Talent Privacy Policy
This policy covers the AI Insiders Talent pool (candidate resume submission, the public anonymized directory, and the recruiter dashboard) — a separate, richer data relationship from our general newsletter privacy policy. It explains what we collect, why, who sees it, how long we keep it, and how to exercise your rights.
1. Who we are
AI Insiders operates the Talent pool as a free service for candidates and a paid, invoice-billed service for recruitment agencies. For Talent data, we act as the data controller. Contact us at hello@searchengineoptimization.blog for any privacy question or to exercise the rights described in section 6.
2. What we collect
When you post a resume, we collect the fields you submit, which may include:
- Contact and identity details: email, full name, phone, location, timezone, languages, profile photo (optional), work authorization/visa status.
- Career details: headline, current title, seniority, years of experience, employment history, education, certifications, portfolio/social links.
- Skills: a normalized list of skills with proficiency and years, and up to 8 "top skills" shown publicly.
- Compensation and logistics: current/desired compensation, notice period, earliest start date, relocation preferences.
- Your uploaded resume file (PDF or DOCX), stored privately.
- Consent records: whether you agreed to store your data, to be shown to recruiters, and to our retention period — each recorded separately, with a timestamp, IP, and user agent.
We deliberately do not collect or ask for protected-characteristic data — no age, race/ethnicity, gender, religion, disability status, or similar. If any such field ever appears in free-text fields you choose to write (e.g. a bio), we do not use it for filtering or decision-making of any kind.
3. Lawful basis: your explicit, unbundled consent
We rely on your explicit consent (GDPR Art. 6(1)(a)) as the lawful basis for processing your Talent data. Consent is unbundled: you separately opt in to (a) us storing your profile, (b) showing your profile to recruiters, and (c) our retention period. All three are required to submit a profile, but each is recorded as its own ledger entry — we can point to exactly when and how you agreed to each one. You may withdraw consent at any time by deleting your profile (section 7).
4. Who sees your data
The public. Anyone browsing AI Insiders Talent's public directory sees only an anonymized "highlight card": your headline, seniority, years of experience, primary specialization, top skills, general location (country/region, never city), timezone, languages, remote preference, availability, and a short bio. Your name, email, phone, exact location, compensation, and resume are never shown publicly.
Recruitment agencies. Once your profile is approved AND you have consented to being shown to recruiters, your full profile — every field, including contact details, compensation, and your resume file — becomes visible to recruitment agencies who have paid for pool access. Every one of these agencies has:
- Signed a Data Processing Agreement (DPA) limiting use to genuine, active recruitment engagements — no resale, no bulk export outside a specific search, no re-contacting you outside the details in your profile.
- Been individually provisioned and vetted by us (invoice-based; no self-serve signup).
- Time-boxed, revocable access — we can and do deactivate accounts.
Every recruiter search, profile unlock, resume download, and pool export is logged in an audit trail with a timestamp and actor, so access is always accountable (GDPR Art. 5(2) accountability principle). This is a data "sharing" relationship, disclosed here for CCPA-style transparency.
We do not use any AI, machine-learning, or automated scoring system to rank, rate, or filter candidates. Search and filtering are deterministic — plain keyword and field matches only, never a model-generated score.
5. Retention
Your profile is retained for 18 months from your last update, after which it automatically expires: it is hidden from the public directory and from recruiter search, and its status changes to "expired." We do not currently email an automated re-consent reminder before expiry; for now this is a manual, operator-driven check, noted here so this policy stays accurate. An expired profile is not deleted outright, but it is no longer visible to anyone until you log back in and update it. Consent, once withdrawn via deletion, is honored immediately and irreversibly (section 7).
6. Your rights
Under GDPR (and equivalent rights under the UK GDPR/CCPA), you can:
- Access & export your data — download a complete copy of everything we hold about you, including your consent history, at My profile → Export my data.
- Rectify your data — log in and edit any field of your profile at any time via the profile form.
- Erase your data — permanently delete your profile, resume file, and all associated records via My profile → Delete my profile. This also deletes you from recruiter search immediately.
- Withdraw consent — the same deletion action above withdraws all three consents at once; there is no partial-withdrawal path because show-to-recruiters consent is what makes a profile useful at all.
You may also contact hello@searchengineoptimization.blog to exercise any of these rights manually. You may also file a complaint with your local data protection authority.
7. How deletion works
Deleting your profile removes every database row associated with your account — your profile, employment history, education, skills, resume metadata, consent ledger, and active sessions — and deletes your uploaded resume file from storage. The action is logged in our audit trail (so we can demonstrate the erasure happened) but the audit entry itself does not contain your profile data. Deletion is immediate and irreversible.
8. Security
Resume files are stored privately and are never publicly reachable; the only access path is a short-lived, signed link minted for an authenticated, active, DPA-accepted recruiter. Session cookies are HttpOnly, Secure, and SameSite-scoped. Passwords (for recruiter accounts) are hashed, never stored in plain text.
9. Changes to this policy
If we materially change what we collect or who we share it with, we will update the effective date above and, where required, ask for renewed consent.