1 Introduction
Uptal ("we", "us", "our") is committed to protecting your personal data and respecting your privacy in full compliance with the Personal Data Protection Law (PDPL) of the Kingdom of Saudi Arabia and its Implementing Regulations. This Privacy Policy explains how we collect, process, store, disclose, and protect personal data when you use the Uptal platform and services, including the recruitment management system, Talent Search, AI-powered interviews, assessments, Auto-Apply, CV Enhancer, and any other services accessible at https://uptal.com.
This policy applies to all users of Uptal, including: subscribers (employers, recruiters, and hiring managers); candidates whose profiles are accessible through the platform or who participate in interviews and assessments; and job seekers who use Auto-Apply or CV Enhancer.
By accessing or using any Uptal service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.
2 Data controller
Uptal is the data controller responsible for determining the purposes and means of processing personal data collected through the Uptal platform and services.
3 Personal data we collect
We collect and process the following categories of personal data:
3.1 Subscriber data (employers, recruiters, hiring managers)
- Identity data: full name, job title, company name, and national ID or commercial registration number where required.
- Contact data: email address, phone number, and business address.
- Account data: username, password (encrypted), account preferences, and subscription plan details.
- Payment data: billing address, payment method details, and transaction history. Payment card data is processed by our third-party payment processor and is not stored on Uptal servers.
- Usage data: search queries, filters applied, profiles viewed, profiles unlocked, IP address, browser type, device information, session duration, clickstream data, and session recordings and interaction data.
- Service content: interview recordings, candidate resumes, job postings, assessment results, and other content you provide when using our services.
3.2 Candidate data (Talent Search)
Uptal provides access to verified candidate profiles sourced from publicly available data, direct candidate submissions, and authorized partner databases. Through Talent Search, candidate data may include:
- Identity data: full name, nationality, gender, and city of residence.
- Professional data: job title, employer, years of experience, industry, skills, education, certifications, and career history.
- Compensation data: current salary, expected salary, and compensation preferences.
- Contact data: verified email address and phone number (accessible only upon profile unlock by a subscriber).
- Seniority classification: executive-level indicators for C-suite, VP, and director profiles.
3.3 Job seeker data (Auto-Apply and CV Enhancer)
When you use Auto-Apply or CV Enhancer, we collect and process:
- CV and profile data: your CV and its contents, including identity, contact, education, work history, skills, and any other information it contains, together with your job preferences (target roles, cities, company types, and salary expectations).
- Application data: the roles matched to you, the tailored versions of your CV generated for each role, the applications submitted on your behalf, their dates and destinations, and any status information we receive.
- Account and subscription data: username, password (encrypted), preferences, subscription tier, and pause or cancellation history.
- Payment data: billing details and transaction history. Payment card data is processed by our third-party payment processor and is not stored on Uptal servers.
- Communications data: your correspondence with our support team and the notifications we send you.
3.4 Interview and assessment data
When candidates participate in interviews or assessments through the Uptal platform, we may additionally collect:
- Interview recordings: video and audio recordings of interview sessions.
- Assessment responses: answers to technical, psychometric, or competency-based assessments.
- AI-generated analysis: transcripts, evaluation scores, and performance summaries generated by our AI systems.
4 Legal basis for processing
In accordance with Article 10 of the PDPL, we process personal data based on one or more of the following lawful bases:
- Consent: where you have given explicit consent for the processing of your personal data for one or more specific purposes. You may withdraw your consent at any time by contacting us.
- Contractual necessity: where processing is necessary for the performance of a subscription or service agreement to which you are a party, including providing access to the platform, matching and submitting job applications on your behalf (Auto-Apply), producing your enhanced CV (CV Enhancer), and processing payments.
- Legitimate interest: where processing is necessary for our legitimate business interests (for example, fraud prevention, platform security, and service improvement), provided such interests do not override your rights and freedoms. This basis does not apply to the processing of sensitive data.
- Legal obligation: where processing is necessary to comply with applicable laws and regulations of the Kingdom of Saudi Arabia, including tax, anti-money laundering, and regulatory reporting requirements.
- Public interest: where processing is necessary for purposes of public interest as defined under the PDPL.
