Privacy Notice
Last updated: June 2025
Introduction
Marxel (“we”, “us”, “our”) operates an applicant tracking system that helps businesses manage their recruitment process. This privacy notice explains how we collect, use, store, and protect personal data when you use our services.
We are committed to protecting your privacy and handling your data in an open and transparent manner. This notice explains how we support UK GDPR, EU GDPR, and applicable data protection law obligations when providing the service.
Who This Notice Applies To
This notice applies to:
- Customers: Businesses and individuals who use Marxel to manage recruitment
- Candidates: Individuals whose personal data is uploaded to Marxel by our customers
- Website visitors: Individuals who visit our website
Data We Collect
Customer Data
When you sign up for Marxel, we collect:
| Data Type | Purpose | Lawful Basis |
|---|---|---|
| Name and email address | Account creation and communication | Contract performance |
| Company name | Account setup | Contract performance |
| Billing information | Payment processing | Contract performance |
| Usage data | Service improvement and support | Legitimate interest |
Candidate Data
Our customers upload candidate data to Marxel. This may include:
| Data Type | Purpose | Lawful Basis |
|---|---|---|
| Name and contact details | Recruitment management | Legitimate interest of our customer |
| CV/resume content | Recruitment assessment | Legitimate interest of our customer |
| Employment history | Recruitment assessment | Legitimate interest of our customer |
| Education history | Recruitment assessment | Legitimate interest of our customer |
| Interview notes and assessments | Recruitment decisions | Legitimate interest of our customer |
| Communication history | Recruitment management | Legitimate interest of our customer |
Important: For candidate data, our customers are the data controllers. We act as a data processor on their behalf. If you are a candidate and wish to exercise your data rights, please contact the company that collected your information directly. You may also contact us at hello@marxel.co and we will direct your request appropriately.
Website Visitor Data
When you visit our website, we collect:
| Data Type | Purpose | Lawful Basis |
|---|---|---|
| IP address | Security and analytics | Legitimate interest |
| Browser and device information | Service optimisation | Legitimate interest |
| Pages visited | Analytics and improvement | Consent (via cookies) |
How We Use Your Data
We use personal data to:
- Provide and maintain our services
- Process payments and manage subscriptions
- Send service-related communications
- Provide customer support
- Improve our services
- Comply with legal obligations
- Detect and prevent fraud
We do not sell your personal data to third parties.
AI Features
Marxel uses OpenAI's API to power CV screening. When a customer processes candidates, the following data is sent to OpenAI:
- CV text content — for parsing structured candidate information (skills, experience, education)
- CV text and job criteria — for evaluating candidates against the role rubric and assigning a screening bucket
- Job description text — for synthesising evaluation criteria
- Scanned CV images— where a CV is a scanned document that cannot be read as text, the PDF page images are sent to OpenAI's Vision API for text extraction. This means the raw document image (not just extracted text) transits OpenAI's servers.
We do not use your data to train any Marxel-owned AI models. Under OpenAI's API usage policies, data submitted via the API is not used to train OpenAI's models by default. OpenAI is a sub-processor bound by data processing terms consistent with this notice.
Automated decision-making: AI-generated scores and screening buckets are tools to assist human decision-making. All hiring decisions remain with the Controller (the organisation using Marxel). Candidates have the right to request human review of any automated assessment — contact the organisation that collected your information, or us at hello@marxel.co.
Customers can opt out of AI features by contacting us at hello@marxel.co.
Data Sharing and Third Parties
We share data with service providers who process data on our behalf. Current authorised sub-processors are:
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Vercel Inc. | Application hosting and delivery | United States / global infrastructure | Application traffic, logs, and customer data in transit |
| Railway Corporation | Database hosting where configured | United States / selected infrastructure region | Application database records and customer data at rest |
| UploadThing | CV file upload and file storage | United States / global infrastructure | Uploaded files, filenames, file URLs, and file metadata |
| OpenAI, L.L.C. | AI-powered parsing, OCR fallback, evaluation, and embeddings | United States | Candidate data submitted to AI features |
| Sentry | Error monitoring, performance monitoring, and session replay | United States / European Union | Error events, diagnostics, masked replay data, and operational metadata |
| Resend Inc. | Transactional email delivery | United States | Email addresses, names, and email content |
| Stripe Inc. | Payment processing and subscription management | United States / global infrastructure | Billing data and subscription metadata, not CV content |
| PostHog Inc. | Product analytics and masked session replay when enabled with consent | United States / European Union | Usage events, product analytics metadata, and masked replay data |
| Google LLC | Google OAuth authentication and website analytics when enabled | United States / global infrastructure | OAuth profile data, email addresses, IP addresses, and analytics events |
| Upstash, Inc. | Redis-backed caching and rate limiting when configured | United States / selected infrastructure region | Cache keys, cached AI outputs, and rate-limit metadata |
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
International Data Transfers
Your data may be transferred to and processed in countries outside the UK and European Economic Area (EEA), including the United States.
