Privacy Policy
Last updated: 2026-01-13
1) Who we are (Controller)
Controller (Art. 4(7) GDPR):
Xpreso
Merantix AI Campus
Max-Urich-Straße 3
13355 Berlin, Germany
E: hq@xpreso.ai
Privacy contact: privacy@xpreso.ai
Internal privacy owner (privacy lead): Patrick Böert (reachable via privacy@xpreso.ai)
If we appoint a formal Data Protection Officer (DPO), we will publish their contact details here.
2) What data we collect
We process personal data you provide, data generated through your use of Xpreso, and data you choose to import.
2.1 Account & contact data
- Name, email address, phone number
- Communication preferences
2.2 Candidate profile & career data
- CV/resume, work history, education, skills, certifications
- Links (e.g., LinkedIn, GitHub, portfolio), if you add them
- Preferences (roles, industries, location/remote, availability, compensation expectations)
- Any other information you voluntarily share
2.3 Conversation and transcription data (voice/calls)
We do not store call recordings by default.
We transcribe your voice input in real time and store:
- transcripts,
- structured extracts (e.g., preferences, constraints),
- summaries and signals produced during the conversation,
- metadata (e.g., time, duration, channel, flow step).
How you start it: you actively click a "Start Call" button.
2.4 Usage and device data (platform + website)
- IP address, device/browser information, log files
- Usage events (feature use, clicks, session info)
2.5 Communications
- Messages you send us
- Our messages to you (support, process updates, product updates if opted in)
2.6 Special category data (Art. 9 GDPR)
If you voluntarily share sensitive information (e.g., health, religion), we only process it when a valid legal basis applies — typically explicit consent.
3) What we use your data for
3.1 Provide and run the Xpreso service
- Create and manage your account and profile
- Enable platform features (career conversations, profile building, recommendations)
3.2 Match you with opportunities (only with your opt-in)
- Identify potentially relevant roles/companies
- Prepare structured candidate profiles / shortlists
- Share your profile with an employer only after you opt in (see Section 6)
3.3 Communicate with you
- Support, troubleshooting, onboarding
- Process updates (e.g., "Employer X wants an intro")
3.4 Security, abuse prevention, and quality assurance
- Prevent fraud/misuse
- Maintain service integrity and reliability
3.5 Analytics, product development, and improvement of our systems (including AI)
We use data to:
- measure performance of flows and features,
- improve candidate experience and matching quality,
- debug, test, and monitor service quality,
- build aggregated statistics (non-identifying),
- improve our internal models, prompts, heuristics, and evaluation processes.
We prefer aggregated/anonymized data where feasible. Where we use personal data, we apply minimization, access controls, and (where appropriate) pseudonymization.
4) Legal bases (GDPR Art. 6)
We process data under one or more of these legal bases:
- Contract / pre-contract steps (Art. 6(1)(b))
  To provide the platform and requested services.
- Consent (Art. 6(1)(a))
  For example: newsletters/product updates (double opt-in), and where required for specific processing.
- Legitimate interests (Art. 6(1)(f))
  Security, service improvement, analytics, quality assurance, and product development.
- Legal obligations (Art. 6(1)(c))
  Where we must comply with applicable law.
Special-category data is processed only when an Art. 9 GDPR condition applies (typically explicit consent).
5) Cookies and similar technologies
We may use cookies or similar technologies:
- for essential functionality,
- for analytics and performance measurement (where legally permitted/consented).
We provide cookie choices via a consent mechanism where required.
6) Sharing your data with others
6.1 Employers (your opt-in is required)
We share your profile with an employer only after you opt in.
Before sharing, we will tell you at least:
- the employer name,
- the role context,
- the type of data to be shared.
You can withdraw your opt-in at any time going forward.
6.2 Service providers (processors)
We use vendors to operate Xpreso. They process data on our instructions under GDPR-compliant agreements.
Key vendors include:
- OpenAI (AI processing / language features)
- ElevenLabs (voice-related services / speech features)
6.3 No external ATS sharing
Candidate data is not sent to external Applicant Tracking Systems (ATS) by Xpreso.
6.4 Legal disclosure
We may disclose data if required by law or to protect our rights, users, and platform security.
7) International transfers
Some vendors may process data outside the EEA (e.g., the United States). Where this happens, we rely on appropriate safeguards such as EU Standard Contractual Clauses and, where needed, supplementary measures.
8) Data retention
We keep personal data only as long as needed for the purposes described.
Retention approach:
- While your account is active, we retain data to provide the service.
- After inactivity or account closure, we may retain data for up to 48 months to:
  - enable reactivation and continued matching (if you return),
  - maintain security and prevent abuse,
  - improve the product and service quality (including analytics).
- We may retain some data longer if legally required or necessary for legal claims.
9) Your rights (GDPR)
You have the right to:
- access (Art. 15),
- rectification (Art. 16),
- erasure (Art. 17),
- restriction (Art. 18),
- portability (Art. 20),
- object (Art. 21) — especially to processing based on legitimate interests,
- withdraw consent at any time (Art. 7(3)).
To exercise rights: email privacy@xpreso.ai. We generally respond within one month.
Complaints
You can lodge a complaint with a supervisory authority. In Germany, this is typically the authority of your federal state (Bundesland), e.g. Berlin.
10) Profiling and automated decision-making
Xpreso may use automated methods to generate structured insights (e.g., matching suggestions, fit signals).
We do not make solely automated decisions that produce legal or similarly significant effects on you without appropriate safeguards. Where applicable, you can request human review and contest outcomes.
11) Security
We use appropriate technical and organizational measures to protect data (e.g., access controls, encryption in transit where applicable, logging, minimization). No system is perfectly secure, but we take security seriously.
12) Children
Xpreso is not intended for users under 16. If you are under 16, please do not use Xpreso.
13) Changes to this policy
We may update this policy to reflect product, legal, or operational changes. If changes are material, we will notify you via the platform or email.
14) Marketing: product updates and newsletters
We send product updates/newsletters only if you opt in via double opt-in during onboarding (or later). You can unsubscribe anytime via the link in the email or by contacting us at privacy@xpreso.ai.