Uptal logo
  • Solutionsexpand_more
  • Integrations
  • Automation
  • Training & Support
  • Customization
  • About Us
  • Request a Demo
  • I'm a Job Seeker
Uptal logo
  • Solutions expand_more
  • Integrations
  • Automation
  • Training & Support
  • Customization
  • About Us
Request a Demo I'm a Job Seeker
Privacy Policy

Privacy Policy

How Uptal collects, processes, stores, discloses, and protects personal data across all its services: Talent Search, interviews and assessments for employers, and Auto-Apply and CV Enhancer for job seekers.

Effective date: July 5, 2026Last updated: July 5, 2026Applicable law: Personal Data Protection Law (PDPL) of the Kingdom of Saudi Arabia, Royal Decree No. M/19, as amended by Royal Decree No. M/148 Supervisory authority: Saudi Data and Artificial Intelligence Authority (SDAIA) / National Data Management Office (NDMO)

On this page

  1. Introduction
  2. Data controller
  3. Personal data we collect
  4. Legal basis for processing
  5. Purposes of processing
  6. Data collection methods
  7. Cookies & tracking technologies
  8. Data sharing & disclosure
  9. Cross-border data transfers
  10. Data retention
  11. Data security
  12. Your rights under the PDPL
  13. Sensitive personal data
  14. Children's data
  15. Direct marketing
  16. Automated decision-making & AI
  17. Third-party links
  18. Data protection contact
  19. Complaints
  20. Governing law
  21. Changes to this policy

1 Introduction

Uptal ("we", "us", "our") is committed to protecting your personal data and respecting your privacy in full compliance with the Personal Data Protection Law (PDPL) of the Kingdom of Saudi Arabia and its Implementing Regulations. This Privacy Policy explains how we collect, process, store, disclose, and protect personal data when you use the Uptal platform and services, including the recruitment management system, Talent Search, AI-powered interviews, assessments, Auto-Apply, CV Enhancer, and any other services accessible at https://uptal.com.

This policy applies to all users of Uptal, including: subscribers (employers, recruiters, and hiring managers); candidates whose profiles are accessible through the platform or who participate in interviews and assessments; and job seekers who use Auto-Apply or CV Enhancer.

By accessing or using any Uptal service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

2 Data controller

Uptal is the data controller responsible for determining the purposes and means of processing personal data collected through the Uptal platform and services.

3 Personal data we collect

We collect and process the following categories of personal data:

3.1 Subscriber data (employers, recruiters, hiring managers)

  • Identity data: full name, job title, company name, and national ID or commercial registration number where required.
  • Contact data: email address, phone number, and business address.
  • Account data: username, password (encrypted), account preferences, and subscription plan details.
  • Payment data: billing address, payment method details, and transaction history. Payment card data is processed by our third-party payment processor and is not stored on Uptal servers.
  • Usage data: search queries, filters applied, profiles viewed, profiles unlocked, IP address, browser type, device information, session duration, clickstream data, and session recordings and interaction data.
  • Service content: interview recordings, candidate resumes, job postings, assessment results, and other content you provide when using our services.

3.2 Candidate data (Talent Search)

Uptal provides access to verified candidate profiles sourced from publicly available data, direct candidate submissions, and authorized partner databases. Through Talent Search, candidate data may include:

  • Identity data: full name, nationality, gender, and city of residence.
  • Professional data: job title, employer, years of experience, industry, skills, education, certifications, and career history.
  • Compensation data: current salary, expected salary, and compensation preferences.
  • Contact data: verified email address and phone number (accessible only upon profile unlock by a subscriber).
  • Seniority classification: executive-level indicators for C-suite, VP, and director profiles.

3.3 Job seeker data (Auto-Apply and CV Enhancer)

When you use Auto-Apply or CV Enhancer, we collect and process:

  • CV and profile data: your CV and its contents, including identity, contact, education, work history, skills, and any other information it contains, together with your job preferences (target roles, cities, company types, and salary expectations).
  • Application data: the roles matched to you, the tailored versions of your CV generated for each role, the applications submitted on your behalf, their dates and destinations, and any status information we receive.
  • Account and subscription data: username, password (encrypted), preferences, subscription tier, and pause or cancellation history.
  • Payment data: billing details and transaction history. Payment card data is processed by our third-party payment processor and is not stored on Uptal servers.
  • Communications data: your correspondence with our support team and the notifications we send you.

