PRIVACY
POLICY
In accordance with the General Data Protection Regulation (GDPR) and the Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD)
Introduction
At Xeito, we are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information in accordance with the General Data Protection Regulation (GDPR - EU 2016/679) and Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights (LOPDGDD).
By using our services, you accept the practices described in this policy. If you do not agree with our privacy practices, we recommend that you do not use our services.
This policy applies to all Xeito users, regardless of their geographic location.
Data Controller
Data We Collect
Personal Information
Full name and surname
Email address
Phone number (optional)
Geographic location and location preferences
Resume and related documents
Professional Information
Work experience and employment history
Academic education and certifications
Technical skills and competencies
Job preferences (type of work, salary, location)
Legal Basis for Processing
We process your personal data under the following legal bases per GDPR Art. 6:
| Purpose | Legal basis |
|---|---|
| Providing the service (job search, profile, alerts) | Contract performance — GDPR Art. 6(1)(b) |
| Account authentication and security | Legitimate interest — GDPR Art. 6(1)(f) |
| AI/ML job recommendations | Legitimate interest — GDPR Art. 6(1)(f) |
| Marketing communications and newsletter | Consent — GDPR Art. 6(1)(a) |
| Legal obligations (accounting, GDPR compliance) | Legal obligation — GDPR Art. 6(1)(c) |
| Fraud and abuse detection | Legitimate interest — GDPR Art. 6(1)(f) |
Recipients and Data Processors
We share your data only with the following processors, all subject to a Data Processing Agreement (DPA) under GDPR Art. 28:
| Processor | Role | Location / safeguard |
|---|---|---|
| Neon (Neon Inc.) | PostgreSQL database (hosting and backup) | USA — Standard Contractual Clauses (SCCs) |
| Cloudflare, Inc. | CDN, Workers (API and web runtime), security | USA — SCCs / EU–US Data Privacy Framework |
| Fly.io, Inc. | Application hosting for self-hosted services (GlitchTip error monitoring, n8n workflows, Forgejo source control) | USA HQ; data in EU (Amsterdam) — SCCs |
| Stripe (SPEL) | Payment and subscription processing | EU (Ireland) — SPEL SSA |
| Resend | Transactional emails and newsletter delivery | USA — SCCs |
| Groq, Inc. | AI inference (career assistant, CV analysis) | USA — SCCs |
We do not sell, rent, or transfer your personal data to third parties for commercial purposes.
International Data Transfers
Several processors operate in the United States. These transfers are covered by:
SCC: Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), Module 2 (controller → processor).
DPF: EU–US Data Privacy Framework (DPF) where the processor is certified.
You can request a copy of the applicable SCCs by emailing [email protected].
Automated Decisions and Profiling
Xeito uses automated systems that may significantly impact users:
AI Job Recommendations
Our ML recommendation engine analyses your profile, interaction history and similarity to other users to surface relevant jobs. You can disable personalised recommendations or request human review from your profile settings.
AI Semantic Search
Search results are re-ranked by a language model based on query relevance. No binding decisions are generated.
AI CV Analysis (ATS)
Compatibility scoring is advisory only; hiring decisions are made exclusively by the employer.
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects (GDPR Art. 22). To exercise this right, contact [email protected].
Data Retention Periods
We retain your data for the minimum period necessary, per GDPR Art. 5(1)(e):
| Data category | Retention period | Legal basis |
|---|---|---|
| Account data (email, name, hashed password) | Account lifetime + 30 days after deletion | Contract |
| Authentication sessions | Until expiry date | Legitimate interest (security) |
| Search history | 90 days | Legitimate interest (UX) |
| Job interaction history | 12 months | Legitimate interest (recommendations) |
| AI feature usage logs | 90 days | Legitimate interest (billing/abuse) |
| Subscription and purchase records | 7 years | Legal obligation (accounting) |
| Withdrawal and cancellation requests | 7 years | Legal obligation (consumer law) |
When you delete your account, we immediately erase all profile data, sessions, interactions and preferences. Accounting records and withdrawal requests are retained for 7 years as required by law.
Data Security
We apply appropriate technical and organisational measures per GDPR Art. 32:
Encryption in transit (TLS 1.2+) and at rest for all sensitive data
Multi-factor authentication (MFA) for employee access to internal systems
Principle of least privilege: only authorised staff can access user data
All processors are bound by DPAs with equivalent security obligations
Error monitoring and anomaly detection via self-hosted GlitchTip (Fly EU)
Regular security audits and vulnerability management
Children's Privacy
In line with LOPDGDD Art. 7, the minimum age to use Xeito is 16. We do not knowingly collect data from users under 16. If we discover that a user is under 16, we will delete their account and data without delay. If you are a parent or guardian and believe your child has created an account, please contact us at [email protected].
Your Rights under GDPR
According to GDPR and LOPDGDD, you have the following rights:
Right of Access (Art. 15 GDPR)
You can request a copy of all personal data we have about you
Right of Rectification (Art. 16 GDPR)
You can request correction of inaccurate or incomplete data
Right to Erasure (Art. 17 GDPR)
You can request deletion of your personal data under certain conditions
Right to Restriction of Processing (Art. 18 GDPR)
You can request that we limit the processing of your data
Right to Portability (Art. 20 GDPR)
You can request to receive your data in a structured, commonly used format
Right of Objection (Art. 21 GDPR)
You can object to the processing of your personal data
Right to Lodge a Complaint with the AEPD
If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent supervisory authority:
Spanish Data Protection Agency (AEPD — Agencia Española de Protección de Datos)
C/ Jorge Juan, 6 — 28001 Madrid, Spain
You are also welcome to contact us first at [email protected] to resolve any concern before filing a formal complaint.
Advertising and Google AdSense
Xeito funds its free services by displaying ads on public blog and marketing pages through Google AdSense. Ads always appear on free pages — Premium and Job Tracker subscribers are the only users who never see them.
What Google Collects
By default we serve non-personalized ads (NPA): no advertising cookies are set and Google does not use your browsing data to choose which ad to show you. Only when you grant consent for personalized ads via the cookie banner does Google use advertising cookies (NID, IDE, doubleclick.net) and signals such as IP address and browsing history to tailor ads to your interests.
Your Consent
Ads run regardless of consent — that's how we keep the service free. The cookie banner controls personalization only: accept to allow tailored ads, reject to keep seeing only non-personalized ads. You can change your choice at any time via the "Cookie Settings" link in the footer. To stop seeing ads entirely, upgrade to a Premium or Job Tracker subscription.
How to Opt Out of Personalised Advertising
You can withdraw personalization consent at any time from the cookie banner — ads will downgrade to non-personalized on your next page view. You can also manage advertising preferences directly with Google at myadcenter.google.com, or turn off personalised advertising in your Google account at adssettings.google.com. To opt out of third-party advertising cookies across all participating sites, visit youronlinechoices.eu (EEA) or aboutads.info/choices (US).
Learn More
Google publishes detailed information about how it uses advertising data at policies.google.com/technologies/ads and policies.google.com/privacy.
Contact
If you have questions about this Privacy Policy or wish to exercise your rights, you can contact us:
Email: [email protected]
Data Protection Officer: [email protected]