5 Purposes of processing
We process personal data for the following specific, clear, and explicit purposes:
- Providing and operating the Uptal platform and its services, including Talent Search, interviews, assessments, recruitment management, Auto-Apply, and CV Enhancer
- Creating and managing user accounts
- Processing payments and issuing invoices
- Enabling candidate profile search, filtering, ranking, and unlocking
- Delivering AI-powered candidate matching and ranking results
- Matching job seekers to suitable roles, generating tailored versions of their CVs, and submitting job applications on their behalf (Auto-Apply)
- Enhancing and rewriting job seekers' CVs (CV Enhancer)
- Analyzing and evaluating candidate interviews and assessments
- Providing hiring recommendations and AI-generated insights
- Personalizing your experience with Uptal
- Communicating with users about their accounts, billing, applications, and service updates
- Sending marketing communications (with opt-out available at any time)
- Analyzing platform usage to improve our services, features, and user experience
- Preventing fraud, unauthorized access, and ensuring platform security
- Complying with legal, regulatory, and governmental obligations under KSA law
- Responding to data subject requests in accordance with the PDPL
6 Data collection methods
- Direct collection: information you provide when creating an account, uploading a CV, setting job preferences, subscribing to a plan, placing a CV Enhancer order, or contacting our support team.
- Automated collection: usage data, cookies, and similar tracking technologies collected automatically when you interact with the platform.
- Generated data: data our systems create in the course of providing the services, such as tailored CVs, match results, and AI evaluations.
- Third-party sources: candidate profile data sourced from publicly available professional databases, authorized data partners, and direct candidate submissions.
Where personal data is collected indirectly (not directly from the data subject), we take necessary measures to inform the data subject within thirty (30) days or at the time of first contact, whichever is earlier, in accordance with the PDPL Implementing Regulations.
9 Cross-border data transfers
Uptal primarily stores and processes personal data within the Kingdom of Saudi Arabia on Oracle Cloud Infrastructure (OCI) in the Jeddah region. In the event that personal data needs to be transferred outside the Kingdom (including where an Auto-Apply application is submitted to an employer located outside the Kingdom at your direction), we ensure that:
- The transfer serves a specific and legitimate purpose as permitted under the PDPL.
- The recipient country or entity provides an adequate level of personal data protection, as assessed by SDAIA, or appropriate safeguards are in place.
- Appropriate transfer mechanisms are used, including Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) where required.
- The protections afforded under the PDPL continue to apply to the transferred data.
10 Data retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Our retention practices are as follows:
- Account data (subscribers and job seekers): retained for the duration of the active account or subscription and for five (5) years following account closure, as required for record-keeping and legal compliance.
- Payment and transaction data: retained for the minimum period required by Saudi Arabian tax and commercial law.
- Candidate profile data: retained as long as the data remains relevant and accurate, subject to periodic review. Candidates may request deletion at any time.
- CV, application, and tailored-CV data (Auto-Apply and CV Enhancer): retained for the duration of your account and as needed to evidence the applications submitted on your behalf; you may request deletion at any time, subject to legal record-keeping requirements. Copies of applications already delivered to employers are held by those employers under their own policies.
- Usage and analytics data: retained in anonymized or aggregated form for service improvement purposes.
- Records of processing activities: maintained for the duration of processing activities and for an additional five (5) years thereafter, in accordance with the PDPL Implementing Regulations.
When personal data is no longer needed, we securely destroy or anonymize it such that re-identification of the data subject is not possible.
11 Data security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:
- Encryption of personal data in transit (TLS/SSL) and at rest
- Saudi-hosted infrastructure on Oracle Cloud Infrastructure (OCI), Jeddah region
- Role-based access controls and multi-factor authentication for internal systems
- Regular security assessments, vulnerability scanning, and penetration testing
- Employee data protection training and confidentiality agreements
- Incident response procedures aligned with NDMO and SDAIA guidelines
- NDMO-aligned data governance framework
While we take commercially reasonable precautions, no method of electronic transmission or storage is completely secure. In the event of a personal data breach, we will notify SDAIA within seventy-two (72) hours and inform affected data subjects without undue delay, as required by the PDPL.
12 Your rights under the PDPL
In accordance with the PDPL and its Implementing Regulations, you have the following rights with respect to your personal data:
- Right to be informed: to know our identity, the purpose for collecting your data, the methods of collection, and with whom your data may be shared.
