Privacy Policy

Jaicob B.V.

Version: 1.0 — May 2026

1. Who we are

Jaicob B.V. ("Jaicob", "we", "our", or "us") is a Dutch company that operates an AI-powered recruitment platform. Our platform helps employers automate and streamline their hiring process, from sourcing and screening candidates to scheduling interviews and sending messages.

This privacy policy explains what personal data we collect, why we collect it, how we use it, and what rights you have. We believe in being transparent and straightforward, so we have written this policy in plain language rather than legal jargon.

If anything is unclear, please contact us at support@jaicob.ai. We are happy to help.

2. Who this policy applies to

This policy applies to three groups of people. Depending on which group you belong to, our role and responsibilities differ.

It does not apply to candidates (job applicants)

If you are applying for a job through a company that uses our platform, that company, not Jaicob, decides why and how your personal data is used. In legal terms, the company is the "data controller" (the one calling the shots), and we are the "data processor" (the one carrying out the work on their behalf, under a data processing agreement as required by Article 28 GDPR).

This means that if you want to know more about why your data is being processed, or if you want to exercise your privacy rights regarding your application, you should contact the company you applied to. We are happy to assist them in responding to your request.

It does apply to clients and users (recruiters and employers)

If your company has signed up to use Jaicob, we collect and manage certain data about you and your account. For this data, we are the data controller, meaning we decide why and how it is processed. We need this information to run your account, provide the service, and stay in touch with you. This privacy policy applies to these personal data.

It does apply to website visitors

If you visit our website (jaicob.ai), we collect some technical data to keep the site running and improve it. For this data, we are also the data controller. This privacy policy also applies to these personal data.

3. What personal data we collect

Clients and users

When you sign up or use our platform, we collect:

  • Company name and contact person name
  • Email address and phone number
  • Billing information
  • Login credentials (username and encrypted password)
  • Account activity logs (login/logout times, features used)

Website visitors

When you visit jaicob.ai, we collect:

  • IP address
  • Browser information (type and version)
  • Visit data (pages viewed, traffic sources, user flows)
  • Date and time of your visit

Customer support

If you contact us for help, we collect:

  • Your name and email address
  • The content of your question or complaint
  • Any correspondence between you and our support team

4. Why we use your data

Clients and users

We use your data to:

  • Create and manage your account and give you access to the platform
  • Provide technical support
  • Monitor platform performance and fix errors
  • Prevent misuse or automated abuse
  • Record your acceptance of our terms of use
  • Send invoices and manage billing

Website visitors

We use website visitor data for technical analysis, to improve the website, and to optimise the user experience.

Platform improvement

We may use fully anonymised and aggregated data (data that can no longer be traced back to any individual) to improve our platform and optimise our AI models. Because this data is no longer personal data within the meaning of the GDPR (see Recital 26 GDPR), the GDPR does not apply to this use. Where we use pseudonymised data instead (data where direct identifiers have been replaced but re-identification remains possible), we rely on our legitimate interest as a legal basis (Article 6(1)(f) GDPR).

5. Our legal basis

The GDPR requires us to have a legal reason (a "legal basis") for every type of data processing. Here is what applies in each case:

Clients and users

  • Account management and support: we need your data to carry out our contract with you (Article 6(1)(b) GDPR).
  • Billing: we process billing data both to perform our contract (Article 6(1)(b) GDPR) and to meet our legal obligations under Dutch tax law (Article 6(1)(c) GDPR).

Website visitors

  • Website analysis: we rely on our legitimate interest in improving our website and services (Article 6(1)(f) GDPR).

6. How long we keep your personal data

We do not keep your personal data longer than necessary. The exact retention period depends on the type of data and why we collected it:

  • AI function log files: minimum 6 months — required by Article 12 of the AI Act (high-risk AI logging).
  • Client/user account data: up to 3 years after account termination — legal protection or evidentiary support in disputes.
  • Customer support correspondence: 1 year after last contact — quality assurance.
  • Financial records: 7 years after end of contract — Dutch fiscal retention obligation (Article 2:10 of the Dutch Civil Code).
  • Website visitor data: 30 days — technical analysis only.
  • Consent records: 3 years after withdrawal — to demonstrate GDPR compliance.

