Privacy Policy

1. Introductions

SkillsCV B.V. (hereinafter: “SkillsCV,” “we,” “us”) operates The Talentpool Community (TPC), a professional platform that enables employers to find talent through AI-powered matching. This privacy notice explains how we handle personal data in accordance with the General Data Protection Regulation (GDPR), the EU AI Act, and other applicable laws.

1.1 Scope

This Notice applies to:

• The Talentpool Community: thetalentpoolcommunity.nl (employer platform)
• Related Services: SkillsCV candidate platform (for matching functionality)
• Mobile Apps: TPC mobile applications (if available)
• Communications: Emails, notifications, newsletters

1.2 Data Controller Contact Information

SkillsCV B.V.
Woestduinlaan 57
3941 ZJ Doorn
Nederland
Chamber of Commerce number: 77922190

Contact:
E-mail: [email protected]
Phone: +31 (0)6 2256 2671

Data Protection Officer::
E-mail: [email protected]
Postal: Attn: DPO at above address

2. What Personal Data Do We Collect?

2.1 Employer Data (Directly Provided)

A. Company and Contact Details

• Company Data: Company name, Chamber of Commerce and VAT numbers, address
• Contact person: name, role, email, phone
• User accounts: login details, preferences, permission levels
• Billing information: IBAN, billing address, payment history

B. Job and Recruitment Information

• Job postings: Descriptions, requirements, employment terms
• Skill requirements: experience and competencies
• Company culture:Values, work style, team descriptions
• Recruitment preferences:Location, salary, hours, contract type
• Contactinformatie:name, email, phone, other

C. Communication and Matching

• Messages: candidate communication through the platform
• Matching feedback: evaluations of suggested candidates
• Interview planning: scheduling, notes, evaluations
• Hiring decisions: recruitment outcomes

2.2 Candidate Data (Anonymized)

Based on The Matchbox algorithms: https://www.thematchbox.ai/nl/

A. Skills and Competencies (Anonymized)

Think about:

• Technical skills: programming, certifications, tools
• Soft skills: communication, leadership, teamwork
• Experience: years of experience by skill category (no company names)
• Education: level and field (without institutions)
• Availability: full-time/part-time, preferred location, start date

B. Matching Informations

• See: The Matchbox: https://www.thematchbox.ai/nl/

2.3 Automatically Collected Data

We may use tools like Google Analytics, Hotjar, and Amplitude to collect:

A. Platform Usage

• • Login activity: timestamps, session length, last activity
  • Feature usage: filters used, search behavior
  • Job post management: number of listings, views, responses
  • Matching activity: profile views, sent invitations

B. Technical Data

• Device info: IP, browser, OS
• Performance: load times, errors, system responses
• Security: login attempts, incidents
• Cookies: see separate Cookie Policy

2.4 Data from Third Parties

• ATS integrations (with consent)
• Social media: Publicly available LinkedIn company page data
• Market intelligence: salary benchmarks (anonymized)
• References: feedback about employer reputation (anonymized)

3. Purposes and Legal Bases of Processing

3.1 Core Functionalities (Legal basis: Performance of Contract – Art. 6(1)(b) GDPR)

A. Account and Subscription Management

• Purpose: Creating, managing, and billing TPC employer accounts
• Data: Company, contact, and payment details
• Retention: Duration of subscription + 7 years (for tax compliance)

B. AI Matching and Candidate Suggestions

• Purpose: Automated matching of job postings with suitable candidates
• Data: Job requirements vs. anonymized candidate profiles
• Technology: Machine learning algorithms (see Section 4)
• Retention: Active during job listing period

C. Talent Pool Access

• Purpose: Access to anonymized SkillsCV candidate profiles
• Data: Skills, experience, availability (fully anonymized)
• Safeguards: No identifiable data shown without candidate consent
• Retention: During active subscription

3.2 Communication Facilitation (Legal basis: Performance of Contract – Art. 6(1)(b) GDPR)

A. Employer-Candidate Contact

• Purpose: Enabling contact after mutual interest
• Condition: Explicit candidate consent required for identification
• Data: Full candidate details shared
• Retention: 2 years after last communication (for quality assurance)

B. Platform Messaging

• Purpose: In-platform messaging system for recruitment
• Data: Message content, timestamps, read receipts
• Encryption: End-to-end encryption
• Retention: Until user deletion or 3 years max

