Privacy Policy

Version 2.5.6 | Effective: 10 April 2026 | Last updated: 20 June 2026

This Privacy Policy explains what personal data Kidab collects, why we collect it, how long we keep it, who we share it with, and what rights you have over your data. We are committed to protecting your privacy and handling your data transparently and lawfully.

1. Who manages your data

The company responsible for your data is:

Organisation: Sentinel Mesh
Address: Erbil, Republic of Iraq
Platform: Kidab (kidab.io)
Privacy contact: Use the form at kidab.io/contact and select "Privacy & Data", "Delete My Account", or "Export My Data" as the issue type.

Kidab follows international privacy standards and applicable Iraqi data protection obligations. Where these standards apply to you, you have the rights described in section 8.

2. What Personal Data We Collect

Account data

When you create an account, we collect your email address, chosen username, display name, and account role (for example: job seeker, employer, or agency). We also record whether your email address has been verified and the date your account was created.

Profile data

If you choose to build a profile, we store what you provide: your headline, biography, location, work experience, education history, skills, languages spoken, portfolio link, and profile photo. All of this is optional beyond what you decide to share. Your visibility setting controls who can see your profile.

Job and application data

Employers who post jobs provide: job title, description, requirements, location, salary range, and work type. Job seekers who apply provide a cover letter. We record the status and stage of each application.

Employer evaluation notes

Employers may write private evaluation notes about candidates during the hiring process. We store this data in a field called employer notes (employer_notes). These notes are visible only to the employer who created them and are never displayed to the candidate under any circumstances.

About your right to see employer notes: If you submit a data access request, we will confirm that employer notes about you exist and tell you how long they are kept. However, under GDPR Article 15(4), we are not required to disclose their content. We will always tell you these records exist; we just cannot share what they say.

We process employer notes on the basis of legitimate interests in enabling employers to manage their recruitment process effectively.

Company data

Employers who create a company profile provide the company name, industry, size, location, description, website, and optionally a logo. This information is displayed on the public company page.

Device and connection information

When you use Kidab, we automatically collect technical information for security and operational purposes: your IP address, browser type, and the country your request comes from. We also record login events, account changes, and other significant actions in a security log.

We also use the country detected from your IP address to suggest a starting location for your job search. This happens only when generating the page: your country code is not stored, not logged, and not shared with anyone.

Early access request data

If you submitted your email address to request early access to Kidab, we collected your email address and your consent to contact you about your access. This data is held separately and used only for communications about your access request.

What we do not collect

  • We do not ask for or store sensitive personal details such as ethnicity, religion, political views, health conditions, or sexual orientation
  • We do not collect payment card details
  • We do not store your password — only a secure, irreversible transformation of it
  • We do not track you across other websites
  • We do not sell your data to third parties

3. Why We Use Your Data

| Purpose | Data used | Legal basis |
|---|---|---|
| Create and manage your account | Email address, username, and your sign-in credentials | Contract |
| Provide matching and job marketplace services | Profile, jobs, applications, company data | Contract |
| Send verification and transactional emails | Email address | Contract |
| Prevent fraud, abuse, and unauthorised access | IP address, browser type, security log | Legitimate interests |
| Enable employers to evaluate and manage candidates | Employer notes — employer-visible only | Legitimate interests |
| Communicate with early access requestors | Early access email address | Consent |
| Comply with legal obligations | Security logs | Legal obligation |
| Suggest a starting location for your job search | Your country detected from your IP address (used to generate the page only; not stored) | Legitimate interests |

4. How Long We Keep Your Data

| Data type | Retention period | Reason |
|---|---|---|
| Account, profile, and company records | While your account is active | Deleted when you delete your account |
| Active session tokens | 7 days | Deleted on logout or after 7 days of inactivity |
| One-time verification codes | 10 minutes | Deleted immediately after use or expiry |
| Activity and security audit log | 2 years | Deleted automatically after 2 years |
| Job listings | While the employer account is active | Removed from public search immediately on account deletion |
| Applications and cover letters | While the related job exists | Linked to the job posting lifecycle |
| Employer notes | While the employer account is active | Deleted when the employer closes their account |
| Early access request data | Until access is granted or opted out | Can be removed at any time by contacting us |

5. Who We Share Your Data With

Between users on the platform

When a job seeker applies for a job, their application and publicly visible profile information are shared with the employer who posted that job. The seeker's email address is not shown to employers.

