Privacy Policy
This Privacy Policy explains what personal data Kidab collects, why we collect it, how long we keep it, who we share it with, and what rights you have over your data. We are committed to protecting your privacy and handling your data transparently and lawfully.
1. Who manages your data
The company responsible for your data is:
| Legal entity | Sentinel Mesh |
| Address | Erbil, Republic of Iraq |
| Platform | Kidab (kidab.io) |
| Privacy contact | Use the form at kidab.io/contact with subject "Privacy" |
Kidab follows international privacy standards and applicable Iraqi data protection obligations. Where these standards apply to you, you have the rights described in section 8.
2. What Personal Data We Collect
Account data
When you create an account, we collect your email address, chosen username, display name, and account role (for example: job seeker, employer, or agency). We also record whether your email address has been verified and the date your account was created.
Profile data
If you choose to build a profile, we store what you provide: your headline, biography, location, work experience, education history, skills, languages spoken, portfolio link, and profile photo. All of this is optional beyond what you decide to share. Your visibility setting controls who can see your profile.
Job and application data
Employers who post jobs provide: job title, description, requirements, location, salary range, and work type. Job seekers who apply provide a cover letter. We record the status and stage of each application.
Employer evaluation notes
Employers may write private evaluation notes about candidates during the hiring process. We store this data in a field called employer notes (employer_notes). These notes are visible only to the employer who created them and are never displayed to the candidate under any circumstances.
We process employer notes on the basis of legitimate interests in enabling employers to manage their recruitment process effectively.
Company data
Employers who create a company profile provide the company name, industry, size, location, description, website, and optionally a logo. This information is displayed on the public company page.
Device and connection information
When you use Kidab, we automatically collect certain technical information for security and operational purposes: your IP address, browser type, and the country your request comes from. We also record login events, account changes, and other significant actions in a security log. This helps us detect and prevent fraud and unauthorised access.
Early access request data
If you submitted your email address to request early access to Kidab, we collected your email address and your consent to contact you about your access. This data is held separately and used only for communications about your access request.
What we do not collect
- We do not ask for or store sensitive personal details such as ethnicity, religion, political views, health conditions, or sexual orientation
- We do not collect payment card details — payments are handled entirely by our payment processor
- We do not store your password — only a secure, irreversible transformation of it
- We do not track you across other websites
- We do not sell your data to third parties
3. Why We Use Your Data
| Purpose | Data used | Legal basis |
|---|---|---|
| Create and manage your account | Email address, username, and your sign-in credentials | Contract — to deliver the service you signed up for |
| Provide matching and job marketplace services | Profile, jobs, applications, company data | Contract — to deliver the service you signed up for |
| Send verification and transactional emails | Email address | Contract — to deliver the service you signed up for |
| Prevent fraud, abuse, and unauthorised access | IP address, browser type, security log | Legitimate interests — keeping the platform safe and operational for all users |
| Enable employers to evaluate and manage candidates | Employer notes (employer_notes) — employer-visible only, never shared with candidates | Legitimate interests — enabling employers to conduct their recruitment process |
| Communicate with early access requestors about their access | Early access email address | Consent — you gave us permission |
| Comply with legal obligations | Security logs (limited retention) | Legal obligation — required by applicable law |
4. How Long We Keep Your Data
| Data type | Retention period | Reason |
|---|---|---|
| Account, profile, and company records (including uploaded photos and logos) | While your account is active | Deleted when you delete your account — including account records, profile data, job listings, applications, and uploaded files |
| Active session tokens | 30 days | Deleted on logout or after 30 days of inactivity |
| One-time verification codes | 10 minutes | Deleted immediately after use or expiry — whichever comes first |
| Activity and security audit log (IP address, browser type, country, action type) | 2 years | Deleted automatically after 2 years. Records linked to an active security incident are retained until the incident is resolved and any regulatory notification period has elapsed. |
| Job listings | While the employer account is active | Removed from public search immediately on account deletion. Listings that reach their expiry date are closed automatically by a daily process. |
| Applications and cover letters | While the related job exists | Linked to the job posting lifecycle — deleted when the job is removed |
| Employer notes (employer_notes) | While the employer account is active | Deleted when the employer closes their account. Never disclosed to the candidate (see sections 2 and 8). |
| Early access request data | Until access is granted, opted out, or account created | Can be removed at any time by contacting us |
5. Who We Share Your Data With
Between users on the platform
When a job seeker applies for a job, their application and publicly visible profile information are shared with the employer who posted that job. This is the core function of the platform. The seeker's email address is not shown to employers.
Services we use to run the platform
We use a small number of third-party services to operate the platform. These providers are bound by data processing agreements — they may only use your data to deliver services to Kidab, not for their own purposes, and must protect your data to an equivalent standard wherever they operate. Where data is transferred outside the European Economic Area or the United Kingdom, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission.
- Hosting and infrastructure: Our platform is hosted on edge infrastructure that operates globally, including in data centres within the EU and internationally.