3.3 Credit System (Legal basis: Performance of Contract – Art. 6(1)(b) GDPR)

A. Credit Tracking

• Purpose: Tracking earned and spent credits
• Data: Candidate referrals, contact attempts, credit balance
• Transparency: Real-time credit transaction log
• Retention: 3 years (financial recordkeeping)

B. Fair-use Monitoring

• Purpose: Prevent misuse of the credit system
• Data: Usage patterns, contact frequency, success rates
• Retention: 1 year (trend analysis)

3.4 Service Optimization (Legal basis: Legitimate Interest – Art. 6(1)(f) GDPR)

A. Platform Improvement

• Purpose: Optimize algorithms and user experience
• Data: Aggregated usage stats, success rates, feedback
• Anonymization: Company-identifiable data removed
• Balancing Test: Improvement benefit vs. privacy impact
• Retention: 2 years (development purposes)

B. Market Research

• Purpose: Understand recruitment trends and skill demand
• Data: Anonymized job data, hiring statistics
• Output: Public labor market reports
• Retention: 3 years (longitudinal study)

3.5 Marketing and Communication (Legal basis: Consent – Art. 6(1)(a) GDPR)

A. Newsletters and Updates

• Purpose: Informing users about features and best practices
• Data: Email, company type, platform usage
• Opt-in: Consent at registration
• Opt-out: Unsubscribe via link in every message
• Retention: Until user unsubscribes

B. Personalized Recommendations

• Purpose: Provide relevant recruitment optimization tips
• Data: Job types, hiring success, platform behavior
• Retention: During active use of platform

3.6 Legal Obligations (Legal basis: Legal Obligation – Art. 6(1)(c) GDPR)

A. Tax Compliance

• Purpose: Compliance with tax regulations
• Data: Invoices, payments, subscription details
• Retention: 7 years (per Dutch Civil Code)

B. Anti-Discrimination Monitoring

• Purpose: Ensure fair hiring practices
• Data: Job descriptions, hiring patterns, complaints
• Monitoring: Automated detection of discriminatory patterns
• Retention: 5 years (labor law compliance)

4. AI Systems and Matching Technology

4.1 AI Matching System (EU AI Act Compliance)

This system relies on both TPC’s and The Matchbox’s compliance: https://www.thematchbox.ai/nl/

A. System Classification

• Risk level: Limited risk (Article 52, EU AI Act)
• Type:Supervised machine learning for skill-job matching
• Training data: Past successful matches, skill taxonomies
• Update frequency:: Weekly updates with new training data

B. How the Matching Algorithm Works

1. See The Matchbox

C. Transparency Measures (Article 52, EU AI Act)

• Notification: Users are informed about AI use upon first interaction
• Explanation: General explanation of matching criteria is available
• Human oversight: Employers can review all suggested matches
• Feedback integration: Matching algorithm evolves based on user feedback

4.2 Bias Prevention and Fairness

A. Protected Characteristics

The system does not use the following personal attributes:

• Gender, age, ethnicity


• Religion, political beliefs


• Family situation, pregnancy status


• Disability or health information


• Sexual orientation

B. Bias Detection

(via The Matchbox)

• Regular audits: Periodic bias-detection analysis
• Statistical parity: Equal matching chance for all demographics
• Equalized odds: Consistent accuracy across groups
• Calibration: Standardized interpretation of scores
• External review: Annual third-party fairness audits

C. Corrective Measures

• Data rebalancing: Representatieve training-datasets
• Algorithmic debiasing: Fairness constraints in model-training
• Post-processing: Adjusted output scoring for fairness
• Continuous monitoring: Real-time bias-detection systems

4.3 User Control over AI

A. Matching-preferences

Employers can customize matching criteria based on:

• Skills
• Role or job type
• Education level
• Location
• Availability
• Working style and flexibility
• Availability (full-time/part-time)
• Salary preferences

B. Algorithm Transparency

1. See The Matchbox

C. Human Override

• Manual search: Browse profiles outside AI recommendations
• Custom filters: Set your own matching criteria
• Blacklist skills: Exclude unwanted skill matches
• Expert mode: Advanced configuration of AI parameters

5. Candidate Privacy and Anonymization

5.1 SkillsCV Data Anonymization Proces

A. Data Minimization for TPC

Kandidaten hebben geheel zelf regie op de identificatoren die ze laten zien. By default staan ze uit. Think about:

• Personal details: Name, address, phone number, email


• Unique identifiers: Citizen Service Number (BSN), ID numbers, account IDs


• Employer-specific data: Company names, projects, references


• Timestamps: Specific dates or identifiable time data

The following non-identifiable data is retained for matching purposes:

• Skills and competency levels (aggregated)
• Experience categories (e.g., junior, medior, senior)
• Education level (without specifying institutions)
• Location preferences (at city or regional level)
• Availability and contract preferences (e.g., full-time, part-time)
• Preferences regarding working hours, flexibility, hybrid work, etc.

