Candidate Privacy Notice

Working version, pending legal review. Questions about your data: apply@nxopay.com.

Who this applies to

This notice applies when you submit an application through careers.nxopay.com for a role at NXOPAY. It explains what data we collect, how we use it, how long we keep it, and the rights you have over it.

What we collect

When you apply, we collect only what you provide in the application form:

• Your name (first and last)
• Your email address
• Your city and country
• Your written note and experience summary
• Links you choose to share (GitHub, LinkedIn, portfolio, etc.)
• Your expected monthly rate
• The role you applied for
• The timestamp and source of your submission

We do not use tracking cookies or third-party analytics on the careers site. We do not collect any data you did not explicitly type into the form.

Why we collect it

We process this data to evaluate your application for the role you applied to. Specifically:

• Application review. NXOPAY reviewers read your submission to decide whether to invite you to a technical validation session.
• AI-assisted evaluation. We use an AI-assisted tool (powered by Anthropic's Claude API) to help screen incoming applications against the role's requirements. The AI output is advisory; humans make final decisions.
• Communication. We use your email address to confirm receipt of your application and respond to you about the outcome.

Our legal basis for processing under GDPR is performance of a contract at your request — you are asking us to evaluate your candidacy, and evaluating it requires processing the data you provide.

Who we share it with

We share your data with the minimum parties necessary to run our hiring process:

• Anthropic (Claude API). We send the text of your application to Anthropic's API for AI-assisted evaluation. Anthropic acts as a data processor; their privacy practices are available at anthropic.com/legal/privacy. Data is processed in the United States under Standard Contractual Clauses.
• Our hosting providers. Application data is stored on servers operated by Railway (application backend) and Hostinger (this website). Both act as data processors.
• Microsoft 365. Confirmation emails and related correspondence flow through Microsoft 365, operating under Microsoft's data processing terms.

We do not sell, trade, or otherwise transfer your data to parties outside this list.

How long we keep it

• If your application is unsuccessful: we keep your data for up to six months after our decision, in case a comparable role becomes available.
• If we enter into an engagement with you: your application data becomes part of your contractor record, which is retained for the duration of the engagement plus the minimum period required by applicable tax, employment, or financial regulation.
• If you ask us to delete your data earlier: we will do so within 30 days unless a specific legal obligation requires us to retain it.

Your rights

You have the following rights over your data. To exercise any of them, email apply@nxopay.com with your name and the role you applied for. We will respond within 30 days.

• Access. You can request a copy of the personal data we hold about you.
• Rectification. You can ask us to correct any data that is inaccurate or incomplete.
• Erasure. You can ask us to delete your data. We will comply unless retention is required by law.
• Restriction. You can ask us to pause processing of your data while we resolve a dispute.
• Portability. You can request your data in a structured, machine-readable format.
• Objection. You can object to our processing of your data, in which case we will stop unless we have a compelling legitimate basis to continue.
• Withdrawal of consent. Where our processing relies on your consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
• Complaint. You have the right to complain to your local data protection authority if you believe we have mishandled your data.

International transfers

NXOPAY operates from the Gulf Cooperation Council (GCC) region. Some of our processors, notably Anthropic, operate from the United States. When your data is transferred outside your home jurisdiction, we rely on Standard Contractual Clauses or equivalent safeguards approved under applicable data protection law.

Security

We take reasonable technical and organisational measures to protect your data. These include encryption in transit (TLS) between your browser and our servers, access controls on internal systems, and regular review of our processing practices. No system is perfectly secure, and you should avoid including sensitive personal data (such as government identifiers or health information) in your application — we do not need it to evaluate you.

Changes to this notice

We may update this notice to reflect changes in our practices, the services we use, or applicable law. The "last updated" date at the top of this page shows when the current version took effect. We will not apply material changes retroactively to applications already received.

Contact

For any question about this notice or about your data, contact apply@nxopay.com.