3.4 Interview and assessment data

When candidates participate in interviews or assessments through the Uptal platform, we may additionally collect:

  • Interview recordings: video and audio recordings of interview sessions.
  • Assessment responses: answers to technical, psychometric, or competency-based assessments.
  • AI-generated analysis: transcripts, evaluation scores, and performance summaries generated by our AI systems.

4 Legal basis for processing

In accordance with Article 10 of the PDPL, we process personal data based on one or more of the following lawful bases:

  • Consent: where you have given explicit consent for the processing of your personal data for one or more specific purposes. You may withdraw your consent at any time by contacting us.
  • Contractual necessity: where processing is necessary for the performance of a subscription or service agreement to which you are a party, including providing access to the platform, matching and submitting job applications on your behalf (Auto-Apply), producing your enhanced CV (CV Enhancer), and processing payments.
  • Legitimate interest: where processing is necessary for our legitimate business interests (for example, fraud prevention, platform security, and service improvement), provided such interests do not override your rights and freedoms. This basis does not apply to the processing of sensitive data.
  • Legal obligation: where processing is necessary to comply with applicable laws and regulations of the Kingdom of Saudi Arabia, including tax, anti-money laundering, and regulatory reporting requirements.
  • Public interest: where processing is necessary for purposes of public interest as defined under the PDPL.

5 Purposes of processing

We process personal data for the following specific, clear, and explicit purposes:

  • Providing and operating the Uptal platform and its services, including Talent Search, interviews, assessments, recruitment management, Auto-Apply, and CV Enhancer
  • Creating and managing user accounts
  • Processing payments and issuing invoices
  • Enabling candidate profile search, filtering, ranking, and unlocking
  • Delivering AI-powered candidate matching and ranking results
  • Matching job seekers to suitable roles, generating tailored versions of their CVs, and submitting job applications on their behalf (Auto-Apply)
  • Enhancing and rewriting job seekers' CVs (CV Enhancer)
  • Analyzing and evaluating candidate interviews and assessments
  • Providing hiring recommendations and AI-generated insights
  • Personalizing your experience with Uptal
  • Communicating with users about their accounts, billing, applications, and service updates
  • Sending marketing communications (with opt-out available at any time)
  • Analyzing platform usage to improve our services, features, and user experience
  • Preventing fraud, unauthorized access, and ensuring platform security
  • Complying with legal, regulatory, and governmental obligations under KSA law
  • Responding to data subject requests in accordance with the PDPL

6 Data collection methods

  • Direct collection: information you provide when creating an account, uploading a CV, setting job preferences, subscribing to a plan, placing a CV Enhancer order, or contacting our support team.
  • Automated collection: usage data, cookies, and similar tracking technologies collected automatically when you interact with the platform.
  • Generated data: data our systems create in the course of providing the services, such as tailored CVs, match results, and AI evaluations.
  • Third-party sources: candidate profile data sourced from publicly available professional databases, authorized data partners, and direct candidate submissions.

Where personal data is collected indirectly (not directly from the data subject), we take necessary measures to inform the data subject within thirty (30) days or at the time of first contact, whichever is earlier, in accordance with the PDPL Implementing Regulations.

7 Cookies & tracking technologies

We use cookies and similar technologies to enhance your experience and analyze platform usage. These include:

  • Essential cookies: required for platform functionality, authentication, and security. These cannot be disabled.
  • Analytics cookies: used to understand how visitors interact with the platform, helping us improve performance and user experience.
  • Marketing cookies: used to deliver relevant advertisements and measure campaign effectiveness. These are only placed with your consent.

You may manage your cookie preferences through your browser settings or the cookie consent banner displayed on the platform. Disabling certain cookies may affect platform functionality.

8 Data sharing & disclosure

We do not sell personal data.

We may share personal data with the following categories of recipients, solely for the purposes described in this policy:

  • Employers and job platforms (Auto-Apply): when Auto-Apply submits an application on your behalf, your application details and tailored CV, including the personal data they contain, are disclosed to the prospective employer or the job platform hosting the role. This disclosure is the core function of the service you subscribe to.
  • Subscribers (Talent Search): candidate contact data (email and phone number) is disclosed to subscribers only upon profile unlock, subject to the subscriber's plan allowance.
  • Service providers: third-party providers who assist with payment processing, cloud hosting (Oracle Cloud Infrastructure, Jeddah region), analytics, email delivery, messaging, and customer support. All service providers are contractually bound to protect personal data in accordance with the PDPL.
  • Partners and affiliates: we share personal data with our partners and affiliates for marketing purposes only with your prior consent. You may withdraw that consent at any time.
  • Legal and regulatory authorities: where disclosure is required by law, regulation, court order, or governmental request issued by competent authorities in the Kingdom of Saudi Arabia.
  • Business transfers: in connection with a merger, acquisition, or sale of all or substantially all of our assets, subject to the acquiring entity's obligation to honor this Privacy Policy.

Where the PDPL restricts disclosure, for example where disclosure would threaten national security or the safety of individuals, we apply those restrictions.

9 Cross-border data transfers

Uptal primarily stores and processes personal data within the Kingdom of Saudi Arabia on Oracle Cloud Infrastructure (OCI) in the Jeddah region. In the event that personal data needs to be transferred outside the Kingdom (including where an Auto-Apply application is submitted to an employer located outside the Kingdom at your direction), we ensure that:

  • The transfer serves a specific and legitimate purpose as permitted under the PDPL.
  • The recipient country or entity provides an adequate level of personal data protection, as assessed by SDAIA, or appropriate safeguards are in place.
  • Appropriate transfer mechanisms are used, including Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) where required.
  • The protections afforded under the PDPL continue to apply to the transferred data.

10 Data retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Our retention practices are as follows:

  • Account data (subscribers and job seekers): retained for the duration of the active account or subscription and for five (5) years following account closure, as required for record-keeping and legal compliance.
  • Payment and transaction data: retained for the minimum period required by Saudi Arabian tax and commercial law.
  • Candidate profile data: retained as long as the data remains relevant and accurate, subject to periodic review. Candidates may request deletion at any time.
  • CV, application, and tailored-CV data (Auto-Apply and CV Enhancer): retained for the duration of your account and as needed to evidence the applications submitted on your behalf; you may request deletion at any time, subject to legal record-keeping requirements. Copies of applications already delivered to employers are held by those employers under their own policies.
  • Usage and analytics data: retained in anonymized or aggregated form for service improvement purposes.
  • Records of processing activities: maintained for the duration of processing activities and for an additional five (5) years thereafter, in accordance with the PDPL Implementing Regulations.

When personal data is no longer needed, we securely destroy or anonymize it such that re-identification of the data subject is not possible.

11 Data security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

  • Encryption of personal data in transit (TLS/SSL) and at rest
  • Saudi-hosted infrastructure on Oracle Cloud Infrastructure (OCI), Jeddah region
  • Role-based access controls and multi-factor authentication for internal systems
  • Regular security assessments, vulnerability scanning, and penetration testing
  • Employee data protection training and confidentiality agreements
  • Incident response procedures aligned with NDMO and SDAIA guidelines
  • NDMO-aligned data governance framework

While we take commercially reasonable precautions, no method of electronic transmission or storage is completely secure. In the event of a personal data breach, we will notify SDAIA within seventy-two (72) hours and inform affected data subjects without undue delay, as required by the PDPL.

12 Your rights under the PDPL

In accordance with the PDPL and its Implementing Regulations, you have the following rights with respect to your personal data:

  • Right to be informed: to know our identity, the purpose for collecting your data, the methods of collection, and with whom your data may be shared.
  • Right of access: to request access to the personal data we hold about you and to receive a copy of such data.
  • Right to correction: to request correction of any inaccurate, incomplete, or outdated personal data.
  • Right to destruction: to request the destruction of your personal data when it is no longer necessary for the purpose for which it was collected, or when you withdraw your consent.
  • Right to withdraw consent: to withdraw your consent to processing at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal, and it does not recall applications already submitted to employers on your instructions.
  • Right to restrict processing: to request limitation of processing in certain circumstances and for a limited duration.
  • Right to data portability: to obtain your personal data in a structured, commonly used, machine-readable format, and to request transmission to another controller.
  • Right to object: to object to processing based on legitimate interest.

