Privacy Policy

We are responsible for the processing of your personal data.

We may process:

• Account and contact information (e.g. name, email)
• Login and authentication data
• CV and profile information
• Job applications and preferences
• Usage and interaction data (e.g. clicks, searches, feature usage)
• AI interaction data (e.g. prompts, chat interactions, generated outputs)
• Payment and billing information
• Support communications
• Technical and diagnostic data (e.g. IP address, device information, logs, latency metrics)
• Marketing consent records

We only process data necessary to provide, secure, improve, and support our services.

We process personal data to:

• Provide and operate our services
• Manage user accounts and authentication
• Match users with relevant job opportunities
• Process payments and subscriptions
• Improve, monitor, debug, and secure our platform
• Provide customer support
• Generate AI-powered recommendations and insights
• Analyze service usage and reliability
• Prevent abuse, fraud, and unauthorized access
• Send marketing communications (with consent)

Legal basis:

• Contract performance (GDPR Art. 6(1)(b))
• Legal obligation (GDPR Art. 6(1)(c))
• Legitimate interests (GDPR Art. 6(1)(f))
• Consent (GDPR Art. 6(1)(a))

We use cookies and similar technologies to operate, secure, analyse, and improve our services.

Cookies may include:

• Necessary cookies required for the operation and security of the platform
• Analytics cookies used to understand usage and improve the service
• Functional cookies used to remember preferences and settings
• Marketing cookies used for communication and campaign measurement where applicable

Non-essential cookies are only used with consent.

Users may manage or withdraw cookie consent at any time through our cookie consent tools and settings. We use Cookiebot to manage cookie consent and preferences where applicable.

Limited session interaction telemetry may be processed to operate, secure, debug, and improve Skiftr, including for reliability, analytics, and usability purposes. Sensitive inputs and content are excluded or masked where technically feasible.

Skiftr uses artificial intelligence (“AI”) technologies to analyze profiles, match users with relevant opportunities, generate recommendations, improve CV relevance, and support labor market insights.

AI Providers and Infrastructure

We use selected third-party AI, analytics, and cloud providers to process certain user data in connection with our services, including:

• Google Gemini (default model: gemini-2.5-flash-lite) as AI model provider
• Google Cloud DLP for detection and de-identification of personal information before processing
• PostHog for analytics, observability, tracing, operational diagnostics, error monitoring, and quality assurance of AI-powered and platform functionality

Processing is primarily performed within European data regions, including europe-west1 where applicable.

Certain providers may nevertheless process or access limited data outside the EU/EEA for support, maintenance, security, or infrastructure purposes subject to appropriate safeguards such as Standard Contractual Clauses and the EU-U.S. Data Privacy Framework where applicable.

Processing of User Content

CVs, profile information, job-related data, prompts, chat interactions, AI-generated outputs, and other submitted content may be processed by AI systems in order to:

• generate recommendations
• improve profile matching
• identify relevant competencies
• optimize CV relevance
• analyze labor market fit
• generate salary and career insights
• monitor and improve AI-powered functionality
• debug, secure, and maintain platform reliability

Before certain data is processed by AI models or monitoring systems, automated de-identification and PII reduction measures may be applied using Google Cloud DLP.

AI Training

Skiftr does not use customer content to train general-purpose AI models.

Neither Skiftr nor its AI, analytics, observability, or infrastructure providers use customer content submitted through the platform to train general-purpose AI models.

Retention of AI and Observability Data

Certain AI interaction data and technical telemetry may be processed for analytics, monitoring, debugging, abuse prevention, operational reliability, security, and quality assurance purposes.

This may include prompts, chat history, generated outputs, token usage, latency metrics, operational traces, error diagnostics, and associated technical metadata.

Data processed through PostHog is stored on EU-based infrastructure.

Analytics, observability, and AI interaction data may be retained for up to 12 months unless shorter retention periods apply.

Certain short-lived diagnostic, replay, and operational monitoring data may be retained for shorter periods, typically up to 90 days.

Specific users and associated event data may be deleted upon request or through internal administrative tools and APIs.

Certain technical logs and secure backups may persist temporarily in accordance with backup retention cycles.

