Privacy Policy
Effective date: 21 April 2026 · Last updated: 21 April 2026
1. Who we are (Data Controller)
TalentCost is a global payroll intelligence platform operated by Kliqer Holding B.V., Radarweg 29, 1043 NX Amsterdam, Netherlands ("we", "us", "our"). We are the data controller responsible for the personal data you provide when using talentcost.com and our related services (the "Service").
For all data protection enquiries or to exercise your rights, contact us at privacy@talentcost.com.
2. Personal data we collect
We collect and process the following categories of personal data:
2.1 Account data
When you create an account, we collect your email address, full name, and (if you sign up with an email address and password) a hashed password. If you sign up via Google OAuth, we receive the name and email address authorised by your Google account. We do not receive or store your Google password.
2.2 Profile and subscription data
We store your subscription tier (Free, Pro, or Enterprise), remaining calculation credits, credit reset date, and — if you choose to upload one — a profile avatar image.
2.3 Calculation data
When you run a payroll calculation, we store the inputs you provide: target country, gross or net salary, currency, employment period, and the resulting cost breakdown. We associate these records with your account to power your calculation history and dashboard analytics.
2.4 AI conversation data
If you use the AI assistant ("Ask AI") feature, your questions and the AI-generated responses are stored against the relevant calculation record to allow you to review them later. These messages may be transmitted to our AI processing partner (Groq, Inc.) solely to generate the response.
2.5 Payment data
Billing is handled entirely by Stripe, Inc. We do not store card numbers, bank details, or other payment instrument data on our servers. We receive and store Stripe customer IDs, subscription IDs, and plan information to manage your access tier.
2.6 Usage and analytics data
We use Google Analytics to collect anonymised information about how visitors use our website, including page views, session duration, referral source, and device type. This data is collected via cookies and does not directly identify you. See Section 7 for more information on cookies.
2.7 Security and bot-protection data
We use Cloudflare Turnstile on our sign-up and sign-in forms to distinguish human users from bots. Turnstile may collect browser signals (e.g. interaction patterns, IP-derived signals) to generate a challenge token that is verified server-side. We do not receive or store the raw signals.
2.8 Log and technical data
Our hosting infrastructure automatically records standard server logs including IP addresses, HTTP request details, timestamps, and error information. These logs are used exclusively for security monitoring, debugging, and service reliability.
3. Legal basis for processing (GDPR Article 6)
| Purpose | Data category | Legal basis |
|---|---|---|
| Create and manage your account | Account data, profile data | Contract performance (Art. 6(1)(b)) |
| Deliver payroll calculations and history | Calculation data | Contract performance (Art. 6(1)(b)) |
| AI assistant responses | AI conversation data | Contract performance (Art. 6(1)(b)) |
| Process your subscription payment | Payment / Stripe data | Contract performance (Art. 6(1)(b)) |
| Send transactional emails (confirmation, welcome) | Email address, name | Contract performance (Art. 6(1)(b)) |
| Prevent fraud, abuse, and bot activity | Security / log data | Legitimate interests (Art. 6(1)(f)) |
| Website analytics and product improvement | Usage / analytics data | Consent (Art. 6(1)(a)) — via cookie banner |
| Comply with legal obligations | Any relevant data | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms. You may object to such processing at any time (see Section 9).
Where we rely on consent (analytics cookies), you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
4. How we use your personal data
- To create, authenticate, and maintain your account.
- To run payroll calculations and display results in your dashboard.
- To generate AI-powered responses to questions about your calculations.
- To manage your subscription, process payments, and issue invoices.
- To send transactional emails: email confirmation, password resets, billing receipts, and product update notifications directly related to your account.
- To detect and prevent fraudulent or abusive use of the Service.
- To improve and develop the Service through aggregated, anonymised analytics.
- To comply with applicable laws and respond to lawful requests.
We do not sell, rent, or trade your personal data to third parties for their own marketing purposes. We do not use your calculation inputs or results for training AI models without your explicit, separate consent.
5. Third-party data processors
We share personal data with the following sub-processors solely to the extent necessary to deliver the Service. Each processor is bound by a Data Processing Agreement (DPA) and may only process your data on our documented instructions.
| Processor | Purpose | Location | Reference |
|---|---|---|---|
| Supabase, Inc. | Authentication, database storage | USA / EU (selectable region) | supabase.com/privacy |
| Stripe, Inc. | Payment processing, billing | USA / EU | stripe.com/privacy |
| Google LLC (Analytics) | Website analytics | USA (adequacy / SCCs) | policies.google.com/privacy |
| Cloudflare, Inc. (Turnstile) | Bot and abuse protection | USA / EU | cloudflare.com/privacypolicy |
| Resend, Inc. | Transactional email delivery | USA (SCCs) | resend.com/privacy |
| Groq, Inc. | AI language model inference | USA (SCCs) | groq.com/privacy |
| Render Services, Inc. | Calculator application hosting | USA (SCCs) | render.com/privacy |
| Vercel, Inc. | Web application hosting, edge CDN | USA / EU (selectable) | vercel.com/legal/privacy-policy |
Where processors are located outside the European Economic Area (EEA), we ensure appropriate safeguards are in place through the EU Standard Contractual Clauses (SCCs) adopted under Commission Decision (EU) 2021/914, or through an applicable adequacy decision.
