Privacy Policy

Applicable Law: Personal Data Protection Law (PDPL) of the Kingdom of Saudi Arabia, Royal Decree No. M/19, as amended by Royal Decree No. M/148

Supervisory Authority: Saudi Data and Artificial Intelligence Authority (SDAIA) / National Data Management Office (NDMO)

  1. Introduction

    Uptal ("we," "us," "our") is committed to protecting your personal data and respecting your privacy in full compliance with the Personal Data Protection Law (PDPL) of the Kingdom of Saudi Arabia and its Implementing Regulations. This Privacy Policy explains how we collect, process, store, disclose, and protect personal data when you use the Uptal platform and services, including the recruitment management system, Talent Search, AI-powered interviews, assessments, and any other services accessible at https://uptal.com.

    This policy applies to all users of Uptal, including subscribers (employers, recruiters, and hiring managers) and candidates whose profiles are accessible through the platform or who participate in interviews and assessments.

    By accessing or using any Uptal service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

  2. Data Controller

    Uptal is the data controller responsible for determining the purposes and means of processing personal data collected through the Uptal platform and services.

  3. Personal Data We Collect

    We collect and process the following categories of personal data:

    3.1 Subscriber Data (Employers, Recruiters, Hiring Managers)

    • Identity data: full name, job title, company name, and national ID or commercial registration number where required.
    • Contact data: email address, phone number, and business address.
    • Account data: username, password (encrypted), account preferences, and subscription plan details.
    • Payment data: billing address, payment method details, and transaction history. Payment card data is processed by our third-party payment processor and is not stored on Uptal servers.
    • Usage data: search queries, filters applied, profiles viewed, profiles unlocked, IP address, browser type, device information, session duration, and clickstream data.
    • Service content: interview recordings, candidate resumes, job postings, assessment results, and other content you provide when using our services.

    3.2 Candidate Data

    Uptal provides access to verified candidate profiles sourced from publicly available data, direct candidate submissions, and authorized partner databases. Through Talent Search, candidate data may include:

    • Identity data: full name, nationality, gender, and city of residence.
    • Professional data: job title, employer, years of experience, industry, skills, education, certifications, and career history.
    • Compensation data: current salary, expected salary, and compensation preferences.
    • Contact data: verified email address and phone number (accessible only upon profile unlock by a subscriber).
    • Seniority classification: executive-level indicators for C-suite, VP, and director profiles.

    3.3 Interview and Assessment Data

    When candidates participate in interviews or assessments through the Uptal platform, we may additionally collect:

    • Interview recordings: video and audio recordings of interview sessions.
    • Assessment responses: answers to technical, psychometric, or competency-based assessments.
    • AI-generated analysis: transcripts, evaluation scores, and performance summaries generated by our AI systems.

  4. Legal Basis for Processing

    In accordance with Article 10 of the PDPL, we process personal data based on one or more of the following lawful bases:

    • Consent: where you have given explicit consent for the processing of your personal data for one or more specific purposes. You may withdraw your consent at any time by contacting us.
    • Contractual necessity: where processing is necessary for the performance of a subscription agreement or service agreement to which you are a party, including providing access to the Uptal platform and processing payments.
    • Legitimate interest: where processing is necessary for our legitimate business interests (e.g., fraud prevention, platform security, service improvement), provided such interests do not override your rights and freedoms. This basis does not apply to the processing of sensitive data.
    • Legal obligation: where processing is necessary to comply with applicable laws and regulations of the Kingdom of Saudi Arabia, including tax, anti-money laundering, and regulatory reporting requirements.
    • Public interest: where processing is necessary for purposes of public interest as defined under the PDPL.

  5. Purposes of Processing

    We process personal data for the following specific, clear, and explicit purposes:

    • Providing and operating the Uptal platform and its services, including Talent Search, interviews, assessments, and recruitment management
    • Creating and managing subscriber accounts
    • Processing subscription payments and issuing invoices
    • Enabling candidate profile search, filtering, ranking, and unlocking
    • Delivering AI-powered candidate matching and ranking results
    • Analyzing and evaluating candidate interviews and assessments
    • Providing hiring recommendations and AI-generated insights
    • Personalizing your experience with Uptal
    • Communicating with subscribers about their accounts, billing, and service updates
    • Sending marketing communications (with opt-out available at any time)
    • Analyzing platform usage to improve our services, features, and user experience
    • Preventing fraud and unauthorized access, and ensuring platform security
    • Complying with legal, regulatory, and governmental obligations under KSA law
    • Responding to data subject requests in accordance with the PDPL

  6. Data Collection Methods

    We collect personal data through the following methods:

    • Direct collection: information you provide when creating an account, subscribing to a plan, or contacting our support team.
    • Automated collection: usage data, cookies, and similar tracking technologies collected automatically when you interact with the platform.
    • Third-party sources: candidate profile data sourced from publicly available professional databases, authorized data partners, and direct candidate submissions.

