Privacy Policy

Last updated: March 2026

1. Who we are

Ztex ("we", "us", "our") is a recruitment intelligence platform operated by Ztex Ltd, registered in England and Wales. We are the data controller for the personal data described in this policy.

Contact: [email protected]

2. What data we collect

  • Account data: Email address, company name, IP address (collected at signup)
  • CV/resume content: Names, contact details, work history, education, skills (uploaded by recruiters using our platform)
  • Usage data: API calls, feature usage, login activity
  • Payment data: Processed by Stripe/Razorpay — we never store card numbers

3. How we process data

  • CV parsing: AI-powered extraction of structured data from uploaded documents
  • Skill extraction: Mapping candidate skills to our ontology for intelligent matching
  • Candidate matching: Comparing parsed profiles against job requirements

All processing is automated. No human reviews CV content unless explicitly requested by the uploading recruiter.

4. Legal basis for processing

  • Free tier: Consent — explicitly granted at signup and before each CV upload
  • Paid tier: Contract — processing is necessary to provide the subscribed service
  • All tiers: Legitimate interest — platform security, fraud prevention, service improvement

5. Data retention

Parsed CV data is retained for up to 24 months from the date of upload, or until the recruiter or data subject requests deletion — whichever is earlier. Account data is retained for the duration of the account plus 30 days.

6. Your rights (GDPR / UK GDPR / DPDPA)

You have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Portability — receive your data in a machine-readable format
  • Object — object to processing based on legitimate interest
  • Withdraw consent — at any time, without affecting prior processing

To exercise any of these rights, submit a data request or email [email protected]. We respond within 30 days.

7. Data sharing

We do not sell personal data. We share data only with:

  • Cloud infrastructure: Google Cloud Platform (processing and storage)
  • Payment processors: Stripe (UK/EU/US), Razorpay (India)
  • Email service: Resend (transactional emails only)
  • Authentication: Auth0 (identity and access management)

All sub-processors are GDPR-compliant with appropriate data processing agreements in place.

8. Security

Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access is controlled via row-level security with tenant isolation. API keys are stored as SHA-256 hashes — we never store plaintext keys.

9. Cookies

We use only essential cookies for authentication session management. No tracking cookies, no advertising cookies, no third-party analytics.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email to registered users. The "last updated" date at the top indicates the most recent revision.