After the retention period expires, we delete or fully anonymise the data so that it can no longer be traced back to you.

7. Who we share your personal data with

We work with a small number of trusted service providers (known as "(sub-)processors") who help us run the platform. We have data processing agreements with each of them, as required by Article 28 GDPR, to make sure they handle your data with the same level of care that we do.

Hosting

Your data is stored on servers operated by Amazon Web Services (AWS) in Frankfurt, Germany. AWS is ISO 27001 certified, which means it meets a recognised international standard for information security. This infrastructure allows us to align with these requirements, supported by additional safeguards, such as the EU-U.S. Data Privacy Framework and Standard Contractual Clauses (SCCs), to ensure full compliance regarding international data transfers.

International transfers

Some of our service providers may be located outside the European Economic Area (EEA). When personal data is transferred outside the EEA, we make sure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Binding Corporate Rules (BCRs); or
  • An adequacy decision by the European Commission for the country in question.

We only work with service providers that offer sufficient guarantees for the protection of your personal data.

Third-party links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites. We recommend that you read their privacy policies before sharing any personal data with them.

8. Your rights

Under the GDPR, you have a number of rights when it comes to your personal data. Here is an overview:

  • Right of access (Article 15 GDPR): You can ask us for a copy of the personal data we hold about you.
  • Right to rectification (Article 16 GDPR): If your data is incorrect or incomplete, you can ask us to correct it.
  • Right to erasure (Article 17 GDPR): You can ask us to delete your personal data. We may decline if a legal retention obligation applies.
  • Right to restriction (Article 18 GDPR): You can ask us to temporarily stop processing your data, for example while we investigate a dispute about accuracy.
  • Right to data portability (Article 20 GDPR): You can ask us to provide your data in a structured, commonly used, machine-readable format (such as CSV or JSON), so you can transfer it to another service.
  • Right to object (Article 21 GDPR): You can object to processing based on our legitimate interest. We will then reassess whether our interest outweighs yours.

How to exercise your rights

Clients, users, and others: If your data is processed by Jaicob as data controller (for example, account data or website visit data), you can reach us at:

  • Email: support@jaicob.ai
  • Post: Burgemeester Stekelenburgplein 199, 5041 SC Tilburg, the Netherlands

Please describe your request as clearly as possible. We may ask you to provide a copy of your ID to verify your identity. You are welcome to black out your photo and citizen service number (BSN) on the copy. We will respond within one month. If your request is complex, we may extend this period by up to two months; we will let you know if that is the case (Article 12(3) GDPR).

Right to file a complaint

If you are not satisfied with how we handle your request, you have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). Their contact details are listed in Section 14 below.

9. AI and automated processing

Our platform uses artificial intelligence to help employers find the right candidates more efficiently. Here is what you should know about how it works and what safeguards are in place.

High-risk AI system

Our platform is classified as a high-risk AI system under the EU AI Act (Regulation (EU) 2024/1689), specifically under Article 6(2) read together with Annex III, point 4(a). This is because it is used for the recruitment and selection of natural persons, a context in which AI can have a significant impact on people's opportunities.

This classification means that we are subject to strict requirements regarding risk management, transparency, data quality, human oversight, and technical documentation.

No fully automated hiring decisions

Our platform does not make hiring or rejection decisions on its own. All match scores, screening results, and candidate rankings generated by the platform are intended as support tools for human recruiters, not as final decisions.

The company that uses our platform (you, the client) is required to ensure that a qualified person reviews and approves every decision before it affects a candidate. Fully automated hiring or rejection decisions, without meaningful human involvement, are not permitted (Article 22 GDPR; Article 14 AI Act).

Your right to an explanation

If your application was assessed using our AI features, you have the right to request an explanation of how those features worked in your case. Since the company that received your application is the data controller, please direct your request to them. We will provide them with the technical information they need to give you a meaningful answer.

AI Voice conversations

Our platform includes an AI Voice feature that can conduct screening calls with candidates by phone. If this feature is used, you will be clearly informed at the start of the call that you are speaking with an AI system and not a human being. This disclosure is required by the AI Act and is built into our platform.