Services we use to run the platform

We use a small number of third-party services to operate the platform. These providers are bound by data processing agreements and may only use your data to deliver services to Kidab.

  • Hosting and infrastructure: Our platform is hosted on edge infrastructure that operates globally.
  • Email delivery: We use Brevo to send account-related emails. Only your email address, display name, and the content of the specific email are shared.
  • Bot protection: We use a security verification service to distinguish real users from automated bots.
  • Analytics: We use privacy-preserving analytics that processes traffic data at the network edge without storing cookies or building user profiles.

Legal requirements

We may share your data with law enforcement or courts if required by a valid legal order.

What we never do

  • We do not sell your personal data to any third party
  • We do not share your data with advertisers
  • We do not use your data for purposes other than those stated in this policy
  • Employer notes are never shared with the candidate they concern

6. Cookies and Tracking

We use a minimal number of cookies, all of which are required for the platform to work or to keep your account secure.

| Cookie name | Purpose | Duration | Type |
|---|---|---|---|
| Session cookie (__Host-session) | Keeps you signed in to your account. HttpOnly, host-bound, Secure. | 7 days | Required |
| CSRF protection cookie (XSRF-TOKEN) | Protects your account from CSRF attacks. Domain-scoped, readable by the app. | 7 days | Required |
| Role cookie (kidab-role) | Stores your account role for client-side routing. Not used for access control. | 7 days | Required |
| Bot protection (__cf_bm) | Helps our security infrastructure provider (Cloudflare) distinguish real visitors from automated bots to protect this site. Set automatically on all page visits. Encrypted — only Cloudflare can read it. Does not track you across other websites. | 30 min | Required |
| Security clearance (cf_clearance) | Confirms your browser passed a Cloudflare security check, so you are not challenged again during your visit. Set and read by Cloudflare only. | 30 minutes (Cloudflare default) | Required |
| Language preference (lang) | Remembers your chosen display language for future visits. Stores only a short language code (en, ar, or ckb) — no personal information. | 1 year | Preference |
| Theme preference (kidab-theme) | Remembers your chosen display theme for future visits. Stores only a short value (light or dark) — no personal information. | 1 year | Preference |

7. How We Protect Your Data

  • All data is encrypted when stored and when transmitted
  • Your password is never stored — only a one-way transformation
  • Your sign-in session is authenticated using an HttpOnly, Secure cookie
  • Access to personal data is restricted to only what each function strictly requires
  • We maintain a security activity log to detect and respond to threats
  • We support passkey authentication as a phishing-resistant alternative to passwords

Where AI-assisted features are made available, you will be informed at the point of use that you are interacting with an AI system, in accordance with Article 50 of the EU AI Act.

8. Your Rights

You have rights over your personal data. To use any right, visit kidab.io/contact and select "Privacy & Data".

| Right | What it means | How to use it |
|---|---|---|
| See a copy of your data | Request a copy of the personal data we hold about you | Contact us |
| Download your data | Receive your data in a machine-readable format | Account → Export Data |
| Delete your account and data | Delete your account and associated personal data | Account → Delete Account |
| Correct your data | Correct inaccurate personal data | Edit your profile |
| Limit how we use your data | Restrict processing in certain circumstances | Contact us |
| Object to how we use your data | Object to processing based on legitimate interests | Contact us |
| Withdraw consent | Withdraw consent at any time | Contact us |

A note for EU and UK residents: Kidab has not yet appointed an official EU or UK representative. You can still contact us directly to exercise any of your rights in the meantime.

9. Children and Minimum Age

Kidab is not directed at children or minors. You must be at least 18 years old to create an account.

10. Changes to This Policy

We will notify registered users of material changes to this policy at least 30 days before they take effect.

11. Contact and Data Requests

To exercise any of your rights, use our contact form at kidab.io/contact and select "Privacy & Data" as the issue type.

This Privacy Policy is governed by the laws of the Republic of Iraq. For users in the European Union or the United Kingdom, applicable regional data protection law applies and takes precedence where relevant.