Cake.me Privacy Policy

Last Updated: August 29, 2025

1. Scope & Roles

This policy applies to individuals and organizations using the Cake.me website, app, API, and related services. The data controller is Ardent Digital Co., Ltd. (Cake). Entrusted service providers may only process data in accordance with written instructions. Where GDPR/UK GDPR applies, we will designate a representative and Data Protection Officer (DPO), and disclose them on our website. Contact: [email protected].

2. Definitions

Sensitive Personal Data includes medical records, genetic data, sexual life, health check data, criminal records, race, religion, political opinions, trade union membership, precise location, communications content, account credentials, biometric features, neural data, and children’s data. De-identified Data means data that cannot reasonably be re-identified to a specific individual.

3. Data Categories We Collect

We collect: account and contact data, resumes and portfolios, job postings and company data, interaction records, device and technical information, cookies and similar technologies, and third-party data provided by partners. As a principle, we do not actively request sensitive data; if you disclose it yourself, please evaluate carefully.

4. Purposes & Legal Bases

We process data for the following purposes:

1. Contract performance and service provision (registration, verification, matching, notifications, support, payment, and security protection).
2. Legitimate interests (operations, analytics, R&D, fraud prevention, auditing), without overriding fundamental rights and freedoms.
3. Consent (marketing messages, visibility settings, research collaboration), which may be withdrawn at any time.
4. Legal obligations or rights assertion (requests from authorities or courts, tax, legal defense).
5. Vital interests (protection of life, body, property).
6. Personalization and recommendations (job or talent matching, AI resume suggestions).

5. Disclosures

We do not sell your personal data, nor do we share it for cross-context behavioral advertising (as defined under CPRA). If this changes, we will provide a “Do Not Sell or Share My Personal Information” link and support Opt-out Preference Signals (such as GPC).
We disclose data to:

1. Processors (cloud, communication, payments, security, analytics, etc.).
2. Employers and recruitment partners (only where you apply or set visibility).
3. In case of transactions or legal requests (mergers, reorganizations, courts, or authorities).
4. De-identified or aggregated statistical data.

6. International Transfers

Data may be processed overseas. We will use Standard Contractual Clauses (SCCs), adequacy decisions, or other safeguards to ensure your rights remain protected under applicable laws. Where local authorities impose restrictions, we will comply accordingly.

7. Retention

We retain data as long as needed to fulfill the purposes for which it was collected, considering legal obligations, dispute resolution, and security needs. Once retention is no longer necessary, data will be deleted or de-identified. Where a specific duration cannot be provided, we will disclose criteria (such as account status, statutory retention periods, complaint or litigation time limits).

8. Your Choices & Rights

You have the right to: access, rectify, obtain a copy, delete, restrict or stop processing, data portability, object (including direct marketing), and withdraw consent. We will respond within timelines required by applicable law and may conduct identity verification where necessary. If unsatisfied with our response, you may lodge a complaint with a supervisory authority.

9. Children

Our services are not designed for children. Minors must obtain consent and guidance from their legal guardians before using. In the EEA/UK, local legal age thresholds will apply.

10. Security & Breach Notice

We implement layered access, encryption, auditing, and backup measures. In the event of a personal data breach, we will notify regulators and affected individuals as required by applicable laws. We also maintain procedures for data disposal following service termination.

11. Automated Decisions & Profiling

We generally do not make decisions solely by automated means that significantly affect your rights. Where necessary, we will provide human intervention and appeal mechanisms.

12. Third-Party Links

Third-party services are governed by their own privacy policies. Please review them carefully.

13. Local Supplements

We are committed to complying with applicable privacy and data protection laws worldwide. As a global standard, we align with GDPR and ensure user rights are protected under local laws. Depending on your jurisdiction, you may enjoy rights such as access, rectification, deletion, restriction, portability, objection, and consent withdrawal. We will handle requests in line with legal timelines and requirements.

1. California, USA (CCPA/CPRA)

   In the past 12 months, we have collected identifiers (such as name, email, phone), employment and education information (such as resume contents), online activity records (such as event logs, IP, device information), and necessary sensitive data (such as account credentials, communication content).
   Purposes include account services, job and talent matching, support, and security maintenance. We do not sell or share your personal information; if this changes, we will provide a “Do Not Sell or Share” link and support GPC.
   Your rights include:

   1. Know, access, portability, delete, rectify
   2. Limit use of sensitive data
   3. Opt out of sale or sharing
   4. Freedom from discrimination

   We will respond to requests within 45 days, extendable by an additional 45 days if necessary. Requests may be submitted via [email protected] or our website form.

2. Taiwan (PDPA)

   When collecting data, we will inform you of the organization name, purposes, data categories (including name, contact details, educational/professional background, financial conditions, etc.), usage duration, territory, methods (e.g., platform, email, or system notifications), recipients, your rights and how to exercise them, and the consequences of not providing data.

   Data subjects may exercise rights to access, rectify, delete, and stop processing. We will generally respond within 15 days, extendable by another 15 days if necessary. In the event of a personal data incident, we will notify regulators and affected individuals as required.

3. Other Regions

   For regions not specifically listed, we will operate in compliance with applicable local data protection laws and guarantee user rights accordingly, including but not limited to access, rectification, deletion, restriction, portability, and objection. We will ensure cross-border transfers meet legal requirements and implement appropriate safeguards where needed.

For any inquiries or rights requests, please contact our privacy team at: [email protected].

14. Changes

If this policy is updated due to legal or service adjustments, we will notify you via website announcements or your provided contact methods. For material changes, we will explain in advance and they will take effect from the date of announcement. If you do not agree, please stop using our services and delete your account or adjust your settings accordingly.