Privacy Policy

The XpertDirect platform and related services are operated by the XpertDirect management team, part of CIS Electronics Engineering SL, a company incorporated under the laws of Spain (collectively, "XpertDirect", "we", "us", or "our").

This Privacy Policy applies to the XpertDirect website, platform, tools, and related services (collectively, the "Services"), as defined in the Terms of Use.

For the purposes of Regulation (EU) 2016/679 (GDPR):

• XpertDirect acts as a Data Controller for platform account data, user profiles, and operational platform data
• XpertDirect acts as a Data Processor when processing personal data on behalf of employer or client users

This Privacy Policy forms an integral part of the Terms of Use and must be read together with them.

Capitalised terms not defined in this Policy have the meaning given in the Terms of Use.

Nothing in this Privacy Policy alters XpertDirect's role as a technology platform only. XpertDirect does not act as an employer, recruiter, staffing agency, or employment intermediary, and is not a party to any agreement entered into between Users.

Depending on use of the Services, XpertDirect may process:

• Account and authentication data (name, email address, login credentials)
• Professional profile data submitted by Users
• Job descriptions, work packages, and project requirements
• CVs and documents voluntarily uploaded by Users
• Communications and platform interaction data
• Technical, security, and access logs

Specialists

Personal data may be obtained from:

• Direct registration on the platform
• Direct communication initiated by the individual
• Professional events and meetings
• Referrals and recommendations
• Lawful third-party sources where individuals have made their data available

Clients

Personal or business data may be obtained from:

• Platform registration
• Direct communication
• Professional events
• Publicly available professional sources
• Referrals and recommendations

If a data subject requests erasure, they acknowledge that XpertDirect may lawfully re-acquire the same data in the future from third-party sources where the data subject has made it available.

Personal data is processed solely to:

• Operate, maintain, and improve the Services
• Enable discovery, visibility, and communication between Users
• Structure and manage job descriptions, work packages, and profiles
• Ensure platform security, integrity, and compliance
• Comply with legal and regulatory obligations

XpertDirect does not sell personal data and does not provide personal data to third parties for advertising purposes.

As stated in the Terms of Use, XpertDirect uses AI-assisted systems solely to:

• Structure and classify user-submitted information
• Support discovery and matching functionality

AI systems:

• Do not make automated employment, hiring, or selection decisions
• Operate with human oversight by design
• Produce outputs that are subject to explicit user review, approval, and control
• All final actions remain under human decision-making.

AI Processing & Data Confidentiality

XpertDirect may use AI systems and third-party AI services to assist with the structuring and analysis of information submitted to the platform, including CVs uploaded by specialists and project descriptions submitted by clients.

Such processing is performed solely for the purpose of providing the platform's functionality, including structuring information and identifying potential technical matches between project requirements and user profiles.

XpertDirect does not use customer or user data submitted to the platform to train public or shared AI models.

Information processed through AI services is handled in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), and is subject to appropriate contractual and technical safeguards.

Where external AI service providers are used, such providers act as data processors or sub-processors and are contractually required to process data only for the purpose of providing the requested service.

AI Training & Data Protection

Information submitted to the XpertDirect platform may be processed by AI systems to structure technical data and assist with matching.

XpertDirect does not use platform data to train public or shared AI models.

All data is processed solely to provide platform functionality. External AI providers operate under strict contractual safeguards and process data only as instructed by XpertDirect.

Processing is carried out on the basis of:

• Performance of a contract or pre-contractual steps
• Legitimate interests in operating a skills-first technology platform
• Compliance with legal obligations
• User consent, where required by law

Personal data is retained only for as long as necessary for the purposes described in this Policy.

• Structured platform data is retained until deleted by the user or account termination
• Certain data may be retained where required to comply with legal obligations

Access to personal data is restricted to:

• Authorised XpertDirect personnel
• Users interacting within the platform under defined permissions
• Trusted service providers acting under GDPR-compliant agreements

Personal data is disclosed only where necessary for platform operation, legally required, or explicitly authorised by the data subject.

XpertDirect uses secure cloud infrastructure providers and third-party services (including AI service providers such as OpenAI) under GDPR-compliant data processing agreements.

Subprocessors:

• act only on XpertDirect's documented instructions
• are subject to contractual data protection obligations
• implement appropriate technical and organisational safeguards

Data is processed within the EU or subject to appropriate safeguards.

Where XpertDirect processes personal data on behalf of Clients:

• Clients act as Data Controllers
• XpertDirect acts as Data Processor

Processing may include:

• structured job, project, and candidate data submitted to the platform
• CVs and professional information uploaded by Users

XpertDirect shall:

• process personal data only on documented instructions from the Controller
• implement appropriate technical and organisational measures
• ensure confidentiality of authorised personnel
• assist Controllers in responding to data subject requests
• support compliance with GDPR obligations
• notify Controllers of personal data breaches without undue delay

XpertDirect implements appropriate technical and organisational measures, including:

• HTTPS encryption
• Logical account-level isolation
• Role-based access controls
• Audit logging
• Internal data protection policies and staff training
• Regular security reviews and system testing

XpertDirect will notify supervisory authorities and affected data subjects of any personal data breach in accordance with GDPR.

Where acting as a Data Processor, XpertDirect will notify the relevant Data Controller without undue delay.

Data subjects have the right to:

• Access
• Rectification
• Erasure
• Restriction of processing
• Objection
• Data portability

Requests may be submitted to: support@xpertdirect.io

Specialists remain in full control of the information they share on the platform.

Profile Control

Specialists decide what to upload, including:

• CVs
• skills and experience
• project history

Profiles can be updated at any time.

Voluntary Data Submission

XpertDirect only processes data voluntarily submitted by users. The platform does not:

• scrape external platforms
• collect data without consent

AI Processing of CVs

AI may structure CV content to identify skills and experience. This supports profile creation and matching but does not affect decisions.

No Automated Decisions

XpertDirect does not:

• hire or reject users
• make automated employment decisions

Control Over Opportunities

Specialists decide whether to engage with matching projects and client approaches.

AI Training & Data Use

Specialists' data is not used to train public AI models. It is processed only to:

• structure profiles
• enable matching
• support collaboration

XpertDirect's AI systems are designed as a limited-risk systems under the EU AI Act and incorporate:

• Transparency
• Human oversight
• User control

Where personal data is transferred outside the EU, appropriate safeguards are applied in accordance with GDPR.

This Privacy Policy may be updated from time to time. Continued use of the Services constitutes acceptance of the latest version.

For privacy-related enquiries: support@xpertdirect.io