Privacy Policy

Effective Date: March 22, 2026

1. Introduction

Welcome to Tlntly. We are committed to protecting your privacy and ensuring compliance with applicable data protection and artificial intelligence regulations. This Privacy Policy explains how we collect, use, and safeguard your information in accordance with the General Data Protection Regulation (GDPR) and the EU Artificial Intelligence Act (Regulation (EU) 2024/1689).

Tlntly is an AI-powered recruitment platform that uses artificial intelligence to parse, structure, score, and tailor candidate profiles against job vacancies. Under the EU AI Act, our candidate-vacancy scoring system is classified as a high-risk AI system (Annex III, Category 4: Employment, Workers Management and Access to Self-Employment). We take this classification seriously and have implemented measures to ensure transparency, fairness, and human oversight.

For any privacy-related questions, please contact:

2. Data Controller & Processor Roles

Tlntly (operated by Future Visuals) acts as a data processor on behalf of its users (recruitment agencies, recruiters, and employers), who are the data controllers for the candidate data they upload to the platform. For account and billing data of our direct users, Tlntly acts as the data controller.

Under the EU AI Act, Tlntly is the provider of the high-risk AI system, and our users (recruiters/agencies) are deployers. Both parties have distinct obligations, detailed in this policy and our Terms of Service.

3. What We Collect

  • Account Information: Collected via OAuth (Google/LinkedIn), including name and email.

  • Uploaded Content: CVs, vacancies, and candidate data uploaded by users.

  • Billing Information: Collected through Stripe (e.g., company name, VAT ID, address).

  • AI Processing Data: Per-operation AI usage data, including tokens consumed, model used, task type, duration, and AI-generated outputs (scores, rationales, tailored content). This data is retained for a minimum of six months as required by the EU AI Act.

  • AI Preferences: Custom AI instructions you configure (e.g., matching criteria, tailoring preferences, scoring priorities) are stored in your profile to personalize AI outputs.

  • System Logs: Automatically generated logs of AI system operations, including input data references, output data, timestamps, and processing metadata. These logs support traceability, incident investigation, and regulatory compliance.

  • Analytics & Tracking: Non-identifiable usage data via Plausible Analytics (no cookies), including UTM parameters and referral codes used during registration.

  • Email Interactions: Sent via Resend for transactional and promotional emails. Promotional emails are sent only with explicit opt-in consent.

4. Purpose of Processing

We process your data to:

  • Deliver core functionality (e.g., CV and vacancy parsing, candidate-vacancy matching and scoring, translation, motivation letter generation, anonymization, and editing)

  • Enforce plan-based usage limits (e.g., token budgets, candidate and vacancy caps, export quotas)

  • Personalize AI behavior based on your saved instructions and preferences

  • Maintain system logs for traceability, incident investigation, and regulatory compliance

  • Improve the service

  • Handle payments and billing

  • Send transactional and opt-in promotional emails

  • Understand platform usage (non-identifiably)

5. AI Processing & High-Risk AI System

5.1 High-Risk Classification

Tlntly's candidate-vacancy scoring and matching system is classified as a high-risk AI system under the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), Annex III, Category 4(a): “AI systems intended to be used for the recruitment or selection of natural persons, in particular to analyse and filter job applications, and to evaluate candidates.”

This classification applies because our system profiles natural persons (candidates) by evaluating their skills, experience, and qualifications against job vacancy requirements, producing a numerical compatibility score (0–100) that influences recruitment decisions.

5.2 What the AI System Does

Tlntly uses the Google Gemini API to perform the following AI operations:

  • CV/Resume Parsing: Extracts structured data (experiences, education, skills, languages, certifications) from uploaded PDF documents. The AI performs strict 1:1 extraction without fabricating content.

  • Vacancy Parsing: Extracts structured requirements, responsibilities, and criteria from job descriptions.

  • Candidate-Vacancy Scoring: Evaluates candidate profiles against vacancy requirements, producing a score from 0 to 100. The scoring considers: skill-by-skill evaluation with duration analysis, experience depth, seniority matching, work type and location compatibility, and educational fit. Each score includes a written rationale with specific matches, mismatches, and interview preparation tips.

  • Resume Tailoring: Creates vacancy-specific resume variants by reordering skills, adjusting descriptions to emphasize relevant experience, and rewriting summary sections. Preserves at least 80% of original phrasing and does not embellish or fabricate.

  • Motivation Letter Generation: Generates cover letters tailored to candidate profiles and specific vacancies, using only factually supported claims.

  • Resume Translation: Translates resume content between supported languages while maintaining professional tone.

  • Candidate Anonymization: Removes identifying information (names, contact details, specific locations) while preserving qualifications and experience.

5.3 Data Inputs & Scoring Methodology

The candidate-vacancy scoring system evaluates the following data inputs:

  • Candidate skills (technical and professional), with per-technology duration counted only from roles where actively used

  • Work experience (roles, responsibilities, duration, and demonstrated competencies)

  • Educational background and certifications

  • Language proficiency levels

  • Vacancy requirements (required skills, experience level, location, work type, contract type)

  • User-defined scoring criteria and custom matching instructions (if configured)

The system does not use the following as scoring factors: age, gender, ethnicity, nationality, religion, sexual orientation, disability status, marital status, political opinions, trade union membership, or any other protected characteristic. The system is designed to evaluate professional qualifications and experience only.

