Privacy Policy
Last updated: 2026-05-12
1. Who we are
This site is operated by Sivel Labs SRL, a Belgian limited liability company registered in La Hulpe, Belgium. Sivel Labs SRL is the data controller within the meaning of the GDPR (Regulation (EU) 2016/679).
2. Data we collect
We process personal data only in the following cases:
2.1 Contact form
- Submitted fields: name, email address, subject, message.
- Technical metadata: Salted SHA-256 hash of your IP address (32-character prefix, never the clear IP ; salt rotated server-side via service_keys), User-Agent, displayed language.
- Retention: 90 days, then automatic deletion.
- Legal basis: your consent (art. 6.1.a GDPR) by submitting the form, plus legitimate interest (art. 6.1.f) for abuse prevention.
2.2 Job listings (browsing)
Browsing our open positions requires no personal data from you. No candidate or recruiter personal data is exposed by this section.
2.3 No tracking cookies
This site uses no third-party cookies and no analytics tracking tools (Google Analytics, Matomo, etc.). Only browser localStorage (a key-value storage area, distinct from cookies — not automatically sent to the server and exempt from the consent-banner requirement of ePrivacy art. 5(3)) holds a language preference key sl-lang. Internal links add a ?lang=fr|en|nl query parameter to the URL to propagate the chosen language: this parameter is visible in server logs (limited to the language value; no other PII).
3. Anti-bot — Cloudflare Turnstile
The contact form is protected by Cloudflare Turnstile (a privacy-respecting reCAPTCHA alternative). Turnstile may process your IP address and a browser fingerprint on Cloudflare's servers. More information: Cloudflare Privacy Policy.
- Data categories : visitor IP address, browser fingerprint (user-agent, language, timezone), cryptographic challenge result. No persistent third-party cookies — Turnstile may set at most a session-scoped
cf_clearancetechnical cookie. - Retention : Cloudflare retains Turnstile tokens and metadata for at most 24h (per Cloudflare policy). On the Sivel Labs side, only the verification result (boolean) is processed, never the raw IP.
- Legal basis : legitimate interest (GDPR art. 6.1.f) — bot protection is a necessary and proportionate security measure given the form's public exposure.
- Unavailability : if Turnstile is unavailable (Cloudflare outage, network block, browser extension), the interface may accept submission in degraded mode. The server remains the final authority: it validates Turnstile when configured and may reject the request if anti-bot verification fails.
- Outside EU transfer : Cloudflare operates from the USA but relies on Standard Contractual Clauses (SCCs) from the European Commission plus the Data Privacy Framework. Cloudflare's sub-processors are listed at cloudflare.com/gdpr.
4. Sub-processors
- OVH SAS (France) — infrastructure hosting; data remains in EU.
- Brevo SA (France) — transactional email delivery (form-submission notification).
- Cloudflare Inc. (USA) — Turnstile anti-bot; standard contractual clauses.
Audience measurement and navigation replay: no third-party sub-processor. These processing operations run on tools self-hosted on the infrastructure listed above (data never leaves our servers). See the cookie policy for details (opt-in, retention periods, technical safeguards).
5. Scope of AI processing
Data collected via this site (contact form, technical metadata): no artificial-intelligence processing. No automated scoring, no AI spam classification, no profiling, no automated decision-making within the meaning of GDPR Article 22. Received messages are read exclusively by a human senior consultant at Sivel Labs Talents and any selection of items included in the recruitment workflow remains under explicit human control.
Data collected outside this site, after a recruitment mandate begins: if you become a candidate or client of the Sivel Labs Talents recruitment section operated by Sivel Labs SRL, the subsequent processing of your data (CV, candidate file, exchange history, mission brief) may rely on the CareerToolbox.AI platform (assisted candidate identification, job-description drafting assistance, CV analysis) — strictly as a tool assisting the human consultant, never as an autonomous decision-maker. This use is governed by a separate contract (recruitment mandate OR candidate consent) detailing the AI's role, the DPIA conducted, the applicable EU AI Act safeguards (Article 50 transparency + Article 26 user obligations if high-risk classification), and the candidate's right to human intervention.
Clear boundary: as long as you are not in a contractual recruitment relationship with Sivel Labs SRL, NONE of your data crosses this boundary. If a next step triggers AI processing, you are explicitly informed before the data is transferred to the platform.
5b. AI crawlers and public-content indexation
Public content on this site (agency descriptions, job openings exposed via the public API /api/public/v1/orgs/sivel-labs-talents/jobs, legal pages) is explicitly opt-in for AI crawlers (GPTBot, ClaudeBot, Google-Extended, PerplexityBot, CCBot…) via our robots.txt and llms.txt. This is a deliberate choice: we want AI answer engines to correctly answer queries like "which recruitment agency in Belgium?". No visitor personal data is exposed via these entry points: neither contact form contents (which remain private and encrypted), nor IP fingerprints, nor User-Agent headers. Only marketing copy and publicly-available job listings are indexable. If you operate an AI crawler and would like our site removed from your index, contact dpo@sivel-labs.be — we will adjust the robots.txt to your request within a reasonable timeframe.
6. Your rights
You have the right to access, rectify, erase, object, restrict, and port your data. To exercise these rights, write to dpo@sivel-labs.be with a proof of identity. Response within 30 days max.
If we don't respond, you may file a complaint with the Belgian Data Protection Authority (APD-GBA).
7. Security
All transfers are encrypted with TLS 1.2 or higher (nginx config : TLSv1.2 + TLSv1.3 accepted ; legacy clients on TLSv1.0/1.1 are rejected). Received messages are stored in a protected database, accessible only to the management team of Sivel Labs SRL and the senior consultants assigned to the file. No commercial third-party disclosure.
8. DPO contact
Email: dpo@sivel-labs.be
Postal address: Sivel Labs SRL, La Hulpe, Belgium