top of page
rigel-logo_dark_blue-complete.png

Privacy Policy

Effective Date - February 28, 2026 

Last Updated - February 28, 2026

Author - RigelAi.org

1. Introduction

Rigel ("Rigel," "we," "us," "our") operates a skills-first recruiting platform that connects candidates with employers through structured, explainable matching. This Privacy Policy describes how we collect, process, store, share, and protect personal data when you use our platform at rigel.ai and any associated services.

By using Rigel, you agree to this Privacy Policy. If you do not agree, please do not use our services.

2. Scope

This policy applies to all users of Rigel worldwide, including but not limited to users in the United States (CCPA/CPRA), the European Union and European Economic Area (GDPR), the United Kingdom (UK GDPR), Canada (PIPEDA), and Australia (Privacy Act 1988).

3. Data We Collect

From Recruiters

  • Name and email address

  • Organization name and details

  • Authentication metadata (via Wix)

  • Job postings and requirement configurations

  • Platform activity and usage logs
     

From Candidates (Registered Accounts)

  • Name and email address

  • Uploaded CV/resume files

  • Structured profile data parsed from your CV (education, experience, skills, contact information, and additional sections such as projects, certifications, and publications)

  • Profile edits you make during review

  • Job applications and match results
     

From Guest Candidates (Quick Apply)

  • Email address

  • Uploaded CV file

  • Single-job match result
     

Technical Data (All Users)

  • IP address

  • Device type and browser metadata

  • Usage and navigation logs

  • Security and access logs
     

Cookies and Tracking
Our website is hosted on Wix, which sets cookies for site functionality, analytics, and session management. We do not set additional tracking cookies beyond those required by the Wix platform. You can manage cookie preferences through your browser settings.

4. How We Process Your Data

CV Parsing and Profile Creation
When you upload a CV, Rigel processes it through an automated pipeline:

  1. Text extraction: Your document is converted to structured text using Apache Tika, an open-source document processing tool hosted on our infrastructure.

  2. AI-powered extraction: Large language models (LLMs) extract and structure information from your CV, including contact details, education history, work experience, skills, and additional sections. We currently use OpenAI (GPT-4o series) and Google Vertex AI (Gemini 2.5 Flash) for this purpose.

  3. Deterministic validation: All LLM outputs are validated against rule-based checks to ensure accuracy and consistency.

  4. Candidate review: You can review, edit, and correct your parsed profile before it is used for any matching. No matching occurs against unconfirmed profiles (except single-job matching for guest quick-apply).


Match Scoring
Match scores are calculated using structured algorithmic formulas based on recruiter-defined weights. Scoring uses deterministic comparison of your confirmed profile against job requirements. All scores are reproducible, and the scoring formula is transparent to both candidates and recruiters.
 
What We Do Not Do

  • We do not infer protected characteristics (race, gender, age, disability, etc.)

  • We do not use facial recognition or biometric data

  • We do not use hidden surveillance data

  • We do not make fully automated employment decisions — recruiters make all final hiring decisions

  • We do not sell your personal information

  • We do not share your data for behavioral advertising

5. Legal Bases for Processing (GDPR)

Where GDPR applies, we process your data on the following bases:

  • Contractual necessity: To provide the Rigel service you signed up for, including CV parsing, profile creation, and match scoring.

  • Legitimate interest: To improve our services, ensure platform security, and prevent abuse.

  • Consent: Where required by law, such as for marketing communications.

  • Legal compliance: To meet legal obligations, including tax, employment, and data protection laws.

6. CCPA/CPRA Compliance

If you are a California resident:

  • We do not sell your personal information.

  • We do not share your data for cross-context behavioral advertising.

  • You have the right to know what personal information we collect, request its deletion, request correction, and opt out of any future sale (though we do not sell data).

  • To exercise your rights, contact us at privacy@rigelai.org

7. Who We Share Data With

We share personal data only with the following categories of recipients:

Service Providers (Subprocessors)

  • Google Cloud Platform — Infrastructure hosting, data storage, and compute. Receives all platform data (encrypted at rest and in transit).

  • Google/OpenAI — CV text extraction and structuring via API (Gemini 2.5 Flash or GPT-4o mini). Receives CV text content only (no filenames or metadata).

  • Google Vertex AI — CV text extraction and structuring as an alternative provider (Gemini 2.5 Flash). Receives CV text content only (no filenames or metadata).

  • Wix — Website hosting and authentication. Receives name, email, and session data.

  • Apache Tika — Document text extraction, self-hosted on Rigel's own infrastructure. Processes uploaded document files.

We remain responsible for all subprocessor handling of your data. We maintain agreements with each subprocessor requiring them to protect your data in accordance with this policy.

Recruiters

When you apply to a job, the recruiting organization receives your match score and the sections of your profile relevant to that job. Recruiters do not see your raw CV file, contact details, or information unrelated to the job requirements until you and the recruiter mutually agree to connect.

Legal Requirements

We may disclose data if required by law, court order, or governmental request.

8. International Data Transfers

Your data is processed in the United States on Google Cloud infrastructure (us-central1 region). If you are located outside the United States, your data will be transferred to and processed in the US.

 

For transfers from the EU/EEA/UK, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms as required by applicable law.

9. Data Retention

  • Registered accounts: Your data is retained for as long as your account is active. Upon account deletion, your data is removed within 30 days, except where retention is required by law.

  • Guest quick-apply data: Retained for up to 12 months. If you create a full account within that period, your guest data is merged into your account.

  • Backups: Purged within 90 days of the data being deleted from primary storage.

  • Anonymized/aggregated data: May be retained indefinitely for service improvement and analytics. This data cannot identify you.

10. Security

  • We implement the following security measures:

  • TLS encryption for all data in transit

  • Encryption at rest for stored data

  • Role-based access controls

  • Multi-tenant data isolation (recruiter data is scoped by organization)

  • UUID-based identifiers to prevent enumeration

  • Parameterized database queries to prevent injection attacks

  • Structured audit logging

  • Rate limiting on public endpoints

  • OIDC token verification for internal service communication

 

No system is 100% secure. If you become aware of a security issue, please contact us at support@rigelai.org.

11. Your Rights

Depending on your location, you may have the right to:

  • Access your personal data

  • Correct inaccurate data

  • Delete your data

  • Export your data in a portable format

  • Restrict processing of your data

  • Object to processing based on legitimate interest

  • Withdraw consent where processing is based on consent

To exercise any of these rights, contact us at privacy@rigelai.org. We will respond within 30 days (or the timeframe required by applicable law).

If you are in the EU/EEA/UK and believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority.

12. Children's Privacy

Rigel is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn that we have collected such information, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on our website or sending you an email. Your continued use of Rigel after changes take effect constitutes acceptance of the updated policy.

14. Contact Us

For privacy-related inquiries:

bottom of page