When we transfer data outside the UK/EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement where applicable
- Adequacy decisions where available
You can request a copy of the relevant safeguards by contacting us at hello@marxel.co.
Data Retention
We retain personal data for the following periods:
| Data Type | Retention Period |
|---|---|
| Customer account data | Duration of account plus 2 years |
| Candidate data | Until deleted by the customer or account closure, plus applicable backup retention periods (typically up to 30 days) |
| Cached AI processing results | Up to 7 days; purged immediately upon candidate deletion |
| Billing and transaction records | 7 years (legal requirement) |
| Website analytics | 26 months |
Customers can delete individual candidates directly through the Marxel dashboard. Deletion permanently removes the CV file from secure file storage, all associated database records, and any cached AI processing results.
Your Rights
Under UK and EU data protection law, you have the following rights:
Right of Access
You can request a copy of the personal data we hold about you.
Right to Rectification
You can request that we correct inaccurate or incomplete personal data.
Right to Erasure
You can request deletion of your personal data. Customers can delete individual candidates directly through the Marxel dashboard, which permanently removes the CV file, all database records, and cached AI processing results. For candidate erasure requests directed to us, we will coordinate with the relevant customer and action the deletion within 30 days.
Right to Restrict Processing
You can request that we restrict how we process your personal data.
Right to Data Portability
You can request a copy of your data in a structured, machine-readable format.
Right to Object
You can object to our processing of your personal data based on legitimate interests.
Rights Related to Automated Decision-Making
Marxel uses AI to assist in screening and scoring CVs. AI-generated scores and bucket assignments support, but do not replace, human judgement — all hiring decisions remain with the organisation using Marxel. You have the right not to be subject to decisions based solely on automated processing that significantly affect you, and may request human review of any AI-generated assessment by contacting the organisation that uploaded your data.
Right to Withdraw Consent
Where we rely on consent, you can withdraw it at any time.
To exercise any of these rights, contact us at hello@marxel.co.
We will respond to your request within 30 days. There is no fee for making a request, unless your request is clearly unfounded or excessive.
For candidates: If your data was uploaded by one of our customers, please contact that organisation directly to exercise your rights. You can also contact us and we will help direct your request.
Cookies
We use cookies and similar technologies on our website.
Essential Cookies
Required for the website to function. Cannot be disabled.
Analytics Cookies
Help us understand how visitors use our website. We use:
- PostHog — Product analytics and masked session replay
- Google Analytics — Website analytics
You can manage your cookie preferences through our cookie banner or your browser settings.
Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS)
- Encryption of data at rest
- Access controls and authentication
- Regular security reviews
- Employee training on data protection
Children's Data
Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at hello@marxel.co.
Changes to This Notice
We may update this privacy notice from time to time. We will notify you of significant changes by:
- Posting a notice on our website
- Sending an email to registered customers
We encourage you to review this notice periodically.
Complaints
If you have concerns about how we handle your personal data, please contact us first at hello@marxel.co.
You also have the right to lodge a complaint with a supervisory authority:
EU: You may contact your local data protection authority.
Contact Us
For any questions about this privacy notice or our data practices:
Email: hello@marxel.co
Data Protection Contact: hello@marxel.co
Summary
| What | Details |
|---|---|
| Who we are | Marxel, United Kingdom |
| What we collect | Customer data, candidate data (as processor), website data |
| Why we collect it | Service delivery, legal compliance, improvement |
| Who we share with | Service providers listed above |
| How long we keep it | Candidate data is retained while needed to provide the service, unless deleted earlier or agreed otherwise |
| Your rights | Access, rectification, erasure, portability, objection |
| How to contact us | hello@marxel.co |
See also our Terms of Service or contact us with any questions.