B. Ensuring K-Anonymity

1. See The Matchbox

C. Re-identification Prevention

Technical measures:

• See The Matchbox

Organizational safeguards:

• See The Matchbox

5.2 Candidate Consent Management

A. Opt-in Process

Candidates using SkillsCV can choose their visibility and contact preferences:

• Fully anonymous: Only skills are shown, no contact possible
• Contact upon match: Contact information is shared only after a mutual match
• Direct contact allowed: Employers may reach out directly (with consent)

B. Granular Controls

• By job type: Different visibility levels for each type of vacancy
• By region: Limit visibility to certain geographic areas
• By time: Set temporary visibility (e.g., during active job search only)
• By seniority: Choose visibility based on career level
• Context- and skills-based: Additional logic governed by The Matchbox

C. Revocation Rights

• Immediate withdrawal: Profile visibility is stopped instantly
• Graceful degradation: Existing matches are finalized; new exposure stops
• Data deletion: Complete removal from the TPC database within 48 hours
• Audit trail: All changes in consent are logged and traceable

6. Sharing of Personal Data

6.1 Within the SkillsCV Ecosystem

A. SkillsCV ↔ TPC Data Exchange

• Anonymous Profiles: Transferred from SkillsCV to TPC (fully anonymized)
• Match Results: Matching scores from TPC are returned to SkillsCV
• Consent Status: Real-time updates of candidate permissions
• Analytics: Aggregated statistics on matching success

B. Shared Infrastructure

• Cloud providers: Amazon Web Services (EU-datacenters)
• Security services: Cloudflare for DDoS-bescherming
• Analytics: Google Analytics (IP-anonymization)
• Communication: SendGrid for transactional emails

6.2 With Service Providers (Processors)

A. Technical Service Providers

B. Analytics and Monitoring Providers

6.3 International Data Transfers

A. Adequacy Decisions

Data is only transferred to countries with adequate protection levels, including:

• United Kingdom (post-Brexit adequacy decision)


• Switzerland, Norway, Iceland (EEA-plus countries)


• Other countries recognized by the European Commission

B. Safeguards for US Transfers

• EU-US Data Privacy Framework: For providers certified under DPF
• Standard Contractual Clauses (SCCs): For providers not covered by DPF
• Binding Corporate Rules (BCRs): For multinationals with EU-approved BCRs
• Specific Exceptions: Art. 49 GDPR, where necessary

C. Monitoring and Review

• Quarterly Reviews: Evaluation of international transfer practices
• Legal Monitoring: Keeping track of adequacy decision changes
• Incident Response: Protocols in case protection levels change
• Contract Updates: SCCs are updated according to the latest legal versions

6.4 No Sale of Personal Data

We never sell personal data. Data is shared only:

• For delivering services to employers
• With explicit consent from candidates for contact
• When legally required (e.g., court orders)
• With processors under strict contractual safeguards

7. Security of Personal Data

7.1 Technical Security Measures

A. Data Encryption

• In transit: TLS 1.3 is used for all client-server communication
• At rest: AES-256 encryption is applied to database contents
• Application level: Additional encryption for sensitive data fields
• Key management: Centralized key management via AWS KMS

B. Access Controls

• Multi-factor authentication (MFA): Required for all TPC accounts
• Role-based access control (RBAC): Access based on the principle of least privilege
• Session management: Automatic timeouts, concurrent session limits
• API security: OAuth 2.0, rate limiting, request validation

C. Infrastructure Security

• Network segmentation: Logical separation between various platform services
• Firewall configuration: Restrictive rules, regular audits
• Intrusion detection: Real-time monitoring van suspicious activity
• DDoS protection: Cloudflare enterprise protection

7.2 Organizational Measures

A. Personnel and Training

• Background checks: Conducted for all staff with access to personal data
• Privacy training: Mandatory annual training for all employees
• Confidentiality agreements: Included in all employment contracts
• Access reviews: Quarterly audits of access rights

