Privacy Policy
Last updated: April 2026
This Privacy Policy explains how ICAN MENA FZ-LLC (“we”) collects, uses, and protects personal data when you use ICAN Talent. ICAN Talent is designed for HR teams to process candidate data lawfully — most candidate data we hold is processed on behalf of our customers (you), under their instructions.
1. Who is the controller?
For account data of ICAN Talent users (HR Admins, Recruiters, etc.), ICAN MENA is the data controller. For candidate data uploaded into ICAN Talent, the customer organization is the controller and ICAN MENA is the data processor — see our Data Processing Addendum.
2. Data we collect about users
- Account data: name, email, password hash, role, team membership
- Usage data: pages visited, actions taken, errors encountered (for product improvement and security)
- Billing data: organization name, billing address, VAT number, payment method (via Stripe)
- Communications: support requests, marketing opt-in preferences
3. Candidate data we process for customers
When a customer uploads candidates into ICAN Talent, the following may be processed:
- Identity: name, contact details, CV content, profile photo
- Application data: job applied for, source, application date
- Assessment data: AI scores, scorecards, interviewer notes
- Communication: emails between customer and candidate routed through ICAN Talent
We process this data only on the customer's instructions and only for the purpose of operating the service.
4. Where data is stored
By default, all data is stored in the European Union (Frankfurt, Germany) using Vercel for application hosting and Supabase for database and storage. Enterprise customers may opt into UAE / Bahrain data residency on request.
5. AI providers
ICAN Talent uses Anthropic's Claude (via the Vercel AI Gateway) for AI features. Zero data retention is configured: prompts and outputs are not retained or used to train models. We do not send candidate data to other third-party AI services unless explicitly enabled by the customer (e.g., enrichment via Apollo or Clay on Pro and Enterprise plans).
6. Sharing and sub-processors
We share data with the sub-processors listed in our DPA (Vercel, Supabase, Anthropic, SendGrid, Stripe). We do not sell data. We may disclose data when required by law or to protect our rights.
7. Retention
User account data is retained for the lifetime of your account plus 90 days. Candidate data is retained per the customer organization's configured policy (default: 1 year after a candidate's last application). Audit logs are retained per your plan (Free: 30 days, Standard: 90 days, Pro: 1 year, Enterprise: 7 years).
8. Your rights
Under GDPR and UAE PDPL, you have the right to:
- Access the data we hold about you
- Correct or update inaccurate data
- Delete your data (right to erasure)
- Restrict or object to processing
- Receive your data in a machine-readable format (data portability)
- Lodge a complaint with a supervisory authority
For account data, you can exercise these rights from your account settings. For candidate data, contact the customer organization that uploaded it (we will help you reach them).
9. Cookies
We use only essential cookies (session, CSRF, preferences). We do not use third-party tracking cookies or advertising cookies. No cookie banner is required for essential cookies under GDPR.
10. Changes
We will notify you of material changes by email at least 30 days before they take effect.
11. Contact
Questions or requests? Email privacy@icanmena.com.