5.4 Known Limitations & Risks

As with any AI system, our scoring and matching system has limitations:

  • AI-generated scores are recommendations, not decisions. Scores should never be used as the sole basis for hiring, rejection, or any employment decision. Human review is always required.

  • Potential for bias: The underlying AI model (Google Gemini) may reflect biases present in its training data. While we apply assessment principles to mitigate bias (e.g., evidence-based evaluation, no embellishment, similar-tool matching), we cannot guarantee the complete absence of bias.

  • Accuracy limitations: Scores depend on the quality and completeness of both the uploaded CV and vacancy description. Incomplete or poorly formatted documents may lead to inaccurate assessments.

  • Context limitations: The AI system cannot assess soft skills, cultural fit, motivation, or other qualitative factors that are important in recruitment decisions.

5.5 Training Data

Tlntly does not train its own AI models. We use the Google Gemini API as a third-party foundation model. Because we are a paid API customer, user data is not used to train Google's models. Tlntly provides structured prompts and assessment principles that guide the model's behavior within each operation.

6. Automated Decision-Making (GDPR Article 22)

Tlntly employs automated processing that produces candidate-vacancy compatibility scores. Under GDPR Article 22, data subjects have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect them.

6.1 Nature of Automated Processing

Our AI system generates numerical scores (0–100) and written rationales that evaluate how well a candidate's profile matches a job vacancy. This constitutes profiling as defined under GDPR Article 4(4), as it involves automated processing of personal data to evaluate aspects relating to a natural person's professional performance and reliability.

6.2 Safeguards

The following safeguards are in place to protect the rights of data subjects (candidates):

  • Human oversight required: AI scores are presented as recommendations only. Our Terms of Service require deployers (recruiters/agencies) to maintain meaningful human oversight and to never use AI scores as the sole basis for employment decisions.

  • Transparency: Every score is accompanied by a detailed rationale explaining specific matches, mismatches, and areas for further evaluation.

  • Right to explanation: Candidates may request an explanation of how their data was processed and how any score or recommendation was derived. Requests should be directed to the recruiting organization that uploaded the candidate's data, which may contact Tlntly for technical details.

  • Right to contest: Candidates have the right to contest any automated assessment and to request human review of any decision influenced by AI-generated scores.

  • Right to express their point of view: Candidates may express their views about any automated assessment to the recruiting organization.

7. Human Oversight & Risk Management

7.1 Human Oversight Measures

In accordance with Article 14 of the EU AI Act, Tlntly implements the following human oversight measures:

  • AI-generated scores and recommendations are always presented alongside detailed rationales, enabling informed human review

  • The platform displays visible disclaimers on all AI-generated scores indicating they are recommendations requiring human review

  • Users (deployers) retain full control over all recruitment decisions and can override, disregard, or adjust any AI-generated output

  • No automated actions are taken based on scores — all candidate interactions require explicit human initiation

7.2 Risk Management

In accordance with Article 9 of the EU AI Act, Tlntly maintains a risk management system that includes:

  • Identification and analysis of foreseeable risks to health, safety, and fundamental rights

  • Assessment principles that enforce evidence-based evaluation, prohibit embellishment or fabrication, and require specific gap identification

  • Monitoring of AI system outputs for quality, accuracy, and potential discriminatory patterns

  • Content safety checks on all uploaded materials before AI processing

  • Incident reporting and response procedures for AI system malfunctions or harmful outputs

Detailed risk management documentation is available upon request for regulatory authorities and deployers conducting their own compliance assessments.

8. User Responsibility & Deployer Obligations

As a user of Tlntly, you act as a deployer of a high-risk AI system under the EU AI Act and as a data controller under the GDPR for the candidate data you upload. You are responsible for:

  • Lawful basis: Obtaining a valid legal basis (e.g., legitimate interest, consent) from data subjects (candidates) before uploading their CVs or personal data to Tlntly

  • Candidate notification: Informing candidates that their data will be processed by an AI system for recruitment purposes, including that an AI-generated compatibility score may be produced

  • Human oversight: Ensuring that AI-generated scores and recommendations are reviewed by a competent human before any employment decision is made

  • Non-discrimination: Ensuring that AI scores are not used in a manner that discriminates against candidates on the basis of protected characteristics

  • DPIA: Conducting a Data Protection Impact Assessment (GDPR Article 35) where required, using the information provided in this policy and our Instructions for Use documentation

  • Incident reporting: Promptly notifying Tlntly of any suspected malfunction, discriminatory output, or incident related to the AI system

  • Candidate rights: Facilitating candidate requests for explanation, contestation, or human review of AI-generated assessments

Tlntly provides Instructions for Use documentation to support deployers in fulfilling their obligations. This documentation is available upon request and within the platform.

