Jobs Talents Pricing
Sign In Get Started
Compliance & Accountability

Record ofProcessing Activities

This page is the public summary of our Record of Processing Activities under Article 30 of the GDPR. It documents the categories of data, purposes, legal bases, recipients and retention periods used by the Alion Service.
01 - Controller
Controller andRepresentative

Alion is the controller of the personal data described in this Record. Contact details and the address of our EU representative are available in our Privacy Policy. Data protection enquiries should be addressed to our Data Protection mailbox listed in the Privacy Policy.

02 - Activities
ProcessingActivities

A. Public artifact indexing

Categories of data subjects: authors of publicly available professional artifacts (commits, packages, model cards).

Categories of data: public username, public display name, public commit email (when published in public commits), public repository or package metadata, declared languages and topics.

Purpose: building an auto-generated public portfolio that the data subject can claim, edit, hide or permanently delete.

Legal basis: legitimate interest (GDPR Art. 6(1)(f)), documented in our Legitimate Interest Assessment.

Retention: thirty (30) days from indexing for unclaimed portfolios, then permanent deletion plus addition of an irreversible identifier hash to the do-not-re-index registry. Claimed portfolios are retained for the lifetime of the account.

Recipients: the data subject themselves (via the invitation and the claim flow); no third parties for advertising or resale purposes.

B. Account and profile management

Categories of data subjects: registered candidates and employer users.

Categories of data: identifiers, contact data, professional background, online presence, content posted by the user, technical data.

Purpose: providing, operating and securing the Service.

Legal basis: performance of a contract (GDPR Art. 6(1)(b)) and legitimate interest for security and abuse prevention.

Retention: for the duration of the account, plus the period required to meet legal, tax and accounting obligations.

C. Transactional invitation notifications

Categories of data subjects: authors of publicly available artifacts who have published a contact email in their public commits or profiles.

Categories of data: public commit email, minimal context required to render the invitation.

Purpose: sending a single transactional notification inviting the author to view, claim or permanently delete the auto-generated portfolio.

Legal basis: legitimate interest (GDPR Art. 6(1)(f)). The email is not used for marketing, advertising or product promotion.

Retention: until the first of (i) the invitation expiry, (ii) thirty (30) days from indexing, (iii) any objection or erasure request. After that, the email is permanently deleted and an irreversible hash is added to the do-not-re-index registry.

D. Employer discovery and messaging

Categories of data subjects: registered candidates who have explicitly opted in to be discoverable.

Categories of data: claimed profile data, preferences for messages from employers.

Purpose: allowing employers to discover and contact candidates who have opted in.

Legal basis: consent (GDPR Art. 6(1)(a)) and performance of the contract.

Retention: until the candidate withdraws consent or deletes the account.

E. Site analytics and security

Categories of data subjects: visitors to the Site.

Categories of data: pseudonymous analytics identifiers, IP address, technical data, security logs.

Purpose: operating, securing and improving the Site.

Legal basis: legitimate interest (GDPR Art. 6(1)(f)); consent for any non-essential cookies, as described in our Cookie Policy.

Retention: short by default (typically 12 months for analytics, up to 24 months for security logs unless extended for incident response).

03 - Transfers
InternationalTransfers

Personal data are stored in the European Union by default. Where transfers outside the European Economic Area are necessary (for example to use a specific subprocessor), they are governed by Standard Contractual Clauses or other appropriate safeguards under Chapter V of the GDPR.

04 - Security
Technical andOrganisational Measures

We apply encryption in transit, encryption at rest for sensitive fields, role-based access control, pseudonymisation where appropriate, audit logging for access to personal data, automatic time-to-live deletion for unclaimed records, regular backups with restricted access, and a 72-hour breach notification procedure.

05 - Update
UpdateCycle

This Record is reviewed at least once a year and whenever a new processing activity is introduced or an existing activity changes materially.