    Where personal data is collected indirectly (not directly from the data subject), we take necessary measures to inform the data subject within thirty (30) days or at the time of first contact, whichever is earlier, in accordance with the PDPL Implementing Regulations.

  7. Cookies and Tracking Technologies

    We use cookies and similar technologies to enhance your experience and analyze platform usage. These include:

    • Essential cookies: required for platform functionality, authentication, and security. These cannot be disabled.
    • Analytics cookies: used to understand how visitors interact with the platform, helping us improve performance and user experience.
    • Marketing cookies: used to deliver relevant advertisements and measure campaign effectiveness. These are only placed with your consent.

    You may manage your cookie preferences through your browser settings or the cookie consent banner displayed on the platform. Disabling certain cookies may affect platform functionality.

  8. Data Sharing and Disclosure

    We do not sell personal data. We may share personal data with the following categories of recipients, solely for the purposes described in this policy:

    • Service providers: third-party providers who assist with payment processing, cloud hosting (Oracle Cloud Infrastructure, Jeddah region), analytics, email delivery, and customer support. All service providers are contractually bound to protect personal data in accordance with the PDPL.
    • Subscribers: candidate contact data (email and phone number) is disclosed to subscribers only upon profile unlock, subject to the subscriber's plan allowance.
    • Partners and affiliates: we may share personal data with our partners and affiliates for marketing purposes. You may opt out of such sharing at any time.
    • Legal and regulatory authorities: where disclosure is required by law, regulation, court order, or governmental request issued by competent authorities in the Kingdom of Saudi Arabia.
    • Business transfers: in connection with a merger, acquisition, or sale of all or substantially all of our assets, subject to the acquiring entity's obligation to honor this Privacy Policy.

    We do not disclose personal data in any manner that would threaten national security, obstruct the detection or investigation of crimes, or compromise the safety of individuals, in accordance with the PDPL.

  9. Cross-Border Data Transfers

    Uptal primarily stores and processes personal data within the Kingdom of Saudi Arabia on Oracle Cloud Infrastructure (OCI) in the Jeddah region. In the event that personal data needs to be transferred outside the Kingdom, we ensure that:

    • The transfer serves a specific and legitimate purpose as permitted under the PDPL.
    • The recipient country or entity provides an adequate level of personal data protection, as assessed by SDAIA, or appropriate safeguards are in place.
    • Appropriate transfer mechanisms are used, including Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) where required.
    • The protections afforded under the PDPL continue to apply to the transferred data.

    We will not transfer personal data to any jurisdiction that does not meet the PDPL's adequacy or safeguard requirements.

  10. Data Retention

    We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Our retention practices are as follows:

    • Subscriber account data: retained for the duration of the active subscription and for five (5) years following account closure, as required for record-keeping and legal compliance.
    • Payment and transaction data: retained for the minimum period required by Saudi Arabian tax and commercial law.
    • Candidate profile data: retained as long as the data remains relevant and accurate, subject to periodic review. Candidates may request deletion at any time.
    • Usage and analytics data: retained in anonymized or aggregated form for service improvement purposes.
    • Records of processing activities: maintained for the duration of processing activities and for an additional five (5) years thereafter, in accordance with the PDPL Implementing Regulations.

    When personal data is no longer needed, we will securely destroy or anonymize it such that re-identification of the data subject is not possible.

  11. Data Security

    We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

    • Encryption of personal data in transit (TLS/SSL) and at rest
    • Saudi-hosted infrastructure on Oracle Cloud Infrastructure (OCI), Jeddah region
    • Role-based access controls and multi-factor authentication for internal systems
    • Regular security assessments, vulnerability scanning, and penetration testing
    • Employee data protection training and confidentiality agreements
    • Incident response procedures aligned with NDMO and SDAIA guidelines
    • NDMO-aligned data governance framework

    While we take commercially reasonable precautions, no method of electronic transmission or storage is completely secure. In the event of a personal data breach, we will notify SDAIA within seventy-two (72) hours and inform affected data subjects without undue delay, as required by the PDPL.

