Privacy Policy
This Privacy Policy explains what personal data Kidab collects, why we collect it, how long we keep it, who we share it with, and what rights you have over your data. We are committed to protecting your privacy and handling your data transparently and lawfully.
1. Who manages your data
The company responsible for your data is:
| Organisation | Sentinel Mesh |
| Address | Erbil, Republic of Iraq |
| Platform | Kidab (kidab.io) |
| Privacy contact | Use the form at kidab.io/contact and select "Privacy & Data", "Delete My Account", or "Export My Data" as the issue type. |
Kidab follows international privacy standards and applicable Iraqi data protection obligations. Where these standards apply to you, you have the rights described in section 8.
2. What Personal Data We Collect
Account data
When you create an account, we collect your email address, chosen username, display name, and account role (for example: job seeker, employer, or agency). We also record whether your email address has been verified and the date your account was created.
Profile data
If you choose to build a profile, we store what you provide: your headline, biography, location, work experience, education history, skills, languages spoken, portfolio link, and profile photo. All of this is optional beyond what you decide to share. Your visibility setting controls who can see your profile.
Job and application data
Employers who post jobs provide: job title, description, requirements, location, salary range, and work type. Job seekers who apply provide a cover letter. We record the status and stage of each application.
Employer evaluation notes
Employers may write private evaluation notes about candidates during the hiring process. We store this data in a field called employer notes (employer_notes). These notes are visible only to the employer who created them and are never displayed to the candidate under any circumstances.
We process employer notes on the basis of legitimate interests in enabling employers to manage their recruitment process effectively.
Company data
Employers who create a company profile provide the company name, industry, size, location, description, website, and optionally a logo. This information is displayed on the public company page.
Device and connection information
When you use Kidab, we automatically collect technical information for security and operational purposes: your IP address, browser type, and the country your request comes from. We also record login events, account changes, and other significant actions in a security log.
We also use the country detected from your IP address to suggest a starting location for your job search. This happens only when generating the page: your country code is not stored, not logged, and not shared with anyone.
Early access request data
If you submitted your email address to request early access to Kidab, we collected your email address and your consent to contact you about your access. This data is held separately and used only for communications about your access request.
What we do not collect
- We do not ask for or store sensitive personal details such as ethnicity, religion, political views, health conditions, or sexual orientation
- We do not collect payment card details
- We do not store your password — only a secure, irreversible transformation of it
- We do not track you across other websites
- We do not sell your data to third parties
3. Why We Use Your Data
| Purpose | Data used | Legal basis |
|---|---|---|
| Create and manage your account | Email address, username, and your sign-in credentials | Contract |
| Provide matching and job marketplace services | Profile, jobs, applications, company data | Contract |
| Send verification and transactional emails | Email address | Contract |
| Prevent fraud, abuse, and unauthorised access | IP address, browser type, security log | Legitimate interests |
| Enable employers to evaluate and manage candidates | Employer notes — employer-visible only | Legitimate interests |
| Communicate with early access requestors | Early access email address | Consent |
| Comply with legal obligations | Security logs | Legal obligation |
| Suggest a starting location for your job search | Your country detected from your IP address (used to generate the page only; not stored) | Legitimate interests |
4. How Long We Keep Your Data
| Data type | Retention period | Reason |
|---|---|---|
| Account, profile, and company records | While your account is active | Deleted when you delete your account |
| Active session tokens | 7 days | Deleted on logout or after 7 days of inactivity |
| One-time verification codes | 10 minutes | Deleted immediately after use or expiry |
| Activity and security audit log | 2 years | Deleted automatically after 2 years |
| Job listings | While the employer account is active | Removed from public search immediately on account deletion |
| Applications and cover letters | While the related job exists | Linked to the job posting lifecycle |
| Employer notes | While the employer account is active | Deleted when the employer closes their account |
| Early access request data | Until access is granted or opted out | Can be removed at any time by contacting us |
5. Who We Share Your Data With
Between users on the platform
When a job seeker applies for a job, their application and publicly visible profile information are shared with the employer who posted that job. The seeker's email address is not shown to employers.