- Email delivery: We use a transactional email provider (Brevo) to send account-related emails such as verification codes and password reset links. Only your email address, display name, and the content of the specific email are shared. Our email delivery provider may use AI service providers — including OpenAI, Google Gemini, and Anthropic — as sub-processors to deliver their service. These AI providers are bound by data protection obligations under our email provider's published Data Processing Agreement and operate under Standard Contractual Clauses for any international transfers. Your email content may be processed by these systems as part of email delivery infrastructure. You can review Brevo's published sub-processor list at brevo.com/legal/subprocessors.
- Bot protection: We use a security verification service to distinguish real users from automated bots on our forms. This processes your IP address and browser characteristics to generate a risk score.
- Analytics: We use privacy-preserving analytics that processes traffic data at the network edge without storing cookies or building user profiles. No personal data is collected or stored by our analytics system.
Legal requirements
We may share your data with law enforcement or courts if required by a valid legal order. We will not share data voluntarily and will notify you when we are legally permitted to do so.
What we never do
- We do not sell your personal data to any third party
- We do not share your data with advertisers
- We do not use your data for purposes other than those stated in this policy
- Employer notes are never shared with the candidate they concern, under any circumstances
6. Cookies and Tracking
We use a minimal number of cookies, all of which are required for the platform to work or to keep your account secure. We do not use advertising cookies or tracking pixels on our website.
| Cookie name | Purpose | Duration | Type |
|---|---|---|---|
| Authentication cookie kidab_auth | Keeps you signed in to your account. Stored securely — cannot be read by scripts on the page. | 30 days | Required to work |
| Security cookie kidab_sec | Protects your account from a specific type of attack where another website could otherwise take actions on your behalf without your knowledge. | 30 days | Required to work |
| Security verification cookie | Set by our bot protection service when you interact with forms. Used to verify you are a real user. | Up to 1 hour | Required to work |
| Language preference | Remembers whether you chose Arabic or English. Stored in your browser's local storage, not as a cookie. | Until cleared | Preference |
7. How We Protect Your Data
We apply security measures appropriate to the nature of the data we hold. These include:
- All data is encrypted when stored and when transmitted between your browser and our platform
- Your password is never stored — only a strong, one-way transformation that cannot be reversed to reveal your original password
- Your sign-in session is authenticated using a token stored in an HttpOnly, Secure cookie — it cannot be read by browser scripts or accessed by other websites
- Access to personal data within Kidab is restricted to only what each function of the platform strictly requires
- We maintain a security activity log to detect and respond to threats
- We support passkey authentication (biometric or PIN-based) as a more secure and phishing-resistant alternative to passwords
No system is completely immune to security incidents. In the event of a data breach that poses a risk to your rights, we will notify the relevant data protection authorities within 72 hours and, where required, notify affected individuals as quickly as possible.
8. Your Rights
You have rights over your personal data. The rights available depend on where you live, but most of the following apply to all Kidab users. To use any right, visit kidab.io/contact and select "Privacy & Data".
| Right | What it means | How to use it |
|---|---|---|
| See a copy of your data | Request a copy of the personal data we hold about you | Contact us — we respond within one month |
| Download your data | Receive your data in a machine-readable format | Available in-account: Account → Export Data (where available — contact us if you cannot locate this) |
| Delete your account and data | Delete your account and associated personal data | Available in-account: Account → Delete Account |
| Correct your data | Correct inaccurate personal data we hold about you | Available in-account: edit your profile |
| Limit how we use your data | Request that we restrict processing of your data in certain circumstances | Contact us |
| Object to how we use your data | Object to processing based on legitimate interests | Contact us — we will assess and respond |
| Withdraw consent | Where processing is based on your consent, withdraw it at any time | Early access: contact us to remove your email address |
If you believe we have not handled your data correctly, you have the right to complain to a data protection authority in your country. We would always prefer to resolve concerns directly — please reach out before making a formal complaint.
9. Children and Minimum Age
Kidab is not directed at children or minors. You must be at least 18 years old to create an account. This age limit reflects the professional nature of our platform and aligns with the minimum age for binding agreements under Iraqi law. It also exceeds the minimum digital consent age under GDPR Article 8.
If we become aware that a user is under 18, we will close the account and delete all associated personal data. If you believe a minor under 18 has registered, please contact us immediately.
10. Changes to This Policy
We will notify registered users of material changes to this policy at least 30 days before they take effect, by email or through a notice on the platform. The "Last updated" date at the top of this page shows when the current version was published.
Continuing to use Kidab after a policy change takes effect constitutes acceptance of the updated policy. If you do not agree, you may delete your account before the change takes effect.
11. Contact and Data Requests
To exercise any of your rights, raise a concern, or ask a question about this policy, use our contact form at kidab.io/contact and select "Privacy & Data" as the issue type. We do not publish a direct email address in order to protect this channel from abuse and to ensure requests reach the correct team.
We aim to respond to all data requests within one month. For complex requests we may take up to three months in total, and will let you know if this applies to your request.
This Privacy Policy is governed by the laws of the Republic of Iraq. For users in the European Union or the United Kingdom, applicable regional data protection law applies and takes precedence where relevant.