Privacy Policy

Protecting your personal data is a core concern for us. This privacy policy explains which personal data we process on talent.xenolu.ch and xenolu.ch (together, the «Platform»), for which purposes, and which rights you have. It is based on the Swiss Federal Act on Data Protection (revFADP) and — where applicable — the EU General Data Protection Regulation (GDPR).

This privacy policy applies to talents who register on the Platform. Separate terms apply to corporate clients who search for talents via the Platform.

Xenolu is based on anonymised double-blind matching: before a match, companies see only job-relevant information — never your name, gender, age, origin, photo or contact details. Identifying personal data is disclosed only after a mutual match and your explicit contact release (see Section 5).

1. Controller

The controller within the meaning of Art. 5 lit. j revFADP and Art. 4 No. 7 GDPR is:

Xenolu GmbH
Leueweg 10
8570 Weinfelden
Switzerland
Email: info@xenolu.ch

For any privacy-related matters, you can reach us at info@xenolu.ch.

2. Data we process

When you register as a talent, you upload your CV. From it, and from your manual input, we process the following personal data:

• Name, email address, phone number (if contained in your CV)
• Place of residence at city level — street addresses and postal codes are automatically removed before storage and are never saved
• Professional history (positions, employers, periods, responsibilities, achievements)
• Education (degrees, institutions, periods, grades)
• Professional skills and certifications
• Language skills including proficiency level
• Salary expectations and preferred work cantons or regions
• Industry background and availability
• The text content of your CV (address-redacted), file name and upload time
• The result of the AI analysis of your CV (structured profile data)
• Time of email confirmation and of your acceptance of this privacy policy

In addition, operating the Platform generates technical data (IP address, browser information, access time) required to provide and secure the service.

3. Purposes and legal bases

We process your data for the following purposes:

• Creating and operating your talent profile — based on your explicit consent given during registration (Art. 6(1)(a) GDPR; Art. 31(1) revFADP) and for the performance of the user agreement (Art. 6(1)(b) GDPR)
• AI-assisted analysis of your CV (see Section 4) — based on your consent
• Making your profile discoverable to searching companies (see Section 5) — the core purpose of the Platform, to which you agree upon registration
• Communication (confirmation emails, login links, job offers) — for the performance of the agreement
• Security and abuse prevention (bot protection, error monitoring) — based on our legitimate interest in a secure operation (Art. 6(1)(f) GDPR)

4. AI-assisted CV analysis

After upload, the text content of your CV is automatically read and converted into structured profile data (skills, experience, education, languages, etc.). For this we use a language model via the Azure OpenAI Service provided by Microsoft, operated in a data centre in Switzerland. The processing of your CV data takes place in Switzerland.

Importantly:

• This structuring serves solely to transfer your own information from your CV into your profile. It performs no assessment, no scoring, no ranking and no selection decision.
• You review and correct all results yourself before your profile is saved. No decision based solely on automated processing that produces legal effects concerning you takes place (Art. 22 GDPR, Art. 21 revFADP).
• The submitted content is not used to train any models and is not passed on to OpenAI.
• Profile summaries are deliberately written in gender-neutral language to help prevent discrimination.

5. Disclosure to searching companies

The purpose of the Platform is to connect you with suitable companies. Your confirmed profile is discoverable by registered companies anonymously: they see your qualifications, experience and skills, but not your name, photo, age, gender, origin, full address or contact details.

Your identity and contact details are disclosed to a company only once there is mutual interest (a match) and you have granted contact release. Beyond this, your data is not shared with third parties for advertising purposes.

6. Processors and international data transfers

We use carefully selected service providers (processors) to operate the Platform, with whom appropriate data processing agreements are in place:

The processing of your CV content to create the structured profile data takes place in Switzerland. The application is hosted in Frankfurt (EU). Where individual services transfer data to the USA (bot protection; fallback email delivery via Resend) or US providers could gain access, the transfer is based on the adequacy decision for the EU-US or Swiss-US Data Privacy Framework or on the Standard Contractual Clauses (SCCs) recognised by the EU Commission and the Swiss FDPIC.

7. Cookies and local storage

We use strictly necessary cookies only — no tracking or marketing cookies and no analytics services. For this reason, we do not display a cookie banner.

• xenolu_talent_session: session cookie for your login (HttpOnly, Secure), valid for 30 days
• sessionStorage: temporary storage of your CV analysis in your browser during registration; deleted when the tab is closed
• Google reCAPTCHA v3: protects the login function against abuse. Device and usage data may be transmitted to Google. Google's privacy policy applies.

8. Retention and deletion

• Your profile is stored until you delete it. You can remove it irrevocably at any time via the delete function in your profile, or request deletion by email to info@xenolu.ch. Upon deletion, all profile data (including CV text, skills, experience, education and sessions) is permanently removed.
• Unconfirmed registrations: if you do not confirm your email address within 24 hours, the confirmation link expires and the pending data is not converted into a profile.
• Technical server logs (IP address, browser information, access time) are retained for a maximum of 6 months to secure operations and then deleted.
• Login links are valid for 30 minutes and single-use; sessions expire after 30 days.

9. Your rights

Under the revFADP and — where applicable — the GDPR, you have the right to:

• obtain information about the data processed about you
• have inaccurate data corrected (directly in your profile or on request)
• have your data deleted («right to be forgotten»)
• restrict processing and object to processing
• receive your data in a commonly used, portable format
• withdraw consent with effect for the future — most easily by deleting your profile

To exercise your rights, simply email info@xenolu.ch. You also have the right to lodge a complaint with a supervisory authority: in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC); in the EU, the data protection authority responsible for you.

10. Data security

We take appropriate technical and organisational measures to protect your data, in particular:

• Encrypted transmission of all data (TLS)
• Passwordless login via single-use, time-limited login links
• Cryptographically hashed tokens (SHA-256) and signed, HttpOnly session cookies
• Double opt-in: your profile is only created after you confirm your email address
• Automatic removal of street addresses before storage

11. Minors

The Platform is intended for persons aged 18 and over. Persons under 18 may not register.

12. Changes to this privacy policy

We may amend this privacy policy as needed, for instance when the Platform or the legal situation changes. The version published on the Platform at the relevant time applies. We will inform registered talents of material changes by email.