Privacy Notice
Last updated: June 2026 · GDPR Articles 13 & 14
1. Who we are (Data Controller)
TalentX is operated by TalentX Ltd. Your organisation ("Tenant") may also act as a separate data controller for data processed within their TalentX workspace. For questions about your organisation's use of your data, contact your HR or IT administrator.
For platform-level enquiries: privacy@talentx.app
2. What personal data we collect (Art. 13(1)(d))
- Identity data: full name, email address, job title, department
- Professional data: skills, proficiency levels, years of experience, career change preferences
- Usage data: login events, actions taken within the platform, session information
- Technical data: IP address, browser type, timestamps (collected automatically)
- Azure AD data (optional): object identifier (OID) when SSO is enabled
3. Why we process your data and the legal basis (Art. 13(1)(c))
| Purpose | Legal basis |
|---|---|
| Providing the talent marketplace service | Contract (Art. 6(1)(b)) |
| Matching employees to internal positions | Legitimate interest (Art. 6(1)(f)) |
| Sending platform notifications | Legitimate interest (Art. 6(1)(f)) |
| Audit logging for compliance & security | Legal obligation (Art. 6(1)(c)) |
| Consent-based features (e.g. career signals) | Consent (Art. 6(1)(a)) |
4. How long we keep your data (Art. 13(2)(a)) — Storage limitation
Your personal data is retained for the duration of your account's activity plus 30 days after deactivation, unless a longer or shorter period is required by law or configured by your organisation's administrator. Audit logs are retained for the period set by your organisation (default: 365 days).
After retention periods expire, data is anonymised or securely deleted.
5. Your rights (Art. 13(2)(b–d))
Under GDPR you have the following rights regarding your personal data:
- Right of access (Art. 15): Download all your data from My Data.
- Right to rectification (Art. 16): Edit your profile from Edit Profile.
- Right to erasure (Art. 17): Submit a deletion request from My Data. Your admin will action it within 30 days.
- Right to restrict processing (Art. 18): Contact your admin or privacy@talentx.app.
- Right to data portability (Art. 20): Use the JSON export on My Data.
- Right to object (Art. 21): Contact privacy@talentx.app.
You also have the right to lodge a complaint with your national supervisory authority.
6. International transfers (Art. 13(1)(f))
Data is processed within the EU/EEA by default. Where processors operate outside the EU, we ensure appropriate safeguards (Standard Contractual Clauses or adequacy decision) are in place.
7. Automated decision-making (Art. 13(2)(f))
TalentX uses algorithmic fit scoring to rank employees against positions. This is not a fully automated decision — all matches are presented to a human (hiring manager or admin) who makes the final decision. You can view and correct your skills profile at any time.
8. Data breach notification (Art. 33/34)
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, as required by GDPR Article 34. We will also notify the relevant supervisory authority within 72 hours of becoming aware of a breach.
9. Cookies
TalentX uses a single session cookie (strictly necessary) to maintain your authenticated session. No tracking, advertising, or analytics cookies are used. This cookie expires when you close your browser or sign out.
No cookie consent is required for strictly necessary cookies under GDPR Recital 25 and ePrivacy Directive Art. 5(3).
10. Records of Processing Activities & Sub-processors
Our full Article 30 Records of Processing Activities (RoPA) document is publicly available: View RoPA
Our Article 28 sub-processor list is also publicly available: View Sub-processors
11. Contact & Data Protection Officer
For any privacy-related questions, to exercise your rights, or to contact our Data Protection Officer:
- Email: privacy@talentx.app
- DPO: Data Protection Officer, TalentX Ltd.
- Response time: We aim to respond within 30 days as required by GDPR Art. 12(3).
You also have the right to lodge a complaint with your national supervisory authority (e.g. ICO in the UK, UODO in Poland, BfDI in Germany).