6. How long we keep your data
| Data category | Retention period |
|---|---|
| Account data (email, name, password hash) | For the lifetime of your account, plus 30 days after deletion request |
| Calculation records | For the lifetime of your account, plus 30 days after deletion request |
| AI conversation records | For the lifetime of your account, plus 30 days after deletion request |
| Payment / Stripe references | 7 years from the date of the transaction (legal obligation) |
| Server / security logs | 90 days, then automatically purged |
| Analytics data (Google Analytics) | 14 months (Google's default retention), then anonymised |
| Profile avatar images | Until you replace or delete the image, plus 30 days |
After a deletion request we may retain anonymised, aggregated data (e.g. total number of calculations run per country) that cannot identify you.
7. Cookies and similar technologies
Strictly necessary cookies
Supabase places a session cookie (sb-*) that is required to keep you signed in. This cookie is necessary for the Service to function and cannot be disabled without logging you out.
Analytics cookies (consent required)
With your consent, Google Analytics places cookies (_ga, _gid, _gat) to help us understand how our website is used. These cookies collect anonymised data and do not identify you personally. You can withdraw consent at any time by adjusting your cookie preferences via the consent banner, or by installing the Google Analytics opt-out browser add-on.
Security cookies (Cloudflare Turnstile)
Cloudflare may set a short-lived cookie as part of the Turnstile bot-protection challenge on sign-up and sign-in forms. This is strictly necessary for account security.
You can control cookies through your browser settings. Disabling analytics cookies will not affect the core functionality of the Service.
8. International data transfers
Some of our processors are located in the United States. Whenever we transfer personal data outside the EEA, we ensure an appropriate safeguard applies:
- Standard Contractual Clauses (SCCs) — EU Commission implementing Decision (EU) 2021/914, incorporated into our DPAs with each US-based processor.
- Adequacy decisions — where the European Commission has determined that the recipient country provides an adequate level of protection.
You may request a copy of the relevant SCCs by contacting us at privacy@talentcost.com.
9. Your rights under GDPR
As a data subject in the EEA (or UK / Switzerland), you have the following rights:
| Right | What it means |
|---|---|
| Right of access (Art. 15) | Obtain a copy of the personal data we hold about you and information on how it is used. |
| Right to rectification (Art. 16) | Request correction of inaccurate or incomplete data. |
| Right to erasure (Art. 17) | Request deletion of your personal data ('right to be forgotten'), subject to legal retention obligations. |
| Right to restriction (Art. 18) | Ask us to pause processing while a dispute is resolved. |
| Right to data portability (Art. 20) | Receive your data in a structured, machine-readable format to transfer to another service. |
| Right to object (Art. 21) | Object to processing based on legitimate interests (e.g. analytics). We will stop unless we have compelling legitimate grounds. |
| Rights re: automated decisions (Art. 22) | Not be subject to decisions based solely on automated processing that produce significant legal effects. |
| Right to withdraw consent | Withdraw any consent you have given at any time, without affecting the lawfulness of prior processing. |
To exercise any of these rights, email privacy@talentcost.com with the subject line "Data Subject Request". We will respond within 30 days (extendable by a further 60 days for complex requests, with notice to you). We may ask you to verify your identity before processing the request.
You also have the right to lodge a complaint with your national supervisory authority. As our lead supervisory authority is the Dutch Autoriteit Persoonsgegevens (AP), you may lodge a complaint directly with the AP or with your local EU data protection authority. A full list of EU supervisory authorities is available at edpb.europa.eu.
10. Account deletion
You may delete your account at any time from Dashboard → Settings or by emailing privacy@talentcost.com. Upon deletion we will permanently erase your account data and calculation records within 30 days, except where retention is required by law (e.g. billing records).
11. Children's privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address on your account) and/or by displaying a prominent notice on the website at least 14 days before the changes take effect. The updated policy will always be accessible at talentcost.com/privacy.
13. Contact us
For questions, requests, or concerns about this Privacy Policy or how we handle your data:
- Email: privacy@talentcost.com
- Post: Kliqer Holding B.V., Radarweg 29, 1043 NX Amsterdam, Netherlands
We aim to respond to all enquiries within 5 business days.