Privacy Policy for MatchLyn.AI
1. Controller
The controller responsible for the processing of personal data on this website and within the MatchLyn.AI platform is:
Top Tier Talent Recruiting FZCO
Building A1, Dubai Digital Park
Dubai Silicon Oasis
Dubai, United Arab Emirates
Represented by: Jamila Meßerschmidt
Email: jamila@toptiertalentrecruiting.com
No data protection officer has been appointed. Under both the UAE Personal Data Protection Law (PDPL) and the EU General Data Protection Regulation (GDPR), we are not currently required to appoint one for our processing activities.
1.1 Applicability of UAE and EU Law
We are established in the United Arab Emirates and are subject to Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), which is the main federal data protection law in the UAE.
Where we process personal data of individuals in the European Union or European Economic Area (EU/EEA), we do so in accordance with the EU General Data Protection Regulation (GDPR).
If there is any conflict between applicable laws, we apply the higher standard of protection.
This Privacy Policy explains how we process personal data of:
- Candidates (job seekers, talent pool members, platform users), and
- Companies (clients, company representatives, platform users)
in connection with the use of our website MatchLyn.AI and our platform and services.
2. Categories of Data We Process
2.1 Candidates
We process in particular the following categories of personal data about candidates:
Basic Data
- First and last name
- Contact details (e-mail address, phone number)
- Place of residence (city/region)
- Place of birth, date of birth
Career-related data
- Work experience, roles, responsibilities
- Qualifications, skills, certificates, language skills
- Other professional information included in your CV or profile
- Where provided: availability, salary expectations
Documents
- CV / résumé
- References, certificates and other supporting documents (if uploaded)
Profile and usage data on the platform
- Log-in data (e-mail address, password – stored only in hashed/encrypted form)
- Session tokens / authentication cookies (e.g. better-auth.session_token)
- Language settings (locale)
- Last login / last activity
- Matches to job postings and suggestions shown to you
Internal evaluation data
- Notes and call summaries created by our recruiters
- Matching scores and ratings (e.g. fit scores against job criteria)
We do not process applications without a CV.
We do not intentionally use special categories of data (e.g. health, religion) for matching or evaluation. If such information appears in a CV, it is not actively used in our automated processes.
2.2 Company Representatives / Clients
For companies and their representatives we process:
Company data
- Company name, address, industry
- Company logo
- Link to the company website
- Job postings (titles, descriptions, requirements, locations, etc.)
Contact person data
- Name, position / role
- E-mail address, phone number (where provided)
Platform access and usage
- User account (e-mail address, password – stored only in hashed form, or via Google login)
- Session tokens / authentication
- Usage data on the platform (e.g. created job postings, viewed candidates, matches)
3. Purposes of Processing and Legal Bases
We process personal data only where we have a lawful basis under PDPL and, where applicable, GDPR.
3.1 Operating the Website and Platform
We process personal data to:
- provide and operate our website and platform,
- enable user registration and log-ins,
- maintain sessions (session tokens),
- store your chosen language setting (locale),
- perform basic technical analysis and error diagnostics (e.g. via Vercel Analytics).
Legal basis (GDPR, where applicable):
- Art. 6(1)(b) GDPR – performance of a contract or steps prior to entering into a contract (use of the platform as a registered user),
- Art. 6(1)(f) GDPR – our legitimate interest in the secure, stable and efficient operation of the website and platform.
Legal basis (PDPL, where applicable):
- Processing necessary for the performance of a contract or to take steps at your request prior to entering into a contract, and
- Other PDPL-permitted grounds for processing, including ensuring the security and functionality of our services.
3.2 Job Matching and Candidate-Company Introduction
Our core purpose is to match candidates with suitable job opportunities and companies with suitable candidates. This includes:
- collecting and analysing CVs and profile data,
- matching candidate profiles with job postings,
- internal evaluation (scores, notes),
- presenting candidates to companies.
Important principle:
Candidate profiles are not shared with companies unless the candidate has agreed and indicated interest in the company and/or specific position.