9. Rights of Candidates (Data Subjects)

If you are a job candidate whose data has been uploaded to Tlntly by a recruiting organization, you have the following rights:

  • Right to be informed: You must be informed by the recruiting organization that your data is being processed by an AI system. This includes being told that an AI-generated score may be produced.

  • Right to explanation: You may request a meaningful explanation of how the AI system assessed your profile, including what data was used and how the score was derived.

  • Right to contest: You may contest any decision influenced by AI-generated scores and request that a qualified human review the assessment.

  • Right to express your view: You may express your point of view regarding any automated assessment to the recruiting organization.

  • Right to access: You may request access to the personal data held about you.

  • Right to rectification: You may request correction of inaccurate data.

  • Right to erasure: You may request deletion of your data.

  • Right to object: You may object to the processing of your data.

To exercise these rights, please contact the recruiting organization that uploaded your data. The recruiting organization (data controller) is responsible for facilitating your requests. If you are unable to reach the recruiting organization, you may contact Tlntly directly and we will use reasonable efforts to assist:

10. Data Storage & Security

  • Storage Locations: AWS S3 (eu-west-1), Neon PostgreSQL (Frankfurt), Vercel (EU).

  • Security Measures: Data is transmitted over HTTPS and stored using secure, encrypted services. Access controls are enforced at the application and infrastructure level.

  • AI System Security: In accordance with Article 15 of the EU AI Act, our AI system is designed to be resilient against errors and inconsistencies. Input validation and content safety checks are performed before AI processing.

11. Data Retention & Deletion

  • Uploaded content is retained until manually deleted by the user.

  • AI system logs (including processing records, scores, and rationales) are retained for a minimum of six months as required by Article 26(6) of the EU AI Act, unless a longer retention period is required by applicable law.

  • Account deletion must be requested via email.

  • Deletion is permanent from our systems and cannot be reversed. However, you may request confirmation of deletion or logs associated with your request.

12. Third-Party Services and Subprocessors

We use the following subprocessors to help deliver our services:

  • Google (Gemini API) – AI-powered CV parsing, scoring, matching, tailoring, translation, and content generation

  • Stripe – Payment processing

  • Plausible Analytics – Privacy-focused analytics (no personal data collected)

  • Resend – Transactional and promotional emails (may include anonymized open and click tracking)

  • Trigger.dev – Background task processing and orchestration

  • Vercel – Application hosting and serverless infrastructure (EU region)

  • Neon – PostgreSQL database hosting (Frankfurt, EU)

  • AWS S3 – File storage (eu-west-1)

All subprocessors are contractually bound to GDPR-compliant data protection obligations under Article 28. We do not sell or share personal data for marketing purposes. A current list of subprocessors is maintained and available upon request.

13. Legal Basis for Processing

We process data based on the following legal grounds:

  • Account creation and billing: Contractual necessity (GDPR Article 6(1)(b))

  • CV parsing, scoring, matching, tailoring, and all AI operations: Contractual necessity (GDPR Article 6(1)(b)) — these operations are core to the service our subscribers pay for and are necessary to fulfill our contractual obligations

  • System logging and compliance records: Legal obligation (GDPR Article 6(1)(c)) — required by the EU AI Act for high-risk AI systems

  • Marketing emails: Consent (GDPR Article 6(1)(a)) — you may unsubscribe at any time

  • Analytics (Plausible): Legitimate interest (GDPR Article 6(1)(f)) — no personal data is collected

  • Service improvement and security: Legitimate interest (GDPR Article 6(1)(f))

For the processing of candidate data by deployers (recruiters/agencies), the deployer is responsible for establishing their own legal basis as data controller.

14. International Data Transfers

Some data may be processed outside the EEA, primarily through the Google Gemini API. We ensure that all providers apply appropriate safeguards for such transfers, including the use of Standard Contractual Clauses (SCCs) approved by the European Commission, and where applicable, supplementary technical and organizational measures to protect your data. All primary data storage (database, file storage, application hosting) is located within the EU.

15. Data Processing Agreement

The use of Tlntly is governed by our Data Processing Agreement (DPA) under GDPR Article 28. The DPA details the scope of processing, processor obligations, security measures, subprocessor management, breach notification procedures, data subject rights facilitation, and data deletion. The full DPA is available here.

16. Your Rights (GDPR)

As a data subject, you have the right to:

  • Access your personal data

  • Request rectification of inaccurate data

  • Request erasure of your data

  • Restrict processing of your data

  • Object to processing

  • Request data portability (where technically feasible)

  • Not be subject to decisions based solely on automated processing (see Section 6)

  • File a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority

To exercise your rights, please contact us. We will respond to valid requests within 30 days as required by the GDPR.

17. Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours where required under GDPR Article 33. Affected data subjects will be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

For AI system incidents (malfunctions, harmful outputs, or safety concerns), we will additionally follow the incident reporting procedures required under the EU AI Act.

18. Age Restrictions

Tlntly is not intended for users under the age of 16. If we become aware that a minor has registered, we will delete their data promptly.

19. Policy Updates

We may revise this Privacy Policy at any time. Substantial changes will be communicated by email or in-app notification at least 30 days before taking effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

Contact

For all privacy and AI compliance inquiries: