Privacy Policy
Xpreso Recruiting GmbH | Last updated: April 2026
This Privacy Policy (Datenschutzerklärung) explains how Xpreso Recruiting GmbH collects, uses, stores, and protects personal data in connection with the Xpreso platform and website. It applies to all individuals who interact with us: job seekers and candidates ('Talents'), companies and employers ('Companies'), and website visitors. We process personal data in accordance with the EU General Data Protection Regulation (GDPR / DSGVO), the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), and the German Telecommunications and Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz – TDDDG).
IMPORTANT NOTICE — YOUR RIGHT TO OBJECT (Art. 21 GDPR)
Where we process your personal data on the basis of a legitimate interest (Art. 6(1)(f) GDPR), you have the right to object to that processing at any time, on grounds relating to your particular situation.
Where we process your personal data for direct marketing purposes, you have an unconditional right to object at any time.
To exercise your right to object, contact: privacy@xpreso.ai
This notice is provided separately and prominently in accordance with Art. 21(4) GDPR.
1. Who We Are (Data Controller)
The data controller (Verantwortlicher) pursuant to Art. 4(7) GDPR is:
Xpreso Recruiting GmbH
Merantix AI Campus, Max-Urich-Straße 3, 13355 Berlin, Germany
General: hq@xpreso.ai
Privacy: privacy@xpreso.ai
Website: www.xpreso.ai
Internal Privacy Lead: Patrick Böert (reachable via privacy@xpreso.ai). We have not yet formally appointed a Data Protection Officer (Datenschutzbeauftragter – DSB). If a formal DSB is appointed, their details will be published here.
2. What Data We Collect
2.1 Talent and Candidate Data
When you register and use Xpreso as a job seeker or candidate, we process:
- Account and contact data: name, email address, phone number, communication preferences
- Career and profile data: CV/resume, work history, education, skills, certifications, links to professional profiles (e.g. LinkedIn, GitHub, portfolio), job preferences (roles, industries, location, availability, salary expectations)
- Conversation and transcription data: when you use voice or chat features, we transcribe your input in real time and store transcripts, structured extracts (e.g. career preferences, constraints), AI-generated summaries, and metadata (time, duration, channel). You actively initiate voice interactions via a 'Start Call' button; we do not use always-on listening.
- Usage and device data: IP address, browser and device information, log files, feature usage events, session data
- Communications: messages you send us, support exchanges, our communications to you
- Special category data (Art. 9 GDPR): we do not seek to collect special category data. If you voluntarily share sensitive information (e.g. health, disability, religion), we process this only with your explicit consent. Please see Section 2.4 for full details, including our approach to voice data.
2.2 Company and Employer Data
When a company registers and uses Xpreso as an employer, we process:
- Account and contact data: company name, registered address, contact persons' names, job titles, work email addresses, phone numbers
- Billing and payment data: invoicing details, payment information, VAT identification numbers
- Hiring requirements: role descriptions, salary ranges, hiring criteria, and related information you provide
- Communication data: messages exchanged with us, meeting notes, feedback on candidates
- Usage data: login and activity data, feature usage events
2.3 Website Visitor Data
When you visit www.xpreso.ai without registering, we may collect:
- Technical data: IP address, browser type, device information, referring URL, pages visited, session duration
- Cookie and tracking data: see Section 10 (Cookies)
2.4 Special Category Data and Voice Data
We do not actively seek to collect special category data (Art. 9 GDPR) such as health data, disability, ethnic or racial origin, religion, or sexual orientation.
Important regarding voice transcripts: voice recordings can incidentally contain or reveal special category information. Our AI systems are designed not to extract, profile, or act on special category attributes from voice transcripts. If you voluntarily share such information and it is transcribed, we process it only to the minimum extent necessary to deliver the service, on the basis of your explicit consent (Art. 9(2)(a) GDPR). You may withdraw consent at any time.
If we were ever to introduce processing of special category data for any other purpose, we would seek fresh explicit consent before doing so.
3. How and Why We Use Your Data
For each processing activity below, we identify the purpose and legal basis. For all processing based on legitimate interest (Art. 6(1)(f) GDPR), we have conducted a Legitimate Interest Assessment (LIA / Interessenabwägung), available on request at privacy@xpreso.ai.
3.1 For Talents and Candidates
Purpose: Providing the Xpreso service
Legal basis: Art. 6(1)(b) GDPR (performance of contract); §26 BDSG (processing in the context of identifying employment opportunities)
- Creating and managing your profile and account
- Enabling voice and AI-driven career conversations
- Building your candidate profile and generating match signals
- Identifying potentially relevant roles and employers
Purpose: Employer introductions — only with your explicit opt-in
Legal basis: Art. 6(1)(a) GDPR (your explicit consent). Consent can be withdrawn at any time. §26(2) BDSG applies where consent is given in the context of identifying employment.
- Sharing your profile with a specific employer only after you explicitly opt in for that employer
- You can withdraw any Employer Opt-In at any time going forward
Purpose: Communication and support
Legal basis: Art. 6(1)(b) GDPR (contract performance)
- Sending service-related updates and notifications
- Responding to requests and troubleshooting
Purpose: Product improvement and AI quality improvement
Legal basis: Art. 6(1)(f) GDPR (legitimate interest — improving matching quality and platform reliability). LIA conducted. Where individual personal data is used for AI model training beyond service improvement, we will seek your explicit consent.
- Analysing anonymised and aggregated usage data
- Improving AI matching and conversation quality
3.2 For Companies and Employers
Purpose: Providing the Xpreso recruitment service
Legal basis: Art. 6(1)(b) GDPR (performance of contract)
- Setting up and managing your company account
- Facilitating introductions to Talents who have opted in
- Processing fees and invoices
Purpose: Communication and billing
Legal basis: Art. 6(1)(b) GDPR (contract); Art. 6(1)(f) GDPR (legitimate interest — LIA conducted)
- Sending candidate shortlists and match notifications
- Service updates, invoicing, and support
3.3 For Website Visitors
Purpose: Operating and improving the website
Legal basis: Art. 6(1)(f) GDPR (legitimate interest — LIA conducted) or Art. 6(1)(a) GDPR (consent, where required by TDDDG)
- Technical operation and security of the website
- Analytics to understand how the website is used (consent required for non-essential analytics cookies)
4. Automated Decision-Making and Profiling (Art. 22 GDPR)
We use AI and automated systems to create candidate profiles, generate match signals, and identify potential role fits. These outputs support human decisions — they do not replace them.
Pursuant to Art. 22 GDPR, you are not subject to decisions based solely on automated processing that produce significant legal effects without human review. Any employer introduction requires your explicit opt-in and is reviewed by the Xpreso team.
You have the right to:
- Request human review of any automated assessment of your profile
- Express your point of view and contest any AI-generated output
- Obtain a meaningful explanation of the logic involved in AI matching and its significance
To exercise these rights, contact privacy@xpreso.ai. We will respond within one month.
5. Data Sharing
We do not sell your personal data. We share data only as follows:
- With employers / companies: Talent profile data is shared only after explicit Employer Opt-In. We inform Talents of the employer's identity and data categories shared before any opt-in.
- With service providers and processors (Auftragsverarbeiter): we use third-party providers for hosting, analytics, communication tools, and AI services. All process data on our behalf under written data processing agreements (Art. 28 GDPR). The full sub-processor list is set out in Section 8.
- For legal compliance: where required by applicable law, court order, or governmental authority, to the extent strictly necessary.
- Business transfers: in the event of a merger, acquisition, or sale of assets, data may transfer to a successor entity under equivalent data protection obligations. Affected individuals will be notified.
6. International Data Transfers
We do not routinely transfer personal data outside the European Economic Area (EEA). All sub-processors listed in Section 8 are configured to process data within their EU regions. Any incidental access to personal data from outside the EEA (for example, vendor support personnel) is covered by EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, supplemented by appropriate technical and organisational safeguards. Details of safeguards for any specific transfer are available on request at privacy@xpreso.ai.
7. Retention Periods
We retain personal data only as long as necessary for the relevant purpose or as required by law.
- Talent account and profile data: retained for the duration of your active account. After a period of inactivity or account closure, data is retained for up to 48 months to enable reactivation, for security purposes, and for product improvement, unless you request earlier deletion. Some data may be retained longer where legally required or necessary for the establishment, exercise, or defence of legal claims.
- Conversation transcripts and AI-generated summaries: maximum 48 months from creation, on a rolling basis unless earlier deletion is requested.
- Company account and billing data: for the duration of the contractual relationship, plus 10 years pursuant to German commercial and tax law (§§ 238, 257 HGB; § 147 AO).
- Website visitor logs: maximum 30 days for security purposes.
- Data subject request records: 3 years from closure.
