Privacy Policy
Last Updated: 24 October 2025
Entity: ReKruiter.Ai (“Rekruiter”, “we”, “us”, “our”)
Registered Address: OIC LIT, JKU, Altenbergerstrasse 69, 4040 Linz, Austria
Contact (Privacy): privacy@rekruiter.ai
Contact (Legal): legal@rekruiter.ai
Jurisdiction: Austria. We comply with the EU General Data Protection Regulation (EU GDPR).
1. Our Approach to Privacy
This Privacy Policy (“Policy”) explains how we collect, store, process, transfer, share, and use personal data that identifies or relates to you (“Personal Data”) in connection with your use of: (i) the Rekruiter web and mobile applications, (ii) any website or webpage operated by us (including rekruiter.ai), and (iii) any related services, features, or communications (together the “Services”).
This Policy applies to:
- Candidates – individuals whose information (e.g., CVs, profiles) is processed through the Services.
- Clients – organisations and users such as recruitment agencies, freelance recruiters, HR teams, and hiring managers who use the Services to manage roles and candidate pipelines.
2. Controller / Processor Roles
- Controller (Rekruiter): For account administration, security, service communications, website analytics, and our own marketing, Rekruiter is the data controller.
- Processor (Rekruiter): For Customer Data uploaded or provided by Clients (e.g., job descriptions, candidate CVs, interview notes, communications, tags, scoring), Rekruiter acts as a data processor under Article 28 GDPR. The Client is the data controller of Customer Data. Our processor obligations are set out in the Data Processing Agreement (DPA) section of this Policy.
3. About Us
ReKruiter.Ai is incorporated in Austria. For EU GDPR queries, contact privacy@rekruiter.ai. You may also contact your supervisory authority (see Section 15).
4. Personal Data We Collect and How We Use It
The Annex to this Policy lists the categories of Personal Data we collect and how we use it, as well as the applicable legal bases.
You may provide Personal Data when you:
- create or update an account or profile;
- upload or process Candidate data (including via CV uploads and integrations);
- use features such as job posting, matching, enrichment, and messaging;
- connect third‑party services (e.g., LinkedIn – see Section 8);
- communicate with us (support, sales, social channels, feedback forms);
- participate in surveys, tests, events, or beta programmes.
Special Categories of Data. Where Candidates or Clients submit special category data (e.g., health or disability information, race/ethnicity, religious beliefs), processing requires your explicit consent (Article 9(2)(a) GDPR). You should only provide such information where necessary and lawful. Rekruiter does not require special category data for the Service to function.
5. Data Retention
We retain Personal Data only as long as necessary for the purposes described in this Policy, including to meet legal, accounting, or reporting requirements. Criteria include data volume and sensitivity, risk of harm from unauthorised use, purposes of processing, and whether those purposes can be achieved by other means. Clients may set their own retention periods for Customer Data; we act accordingly as processor.
6. Recipients of Personal Data
We may share Personal Data with:
- Service Providers / Subprocessors (e.g., secure hosting, storage, analytics, communications, monitoring, customer support). We impose contractual safeguards and confidentiality obligations. During beta, Rekruiter will maintain and publish an up‑to‑date list of subprocessors; users will be notified prior to material changes.
- Clients (for Candidate data): If you are a Candidate, the Personal Data contained in your profile, CV, submissions, or communications may be shared with relevant Clients advertising roles or managing talent pipelines through the Services, in accordance with the controller’s instructions and applicable law.
- Professional Advisors & Auditors where necessary for compliance and corporate governance.
- Corporate Transactions (e.g., merger, financing, acquisition) where permitted by law and subject to appropriate safeguards.
- Law Enforcement / Regulators / Legal Proceedings where required by law or where we reasonably believe disclosure is necessary to protect rights, safety, or enforce our terms.
7. Marketing and Communications
We may send Service messages (transactional/operational), which are not subject to marketing opt‑out. With your consent where required (or otherwise under legitimate interests, as applicable), we may send newsletters or information about features, events, and opportunities. You can opt out via the unsubscribe link or by contacting privacy@rekruiter.ai. Your marketing preferences do not affect essential Service communications.
8. Integrations (including LinkedIn)
You may choose to connect third-party accounts (e.g., LinkedIn) to enrich profiles or facilitate sourcing. If you authorise such connections, we will receive the categories of data the third party shares under your consent (e.g., name, profile URL, professional history, email if available). Usage is limited to providing and improving the Services as instructed by the relevant controller. Your use of third-party services is also governed by those providers’ privacy policies and terms. You can revoke access via the third-party platform or within Rekruiter, subject to the provider’s controls.
9. International Data Transfers
We may process Personal Data outside the EEA where our service providers operate. Where we transfer Personal Data to countries without an adequacy decision, we implement appropriate safeguards under Articles 44–49 GDPR, such as EU Standard Contractual Clauses and additional measures as appropriate. You may request details at privacy@rekruiter.ai.
