Using Obvelum (referred to as "Platform", "we", "us") involves the processing of your personal data. We are committed to a privacy-first approach (our core principle of processing only what is strictly necessary and giving you granular control over your data): facilitating connections between companies and job seekers to close matches efficiently and without spam.
Data Controller
Obvelum acts as data controller for all core platform functionality, including user profiling, matching, communication facilitation, and session coordination. Where third-party services are used (e.g., Daily.co), those providers act as independent processors or controllers as applicable.
The Data Controller is Obvelum, operating from Zürich, Switzerland. Until our formal incorporation as a Swiss GmbH, you can contact us at [email protected]. We process personal data in accordance with the GDPR and, where applicable, the Swiss Federal Act on Data Protection (FADP).
We have not appointed a Data Protection Officer as we are not legally required to do so at this time.
Privacy at a Glance
Obvelum connects job seekers with companies to help find the right opportunities.
We collect information like your email, skills, and job preferences to make matching possible.
This data helps us suggest relevant jobs to you and help companies discover candidates.
You are in control: you can view, edit, delete, or export your data and manage your cookie and marketing preferences.
We protect your information with strong encryption, secure servers, and trusted providers, following GDPR and Swiss data laws.
Legal Basis for Processing
We process personal data on the following legal bases:
Performance of Contract: To provide the Service (matching, application management).
Consent: For optional cookies and specific marketing features.
Legitimate Interest: Our legitimate interests include ensuring platform security, preventing fraud, and improving the Service. We have assessed that these interests do not override your fundamental rights and freedoms, as they are essential to providing a safe and functional platform for all users.
Profiling & Automated Matching:
We use automated profiling to suggest suitable job matches based on:
Skills and certifications you've added to your profile
Anonymized industry tags generated from your work history
Education history and qualifications
Languages you speak
Country and location preferences
This profiling helps us show you relevant job opportunities and helps companies discover suitable candidates. These are assistive recommendations only — you remain in full control of which opportunities to pursue, and no legally significant decisions are made solely by automated means.
This processing is necessary for the performance of the contract (providing the matching Service).
Candidate Profile Visibility and Identity Disclosure
Obvelum is built on a privacy-first matching model. During the discovery and matching phase, companies receive only pseudonymised professional information — such as skills, experience level, languages, and location preferences. Obvelum does not share direct identifiers (such as name, email address, or photograph) at this stage.
Obvelum does not transmit personal identifiers to the other party when a direct interaction begins. When you join a scheduled call or start a message exchange, Obvelum provides the communication channel only. Any personal information you share during that interaction — your name, contact details, or anything else — is disclosed by you, at your own discretion. When and how direct interaction becomes possible depends on your availability mode:
• Open to work: Obvelum schedules a video conference and sends separate invitations to you and the company. No identifying information is exchanged in advance. You become identifiable to the other party only when you voluntarily join the call. This applies to all job types, including market research sessions.
• Open to chat (networking): when you are open to networking, direct text messaging may be enabled between you and a company without a prior video call. Any information you choose to share in that exchange is shared directly by you.
In both cases the disclosure is initiated by your own action, not by Obvelum proactively sharing your data.
Obvelum acts as a facilitator of discovery and connection and does not control or monitor the content of communications between users once direct interaction has begun.
Categories of Personal Data
We may process the following categories of personal data:
Account Data (Email address, profile settings)
Voluntarily Provided Professional Data (CVs, work history, job preferences)
Company Data (Business name, address, history, logos, job postings) used to verify legitimacy and facilitate hiring.
Technical Data (IP address, device info, server access logs — which may include authenticated session identifiers for security monitoring and incident investigation purposes)
Usage Data (Matching results, AI-generated features)
We do not knowingly process personal data of children under 16 years of age.
Mandatory and Optional Data
To use Obvelum, certain data is required, while other data is optional:
Required Data
Email address (for account creation and authentication)
Basic profile information (location) when activating your profile
Without this data, we cannot create or maintain your account or provide the core matching Service.
Optional Data
Skills, certifications
Work history
CV uploads and AI-assisted profile generation
Open to work status
Providing more detailed information improves matching accuracy but is entirely your choice.
Data Retention
Personal data is retained only for as long as necessary to provide the Service.
Retention Periods:
• User Profile & Account Data: Retained for the duration of your account. Deleted or anonymized immediately upon account deletion.
• Analytics Data (GA4): User-level and event-level data associated with cookies is retained for 14 months (standard Google Analytics retention period).
• Backups: Encrypted backups are retained for up to 90 days for resilience and disaster recovery.
• Server & Access Logs: Retained for up to 14 days for security monitoring and incident investigation.
• Legal Requirements: Records required by law (e.g., tax, fraud prevention) may be retained for statutory periods.
Your Rights under GDPR
We operate in strict compliance with the General Data Protection Regulation (GDPR). As a user, you have the following fundamental rights:
Right of Access: You can view the data we hold about you in your profile and request a full copy anytime in your dashboard by clicking on the top-right menu and then clicking "Export my data".
Right to Erasure ('Right to be Forgotten'): You can delete your account and all associated data at any time via Profile settings.
Right to Rectification: You can request correction of inaccurate or incomplete personal data.
Right to Restriction of Processing: You can request limitation of processing under certain circumstances.
Right to Object: You may object to processing based on legitimate interest at any time.
Data Portability: You can request a machine-readable export (JSON format) of your data.
Right to Withdraw Consent: Where we process your data based on consent (e.g., marketing cookies, optional features), you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. You can withdraw consent via Cookie Settings or by contacting us.
