Deciml ("we", "us", "our") operates the Deciml recruitment platform at deciml.io. This Privacy Policy explains how we collect, use, store and protect your personal data when you use our platform, in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR) where applicable, and the Data Protection Act 2018.
1. Data Controller
The data controller responsible for your personal data is Deciml. If you have questions about this policy or wish to exercise your rights, please contact us at privacy@deciml.io.
2. What personal data we collect
2.1 Candidate data
When you create a profile on our platform, we collect:
- Name, email address and password (hashed)
- Professional information: job title, location, bio, work experience, education
- Skills and proficiency levels
- Career preferences: desired role, work type (remote/hybrid/onsite), salary expectations, preferred location and company stage
- Availability status (actively looking, open to opportunities, not looking)
- Social and messaging handles: Telegram, Discord, GitHub, Twitter/X
- CV/resume documents you upload
- Profile photograph
- Application history and cover notes
- Communication preferences (email and Telegram notification settings)
2.2 Data from CVs
When you upload a CV, we use AI-powered text extraction to parse your document and pre-populate your profile with information including your name, title, skills, work history and education. You can review and edit all extracted data before it is saved.
2.3 Technical and usage data
- IP address, browser type and version
- Pages visited, time spent on pages, referral source
- Device information (operating system, screen resolution)
2.4 Data from third-party integrations
- Telegram chat ID (when you link your Telegram account for notifications)
- Job data synced from our CRM system (Manatal) for the roles listed on the platform
3. How we use your data
We process your personal data for the following purposes:
- Account creation and authentication: to create and manage your account on the platform (legal basis: contract performance)
- Profile and job matching: to match your profile to relevant job opportunities using our automated matching engine, and to display your profile to our recruitment team (legal basis: contract performance and legitimate interests)
- Application processing: to process your job applications and manage your candidacy through the recruitment pipeline (legal basis: contract performance)
- Communications: to send you notifications about application status updates, new job matches, and weekly job digests via email and/or Telegram (legal basis: consent and legitimate interests)
- Platform improvement: to analyse usage patterns and improve our platform and matching algorithms (legal basis: legitimate interests)
- Security: to protect the platform against fraud, abuse and security incidents (legal basis: legitimate interests)
- Legal compliance: to comply with applicable laws and regulations (legal basis: legal obligation)
4. Automated decision-making
Our platform uses automated processing to match candidate profiles to job opportunities and to score the quality of matches. This processing uses a combination of rules-based classification (matching your skills, experience and preferences against job requirements) and AI-powered scoring (using large language models to assess match quality).
These automated matches are used to surface relevant opportunities to you and to assist our recruitment team in identifying suitable candidates. No automated decision produces legal effects or similarly significant effects on you without human review. All hiring decisions involve human assessment by our recruitment team and the hiring client.
You have the right to request human review of any automated matching decision, to express your point of view, and to contest the outcome. Contact us at the email address above to exercise this right.
5. Who we share your data with
- Hiring clients: When you apply for a role or we identify you as a potential match, we share relevant profile information (name, title, skills, experience, location, CV) with the hiring company for that specific role. We do not share your salary expectations or availability status with clients without your consent.
- Service providers: We use the following third-party processors to operate the platform:
  - Supabase (database hosting and authentication, EU/US)
  - Vercel (application hosting, global CDN)
  - OpenRouter/Anthropic (AI-powered matching and CV parsing)
  - Resend (transactional email delivery)
  - Telegram (messaging notifications, where you have opted in)
  - Upstash (rate limiting infrastructure)
- Legal requirements: We may disclose your data where required by law, regulation or court order.
We do not sell your personal data to third parties. We do not share your data with advertisers.
6. International data transfers
Some of our service providers process data outside the UK and EEA (including in the United States). Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office or the European Commission, or reliance on an adequacy decision.
7. Data retention
We retain your personal data for as long as your account is active on the platform. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain certain records for legal, regulatory or legitimate business purposes (such as records of placements made).
Inactive accounts (no login for 24 months) will be flagged, and we will contact you to ask whether you wish to keep your account. If we receive no response within 30 days, the account and associated data will be deleted.
Job application records may be retained for up to 3 years after the application date for the purpose of responding to any disputes or claims related to the recruitment process.
8. Your rights
Under UK GDPR and EU GDPR (where applicable), you have the following rights:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data (subject to legal retention requirements).
- Right to restrict processing: Request that we limit how we use your data in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests, including profiling for matching purposes.
- Right to withdraw consent: Where processing is based on consent (e.g. marketing communications), you may withdraw consent at any time via your profile notification settings.
- Right not to be subject to automated decision-making: Request human review of automated matching decisions (see Section 4).
To exercise any of these rights, contact us at privacy@deciml.io. We will respond within one month. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or, if you are in the EU, your local supervisory authority.
9. Data security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Passwords are hashed using bcrypt and never stored in plain text
- All data in transit is encrypted via HTTPS/TLS
- Database access is restricted to authorised services only
- API endpoints are protected by authentication and rate limiting
- Security headers (CSP, HSTS, X-Frame-Options) are enforced on all pages
- Access to candidate data by our recruitment team is limited to those who need it for their role
10. Children
Our platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or via a notice on the platform. The date at the top of this policy indicates when it was last updated.