Privacy Policy

Last updated: April 8, 2026

This Privacy Policy explains how Matchboks collects, uses, shares, and protects your personal data when you use our website and mobile applications (together, the "Service"). It is written to comply with the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (personopplysningsloven).

1. Who we are

Matchboks is operated by Moi Consulting AS, a Norwegian limited liability company based in Sandnes, Norway. Moi Consulting AS is the data controller for all personal data processed through the Service and is responsible for how your data is handled.

You can reach our privacy team at:

2. Scope of this policy

This policy applies to everyone who uses Matchboks: candidates creating profiles and looking for work, companies posting jobs and searching for talent, and visitors to our marketing site. Different sections below make clear when something only applies to one of those groups.

3. What we collect

We only collect personal data we actually need. The categories below list every type of data Matchboks handles.

Account data

Email address, name, phone number (optional), password (stored hashed, never in plain text), account role (candidate, company, admin), language preference, notification preferences.

Candidate profile data

Profile photo, headline, bio, current and desired job titles, years of experience, skills with proficiency levels, work experience, education, certifications, languages, location (city level), remote work preference, salary expectations, availability date, portfolio URLs, social links (LinkedIn, GitHub, website), and optional honest descriptions, which are private free-text fields used only by the AI to improve match quality. They are never shared with other users.

CV files

If you upload a CV, Matchboks stores the original file in secure cloud storage and sends its text contents to an AI service for parsing into structured profile fields. You can delete the CV file at any time from your profile.

Company profile data

For employer accounts: company name, logo, description, mission, industry, size, website, social links, team members, office locations, values, benefits, and published job listings.

Matching and interaction data

Swipe decisions (interested, pass, save), mutual matches, bookmarks, applications, job views, profile views, and the AI-generated relevance scores we compute between candidate profiles and job listings.

Messaging and support

Messages you send through the in-app chat after a mutual match, support tickets and support chat messages, and any attachments you share in those conversations.

Technical data

Device type, operating system and version, app version, IP address, approximate location (city level, only if you allow it), push notification token, session activity timestamps, crash reports, and basic analytics events (page views, button clicks) needed to operate and improve the Service.

Cookies

We use a small number of functional cookies to keep you logged in and remember your preferences. See our Cookie Policy for the full list.

4. Why we can process your data (lawful basis)

Under GDPR Article 6, every use of your personal data must have a lawful basis. Matchboks relies on:

  • Contract (Art. 6(1)(b)): processing necessary to provide the Service you signed up for: creating your account, showing you matches, letting you message other users, and handling applications.
  • Legitimate interests (Art. 6(1)(f)): protecting the Service against fraud and abuse, improving our product based on aggregated usage patterns, and securing our systems. We balance these interests against your rights and stop immediately if you object.
  • Consent (Art. 6(1)(a)): for optional features like marketing emails, push notifications, precise location, and the use of honest description fields. You can withdraw consent at any time in your settings.
  • Legal obligation (Art. 6(1)(c)): when we must retain records to comply with Norwegian tax, accounting, or anti-money-laundering law.

5. How we use your data

  • Provide and operate the Service: create your account, show job listings and candidate profiles, compute matches, deliver messages, process applications.
  • Run the AI matching system (explained in Section 6 below).
  • Send transactional notifications (new match, new message, application update) and, only if you consent, occasional product updates.
  • Detect fraud, abuse, and violations of our Terms of Service.
  • Analyze aggregated, anonymized usage data to fix bugs and prioritize improvements.
  • Comply with legal obligations and respond to lawful requests from authorities.

6. How the matching works (automated decision-making)

Matchboks uses an AI-powered scoring system to help candidates and companies find relevant matches. You have a right to know how it works:

  • Your structured profile data (skills, experience, location, salary preferences, job preferences) is compared against job listings or candidate profiles to produce a relevance score between 0 and 100.
  • Matches are sorted by this score so the most relevant appear first. All visible profiles remain visible. The system ranks, it does not filter or exclude.
  • No hiring or rejection decisions are made automatically. Every match is surfaced to a human (candidate or recruiter) who makes the actual choice.
  • You can swipe, browse, save, and review all available matches. The score is a recommendation, not a gate.
  • The score considers: skills with proficiency, years of experience, job title, location proximity, salary overlap, and a semantic similarity between your profile text and the job description computed from text embeddings. Free-text honest descriptions are used by the AI to inform match relevance, but are never shown to other users and never block you from being seen.