B. Procedures and Protocols

• Data handling procedures: Documented processes for data operations
• Incident response plan: 24/7 security incident response team
• Change management: Controlled deployment procedures
• Vendor management: Due diligence and monitoring of all service providers

C. Compliance and Auditing

• Internal audits: Monthly audits for both security and privacy compliance
• External audits: Annual security reviews by third-party experts
• Penetration testing: Ethical hacking tests conducted quarterly
• Compliance monitoring: Continuous review of compliance requirements

7.3 Data Breach Procedures

A. Detection and Containment

• Automated monitoring: Real-time alerts for unusual access or data anomalies
• Incident classification: Rapid assessment of the severity and scope of a breach
• Containment measures: Immediate isolation of affected systems
• Forensic preservation:Evidence collection of evidence for investigation

B. Notification Procedures

Notification timeline (depending on severity and legal obligation):

• Within 1 hour: Internal incident response team activation
• Within 24 hours: Completion of initial assessment and containment
• Within 72 hours: Notification to the Dutch Data Protection Authority (if high risk)
• Without delay: Notification to affected individuals (if high risk)

C. Recovery and Lessons Learned

• System restoration: Secure recovery of affected systems from clean backups
• Root cause analysis: Thorough investigation of breach origin and contributing factors
• Process improvements: Adjustments to procedures based on findings
• Staff retraining: Additional training based on the nature of the breach

8. Your Rights as a Data Subject

8.1 Rights of Employers

A. Right of Access (Article 15 GDPR)

You may request access to:

• An overview of all processed company and contact person data
• The purposes of processing and the applicable legal grounds
• Recipients of the data (e.g. service providers, authorities)
• Retention periods per data category
• Origin of the data (whether provided directly or by third parties)

Procedure:

• Directly via your account settings (immediate access)
• By emailing [email protected] (response within 1 month)
• Please include a copy of the contact person’s ID for verification

B. Right to Rectification (Article 16 GDPR)

You may request correction of:

• Company information (name, address, Chamber of Commerce number)


• Contact person details (name, title, email, phone number)


• Billing details (IBAN, invoice address)


• Account preferences and settings

How to update:

• Direct via TPC account dashboard
• Bulk updates via CSV upload (for enterprise customers)
• Complex changes can be requested via [email protected]

C. Right to Erasure (Article 17 GDPR)

You may request deletion in cases such as:

• Termination of your subscription (after financial obligations are fulfilled)
• Withdrawal of consent for marketing purposes
• Objection to processing (if no overriding legitimate interest exists)

Exceptions include:

• Legal retention requirements (e.g. 7 years for invoices)


• Ongoing contractual obligations


• Legal claims or disputes (until resolved)


• Anonymized statistics (no longer personal data)

D. Other Rights

• Restriction of processing: During disputes or data verification
• Data portability: Export of structured data
• Objection: To processing based on legitimate interest
• Withdrawal of consent: For marketing and optional features

8.2 Candidate Rights (via SkillsCV)

Although candidates exercise their rights directly through the SkillsCV platform, they may also contact The Talentpool Community (TPC) for:

1. Information about anonymization

• Explanation of which data is visible to employers
• Insight into matching algorithms and scoring logic
• Details on re-identification prevention measures.

2. Control over Visibility

• Adjust visibility settings through the SkillsCV account


• Blacklist specific employers within the TPC platform


• Temporarily hide profiles or set availability periods

3. Complaints about Employers

• Report inappropriate contact attempts from employers


• File complaints about potential discrimination


• Provide feedback on match quality or algorithmic bias

9. Retention Periods

9.1 Active Employers

9.2 Matching and AI-data

9.3 Compliance and Legal

9.4 Automatic Deletion Procedures

• Daily cleanup: Removal of expired sessions and temporary files
• Weekly purge: Cleanup of outdated logs and cache data
• Monthly review: Assessment of compliance with retention schedules
• Annual audit: Full review of all retention periods

10. Specific Aspects of TPC

10.1 Credit System Privacy

A. Credit-tracking

• Transparency: Real-time insights into credit earnings and usage
• Audit trail: Complete transaction history of all credit activity
• Privacy: No credit data is shared with third parties
• Portability: Ability to export credit balance when migrating accounts

B. Fair-use Monitoring

• Pattern detection: Automated monitoring for unusual or abusive usage
• Privacy-preserving: Monitoring is conducted on an aggregated level
• Human review: Manual assessment of flagged accounts
• Due process: Clear escalation procedure for policy violations