Legal basis (GDPR, where applicable):
- Art. 6(1)(b) GDPR – processing necessary to take steps at the request of the data subject prior to entering into an employment contract (recruitment and matching),
- Art. 6(1)(f) GDPR – our legitimate interest in operating an efficient, technology-supported matching and recruitment platform,
- Art. 6(1)(a) GDPR – your consent where you upload your CV and agree to its use in our talent pool and its sharing with companies.
Legal basis (PDPL, where applicable):
- Your consent where required (especially for using your data in the talent pool and sharing it with companies), and
- Processing necessary to conclude or perform a contract (or to take steps at your request) in the context of recruitment.
3.3 Talent Pool
If you upload your CV or create a profile and agree to be part of our talent pool, we also use your data to contact you for other suitable positions in the future or to share your profile with companies. In particular, we:
- identify future roles that match your profile,
- contact you regarding suitable opportunities,
- propose you to companies if you express interest.
Legal basis (GDPR, where applicable):
- Art. 6(1)(a) GDPR – your consent.
Legal basis (PDPL, where applicable):
- Your consent, which you may withdraw at any time in accordance with the PDPL.
You may withdraw your consent at any time with effect for the future (see “Your rights” below).
3.4 Client Relationships with Companies
For companies we process personal data in order to:
- provide access to the MatchLyn.AI platform,
- enable the creation and management of job postings,
- suggest suitable candidates,
- manage the ongoing business relationship (including communication and, where applicable, invoicing).
Legal basis (GDPR, where applicable):
- Art. 6(1)(b) GDPR – performance of a contract and steps prior to entering into a contract,
- Art. 6(1)(f) GDPR – our legitimate interest in customer acquisition, customer care and operating the platform where no direct contract is yet in place.
Legal basis (PDPL, where applicable):
- Processing necessary to conclude or perform contracts with companies and to manage the business relationship, in accordance with PDPL.
3.5 Communication
We use contact details (e-mail, phone) to:
- respond to enquiries from candidates and companies,
- coordinate meetings and (video) calls,
- send relevant information about roles or candidates.
Legal basis (GDPR, where applicable):
- Art. 6(1)(b) GDPR – performance of a contract or pre-contractual measures,
- Art. 6(1)(f) GDPR – our legitimate interest in efficient communication with users, customers and interested parties.
Legal basis (PDPL, where applicable):
- Processing necessary for contract performance or permitted under PDPL for communication with data subjects and clients.
We do not currently operate a marketing newsletter.
3.6 Use of AI for CV and Job Parsing & Matching
We use AI models (for example, via OpenAI within n8n workflows) to:
- parse and structure CVs and job descriptions,
- extract relevant content (skills, experience, keywords),
- compute matching scores between candidates and job postings,
- generate suggestions for suitable roles or candidates.
Key points:
- AI is used as a tool to support our recruiters.
- We do not rely on fully automated decisions that produce legal effects or similarly significant effects for individuals within the meaning of Art. 22 GDPR or the PDPL.
- A human always reviews AI results before decisions are taken (e.g. presenting you to a company, inviting you to an interview).
- AI providers are configured, where possible, so that your content is not used to train general models.
Legal basis (GDPR, where applicable):
- Art. 6(1)(b) GDPR – as part of the recruitment and matching process,
- Art. 6(1)(f) GDPR – our legitimate interest in efficient and modern candidate evaluation.
Legal basis (PDPL, where applicable):
- Processing necessary for contract performance or otherwise permitted by PDPL.
- We ensure that human review is included, as required when automated processing could significantly affect individuals.
3.7 Sourcing via LinkedIn, Instagram and Other Public Sources
To identify potential candidates and business partners, we use:
- LinkedIn,
- Instagram,
- publicly available information on company websites and job boards.
We may process personal data that is publicly available or made available within these services, in order to assess whether a profile fits open roles or our services and to contact individuals where appropriate.
Legal basis (GDPR, where applicable):
- Art. 6(1)(f) GDPR – our legitimate interest in efficient recruiting and business development.
