The controller responsible for the processing of personal data on this website and within the platform is:
MesserGroup LLC
7901 4th ST N – STE 300
St. Petersburg, FL
US 33702 – United States of America
Represented by: Jamila Meßerschmidt
Reachable at hey@matchlyn.com
No data protection officer has been appointed.
This privacy policy explains how we process personal data of candidates(applicants, talent pool users, platform users), companies (clients, contact persons, platform users) and agencies (recruiting agencies active as partners on the platform). We comply with the EU General Data Protection Regulation (GDPR) to the extent we process data of individuals in the EU/EEA.
From candidates, we process master data such as first and last name, email address, phone number, place of residence, place and date of birth; professional data including work experience, positions, qualifications, skills, certificates, language skills, salary expectations and availability; documents such as the CV and optionally references and transcripts (applications without a CV are not processed); profile and usage dataincluding login credentials, session tokens, language setting, last activity and job matches; and internal assessment data such as recruiter notes, matching scores and evaluations.
From company representatives, we process company data (name, address, industry, logo, website, job postings), contact person data (name, function, email, phone) and platform access and usage data (user account, session token, language setting, last activity, platform usage).
From agency partners, we process agency data (company name, location, industry focus), contact person data (name, function, email, phone), platform access and usage data (user account, session token, job postings, collabs, matches) and internal assessment data (notes, evaluations, matching scores).
We process data to technically provide the website and platform, enable logins, manage sessions, store language preferences and conduct basic technical analyses (e.g. Vercel Analytics). Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR (legitimate interest in secure platform operation).
Our core business is matching candidates with suitable job opportunities and companies. This includes collecting and analysing CVs and job descriptions, matching candidate profiles with job postings, internal evaluations and presenting candidates to companies.
Candidate profiles are never shared with companies or agencies before the candidate has consented and expressed interest in the specific role.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures), Art. 6(1)(f) GDPR (legitimate interest) and Art. 6(1)(a) GDPR (consent) where you actively provide your CV.
If you upload your CV or create a profile and consent to joining our talent pool, we use your data to contact you for suitable future positions or to present your profile. Consent may be withdrawn at any time. Legal basis: Art. 6(1)(a) GDPR.
For companies and agencies, we process data to provide platform access, manage job postings, facilitate inter-agency collaborations (collabs), suggest suitable candidates and handle the ongoing partnership. Legal basis: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.
We use contact information to respond to enquiries, coordinate appointments and share relevant information about positions or candidates. Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR.
We use AI models to parse CVs and job descriptions, extract content, calculate matching scores and generate suggestions. The AI does not make fully automated decisions (Art. 22 GDPR). A human always reviews results before a candidate is presented. AI services do not train their models on your data. Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR.
We use publicly available data on LinkedIn, company websites and job portals to identify potential candidates and clients. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient recruiting and business development).
Candidates can upload their CV via an online form and create a user profile. Data processed: email address, name and hashed password. Google login is available as an option. Registration is confirmed via double opt-in.
Companies receive their own platform login and access to their job postings and candidate matches. Passwords are stored exclusively as hashes.
Agencies receive their own platform login and access to their job postings, collaboration requests (collabs) and candidate matches. Passwords are stored exclusively as hashes.
Candidates can only access their own profile, data and matches. Companies can only see their own job postings and candidate profiles for which the candidate has explicitly consented. Agencies can view and manage their own job postings, view collabs and suggest candidates, and see candidates from other agencies in anonymised form until mutual interest is confirmed. Admins (MatchLyn) have internal access to all data as required for operations. No external third parties receive access without a contractual basis.
The authentication cookie (better_auth_session_token) maintains your session for approx. 7 days (Art. 6(1)(b) GDPR). The language setting (locale) stores your language preference (Art. 6(1)(f) GDPR). Vercel Analytics provides privacy-friendly technical analysis (Art. 6(1)(f) GDPR). Sentry.io is used for monitoring and error reporting (Art. 6(1)(f) GDPR). We do not use not use marketing tracking or newsletters.
Amazon Web Services (AWS), Europe region (Frankfurt): storage of all platform data. Database infrastructure via Neon.com (serverless PostgreSQL, HQ in USA, database in AWS Frankfurt). Transfers on the basis of SCCs.
Vercel Inc. (USA): frontend hosting, form submissions (CV upload) and Vercel Analytics. Transfers on the basis of SCCs.
n8n GmbH (Germany, Berlin): workflow automation, CV scoring and matching. Apify Technologies s.r.o. (Czech Republic): parsing of job postings.
OpenAI (USA): AI-assisted text analysis via API. OpenAI provides a DPA and supports GDPR compliance through SCCs. Content is not used for general model training.
Google Workspace (Google LLC / Google Ireland): email communication and document storage, on the basis of SCCs. Data processing agreements (DPAs) per Art. 28 GDPR have been concluded with all processors.
Candidate profiles submitted by agencies are shared in anonymised form only until mutual interest is confirmed. Agencies submitting candidate profiles act on the basis of their own terms and conditions with candidates and bear their own responsibility. Sharing with other third parties only occurs for contract performance, with explicit consent or due to legal obligation.
Profiles and application documents are stored for as long as consent exists and no deletion request has been made. Upon withdrawal or objection, data is deleted from all tools, unless statutory retention obligations apply.
Client data is stored for the duration of the business relationship. Upon termination, accounts and data are deleted unless statutory retention periods apply (e.g. tax law, up to 10 years). Agencies are responsible for their own data retention and deletion.
Agency partner data is stored for the duration of the active partnership. Upon termination, accounts and data are deleted unless statutory retention periods apply, except for candidates in ongoing placement processes, whose data is retained until the respective process is concluded.
Under the GDPR, you have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection (Art. 21) and withdrawal of consent (Art. 7(3)). To exercise your rights, contact: hey@matchlyn.com. You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR); an overview of EU supervisory authorities is available at edpb.europa.eu.
We use AI-based evaluations such as matching scores, but do not make fully automated decisions with legal effect (Art. 22 GDPR). A human recruiter always reviews results before a candidate is presented to a company or agency.
We implement appropriate technical and organisational measures including professional data centre hosting (AWS Europe, Frankfurt), role-based access controls, restriction of access to authorised personnel, password hashing and contractually bound processors. No external third parties receive direct system access.
We may update this policy when introducing new features, additional tools or in response to legal changes. The current version is always available at MatchLyn. We will notify you of material changes in an appropriate manner.
Last updated: 10 April 2026