PRIVACY_PROTOCOL

PRIVACY
POLICY

> LAST_UPDATED: 7/15/2026

In accordance with the General Data Protection Regulation (GDPR) and the Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD)

Introduction

At Xeito, we are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information in accordance with the General Data Protection Regulation (GDPR - EU 2016/679) and Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights (LOPDGDD).

By using our services, you accept the practices described in this policy. If you do not agree with our privacy practices, we recommend that you do not use our services.

This policy applies to all Xeito users, regardless of their geographic location.

🏢

Data Controller

> Abellan Labs, S.L.U.
> Data Protection Officer (DPO): [email protected]
💾

Data We Collect

Personal Information

Full name and surname

Email address

Phone number (optional)

Geographic location and location preferences

Resume and related documents

Professional Information

Work experience and employment history

Academic education and certifications

Technical skills and competencies

Job preferences (type of work, salary, location)

⚖️

Legal Basis for Processing

We process your personal data under the following legal bases per GDPR Art. 6:

Purpose Legal basis
Providing the service (job search, profile, alerts) Contract performance — GDPR Art. 6(1)(b)
Account authentication and security Legitimate interest — GDPR Art. 6(1)(f)
AI/ML job recommendations Legitimate interest — GDPR Art. 6(1)(f)
Marketing communications and newsletter Consent — GDPR Art. 6(1)(a)
Legal obligations (accounting, GDPR compliance) Legal obligation — GDPR Art. 6(1)(c)
Fraud and abuse detection Legitimate interest — GDPR Art. 6(1)(f)
🤝

Recipients and Data Processors

We share your data only with the following processors, all subject to a Data Processing Agreement (DPA) under GDPR Art. 28:

Processor Role Location / safeguard
Neon (Neon Inc.) PostgreSQL database (hosting and backup) USA — Standard Contractual Clauses (SCCs)
Cloudflare, Inc. CDN, Workers (API and web runtime), security USA — SCCs / EU–US Data Privacy Framework
Fly.io, Inc. Application hosting for self-hosted services (GlitchTip error monitoring, n8n workflows, Forgejo source control) USA HQ; data in EU (Amsterdam) — SCCs
Stripe (SPEL) Payment and subscription processing EU (Ireland) — SPEL SSA
Resend Transactional emails and newsletter delivery USA — SCCs
Groq, Inc. AI inference (career assistant, CV analysis) USA — SCCs

We do not sell, rent, or transfer your personal data to third parties for commercial purposes.

🌐

International Data Transfers

Several processors operate in the United States. These transfers are covered by:

SCC: Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), Module 2 (controller → processor).

DPF: EU–US Data Privacy Framework (DPF) where the processor is certified.

You can request a copy of the applicable SCCs by emailing [email protected].

🤖

Automated Decisions and Profiling

Xeito uses automated systems that may significantly impact users:

AI Job Recommendations

Our ML recommendation engine analyses your profile, interaction history and similarity to other users to surface relevant jobs. You can disable personalised recommendations or request human review from your profile settings.

AI Semantic Search

Search results are re-ranked by a language model based on query relevance. No binding decisions are generated.

AI CV Analysis (ATS)

Compatibility scoring is advisory only; hiring decisions are made exclusively by the employer.

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects (GDPR Art. 22). To exercise this right, contact [email protected].

🗓️

Data Retention Periods

We retain your data for the minimum period necessary, per GDPR Art. 5(1)(e):

Data category Retention period Legal basis
Account data (email, name, hashed password) Account lifetime + 30 days after deletion Contract
Authentication sessions Until expiry date Legitimate interest (security)
Search history 90 days Legitimate interest (UX)
Job interaction history 12 months Legitimate interest (recommendations)
AI feature usage logs 90 days Legitimate interest (billing/abuse)
Subscription and purchase records 7 years Legal obligation (accounting)
Withdrawal and cancellation requests 7 years Legal obligation (consumer law)

When you delete your account, we immediately erase all profile data, sessions, interactions and preferences. Accounting records and withdrawal requests are retained for 7 years as required by law.

🔒

Data Security

We apply appropriate technical and organisational measures per GDPR Art. 32:

Encryption in transit (TLS 1.2+) and at rest for all sensitive data

Multi-factor authentication (MFA) for employee access to internal systems

Principle of least privilege: only authorised staff can access user data

All processors are bound by DPAs with equivalent security obligations

Error monitoring and anomaly detection via self-hosted GlitchTip (Fly EU)

Regular security audits and vulnerability management

👶

Children's Privacy

In line with LOPDGDD Art. 7, the minimum age to use Xeito is 16. We do not knowingly collect data from users under 16. If we discover that a user is under 16, we will delete their account and data without delay. If you are a parent or guardian and believe your child has created an account, please contact us at [email protected].

Your Rights under GDPR

According to GDPR and LOPDGDD, you have the following rights:

Right of Access (Art. 15 GDPR)

You can request a copy of all personal data we have about you

Right of Rectification (Art. 16 GDPR)

You can request correction of inaccurate or incomplete data

Right to Erasure (Art. 17 GDPR)

You can request deletion of your personal data under certain conditions

Right to Restriction of Processing (Art. 18 GDPR)

You can request that we limit the processing of your data

Right to Portability (Art. 20 GDPR)

You can request to receive your data in a structured, commonly used format

Right of Objection (Art. 21 GDPR)

You can object to the processing of your personal data

🏛️

Right to Lodge a Complaint with the AEPD

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent supervisory authority:

Spanish Data Protection Agency (AEPD — Agencia Española de Protección de Datos)

C/ Jorge Juan, 6 — 28001 Madrid, Spain

www.aepd.es

https://sedeagpd.gob.es

You are also welcome to contact us first at [email protected] to resolve any concern before filing a formal complaint.

📣

Advertising and Google AdSense

Xeito funds its free services by displaying ads on public blog and marketing pages through Google AdSense. Ads always appear on free pages — Premium and Job Tracker subscribers are the only users who never see them.

What Google Collects

By default we serve non-personalized ads (NPA): no advertising cookies are set and Google does not use your browsing data to choose which ad to show you. Only when you grant consent for personalized ads via the cookie banner does Google use advertising cookies (NID, IDE, doubleclick.net) and signals such as IP address and browsing history to tailor ads to your interests.

Your Consent

Ads run regardless of consent — that's how we keep the service free. The cookie banner controls personalization only: accept to allow tailored ads, reject to keep seeing only non-personalized ads. You can change your choice at any time via the "Cookie Settings" link in the footer. To stop seeing ads entirely, upgrade to a Premium or Job Tracker subscription.

How to Opt Out of Personalised Advertising

You can withdraw personalization consent at any time from the cookie banner — ads will downgrade to non-personalized on your next page view. You can also manage advertising preferences directly with Google at myadcenter.google.com, or turn off personalised advertising in your Google account at adssettings.google.com. To opt out of third-party advertising cookies across all participating sites, visit youronlinechoices.eu (EEA) or aboutads.info/choices (US).

Learn More

Google publishes detailed information about how it uses advertising data at policies.google.com/technologies/ads and policies.google.com/privacy.

📧

Contact

If you have questions about this Privacy Policy or wish to exercise your rights, you can contact us:

Email: [email protected]

Data Protection Officer: [email protected]