Legal basis (PDPL, where applicable):
- Processing in accordance with PDPL in the context of legitimate business outreach, and where required, based on consent when individuals engage with our processes.
We do not accept applications via WhatsApp. Applications may, however, originate from Instagram ads and are then processed only via our forms and workflows with a CV.
4. Registration, Login and Authentication
4.1 Candidate Accounts
Candidates can:
- upload their CV via online forms, and
- create a personal profile on the platform.
We process:
- e-mail address and name,
- password (stored only in encrypted/hashed form),
- optional Google sign-in (Google acts as a separate service provider),
- double opt-in with verification e-mail for new accounts.
4.2 Company Accounts
Companies receive:
- their own login to the platform,
- access only to their own job postings and related candidate matches.
Passwords are stored only in hashed form. Login is possible via e-mail/password or via Google (where enabled).
4.3 Role-Based Access / Role Level Security
We implement Role Level Security, meaning:
Candidate accounts
- can only access their own profile and data,
- can only see matches relevant to them.
Company accounts
- can only see their own job postings,
- and candidate profiles matched to those postings for which the candidate has agreed to be introduced.
Internal admins (MatchLyn / Top Tier Talent Recruiting)
- have broader access where necessary for platform operation, support, matching and administration.
- No external freelancers are given direct system access. Recruiting agencies can be clients; they see only the data they are authorised to see under the same role model.
5. Cookies and Similar Technologies
We use limited cookies and similar technologies on our platform.
5.1 Authentication and Session Management
Cookie name (example): better-auth.session_token
- Purpose: Maintains your login session and keeps you signed in for a certain period.
- Storage period: approx. 7 days, unless you actively log out.
- Legal basis (GDPR, where applicable): Art. 6(1)(b) GDPR (strictly necessary for account functionality).
- Legal basis (PDPL, where applicable): Necessary to provide the service you requested (account access).
5.2 Language Settings
Cookie name: locale
- Purpose: Stores the language you selected for the interface.
- Legal basis (GDPR, where applicable): Art. 6(1)(f) GDPR – our legitimate interest in a user-friendly interface.
- Legal basis (PDPL, where applicable): Necessary for providing a suitable user experience.
5.3 Vercel Analytics
We use Vercel Analytics for technical performance monitoring:
- Purpose: analysing page performance and stability (e.g. load times, errors),
- We do not use Google Analytics or marketing pixels,
- We do not conduct behaviour-based advertising or retargeting.
Legal basis (GDPR, where applicable):
- Art. 6(1)(f) GDPR – our legitimate interest in basic, privacy-friendly performance and error monitoring.
Legal basis (PDPL, where applicable):
- Our legitimate need (under PDPL) to ensure secure, reliable and effective operation of our services.
We currently do not use a cookie banner because we do not rely on non-essential marketing or tracking cookies.
6. Service Providers and Data Transfers
We use various service providers (processors) to operate our platform and processes. These providers are bound by contracts and process data only on our documented instructions.
6.1 Hosting and Database
Amazon Web Services (AWS), Europe (Frankfurt) region
- Stores our platform data: candidate profiles, company profiles, login data, hashed passwords, CVs, etc.
Neon.com (managed PostgreSQL)
- Provides the database layer on top of AWS infrastructure, with the database hosted in the AWS Europe (Frankfurt) region.
Where processing involves third countries, we implement appropriate safeguards (e.g. Standard Contractual Clauses) in line with GDPR and PDPL requirements for cross-border data transfers.
6.2 CRM and Forms
Bitrix24
- Used as a CRM for storing client and candidate data, including online forms and CV uploads.
6.3 Workflow Automation and Parsing
n8n
- Used for workflow automation (e.g. CV parsing, job parsing, matching workflows).
Apify
- Used within n8n workflows to parse job postings.
6.4 AI / OpenAI
OpenAI
- Used to analyse and structure text from CVs and job descriptions, and to support matching logic (via API).
- We configure OpenAI so that your content is not used to train general models, as far as supported by our plan and settings.