- Right of access: to request access to the personal data we hold about you and to receive a copy of such data.
- Right to correction: to request correction of any inaccurate, incomplete, or outdated personal data.
- Right to destruction: to request the destruction of your personal data when it is no longer necessary for the purpose for which it was collected, or when you withdraw your consent.
- Right to withdraw consent: to withdraw your consent to processing at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal, and it does not recall applications already submitted to employers on your instructions.
- Right to restrict processing: to request limitation of processing in certain circumstances and for a limited duration.
- Right to data portability: to obtain your personal data in a structured, commonly used, machine-readable format, and to request transmission to another controller.
- Right to object: to object to processing based on legitimate interest.
To exercise any of these rights, contact us at support@uptal.com or through uptal.com/contact-us. We will respond within thirty (30) calendar days. In complex cases, this period may be extended by an additional thirty (30) days, and we will notify you of the extension and the reason for it. We may request identity verification before processing your request.
13 Sensitive personal data
Uptal does not intentionally collect or process sensitive personal data as defined under the PDPL, which includes health data, biometric data, genetic data, data revealing racial or ethnic origin, or criminal records. If your CV contains such information, we recommend removing it before upload. If we become aware that sensitive data has been inadvertently collected, we will promptly take steps to delete it or obtain the required explicit consent.
14 Children's data
Uptal is not intended for individuals under the age of eighteen (18). We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will take immediate steps to delete such data.
15 Direct marketing
We may use your contact data to send you marketing communications about Uptal products, features, and promotions. You may opt out at any time by:
- Clicking the unsubscribe link in any marketing email
- Contacting us at support@uptal.com
- Updating your communication preferences in your account settings
Opting out of marketing communications does not affect transactional or service-related communications (for example, billing notices, application updates, security alerts, and subscription confirmations).
16 Automated decision-making & AI
Uptal uses artificial intelligence and automated processing across its services, including:
- Ranking and matching candidate profiles in Talent Search based on criteria such as skill match, salary fit, seniority level, and role relevance
- Matching job seekers to roles in Auto-Apply based on their CV and the preferences they set, generating tailored versions of their CV for each role, and submitting applications on their behalf
- Analyzing and evaluating candidate interview recordings and scoring assessment responses
- Generating hiring recommendations and AI-generated insights
These automated processes assist recruiters in identifying suitable candidates and assist job seekers in applying at scale. Automated results, including candidate rankings, interview evaluations, assessment scores, and role matches, are recommendations only and do not constitute binding decisions. Hiring decisions remain solely with employers. In Auto-Apply, you control the targeting preferences that drive matching, and you can review your application history, adjust preferences, or pause the service at any time. If you believe an automated process has adversely affected your rights, you may contact us to request a review.
17 Third-party links
The Uptal platform may contain links to third-party websites or services, including employer sites and job platforms to which applications are submitted. We are not responsible for the privacy practices or content of these third-party sites. We encourage you to review the privacy policies of any third-party service you interact with.
18 Data protection contact
In accordance with PDPL requirements, Uptal has designated a point of contact for data protection matters. For any questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, please contact us at support@uptal.com.
19 Complaints
If you believe that your personal data has been processed in violation of the PDPL, you have the right to file a complaint with:
- Uptal: by contacting us at support@uptal.com. We will investigate and respond within thirty (30) days.
- SDAIA: the Saudi Data and Artificial Intelligence Authority, the competent supervisory authority for data protection matters in the Kingdom of Saudi Arabia. Complaints may be submitted through the National Data Governance Platform (NDGP).
20 Governing law
This Privacy Policy is governed by and construed in accordance with the laws of the Kingdom of Saudi Arabia, including the Personal Data Protection Law (PDPL) and its Implementing Regulations. Any disputes arising under this policy shall be subject to the exclusive jurisdiction of the competent courts in Riyadh, Saudi Arabia.
21 Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:
- Post the updated policy on our website with a revised effective date
- Notify active users via email of significant changes
- Where required by the PDPL, obtain your consent before applying material changes that affect how your personal data is processed
We encourage you to review this Privacy Policy periodically. Except where the PDPL requires us to obtain your consent, your continued use of Uptal after any changes constitutes acceptance of the revised policy.
This Privacy Policy was last updated on July 5, 2026.
