Privacy Policy
Effective Date: 1 January 2025 · Last Updated: 1 June 2026
1. Data Controller
The Talent Factory ("we", "us", "our") is the data controller for personal data processed through the observx.io platform and this website. For privacy enquiries, contact us at privacy@tms-observx.com.
2. What Data We Collect
2.1 Account and Identity Data
- Full name and email address (required to create an account)
- Job title, department, and seniority level (provided by your organization)
- Profile photograph (optional, user-uploaded)
2.2 Professional Performance Data
- Skills assessments and competency ratings
- Structured feedback submitted within the platform
- Achievement records and performance development plans
- Maturity tier assignments and tiering justifications
- Engagement and project staffing records
- Leave and availability records
2.3 Usage and Technical Data
- Log data: IP address, browser type, pages visited, timestamps
- Session data: single active session per user (no concurrent sessions)
- Audit trail records: every action performed within the platform
2.4 Contact and Enquiry Data
- Name, email, company name, and message content submitted via the contact form
- Email address submitted via the newsletter subscription form
3. Lawful Basis for Processing
| Purpose | Lawful Basis (GDPR Art. 6) |
|---|---|
| Providing platform services to your organization | Contract performance (Art. 6(1)(b)) |
| Talent management, skills tracking, and performance reviews | Legitimate interests of your organization (Art. 6(1)(f)) |
| AI-assisted features (where enabled) | Explicit opt-in consent (Art. 6(1)(a)) + DPA required |
| Security, fraud prevention, and audit trails | Legal obligation and legitimate interests (Art. 6(1)(c) and (f)) |
| Marketing communications | Consent (Art. 6(1)(a)) — opt-in only, unsubscribe at any time |
4. Tenant Isolation and Data Separation
The Talent Factory operates a strict database-per-tenant architecture. Each customer organization's data is stored in a logically isolated database. No cross-tenant data access is possible at the application layer. Tenant identifiers are enforced at every API endpoint.
5. How We Use Your Data
- To deliver and operate the platform services contracted by your organization
- To generate skills intelligence, tiering recommendations, and staffing suggestions
- To maintain a permanent, tamper-evident audit trail of talent decisions
- To send transactional communications (account creation, feedback requests, cycle notifications)
- To respond to support and demo enquiries submitted via this website
- To improve platform reliability and security
6. AI Features and Automated Processing
Certain features of the platform use AI models to assist with skills gap analysis, tier recommendations, and staffing suggestions. These features are opt-in per tenant and require execution of a Data Processing Agreement (DPA) before activation. No fully automated decisions with legal or similarly significant effects are made without human review. Your organization's administrators retain override authority at all times.
7. Data Sharing and Third Parties
We do not sell personal data. We share data only with:
- Google Cloud Platform (GCP) — our infrastructure provider. Data is hosted in
us-east1by default;europe-west1andme-central1are available on request for data residency requirements. - Email delivery providers — SMTP relay (configurable as SendGrid) for transactional emails only.
- Your organization's administrators — who have role-based access control (RBAC) rights defined within your subscription.
All sub-processors are bound by data processing agreements consistent with GDPR requirements.
8. Security Measures
- Passwords hashed with Argon2id (industry best practice)
- Sensitive fields encrypted at rest using Fernet symmetric encryption
- Authentication tokens (JWT) with a 15-minute expiry
- Role-Based Access Control (RBAC) enforced at every API endpoint
- Single active session per user — new login invalidates existing sessions
- TLS 1.2+ in transit for all connections
- Security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options
9. Data Retention
- Active accounts: data retained for the duration of your organization's subscription
- Audit trail records: retained for a minimum of 7 years to support defensible talent decisions
- Contact enquiries: retained for 24 months, then deleted
- Newsletter subscriptions: retained until you unsubscribe
- Post-termination: customer data is deleted within 90 days of subscription end, unless a longer retention is required by law or requested in writing
10. Cookies
This marketing website uses only strictly necessary cookies (session management). No advertising, analytics, or tracking cookies are set without your consent. The platform application may set session cookies required for authentication. We do not use third-party tracking pixels.
11. Your Rights Under GDPR
If you are located in the EEA, UK, or other jurisdictions with similar data protection laws, you have the right to:
- Access — request a copy of personal data we hold about you
- Rectification — correct inaccurate data
- Erasure — request deletion of your data (subject to legal retention obligations)
- Restriction — restrict processing of your data in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing relies on consent, you may withdraw at any time
To exercise any of these rights, email privacy@tms-observx.com. We will respond within 30 days. Note that rights exercised by individual employees may be subject to your employer's authorization procedures under the platform's RBAC framework.
12. International Transfers
Data is processed primarily in the United States (GCP us-east1). If your organization requires data to remain within the EEA, we offer eu-hosting on europe-west1. Standard Contractual Clauses (SCCs) are available on request.
13. Children's Privacy
The platform is designed for use by professionals in employment contexts. We do not knowingly collect personal data from individuals under 18 years of age.
14. Changes to This Policy
We may update this policy from time to time. Material changes will be notified to account administrators via email at least 14 days before they take effect. The "Last Updated" date at the top of this page reflects the most recent revision.
15. Contact
For privacy enquiries, data subject requests, or to request our Data Processing Agreement:
privacy@tms-observx.com