Under GDPR Article 22 you have the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects. Matchboks is designed as a recommendation tool with human decision-making at every step, so Article 22 does not apply. If you have questions or want to challenge how your data is used in matching, contact our privacy team.

7. Who we share your data with

Matchboks does not sell your data. We share it only in the situations described below.

Other users of the Service

Candidate profiles are visible to companies you match with or apply to. Company profiles are publicly visible. Messages are only visible to the people in the conversation. Honest description fields are never shared with other users. They are used only by the AI matching system. Contact details are only revealed after a mutual match.

Service providers (sub-processors)

We use trusted third-party services to run Matchboks. Each one is bound by a data processing agreement and may only process your data on our instructions.

  • Supabase (Ireland / EU): primary database, authentication, file storage.
  • Vercel (USA): web application hosting and edge delivery.
  • OpenAI (USA): CV text parsing into structured fields and semantic text embeddings for matching. We send only the text content of your CV and profile, never your name, email, or contact details.
  • Sentry (Germany): crash reporting and error monitoring.
  • Apple App Store / Google Play: distribution of our mobile apps and push notifications.
  • LinkedIn (USA): if you choose to sign in with LinkedIn, your name, email, and profile photo are received from them.

Legal disclosures

We may disclose data when legally required to do so, for example in response to a court order or a lawful request from Norwegian authorities, and only to the extent actually required.

8. International data transfers

Some of our sub-processors (OpenAI, Vercel) are based in the United States. When your data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the legal safeguard. You can request a copy of these by emailing our privacy team.

9. How long we keep your data

We keep your data only as long as we need it for the purposes above, or as required by law.

  • Active account data is kept as long as your account is open.
  • After you delete your account, we remove your profile, messages, matches, and uploaded files within 30 days. Aggregated, anonymized usage statistics may be retained indefinitely since they no longer identify you.
  • Some records must be retained longer to comply with Norwegian bookkeeping law (5 years) or other legal obligations. Those records are kept in a restricted archive, used only for the stated legal purpose, and deleted as soon as the obligation expires.
  • Candidate accounts that have been inactive for 24 months are flagged for review and may be deleted to minimize stored data.

10. Your rights

Under GDPR you have the following rights over your personal data. You can exercise any of them for free.

  • Right of access (Art. 15): get a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): correct any data that is wrong or incomplete.
  • Right to erasure (Art. 17): have your account and associated data deleted. The easiest way is the in-app Delete Account flow; see our Account Deletion page (/account-deletion) for the full process.
  • Right to restrict processing (Art. 18): ask us to pause certain uses of your data while we investigate a concern.
  • Right to data portability (Art. 20): receive your structured profile data in a machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interests, including marketing.
  • Right to withdraw consent: where processing is based on consent, you can withdraw it at any time in your settings without affecting past lawful use.
  • Right to lodge a complaint: if you believe we are mishandling your data you can complain to the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no.

To exercise any of these rights, email hei@matchboks.no or use the Delete Account flow in the app. We respond within one month.

11. Security

We protect your data with industry-standard safeguards: encryption in transit (TLS 1.2+) and at rest, hashed passwords, row-level security in the database, least-privilege access for employees, audit logging of admin actions, hardware-backed credential storage on mobile (iOS Keychain, Android Keystore), automated vulnerability scanning, and regular backups. No system is completely immune. If we ever suffer a data breach that affects you, we will notify you and Datatilsynet within 72 hours as required by GDPR.

12. Children

Matchboks is not intended for children under 16 years old. We do not knowingly collect personal data from anyone under 16. If you become aware that a child has created an account, please contact us and we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes we will notify you in-app and update the "Last updated" date at the top. Older versions are archived and available on request.

14. Contact us

Questions, concerns, or privacy requests: hei@matchboks.no

You also have the right to complain to the Norwegian Data Protection Authority:

Datatilsynet