10.2 Employer Reputation Management

A. Review System (Planning)

• Anonymous feedback: Candidates can review employers anonymously
• Aggregated scores: Public reputation scores based on multiple reviews
• Bias prevention: Anti-manipulation measures to block fake reviews
• Right of reply: Employers may respond to received feedback

B. Compliance Scoring

• Diversity metrics: Tracking vof inclusive hiring practices
• Response rates: How quickly employers respond to candidate messages
• Success rates: Completion rates of hiring processes
• Reputation impact: Scores can influence priority in candidate matching

10.3 Integration Management

A. ATS-Connectivity

• Data minimization: Only essential data is synchronized
• Encryption: End-to-end encryption for API communication
• Access controls: Role-based access to integration-features
• Audit logging: Complete traceability of all data exchanges

B. Third-party Compliance

• Vendor assessment: Due diligence on privacy and security measures
• Contractual requirements: Strict data processing agreements with all integration partners
• Regular audits: Periodic evaluations of third-party compliance
• Incident coordination: Joint procedures for responding to data breaches

11. Changes to the Privacy Statement

11.1 Reasons for Updates

• Legal updates: Changes in legislation (e.g., new AI Act provisions, amendments to the GDPR)
• Service expansion: Introduction of new TPC features and functionalities
• Technical changes: Updates to infrastructure or security measures
• User feedback: Improvements based on input from users

11.2 Communication-procedure

For significant changes (announced at least 30 days in advance):

• Email notification to all account owners
• Dashboard notification upon login
• A detailed changelog available on the website
• Option to terminate account if user disagrees with the changes

Minor updates:

• Notification on the website


• Updated version date


• Mention in quarterly newsletter

11.3 Consent Management

• Implicit consent: Continued use of the platform constitutes acceptance of the updated policy
• Explicit consent: Required for any material changes that impact user privacy
• Granular choice: Users can opt out of specific changes
• Grace period: 30 days to review and evaluate the changes before they take effect

12. Contact and Complaints

12.1 Privacy Contact

For all privacy-related questions:

Primary contact:
E-mail: [email protected]
Response time: Within 3 business days

Data Protection Officer:
E-mail: [email protected]
For complex privacy issues or GDPR interpretation

Executive escalation:
For unresolved issues: info @skillscv.nl

12.2 Employer Support

For account and billing questions:
E-mail: [email protected]
Phone: +31 (0)6 2256 2671

Technical integration support:
E-mail: [email protected]
For API, ATS connectivity, troubleshooting

12.3 Complaints Procedure

1. First line:Contact via [email protected]
2. Escalation:DPO via [email protected] If unsatisfied
3. External complaint: File a complaint with the Dutch Data Protection Authority:

• Website: www.autoriteitpersoonsgegevens.nl
• Phone: 0900-200 0020
• Postal address: Postbus 93374, 2509 AJ Den Haag

12.4 Candidate Complaints

Candidates can file complaints regarding:

• Inappropriate employer contact: Via SkillsCV platform
• Suspected discrimination: [email protected]
• Technical matching issues: [email protected]
• Re-identification attempts: Immediate escalation to [email protected]

13. Relationship with the SkillsCV Platform

13.1 Shared Responsibility Model

• SkillsCV: Responsible for candidate data and consent management
• TPC: Responsible for employer data and the matching platform
• Shared: Anonymization of candidate data and security of cross-platform data transfers and processes

13.2 Data Flow Governance

• Consent propagation: Real-time updates of candidate permissions across platforms
• Anonymization pipeline: Automated sanitization of data before use in TPC
• Audit coordination: Synchronized logging and monitoring across SkillsCV and TPC
• Incident response: Joint procedures protocols for any cross-platform data incidents

13.3 User Rights Coordination

• Cross-platform requests: All privacy rights apply to both services (SkillsCV and TPC)
• Unified response: One point of contact for handling privacy requests
• Consistent policies: Aligned procedures and standards across both platforms
• Data portability: Seamless export across platform-boundaries

Last modified: 13 juni 2025

Effective from: 13 juni 2025
Volgende evaluatie: Ongoing

For the most current version of this privacy policy, please visit: www.thetalentpoolcommunity.nl/privacybeleid

Related documents:

• Privacy Statement SkillsCV
• Cookie Policy
• TPC Terms of Use