8. Third-Party Tools and Sub-Processors
We engage the following sub-processors to operate our Platform. All process personal data strictly on our behalf pursuant to written data processing agreements under Art. 28 GDPR. All sub-processors are configured to operate within the European Economic Area (EEA).
| Sub-Processor | Category | Purpose | Transfer Safeguard |
|---|---|---|---|
| Vercel, Inc. | Hosting & Infrastructure | Next.js application hosting (EU region) | EU region; SCCs for incidental support access |
| Supabase, Inc. | Database, Auth & Storage | PostgreSQL database, user authentication, file storage (EU region) | EU region; SCCs for incidental support access |
| Google LLC (Gemini API) | AI Processing | Generative AI / large language model processing for matching and conversations (EU region) | EU region; SCCs |
| ElevenLabs, Inc. | AI Voice | Conversational voice AI and real-time transcription (EU region) | EU region; SCCs for incidental support access |
| Langfuse GmbH | AI Observability | LLM observability, tracing, and performance monitoring (EU region) | EU region; German entity |
| Mem0 AI, Inc. | AI Memory | Memory layer for AI personalisation (EU region) | EU region; SCCs for incidental support access |
| PostHog, Inc. | Product Analytics | Product analytics and usage tracking (EU region; consent-gated for non-essential cookies) | EU region; SCCs for incidental support access |
| Functional Software, Inc. (Sentry) | Error Monitoring | Application error monitoring and session correlation (EU region) | EU region; SCCs for incidental support access |
| Mailgun Technologies, Inc. | Transactional Email | Transactional and notification emails (EU region) | EU region; SCCs for incidental support access |
| LinkedIn Ireland Unlimited Company | OAuth / Integrations | LinkedIn OAuth authentication for profile import | EU entity (Ireland) |
We maintain a current sub-processor list. If we engage new sub-processors that materially affect your data, we will update this policy and notify registered users.
9. Your Rights Under GDPR
You have the following rights under Art. 15–22 GDPR at any time:
- Right of access (Art. 15 GDPR): request a copy of your data and information about how it is processed
- Right to rectification (Art. 16 GDPR): request correction of inaccurate or incomplete data
- Right to erasure (Art. 17 GDPR): request deletion, subject to legal retention obligations
- Right to restriction (Art. 18 GDPR): request that we restrict processing in certain circumstances
- Right to data portability (Art. 20 GDPR): receive your data in a structured, machine-readable format
- Right to object (Art. 21 GDPR): object to processing based on legitimate interest or for direct marketing — see the prominent notice at the top of this policy
- Right to withdraw consent (Art. 7(3) GDPR): withdraw consent at any time without affecting prior processing
- Rights regarding automated decisions (Art. 22 GDPR): see Section 4
Contact privacy@xpreso.ai to exercise any right. We will respond within one month (extendable by two months in complex cases, with notice). Requests are free of charge unless manifestly unfounded or excessive.
10. Cookies and Tracking Technologies
We use cookies and similar technologies on our website and Platform in accordance with the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG). We distinguish the following categories:
Strictly necessary cookies (no consent required):
- Supabase authentication session cookies: required to maintain your logged-in session and secure access to your account. These cannot be disabled without preventing you from using the Platform.
Analytics and performance cookies (consent required):
- PostHog: sets analytics cookies and uses local storage to measure how the Platform is used (page views, feature usage, session data). This helps us improve the product. Analytics tracking is only activated after you give consent via our cookie banner.
- Sentry: may set a session identifier cookie for error correlation, helping us diagnose technical issues. This is activated only with your consent where not strictly necessary for security purposes.
Marketing and advertising cookies:
We do not use marketing, advertising, or retargeting cookies or pixels.
You can review and change your cookie preferences at any time via the cookie settings link in the footer of our website. Withdrawing consent does not affect the lawfulness of any processing carried out prior to withdrawal.
11. Data Security
We implement appropriate technical and organisational measures (TOMs) pursuant to Art. 32 GDPR, including encryption in transit and at rest, role-based access controls, regular security assessments, and access logging.
In the event of a personal data breach posing a risk to your rights and freedoms, we will notify the Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI) within 72 hours (Art. 33 GDPR) and inform affected individuals where required (Art. 34 GDPR).
12. Supervisory Authority
You have the right to lodge a complaint with the competent data protection supervisory authority at any time (Art. 77 GDPR):
Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI)
Friedrichstraße 219, 10969 Berlin, Germany
Website: https://www.datenschutz-berlin.de
13. Changes to This Privacy Policy
We may update this policy to reflect changes in our practices or legal requirements. Registered users will be notified of material changes by email or in-platform notice. The current version is always at www.xpreso.ai/privacy.