6.5 Voice-Bot / Call-Bot
Vapi
- Used to host and operate an AI-driven call bot (if active), e.g. for initial screening calls.
- The bot is configured and used in a manner designed to comply with GDPR and PDPL (including appropriate contractual arrangements and technical settings).
6.6 Frontend Hosting and Analytics
Vercel
- Hosts the frontend of the MatchLyn.AI platform,
- Provides Vercel Analytics for technical performance metrics.
6.7 Communication
Google Workspace (G Suite)
- Used for e-mail communication and, where necessary, document storage (e.g. candidate or client-related files).
We only disclose personal data to third parties beyond these service providers if:
- it is necessary to present candidates to companies in the recruitment process and the candidate has agreed,
- you have expressly consented,
- we are legally obliged to do so, or
- it is necessary to establish, exercise or defend legal claims.
7. Sharing Data with Companies (Clients)
We only share candidate data with a company when:
- the candidate has actively provided their CV or created a profile with us, and
- the candidate has agreed to use of their data for job matching and talent pooling, and
- the candidate has expressed interest in the specific company and/or role.
Only then will we share relevant information (e.g. CV, contact details, match summaries) with the respective company.
We do not send applications or profiles to companies without a CV.
8. Retention Periods
We retain personal data only for as long as necessary for the purposes described, or as required by applicable law (e.g. statutory retention periods).
8.1 Candidates
Talent pool and platform profile
- We store your data as long as your consent is valid and you do not request deletion.
- You can request deletion of your profile or withdraw your consent at any time.
Upon a valid deletion request or withdrawal of consent, we will remove your data:
- from our platform database,
- from our CRM (e.g. Bitrix) and
- from other tools involved in processing (e.g. Vapi, n8n),
unless we are legally required to keep certain data longer (e.g. to comply with statutory retention obligations or to defend legal claims). In such cases, data will be restricted to the minimum necessary and blocked for other uses.
8.2 Companies / Clients
- Client data (accounts, contact persons, contract information) is stored for the duration of the business relationship.
- When a client terminates the contract, data relating to the client and associated platform accounts will be deleted, provided no legal retention obligations (e.g. commercial or tax laws) apply.
9. Your Rights
9.1 Rights Under GDPR (EU/EEA Data Subjects)
If the GDPR applies to you (e.g. if you are in the EU/EEA), you have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to withdraw consent (Art. 7(3) GDPR)
You also have the right to lodge a complaint with a data protection supervisory authority in the EU/EEA.
9.2 Rights Under UAE PDPL (Data Subjects in the UAE)
If the PDPL applies to you (e.g. if you are in the UAE), you have rights that are broadly similar to GDPR, including the right to:
- request information about how your data is processed,
- access your personal data,
- request correction or deletion of your data,
- request restriction or cessation of processing in certain cases,
- object to certain types of automated processing,
- complain to the UAE Data Office, which is the federal data regulator and supervisory authority under the PDPL.
9.3 How to Exercise Your Rights
To exercise any of your rights under GDPR or PDPL, you can contact us at any time:
E-Mail: jamila@toptiertalentrecruiting.com
We will review and respond to your request in accordance with the applicable legal framework (GDPR or PDPL, depending on your situation).
10. No Fully Automated Individual Decision-Making
We do not use fully automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you, within the meaning of Art. 22 GDPR or corresponding provisions under PDPL.
AI-based tools may generate scores and suggestions, but final decisions (e.g. whether to present you to a company, invite you to an interview) are always made by humans.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include in particular:
- hosting in professional data centres (e.g. AWS Europe, Frankfurt),
- role-based access control (Role Level Security),
- limiting access to authorised internal staff only,
- hashing of passwords,
- contractual safeguards with our processors.
We do not grant direct system access to external freelancers. Recruiting agencies that are our customers only see the data they are entitled to see under the same access model as other company users.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example if we introduce new features, use additional tools or if legal requirements change.
The latest version is always available on MatchLyn.AI. If the changes are material, we will inform you in an appropriate manner (e.g. via notice on the website or in your user account).
Last updated: November 2025