You are never required to participate in an AI Voice call. If you prefer to speak with a human, please let the company that contacted you know.

Transparency about AI use

The client that uses our platform is required to inform candidates, before their data is processed, that their application will be assessed in whole or in part by AI systems. This obligation arises from both the GDPR (Article 13) and the AI Act (Article 13 of the Regulation).

10. How we keep your data safe

We take the security of your personal data seriously. We have implemented appropriate technical and organisational measures to protect your data against loss, misuse, unauthorised access, and other forms of unlawful processing, in accordance with the GDPR.

Standards we follow

  • ISO 27001:2022: the international standard for information security management.
  • Cyber Essentials: a baseline security certification.
  • Google CASA Tier 2: a security certification for cloud applications, ensuring high standards for data protection and vulnerability management.

What we do to protect your data

To protect the data itself, we encrypt all databases containing personal data, maintain duplicate databases and backups, and keep our IT infrastructure up to date with security patches and updates. We build security measures into all application systems, including proper access management, and physically secure our IT facilities and equipment against unauthorised access, damage, and interference.

To control who can access data, we follow access control procedures so that staff only have access to the systems and data they need for their work, use strong, unique passwords and password managers, and require all employees involved in data processing to maintain strict confidentiality.

On an organisational level, we maintain a written security policy describing how we protect data and ensure privacy, follow procedures for the development, maintenance, and destruction of data and information systems, and have a documented procedure for responding to data breaches. We log all user activity involving personal data, as well as other relevant events such as unauthorised access attempts and disruptions that could lead to data alteration or loss, and we regularly audit compliance with our security policies through spot checks.

Where personal data is processed by third parties, we require them to provide adequate security. We enter into data processing agreements with these parties and, where they are located outside the EEA, ensure that appropriate safeguards for international transfers are in place.

Data breaches

If a security breach occurs, we will notify the affected parties without delay and in any case within 72 hours. We will inform the affected client and, where required by the GDPR, the affected candidates and/or the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). We will take immediate steps to contain the breach and limit its impact. A full report will be prepared and shared with the affected parties.

11. Cookies

We keep our use of cookies to a minimum. We only use functional cookies that are strictly necessary for the website to work properly, such as:

  • Authentication cookies (to keep you logged in)
  • Session management cookies (to remember your settings)
  • Security cookies (to prevent misuse)

These cookies are essential for the basic functioning of our website and do not require your consent under the Dutch Telecommunications Act (Article 11.7a). Please note that some functional cookies may process limited personal data (such as your IP address). Where this is the case, we rely on our legitimate interest as the legal basis.

We do not use tracking cookies, marketing cookies, or third-party analytics cookies.

12. Children

Our platform is intended for use by companies (clients) and adults (candidates and users). We do not knowingly collect personal data from children under the age of 16. If we discover that we have inadvertently processed a child's data, we will delete it immediately.

13. Changes to this policy

We may update this privacy policy from time to time, for example when we add new features, when the law changes, or when we improve our data practices.

If we make changes, we will let you know by email or through a notification on the platform. We recommend checking this policy periodically to stay informed.

If we make significant changes that you do not agree with, you have the right to terminate your agreement with us.

14. Contact and complaints

Contact us

If you have any questions about this privacy policy, or if you want to exercise any of your rights, please get in touch:

  • Jaicob B.V.
  • Burgemeester Stekelenburgplein 199, 5041 SC Tilburg, the Netherlands
  • Email: support@jaicob.ai
  • Chamber of Commerce (KvK): 92883761

File a complaint

If you believe that we have not handled your personal data properly, you have the right to file a complaint with the Dutch Data Protection Authority:

15. Suppliers and business contacts

If you are a supplier or business partner providing goods or services to Jaicob, we collect and use your business contact details solely for the purpose of our working relationship. The legal basis for this processing is the performance of our contract with you (Article 6(1)(b) GDPR). We retain this data for as long as necessary for the contract, and for up to 7 years afterwards to meet our fiscal retention obligations.