Automated Recommendations and Decision-Making

Skiftr uses automated systems to generate recommendations, rankings, and matching insights related to jobs, competencies, and career opportunities.

These systems are designed to support users and advisors and should not be interpreted as guarantees of employment outcomes or suitability.

We perform ongoing quality review and sample-based evaluation of recommendation systems before production deployment.

Skiftr’s automated systems present publicly available job listings based on the user’s profile and preferences. The systems do not make decisions about the user and have no direct impact on the user’s access to employment opportunities.

This processing therefore does not constitute automated decision-making with significant effects within the meaning of Article 22 of the GDPR.

Access Control and Security

Access to production systems and AI-related data is restricted through role-based access controls.

Only authorized administrative users may access production data where necessary for security, operational support, legal compliance, abuse prevention, or incident investigation purposes.

Analytics, Monitoring, and Service Providers

Certain analytics, observability, and operational tools may process technical and AI-related metadata in order to maintain, secure, and improve the platform, including:

• PostHog
• Google Cloud Logging and Trace
• Slack alerts
• Resend transactional email infrastructure
• Brevo newsletter and contact email infrastructure

We apply reasonable technical and organizational measures to minimize unnecessary personal data in logs and monitoring systems, including filtering, access controls, retention limitations, and data minimization practices where applicable.

We may share data with service providers such as:

• Cloud hosting (Google Cloud)
• Payment processing (Stripe)
• Analytics and observability providers
• Communication and email providers (Resend and Brevo)
• Support and CRM tools
• AI infrastructure providers

All providers act under data processing agreements where required.

We do not sell personal data.

Some providers may process or access data outside the EU/EEA, including for support, maintenance, security, and infrastructure purposes.

Where applicable, we rely on appropriate safeguards such as Standard Contractual Clauses and the EU-U.S. Data Privacy Framework.

We retain personal data only for as long as necessary to provide our services, comply with legal obligations, and fulfil the purposes described in this Privacy Policy.

Retention periods vary depending on the type of data:

• Account and profile data (including CV and user preferences): retained while the account is active and up to 90 days after deletion
• Authentication and session data: short-term retention, typically up to 90 days
• Job-related data (including job postings, saved jobs, and recommendations): retained while the account is active and up to 90 days after inactivity or deletion
• Usage, analytics, observability, and AI interaction data (including prompts, generated outputs, traces, token usage, and operational telemetry): retained for up to 12 months
• Session replay and short-lived diagnostic data: typically retained for up to 90 days
• Payment and transaction records: retained for up to 5 years in accordance with applicable accounting legislation
• Support communications: retained for up to 2 years after case closure
• Marketing consent records: retained for the duration of the account and up to 3 years after withdrawal
• Security and error logs: typically retained for up to 90 days
• Data subject requests: retained for up to 3 years after resolution
• Cookie consent records: typically retained for 12–24 months

Some data may remain in secure backups for a limited period before being permanently overwritten in accordance with system backup cycles.

We use appropriate technical and organisational measures to protect personal data, including encryption, access control, monitoring, logging safeguards, and infrastructure security controls.

Access to sensitive systems and production environments is restricted based on role and operational necessity.

Under applicable data protection law, including the GDPR, you may have the right to:

• Request access to your personal data
• Request correction of inaccurate or incomplete personal data
• Request deletion of your personal data
• Object to certain processing activities
• Request restriction of processing in certain circumstances where applicable under law
• Request portability of personal data you have directly provided to us where technically feasible
• Withdraw consent for processing activities based on consent, such as marketing communications and non-essential cookies
• Lodge a complaint with the Danish Data Protection Agency (Datatilsynet)

Certain rights may be limited where processing is necessary to provide the core functionality of the service, comply with legal obligations, exercise legal claims, or protect the rights and security of other users.

Certain personal data and profile information may be updated directly by users through the platform.

To exercise your rights, contact us at: privacy@skiftr.com

We may request verification of identity before responding to requests.

If you believe our processing of your personal data violates applicable law, you also have the right to lodge a complaint with:

Our services are only directed to individuals aged 18 or older.

We do not knowingly collect data from individuals under 18.

We may update this Privacy Policy from time to time.

The latest version will always be available on our website.