  12. Your Rights Under the PDPL

    In accordance with the PDPL and its Implementing Regulations, you have the following rights with respect to your personal data:

    • Right to be informed: the right to know our identity, the purpose for collecting your data, the methods of collection, and with whom your data may be shared.
    • Right of access: the right to request access to the personal data we hold about you and to receive a copy of such data.
    • Right to correction: the right to request correction of any inaccurate, incomplete, or outdated personal data.
    • Right to destruction: the right to request the destruction of your personal data when it is no longer necessary for the purpose for which it was collected, or when you withdraw your consent.
    • Right to withdraw consent: the right to withdraw your consent to the processing of your personal data at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
    • Right to restrict processing: the right to request limitation of processing of your personal data in certain circumstances and for a limited duration.
    • Right to data portability: the right to obtain your personal data in a structured, commonly used, and machine-readable format, and to request that we transmit your data to another controller.
    • Right to object: the right to object to the processing of your personal data where processing is based on legitimate interest.

    To exercise any of these rights, please contact us at support@uptal.com or through our contact page at https://uptal.com/contact-us. We will respond to your request within thirty (30) calendar days. In complex cases, this period may be extended by an additional thirty (30) days, and we will notify you of the extension and the reason for it.

    We may request identity verification before processing your request to ensure the security of your personal data.

  13. Sensitive Personal Data

    Uptal does not intentionally collect or process sensitive personal data as defined under the PDPL, which includes health data, biometric data, genetic data, data revealing racial or ethnic origin, or criminal records. If we become aware that sensitive data has been inadvertently collected, we will promptly take steps to delete it or obtain the required explicit consent.

  14. Children's Data

    Uptal is not intended for individuals under the age of eighteen (18). We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will take immediate steps to delete such data.

  15. Direct Marketing

    We may use your contact data to send you marketing communications about Uptal products, features, and promotions. You may opt out of marketing communications at any time by:

    • Clicking the unsubscribe link in any marketing email
    • Contacting us at support@uptal.com
    • Updating your communication preferences in your account settings

    Opting out of marketing communications does not affect transactional or service-related communications (e.g., billing notices, security alerts, and subscription confirmations).

  16. Automated Decision-Making and AI

    Uptal uses artificial intelligence and automated processing across its services, including: ranking and matching candidate profiles in Talent Search based on criteria such as skill match, salary fit, seniority level, and role relevance; analyzing and evaluating candidate interview recordings; scoring assessment responses; and generating hiring recommendations. These automated processes are designed to assist recruiters in identifying suitable candidates more efficiently.

    All automated results — including candidate rankings, interview evaluations, and assessment scores — are provided as recommendations only and do not constitute binding decisions. Hiring decisions remain solely with the subscriber. If you believe an automated process has adversely affected your rights, you may contact us to request a review.

  17. Third-Party Links

    The Uptal platform may contain links to third-party websites or services. We are not responsible for the privacy practices or content of these third-party sites. We encourage you to review the privacy policies of any third-party service you interact with.

  18. Data Protection Officer

    In accordance with PDPL requirements, Uptal has designated a point of contact for data protection matters. For any questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, please contact us at support@uptal.com.

  19. Complaints

    If you believe that your personal data has been processed in violation of the PDPL, you have the right to file a complaint with:

    • Uptal: by contacting us at support@uptal.com. We will investigate and respond within thirty (30) days.
    • SDAIA: the Saudi Data and Artificial Intelligence Authority, the competent supervisory authority for data protection matters in the Kingdom of Saudi Arabia. Complaints may be submitted through the National Data Governance Platform (NDGP).

  20. Governing Law

    This Privacy Policy is governed by and construed in accordance with the laws of the Kingdom of Saudi Arabia, including the Personal Data Protection Law (PDPL) and its Implementing Regulations. Any disputes arising under this policy shall be subject to the exclusive jurisdiction of the competent courts in Riyadh, Saudi Arabia.

  21. Changes to This Privacy Policy

    We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:

    • Post the updated policy on our website with a revised effective date
    • Notify active subscribers via email of significant changes
    • Where required by the PDPL, obtain your consent before applying material changes that affect how your personal data is processed

    We encourage you to review this Privacy Policy periodically. Your continued use of Uptal after any changes constitutes acceptance of the revised policy.