This policy explains how i-TalentAI collects, uses, stores, and protects your personal data in compliance with the Saudi Personal Data Protection Law (PDPL) and the EU General Data Protection Regulation (GDPR).
Last updated: April 12, 2026
i-TalentAI (“we”, “us”, or “our”) is the data controller responsible for your personal data. We are incorporated and operating in the Kingdom of Saudi Arabia.
This Privacy Policy applies to all users of the i-TalentAI platform, including candidates, recruiters, and visitors to our website at i-talentai.com. It covers personal data collected through our website, mobile interface, API integrations, and any associated services.
This policy is designed to satisfy the requirements of both the Saudi Personal Data Protection Law (PDPL) (Royal Decree No. M/19 of 1443H, as amended) and the EU General Data Protection Regulation (GDPR) (Regulation 2016/679) for users located in the European Economic Area.
We collect the following categories of personal data:
| Category | Examples | Purpose |
|---|---|---|
| Identity Data | Full name, profile photo, nationality | Account creation, identity verification |
| Contact Data | Email address, phone number | Communication, notifications |
| Professional Data | CV/résumé, work experience, education, skills | Interview preparation, job matching |
| Interview Data | Voice recordings, video recordings, AI-generated transcripts and scores | AI interview assessment, feedback generation |
| Biometric Indicators | Facial presence detection (camera feed during interview) | Interview integrity verification (anti-cheat) |
| Technical Data | IP address, browser type, device identifiers, cookies | Platform security, analytics, fraud prevention |
| Payment Data | Billing name, payment method type (processed by Stripe; card numbers are never stored by us) | Subscription and plan management |
| Usage Data | Pages visited, features used, session duration | Platform improvement, personalised experience |
We do not collect sensitive personal data (e.g., health, religion, political opinions) unless you voluntarily provide it in your CV or interview responses. If such data is provided, it is processed solely to fulfil the interview service.
We process your personal data on the following legal bases:
| Legal Basis | When We Rely on It |
|---|---|
| Contract Performance | Processing necessary to provide the interview platform service you have signed up for |
| Legitimate Interests | Platform security, fraud prevention, AI model improvement (aggregated/anonymised), service analytics |
| Consent | Marketing communications, optional cookies, biometric processing for interview integrity |
| Legal Obligation | Compliance with Saudi PDPL, ZATCA tax requirements, NCA cybersecurity regulations, and applicable court orders |
Under the PDPL, we rely on contractual necessity and legitimate interest as primary bases. For GDPR purposes, we additionally rely on explicit consent for biometric indicators and optional analytics cookies.
| Data Type | Retention Period |
|---|---|
| Account data (name, email, role) | Duration of account + 3 years after deletion request |
| Interview recordings (audio/video) | 90 days from interview date, then permanently deleted |
| Interview transcripts and AI scores | 2 years from interview date |
| CV files | Duration of account + 1 year after deletion request |
| Payment records | 7 years (ZATCA / Saudi tax law requirement) |
| Server and access logs | 90 days |
| Cookie consent records | 3 years |
You may request earlier deletion of your data at any time (see Section 9 — Your Rights). Certain data may be retained longer where required by law or for the establishment, exercise, or defence of legal claims.
We share personal data only with trusted third parties who are contractually bound to protect it:
| Recipient | Purpose | Location |
|---|---|---|
| OpenAI | AI interview question generation, voice transcription (Whisper), TTS, CV rewriting | USA (Standard Contractual Clauses applied) |
| Stripe | Payment processing | USA (Standard Contractual Clauses applied) |
| Amazon Web Services (S3) | Secure file and media storage | Configurable region; data stored in compliant regions |
| Manus Platform | Hosting infrastructure, OAuth authentication | Singapore |
| Resend | Transactional email delivery | USA (Standard Contractual Clauses applied) |
We do not sell, rent, or trade your personal data to any third party for marketing purposes. Recruiters who access candidate interview reports do so only for candidates who have applied to their job postings.
Cross-border data transfers to countries outside Saudi Arabia and the EEA are governed by appropriate safeguards including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable, in accordance with PDPL Article 29 and GDPR Chapter V.
We use cookies and similar technologies to operate the platform and improve your experience. You can manage your cookie preferences at any time via the cookie consent banner.
| Cookie Type | Purpose | Consent Required |
|---|---|---|
| Essential / Functional | Session authentication, security tokens, language preference | No (necessary for service) |
| Analytics | Aggregated usage statistics to improve the platform (no personal profiling) | Yes |
| Preference | Remembering your settings (e.g., dark mode, language) | Yes |
We do not use advertising or cross-site tracking cookies. You may withdraw cookie consent at any time by clearing your browser cookies or contacting us.
Under the PDPL and GDPR, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Right of Access | Request a copy of all personal data we hold about you. |
| Right to Rectification | Request correction of inaccurate or incomplete data. |
| Right to Erasure | Request deletion of your personal data ('right to be forgotten'), subject to legal retention obligations. |
| Right to Restriction | Request that we limit processing of your data in certain circumstances. |
| Right to Data Portability | Receive your data in a structured, machine-readable format (GDPR users). |
| Right to Object | Object to processing based on legitimate interests, including profiling. |
| Right to Withdraw Consent | Withdraw consent at any time where processing is consent-based (e.g., marketing emails, analytics cookies). |
| Right to Lodge a Complaint | File a complaint with the Saudi National Data Management Office (NDMO) or, for EEA users, your local Data Protection Authority (DPA). |
To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days (PDPL) or one month (GDPR). Identity verification may be required before we process your request.
We implement technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by PDPL and GDPR.
The i-TalentAI platform is intended for users aged 18 years and older. We do not knowingly collect personal data from individuals under 18. If you believe a minor has provided us with personal data, please contact us immediately at [email protected] and we will delete the data promptly.
For users in the Kingdom of Saudi Arabia, the following additional provisions apply under the Personal Data Protection Law (PDPL):
For users located in the European Economic Area (EEA), the following additional provisions apply under the General Data Protection Regulation (GDPR):
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (if you have an account) and update the “Last updated” date at the top of this page. Continued use of the platform after the effective date of any changes constitutes acceptance of the updated policy.
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Privacy team:
For PDPL complaints, you may also contact the National Data Management Office (NDMO) at ndmo.gov.sa.
For GDPR complaints (EEA users), you may contact your local Data Protection Authority. A directory is available at edpb.europa.eu.