Privacy Policy

This Privacy Policy explains how xxi.careers collects, uses, and protects your personal data.

Version: 1.0
Effective date: 28 November 2025

Controller: xxi.careers™ (Zurich, Switzerland)
Contact for privacy matters: privacy@xxi.careers

1. Introduction

This Privacy Policy explains how xxi.careers™ (“we”, “us”, “our”) collects, uses, stores, and protects personal data when you use the xxi.careers platform powered by HumCap OS (the “Platform”).

It applies to:

• MVP Private Testing (invited testers)
• Public Beta (complimentary early access)
• Product v1.0 (paid plans and add-ons)

We are committed to data minimisation and user control. The Platform is designed so that core functionality does not require personally identifiable information (PII).

2. Data Controller & Contact

Controller:
xxi.careers™
Zurich, Switzerland

Contact for privacy matters:
privacy@xxi.careers

You may contact us at this address for any questions, access requests, or concerns related to your personal data.

3. Data We Process

3.1 Account & Authentication Data

• Email address (required for account creation and sign-in)
• Technical authentication tokens (e.g., from our identity provider)
• Basic security logs (e.g., successful/failed sign-in attempts)

We do not require you to set a traditional password; we may use one-time codes or similar secure, passwordless methods.

3.2 Optional Profile Data

You may optionally choose to add:

• Your name
• Preferred job title or headline
• Region or location
• Other voluntary profile fields

These fields are optional and can be edited or deleted at any time.

3.3 Career & Content Data

To use the Platform’s core features, you may upload or enter:

• CV / résumé content
• Work history (roles, employers, dates)
• Education and qualifications
• Skills, capabilities, and interests
• Reflections, notes, or responses to prompts

You may upload fully or partially redacted documents.
The Platform does not require PII in the CV (such as full name, address, phone number) to function.

3.4 Usage & Telemetry Data

We may collect minimal usage data, such as:

• pages or features accessed,
• approximate timestamps,
• non-identifying technical information about your browser or device.

This is used to understand feature usage and improve performance, not for advertising or profiling.

4. No PII Required for Core Features

Core Platform functionality — including parsing CV content, structuring career data, generating STAR/CAR stories, and maintaining your “always-ready record” — does not require personally identifiable information (PII).

You are free to upload redacted CVs and to avoid entering PII in free-text fields.

We do not infer your identity from the content of your CV. Any personal information you add (e.g., name, contact details) is your choice and under your control.

5. Purposes & Legal Bases

We process data in accordance with:

• the Swiss Federal Act on Data Protection (revDSG/FADP),
• the EU and UK General Data Protection Regulation (GDPR) where applicable.

5.1 Purposes of Processing

We process your data to:

1. Provide and operate the Platform
   • Account creation, authentication, security
   • Parsing and structuring CV content
   • Generating summaries and STAR/CAR stories
   • Displaying your data in dashboards and exports
2. Improve and develop the Platform
   • Monitor system performance and errors
   • Analyse anonymised usage patterns
   • Improve prompts, models, and features
3. Communicate with you
   • Service emails (e.g., login codes, important notices)
   • Optional product updates or feedback requests
4. Billing & administration (Product v1.0)
   • Process subscription payments and invoices
   • Maintain records for accounting and audit

5.2 Legal Bases

Our main legal bases under GDPR are:

• Consent (Art. 6(1)(a) GDPR)
  For Public Beta and MVP participation, where you explicitly agree to testing and data processing.
• Contract performance (Art. 6(1)(b) GDPR)
  For Product v1.0 and paid plans, where processing is necessary to deliver the service you subscribed to.
• Legitimate interests (Art. 6(1)(f) GDPR)
  For security, fraud prevention, product improvement, and minimal necessary logging, provided these interests are not overridden by your rights and freedoms.

For users in the United States and other jurisdictions, we apply equivalent standards and extend similar rights (access, correction, deletion, and objection) regardless of location.

