inactivity
  • Principle of least privilege for all system access

Infrastructure Security

  • AWS cloud infrastructure in EU region (Paris)
  • Regular security patching and updates
  • Standard AWS infrastructure security controls
  • DDoS protection via AWS Shield Standard
  • Encrypted database connections

Application Security

  • Third-party penetration testing Q1 2026
  • Automated vulnerability scanning
  • Secure software development lifecycle (SSDLC)
  • Code review and security testing before deployment
  • Input validation and sanitization
  • Protection against common attacks (SQL injection, XSS, CSRF)

8.2 Organizational Safeguards

  • Data protection training for all employees
  • Confidentiality agreements for staff and contractors
  • Incident response plan with 24-hour breach notification procedures
  • Regular security audits and compliance reviews
  • Background checks for employees with access to sensitive data
  • Secure disposal procedures for data deletion
  • Physical security controls at office locations

8.3 Backup and Disaster Recovery

  • Weekly encrypted backups via AWS RDS
  • 30-day backup retention for recovery purposes
  • Backups stored in EU region with encryption
  • Disaster recovery procedures
  • Business continuity plan in place

Note: Despite our safeguards, no internet transmission is 100% secure. We cannot guarantee absolute security but maintain industry-leading practices.

9. International Data Transfers

9.1 Data Storage Locations

Primary Data Storage

  • EU region (Paris, France - eu-west-3) for all users
  • Data residency compliance for GDPR

Data Transfers Outside EU

Some service providers are located in the United States. We ensure adequate protection through:

Standard Contractual Clauses (SCCs)

  • Approved by the European Commission (2021 version)
  • Binding contracts with all non-EU processors
  • Additional safeguards (encryption, access controls, data minimization)
  • Regular audits of processor compliance

Data Processing Agreements

  • All processors sign comprehensive DPAs
  • Include security requirements and breach notification obligations
  • Right to audit and inspect compliance

Your Rights

  • You can request a copy of the SCCs we use
  • You can object to transfers (may limit service functionality)
  • You will be notified of any changes to transfer mechanisms

10. Cookies and Tracking Technologies

10.1 Types of Cookies We Use

Strictly Necessary Cookies

  • Session authentication
  • Security features (CSRF protection)
  • Load balancing
  • Storage duration: Session-based or up to 30 days

Analytics Cookies

  • Google Analytics (anonymized IP)
  • Customer.io engagement tracking
  • Platform usage metrics
  • Storage duration: Up to 2 years
  • Purpose: Improve user experience, identify bugs, measure feature adoption

Preference Cookies

  • Language selection
  • UI preferences (theme, layout)
  • Search filter preferences
  • Storage duration: Up to 1 year

10.2 Third-Party Cookies

  • Google OAuth: For Sign-In with Google functionality
  • Stripe: For payment processing
  • Customer.io: For email engagement tracking

10.3 Your Cookie Choices

Browser Controls

  • Most browsers allow you to refuse cookies or delete existing cookies
  • Disabling necessary cookies may affect platform functionality
  • Instructions: Check your browser's help section

Opt-Out Tools

  • Google Analytics Opt-out
  • Do Not Track: We honor DNT signals where technically feasible

Cookie Consent

  • For EU users, we obtain consent for non-essential cookies via a consent banner
  • You can withdraw consent at any time in your account settings
  • Essential cookies are used regardless of consent (required for service operation)

11. Your Privacy Rights

11.1 Rights Under GDPR (EU/EEA Users)

Right of Access

  • Request a copy of all personal data we hold about you
  • Receive data in a structured, commonly used format (JSON, CSV)
  • Response time: 30 days

Right to Rectification

  • Correct inaccurate or incomplete personal data
  • Update your profile information at any time
  • Request correction of CV data

Right to Erasure ("Right to be Forgotten")

  • Request deletion of your personal data
  • Exceptions: Legal obligations, legitimate interests, or ongoing contracts
  • Deletion completed within 2 business days from active systems
  • Backup deletion within 7 days

Right to Data Portability

  • Receive your data in machine-readable format (JSON, CSV)
  • Transfer data directly to another controller where technically feasible

Right to Object

  • Object to processing based on legitimate interests
  • Object to direct marketing (honored immediately)
  • Object to automated decision-making and profiling

11.3 How to Exercise Your Rights

Online Portal

Access your account settings at [Platform URL]/settings

Email Request

Send requests to: bg@floreal.ai

Include: Full name, email address, specific right you wish to exercise

Response Timeline

  • GDPR requests: 30 days (may extend by 60 days for complex requests)
  • CCPA requests: 45 days (may extend by 45 days with notice)
  • Deletion: Completed within 2 business days from active systems

16. Contact Us

General Privacy Inquiries

Email: bg@floreal.ai

Subject Line: "Privacy Inquiry - [Your Name]"

Data Protection Officer

Name: Benjamin Gabay

Email: bg@floreal.ai

Response Times

  • General inquiries: 3-5 business days
  • Data subject rights requests: 30 days (GDPR), 45 days (CCPA)
  • Security incidents: Immediate acknowledgment, investigation within 24 hours
  • Urgent matters: Mark email as "URGENT" for priority handling

22. Acknowledgment

By using NextMatch services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

For Candidates

By uploading your CV or creating an account, you consent to the processing described in this policy and acknowledge that your data will be shared with agencies and their clients for recruitment purposes.

For Agency/Client Users

By creating an account, you represent that:

  • You have authority to bind your organization
  • You have read our Data Processing Agreement
  • You will comply with applicable privacy laws
  • You have obtained necessary consents from candidates

Document Version: 1.0

Last Reviewed: November 15, 2025

Next Review Date: November 15, 2026

Legal Framework: GDPR, CCPA, ePrivacy Directive

Important Notice: This Privacy Policy is provided in English. If translated to other languages, the English version prevails in case of conflicts.

© 2024 NextMatch LLC. All rights reserved.