Candidate

Privacy Policy

candidate.so | Effective Date: 2026-05-11 | Version 1.0

This Privacy Policy explains how oryx technologies Sàrl ("oryx," "we," "us") collects, uses, shares, and protects personal information through the candidate.so website, services, and email communications (the "Service"). candidate.so is a brand owned and operated by oryx technologies Sàrl, a Swiss limited liability company (UID CHE-340.626.495), registered at Avenue de Tivoli 19b, 1007 Lausanne, Switzerland.

This Policy is designed to satisfy U.S. state privacy laws applicable to our users (including the California Consumer Privacy Act as amended by the California Privacy Rights Act, and the comprehensive privacy laws of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Jersey, New Hampshire, Tennessee, Minnesota, Maryland, Rhode Island, Indiana, Kentucky, Nebraska, and Florida), as well as the Swiss Federal Act on Data Protection and, where applicable, the EU General Data Protection Regulation.

1. Quick Summary

  • You create an account and upload your resume. We organize your profile into a structured taxonomy so employers can find candidates whose background matches what they are hiring for.
  • Employers pay us to search the database. Employers do not receive your personal information from a search result; they receive only an anonymous count of how many candidates match their filters, broken out by how recently each candidate updated their resume.
  • If an employer chooses to reach out to candidates in a matching group, we deliver the employer's outreach email to those candidates. The employer is identified as the sender. You decide whether to respond.
  • We do not sell personal information for money. We may "share" limited identifiers with advertising partners; you can opt out at any time.
  • You can update or delete your profile, control whether you receive emails, and exercise privacy rights under your state law. See Sections 9 through 11.

2. Who We Are

The entity responsible for handling your personal information (the "data controller" under EU/Swiss law and the "business" under California law) is:

oryx technologies Sàrl

Avenue de Tivoli 19b, 1007 Lausanne, Switzerland

Email: info@oryx.so

3. Information We Collect

3.1 Information You Provide

  • Account information: name, email address, password (hashed), country/state, and (optionally) phone number.
  • Resume content: your work history, education, skills, certifications, languages, and any other information included in your uploaded resume.
  • Profile preferences: desired role types, seniority, industries, geography, work-authorization status, salary expectations, and similar preferences.
  • Communications: messages you send to our support team and survey responses.

Phone number — important: you may optionally provide a phone number when creating or updating your profile. In v1 of the Service, we do not send text messages (SMS) to any candidate. If we add SMS delivery in the future, we will not send you any SMS unless and until you separately and affirmatively opt in to SMS in your account settings, with a disclosure that meets the requirements of the U.S. Telephone Consumer Protection Act (TCPA) and applicable state laws. Providing your phone number now does not constitute consent to receive SMS.

3.2 Information Generated Automatically

  • Technical data: IP address, device identifiers, browser type, operating system, and approximate location derived from your IP address.
  • Usage data: pages and features used, search queries you make, session timestamps, and email engagement (delivery, open, click).
  • Cookies and similar technologies: see our Cookie Notice.

3.3 Information From Third Parties

  • If you use a third-party sign-in option (e.g., Google, LinkedIn), we receive only the fields you authorize.
  • Service providers and analytics vendors processing data on our behalf.

3.4 Information We Do Not Collect or Use

We do not collect government identifiers (e.g., Social Security number), financial account information from candidates, or biometric data. We do not require sensitive categories of information (e.g., race, religion, sexual orientation, health, union membership). If you choose to include such information in your resume, we treat it as sensitive and process it only for the purposes described in this Policy.

4. How We Categorize Your Profile

To make the Service work, we automatically organize the information in your resume into a structured taxonomy. This taxonomy classifies your skills, experience, role types, seniority, industries, and similar career attributes. Employers search the database using these classifications.

We do not use this taxonomy to make decisions about you. Employers, not we, decide which candidates to contact and which to consider. We do not score, rank, or filter candidates beyond matching your stated career attributes to the employer's search filters.

We do not categorize candidates by protected characteristics (race, ethnicity, sex, age, disability, religion, national origin, sexual orientation, gender identity, marital status, pregnancy, veteran status, genetic information, or other characteristics protected under federal, state, or local law). Employers cannot filter the database by these characteristics.

5. How We Use Information

We use personal information for the following purposes:

  • Operate the Service: host your profile, organize it in our taxonomy, and make it findable by employers based on their search filters.
  • Deliver employer outreach: when an employer chooses to send messages to candidates matching their filters, we deliver those messages to you by email, branded as coming from the employer.
  • Communicate with you: send transactional emails (account, security, password reset), service announcements, and (where you opt in) newsletters or product updates from candidate.so.
  • Improve and secure the Service: analyze usage, debug, prevent fraud and abuse, monitor performance, and develop new features.
  • Comply with law: respond to lawful requests, enforce our Terms, and protect rights, safety, and property.

6. How Search and Outreach Actually Work

This section explains the mechanics, because the model is different from a typical job board:

  • Employer search: an employer logs into the Service and configures filters (e.g., role, skills, location, seniority).
  • Anonymous count: the Service returns a count of how many candidate profiles match, broken into three groups based on resume recency: updated in the past month; updated 1 to 3 months ago; updated more than 3 months ago. The employer sees no personal information at this stage.
  • Outreach: if the employer wants to reach the candidates in one or more groups, they compose an outreach email. The Service delivers that message to the matching candidates, identifying the employer as the sender. The message includes a link to the employer's job-application URL.
  • Your information stays with us until you respond: employers do not receive your name, email, or resume from the search itself. They receive your information only if you choose to engage (e.g., reply or click their job link).
  • Channel control: you decide whether you receive employer outreach by email. Every employer outreach email contains an unsubscribe link, and you can disable employer outreach in your account settings at any time.