Right to Lodge a Complaint: You have the right to lodge a complaint with a competent supervisory authority if you feel your personal data has been processed unlawfully. You may in particular contact your local data protection authority in the EU/EEA or the Swiss Federal Data Protection and Information Commissioner (FDPIC).
Data Security & Encryption
Security is a high priority for us. We implement appropriate technical and organizational measures, including encryption at rest, TLS 1.3 encryption in transit, and Application-Layer Encryption (sensitive data like emails and messages are encrypted using AES-GCM 256-bit before storage). We minimize data exposure by using internal identifiers (Pseudonymization) protected by strict Role-Based Access Control (RBAC) and continuous monitoring.
International Data Transfers
We process your data within the European Union. When you access the Platform from outside the EEA, the data is displayed to you wherever you are located. This is a functional display of data you request, not a controller-initiated transfer. Our primary infrastructure and data processing remain within the EU.
Regarding our vendors: we primarily use providers within the EU. If we engage a third-party processor outside the EEA in the future, we will ensure GDPR compliance via mechanisms like Standard Contractual Clauses issued by the European Commission.
Data Processing & Subprocessors
Independent Controllers
Company Accounts and Uploaded Content
When companies create accounts and upload content (such as job postings, logos, descriptions, or contact details), they may include personal data relating to their employees or representatives. In this context, companies act as independent data controllers for such personal data, and Obvelum acts as a data processor, processing this data solely on the company's documented instructions and pursuant to a data processing agreement (where applicable) for the purpose of providing the Platform. This processor relationship applies only to personal data included in company-uploaded content (job postings, company descriptions, employee contact details), not to user profile data.
Companies are responsible for ensuring they have the legal right to upload and publish any personal data included in their content.
Data Processors
We use trusted third-party providers to host our infrastructure and provide essential services. These providers act as data processors under GDPR and process data only on our instructions. Our current subprocessors include Microsoft Azure (hosting/AI) and Google Ireland Ltd. (analytics/marketing).
Azure OpenAISwitzerland North / Sweden Central
We use Azure OpenAI Service for AI feature extraction. We opted for deployments in Switzerland (recognized as adequate by the EU) and Sweden to ensure strict adherence to EU privacy standards. Prompts and completions sent to Azure OpenAI are not used to train or improve Microsoft's or OpenAI's foundation models and are processed under Microsoft's data protection terms.
Third-Party Organisations and Data Responsibility
Obvelum connects candidates with three categories of organisations: direct employers, recruitment agencies, and paid research platforms. In all cases Obvelum's role is limited to facilitating discovery, matching, and initial connection. We do not act on behalf of any organisation and we do not determine how each organisation processes data collected during or after an interaction.
• From the moment you engage directly with an organisation — whether joining a scheduled call, exchanging messages, or participating in a session — that organisation acts as an independent data controller for any data it processes in connection with that interaction.
• Obvelum does not access or review the content of user communications or session content in the ordinary operation of the service. Communications are stored in encrypted form and are only accessed in strictly limited, documented circumstances: legal obligation, security or abuse prevention, or user-requested support.
• Live calls and sessions are facilitated via third-party infrastructure providers (such as Daily.co) and are not recorded or processed by Obvelum in any form unless explicitly stated.
• You may withdraw from any confirmed booking at any time before the interaction begins by cancelling through the platform. Once you have joined and chosen to disclose personal information, that disclosure is governed by the organisation's own privacy policy and applicable law.
We recommend reviewing the privacy policy of each organisation before disclosing personal information.
Additional considerations for research platforms
Paid research platforms may collect data beyond what a standard employer interaction involves — including session recordings, survey responses, and behavioural data. Obvelum does not determine the scope, purpose, or means of that data collection. All such data is processed under the Research Platform's own privacy policy, not Obvelum's.
Recipients and Categories of Recipients
We share personal data only when necessary with the following categories of recipients:
Cloud Infrastructure Providers: For hosting and data storage (Azure, EU region)
Email Service Providers: Mailgun for transactional emails (registration, notifications)
AI Services: Azure OpenAI (Switzerland/Sweden deployments) for profile extraction and matching
Marketing & Analytics Partners: Google AdSense (Marketing) and Google Analytics 4 (Analytics).
Legal & Regulatory Authorities: When required by law or to protect our rights
All third-party processors are bound by data processing agreements and process data only on our instructions.
Cookie Policy
We use cookies to ensure the proper functioning of the Platform. To support our service and understand how users find us, we use Google Analytics 4 (GA4) and Google AdSense.
Privacy-First Measurement: We use Google Consent Mode v2. By default, all tracking is disabled. However, to help us measure the success of our social media outreach, GA4 sends anonymous \"cookieless pings\" that allow us to count page views without tracking your identity or setting cookies. Full tracking and personalized advertising are only activated when you explicitly consent via the Google AdSense privacy banner.
Strictly Necessary: Required for authentication, security, and session management. These cannot be disabled.
Functional: Used to remember your app preferences (e.g. theme). These are optional but enhance your experience.
Google Analytics & AdSense
We use Google AdSense and Analytics. Google acts as an independent data controller for advertising purposes. We rely on Google's Consent Management tools to handle your privacy preferences regarding tracking and personalized ads. You can modify these choices at any time via the Ad Privacy settings. For more information, please visit Google's Privacy & Terms.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will revise the Effective Date at the top of this page. Continued use of the Platform after changes become effective constitutes your acknowledgment of the updated Privacy Policy. Where required by law (e.g., for material changes affecting your rights or processing purposes), we may seek your explicit consent before the changes take effect.
This is the original English version, produced with the assistance of AI tools. The English version remains the legally binding text.