6. Data Storage & Location

6.1 Region

All Platform data is processed and stored within European cloud infrastructure operated by Amazon Web Services (AWS).

Data remains under European jurisdiction. AWS may internally route encrypted data between availability zones within Europe for resilience and service continuity.

6.2 International Transfers

We do not transfer your data outside Europe unless:

• you explicitly select a paid plan offering region-specific deployment in another jurisdiction, or
• it is strictly necessary for a clearly documented feature that you choose to use (which will be transparently explained if/when introduced).

In all such cases, we will ensure appropriate safeguards (such as standard contractual clauses or equivalent mechanisms) consistent with GDPR and revDSG requirements.

7. Data Sharing & Processors

We do not sell, rent, or trade your personal data.

Your data may be processed by:

• Amazon Web Services (AWS) – as our cloud infrastructure provider (database, storage, compute, AI services, authentication).

These providers act as data processors under our instructions and are bound by appropriate data protection agreements.

We do not share your personal data with:

• employers or recruiters,
• advertising networks,
• social media platforms,

unless you explicitly choose to export or share content yourself.

8. Retention & Deletion

8.1 Retention

We retain your data for as long as you maintain an active account, and for a limited period thereafter where required for:

• security and incident investigation,
• legal or regulatory obligations (e.g., accounting, tax),
• resolving disputes.

There is no automatic data purge at the end of MVP or Beta. You may choose to:

1. Delete all data, or
2. Keep your profile and migrate to the next phase (MVP → Beta → Product v1.0).

8.2 Deletion

You may request deletion at any time via in-app controls or by emailing privacy@xxi.careers.

When you request deletion:

• active data is removed from primary systems within approximately 30 days;
• certain minimal logs may be retained for a limited period (typically up to 90 days) for security, fraud detection, and legal compliance purposes;
• once deleted from active systems, your data cannot be restored.

9. Security Measures

We implement appropriate technical and organisational measures to protect your data, including:

• encryption in transit (TLS) and at rest;
• role-based access control and least-privilege principles;
• secure identity and access management across AWS resources;
• monitoring and logging of service activity;
• periodic security reviews.

No system can be guaranteed 100% secure, but we continuously work to reduce risk and respond quickly to potential issues.

10. Your Rights

Depending on your jurisdiction (including Switzerland, the EU, the UK and similar regimes), you may have the following rights:

• Right of access – to know whether we process your data and to receive a copy.
• Right to rectification – to correct inaccurate or incomplete data.
• Right to erasure – to request deletion of your data, subject to certain legal limitations.
• Right to restriction – to restrict certain types of processing.
• Right to data portability – to receive your data in a structured, commonly used format where applicable.
• Right to object – to object to processing based on legitimate interests or direct marketing.

You may exercise these rights by contacting privacy@xxi.careers. We aim to respond within 30 days, subject to verification of your identity.

You also have the right to lodge a complaint with your local data protection authority if you believe your rights are being infringed.

11. Cookies & Analytics

The Platform aims to use minimal, privacy-preserving analytics.

• We do not use third-party advertising or tracking cookies.
• Any analytics are used solely to understand feature usage and improve the service.

You can configure your browser to reject cookies. However, some core functionality may rely on strictly necessary cookies for security and sign-in.

12. Payments & Third-Party Billing (Product v1.0)

When paid plans become available, payments may be processed by providers such as Stripe.

• Card details are processed by the payment provider and are not stored by xxi.careers.
• We receive limited billing information (e.g., last four digits of your card, expiry date, and billing country) as needed for accounting and fraud prevention.

The payment provider operates under its own privacy policy, which will be made available at the time of payment.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in:

• the Platform,
• applicable law,
• our data practices.

We will indicate the effective date at the top of the Policy. For material changes, we will provide a clear notice within the Platform or via email where appropriate.

Continued use of the Platform after an updated Policy takes effect constitutes acceptance of the changes.

14. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact:

Email: privacy@xxi.careers

© 2025 xxi.careers™ • All rights reserved.