7. How We Share Information

7.1 With Employers

As described in Section 6, employers receive your contact information only when you choose to engage. If you click the apply link in an employer's outreach, you leave the Service and proceed to the employer's own application page; what happens next is governed by the employer's privacy practices, not this Policy.

7.2 With Service Providers

We share information with vendors who process data on our behalf, including hosting, email delivery, analytics, customer support, and payment processing. These vendors are contractually required to process information only as instructed and to apply appropriate security.

7.3 For Legal Reasons

We may disclose information when we believe in good faith that disclosure is required by law, regulation, legal process, or a governmental request, or is necessary to protect the rights, property, or safety of oryx, our users, or others.

7.4 In Corporate Transactions

If oryx is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction, subject to confidentiality terms and continued application of this Policy (or an equivalent).

7.5 With Your Consent

We share with other parties when you direct us to do so.

We do not sell personal information for monetary consideration. Some uses of cookies and similar technologies may qualify as "sharing" or "selling" for cross-context behavioral advertising under California and similar state laws. You can opt out at any time (see Section 11).

8. Email Communications

If you have an active account, you may receive the following types of email:

  • Transactional emails: account and security messages necessary to operate your account. These cannot be disabled while your account is active.
  • Employer outreach: messages from employers who want to invite you to apply to a role. You can disable employer outreach at any time in your account settings, and every employer outreach email contains an unsubscribe link.
  • candidate.so updates and marketing: we will send these only if you opt in. You can unsubscribe at any time.

Future SMS: we do not send SMS in v1 of the Service. If we add SMS delivery in the future, we will require a separate, affirmative SMS opt-in (with TCPA-compliant disclosure) before any SMS is sent to you. Your phone number on file will not be used for SMS without that future opt-in.

Compliance. We comply with the CAN-SPAM Act for all commercial emails. Employers using the Service are contractually required to comply with applicable email-marketing laws and to use the Service only for bona fide invitations to apply to real job openings.

9. Data Retention

We keep personal information only as long as needed for the purposes described, then delete or de-identify it. Specifically:

  • Active profiles: retained while your account is active. If you do not log in or update your profile for 24 months, we will email you, and absent response within 60 days, the profile will be deleted.
  • Deleted profiles: most personal information is deleted within 30 days; limited records may be retained for legal, accounting, or fraud-prevention purposes.
  • Email engagement logs: retained for up to 24 months for service improvement and compliance.
  • Unsubscribe and opt-out records: retained indefinitely as required by CAN-SPAM and state privacy laws.

10. Security

We use administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include encryption in transit, access controls, and regular security review. No system is perfectly secure; we cannot guarantee absolute security.

11. Your Privacy Rights

11.1 Rights Under U.S. State Laws

Depending on your state of residence, you may have the following rights:

  • Right to know — what categories and specific pieces of personal information we have collected, sources, purposes, and recipients.
  • Right to delete — request deletion of personal information collected from you, subject to legal exceptions.
  • Right to correct — request correction of inaccurate personal information.
  • Right to portability — receive a copy of your personal information in a portable format.
  • Right to opt out of sale or sharing — direct us not to "sell" or "share" your personal information for cross-context behavioral advertising. We honor Global Privacy Control (GPC) signals as a valid opt-out.
  • Right to limit use of sensitive personal information — restrict use of sensitive data beyond what is needed to deliver the Service.
  • Right to non-discrimination — we will not deny you the Service or charge different prices because you exercised a privacy right.
  • Right to appeal (Virginia, Colorado, Connecticut, and others) — if we deny a request, you may appeal by replying to our decision.

To exercise these rights, email info@oryx.so or visit candidate.so/privacy/requests. We will verify your identity using information already in your account. You may use an authorized agent if permitted by your state; written authorization is required.

11.2 Categories of Information (CCPA / CPRA Disclosures)

In the prior 12 months we have collected the following categories of personal information about California residents: identifiers (name, email, phone if provided, IP), professional and employment information (resume content, work history, skills), education information, geolocation (approximate), internet activity (usage), and inferences (taxonomy classifications derived from your resume). We have disclosed these categories to the recipients listed in Section 7. We have not sold personal information for monetary consideration. We may have "shared" online identifiers with advertising partners; you may opt out at any time.

11.3 Notice of No Financial Incentive

We do not offer financial incentives in exchange for personal information.

11.4 Rights Under GDPR and Swiss FADP

If you are in the EEA, UK, or Switzerland, you also have rights under GDPR or the Swiss FADP, including access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. You may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or your local supervisory authority.

12. Children

The Service is not directed to children under 18, and we do not knowingly collect personal information from anyone under 18. If you believe a person under 18 has provided us personal information, contact info@oryx.so and we will delete it.

13. International Transfers

oryx is based in Switzerland. We and our service providers may process information in Switzerland, the United States, and other jurisdictions. For transfers from the EEA, UK, or Switzerland to the United States, we use appropriate safeguards including the European Commission's Standard Contractual Clauses and reliance on Data Privacy Framework certifications where applicable.

14. Changes to This Policy

We may update this Policy. Material changes will be communicated by email or by prominent notice on the Service before they take effect. The "Effective Date" at the top reflects the most recent revision.

15. Contact

oryx technologies Sàrl

Attn: Privacy Team

Avenue de Tivoli 19b, 1007 Lausanne, Switzerland

info@oryx.so