To exercise any of these rights, contact us at support@uptal.com or through uptal.com/contact-us. We will respond within thirty (30) calendar days. In complex cases, this period may be extended by an additional thirty (30) days, and we will notify you of the extension and the reason for it. We may request identity verification before processing your request.

13 Sensitive personal data

Uptal does not intentionally collect or process sensitive personal data as defined under the PDPL, which includes health data, biometric data, genetic data, data revealing racial or ethnic origin, or criminal records. If your CV contains such information, we recommend removing it before upload. If we become aware that sensitive data has been inadvertently collected, we will promptly take steps to delete it or obtain the required explicit consent.

14 Children's data

Uptal is not intended for individuals under the age of eighteen (18). We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will take immediate steps to delete such data.

15 Direct marketing

We may use your contact data to send you marketing communications about Uptal products, features, and promotions. You may opt out at any time by:

  • Clicking the unsubscribe link in any marketing email
  • Contacting us at support@uptal.com
  • Updating your communication preferences in your account settings

Opting out of marketing communications does not affect transactional or service-related communications (for example, billing notices, application updates, security alerts, and subscription confirmations).

16 Automated decision-making & AI

Uptal uses artificial intelligence and automated processing across its services, including:

  • Ranking and matching candidate profiles in Talent Search based on criteria such as skill match, salary fit, seniority level, and role relevance
  • Matching job seekers to roles in Auto-Apply based on their CV and the preferences they set, generating tailored versions of their CV for each role, and submitting applications on their behalf
  • Analyzing and evaluating candidate interview recordings and scoring assessment responses
  • Generating hiring recommendations and AI-generated insights

These automated processes assist recruiters in identifying suitable candidates and assist job seekers in applying at scale. Automated results, including candidate rankings, interview evaluations, assessment scores, and role matches, are recommendations only and do not constitute binding decisions. Hiring decisions remain solely with employers. In Auto-Apply, you control the targeting preferences that drive matching, and you can review your application history, adjust preferences, or pause the service at any time. If you believe an automated process has adversely affected your rights, you may contact us to request a review.

17 Third-party links

The Uptal platform may contain links to third-party websites or services, including employer sites and job platforms to which applications are submitted. We are not responsible for the privacy practices or content of these third-party sites. We encourage you to review the privacy policies of any third-party service you interact with.

18 Data protection contact

In accordance with PDPL requirements, Uptal has designated a point of contact for data protection matters. For any questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, please contact us at support@uptal.com.

19 Complaints

If you believe that your personal data has been processed in violation of the PDPL, you have the right to file a complaint with:

  • Uptal: by contacting us at support@uptal.com. We will investigate and respond within thirty (30) days.
  • SDAIA: the Saudi Data and Artificial Intelligence Authority, the competent supervisory authority for data protection matters in the Kingdom of Saudi Arabia. Complaints may be submitted through the National Data Governance Platform (NDGP).

20 Governing law

This Privacy Policy is governed by and construed in accordance with the laws of the Kingdom of Saudi Arabia, including the Personal Data Protection Law (PDPL) and its Implementing Regulations. Any disputes arising under this policy shall be subject to the exclusive jurisdiction of the competent courts in Riyadh, Saudi Arabia.

21 Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:

  • Post the updated policy on our website with a revised effective date
  • Notify active users via email of significant changes
  • Where required by the PDPL, obtain your consent before applying material changes that affect how your personal data is processed

We encourage you to review this Privacy Policy periodically. Except where the PDPL requires us to obtain your consent, your continued use of Uptal after any changes constitutes acceptance of the revised policy.

This Privacy Policy was last updated on July 5, 2026.

Footer

Uptal logo

The perfect enterprise solution for your recruitment needs.

LinkedInTwitter

Solutions

  • Resume Evaluation
  • Interviews
  • Technical Assessments
  • Psychometric Assessments
  • Headhunting
  • For job seekers

Quick Links

  • Home
  • Integrations
  • Automation
  • Training & Support
  • Customization
  • About Us

Support

  • Contact Us
  • Terms & Conditions
  • Privacy Policy
  • Refund Policy
  • Data & Security

News & Events

  • Press

Copyright © 2026 Uptal, All Rights Reserved.