Services we use to run the platform
We use a small number of third-party services to operate the platform. These providers are bound by data processing agreements and may only use your data to deliver services to Kidab.
- Hosting and infrastructure: Our platform is hosted on edge infrastructure that operates globally.
- Email delivery: We use Brevo to send account-related emails. Only your email address, display name, and the content of the specific email are shared.
- Bot protection: We use a security verification service to distinguish real users from automated bots.
- Analytics: We use privacy-preserving analytics that processes traffic data at the network edge without storing cookies or building user profiles.
Legal requirements
We may share your data with law enforcement or courts if required by a valid legal order.
What we never do
- We do not sell your personal data to any third party
- We do not share your data with advertisers
- We do not use your data for purposes other than those stated in this policy
- Employer notes are never shared with the candidate they concern
6. Cookies and Tracking
We use a minimal number of cookies, all of which are required for the platform to work or to keep your account secure.
| Cookie name | Purpose | Duration | Type |
|---|---|---|---|
| Session cookie (__Host-session) | Keeps you signed in to your account. HttpOnly, host-bound, Secure. | 7 days | Required |
| CSRF protection cookie (XSRF-TOKEN) | Protects your account from CSRF attacks. Domain-scoped, readable by the app. | 7 days | Required |
| Role cookie (kidab-role) | Stores your account role for client-side routing. Not used for access control. | 7 days | Required |
| Bot protection (__cf_bm) | Helps our security infrastructure provider (Cloudflare) distinguish real visitors from automated bots to protect this site. Set automatically on all page visits. Encrypted — only Cloudflare can read it. Does not track you across other websites. | 30 min | Required |
| Security clearance (cf_clearance) | Confirms your browser passed a Cloudflare security check, so you are not challenged again during your visit. Set and read by Cloudflare only. | 30 minutes (Cloudflare default) | Required |
| Language preference (lang) | Remembers your chosen display language for future visits. Stores only a short language code (en, ar, or ckb) — no personal information. | 1 year | Preference |
| Theme preference (kidab-theme) | Remembers your chosen display theme for future visits. Stores only a short value (light or dark) — no personal information. | 1 year | Preference |
7. How We Protect Your Data
- All data is encrypted when stored and when transmitted
- Your password is never stored — only a one-way transformation
- Your sign-in session is authenticated using an HttpOnly, Secure cookie
- Access to personal data is restricted to only what each function strictly requires
- We maintain a security activity log to detect and respond to threats
- We support passkey authentication as a phishing-resistant alternative to passwords
Where AI-assisted features are made available, you will be informed at the point of use that you are interacting with an AI system, in accordance with Article 50 of the EU AI Act.
8. Your Rights
You have rights over your personal data. To use any right, visit kidab.io/contact and select "Privacy & Data".
| Right | What it means | How to use it |
|---|---|---|
| See a copy of your data | Request a copy of the personal data we hold about you | Contact us |
| Download your data | Receive your data in a machine-readable format | Account → Export Data |
| Delete your account and data | Delete your account and associated personal data | Account → Delete Account |
| Correct your data | Correct inaccurate personal data | Edit your profile |
| Limit how we use your data | Restrict processing in certain circumstances | Contact us |
| Object to how we use your data | Object to processing based on legitimate interests | Contact us |
| Withdraw consent | Withdraw consent at any time | Contact us |
9. Children and Minimum Age
Kidab is not directed at children or minors. You must be at least 18 years old to create an account.
10. Changes to This Policy
We will notify registered users of material changes to this policy at least 30 days before they take effect.
11. Contact and Data Requests
To exercise any of your rights, use our contact form at kidab.io/contact and select "Privacy & Data" as the issue type.
This Privacy Policy is governed by the laws of the Republic of Iraq. For users in the European Union or the United Kingdom, applicable regional data protection law applies and takes precedence where relevant.