10. Security
We implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Measures include access controls, encryption in transit and at rest (where applicable), monitoring, and vulnerability management. No system is perfectly secure; residual risk remains with internet transmission.
11. Automated Decision‑Making & Profiling
The Services may use algorithms and machine learning to assist with:
- Profile enrichment (e.g., parsing CVs, inferring skills or seniority);
- Role‑candidate matching (ranking/shortlisting);
- Interview or assessment triage (where enabled by the Client).
Where automated processing is used to produce significant effects, you have the right to request human review, to express your point of view, and to contest the decision. You may also opt out of non‑essential automated decision‑making where feasible. Contact privacy@rekruiter.ai.
12. Your Rights
Subject to applicable law, you have the right to: access, rectify, erase, restrict, object (including to marketing), and port your Personal Data, and to withdraw consent at any time (without affecting prior lawful processing). Requests may be submitted to privacy@rekruiter.ai. We will respond in accordance with GDPR timelines. You also have the right to lodge a complaint with your supervisory authority (see Section 15).
13. Cookies and Similar Technologies
Our websites and apps use cookies and similar technologies. We operate a consent banner in the EEA that distinguishes essential cookies (strictly necessary), analytics, and optional categories (e.g., advertising where relevant). You can manage preferences via the banner or browser settings. See our Cookie section in the Annex for typical purposes and lifetimes.
14. Children
The Services are not intended for individuals under 18. We do not knowingly collect data from children. If you believe a child has provided Personal Data, contact privacy@rekruiter.ai for prompt deletion.
15. Supervisory Authority & Contacting Us
You may lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde) or your local EU supervisory authority.
Contact (Privacy): privacy@rekruiter.ai
Contact (Legal): legal@rekruiter.ai
Postal: ReKruiter.Ai, OIC LIT, JKU, Altenbergerstrasse 69, 4040 Linz, Austria
16. Changes to this Policy
We may update this Policy periodically. Material changes will be indicated by updating the Last Updated date above and, where required, we will notify you via the Services or by email.
Data Processing Agreement (Article 28 GDPR)
Applies where Rekruiter acts as Processor of Customer Data on behalf of a Client (Controller).
- Subject‑Matter & Duration. Processing of Customer Data for the provision of the Services during the subscription/beta term and any return/deletion period.
- Nature & Purpose. Hosting, storage, retrieval, organisation, transmission, parsing, enrichment, matching, communication, support, analytics (as instructed by Controller), and other operations necessary to provide the Services.
- Types of Personal Data & Data Subjects. Candidates (CVs, profiles, identifiers, contact details, work history, skills, notes, interview artefacts and transcripts where enabled), Client users (business contact details, roles, activity logs), and any other data provided by Controller.
- Controller Instructions. Rekruiter processes Customer Data only on documented instructions from Controller, including with respect to international transfers. If Rekruiter is required by law to process, it will inform Controller unless prohibited.
- Confidentiality. Rekruiter ensures persons authorised to process Customer Data are bound by confidentiality.
- Security. Rekruiter implements appropriate technical and organisational measures (see Section 10) and will assist Controller with security of processing, breach notifications, and data protection impact assessments where reasonably required.
- Subprocessors. Rekruiter may engage subprocessors subject to written agreements imposing equivalent data protection obligations. Rekruiter will maintain an up‑to‑date list and provide advance notice of material changes, allowing Controller to object on reasonable grounds.
- Data Subject Requests. Taking into account the nature of processing, Rekruiter will assist Controller by appropriate technical and organisational measures to fulfil data‑subject requests.
- Breach Notification. Rekruiter will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Data, providing information reasonably available to assist fulfilment of Controller obligations.
- Data Transfers. Rekruiter will ensure appropriate safeguards (e.g., SCCs) for transfers outside the EEA.
- Return & Deletion. Upon termination or at Controller’s written instruction, Rekruiter will delete or return Customer Data and delete existing copies unless retention is required by law.
- Audit. Rekruiter will provide information necessary to demonstrate compliance and allow audits by Controller or Controller’s auditor (subject to reasonable notice, scope, confidentiality, and frequency limitations).
Annex A – Categories of Personal Data, Use, and Legal Bases
A. Candidates
| Category | Examples | How we use it | Legal basis |
|---|---|---|---|
| Identification & Contact | Name, email, phone, account ID | Account creation, authentication, security, service notifications | Performance of contract; Legitimate interests (security) |
| Profile & Career Data | CV, work history, skills, education, portfolios, links; LinkedIn data if connected | Profile building, search and matching, enrichment, client submissions (as instructed by Controller) | Controller’s lawful basis (Processor role); or Performance of contract / Legitimate interests where Rekruiter is Controller |
| Communications | Messages with Clients or Rekruiter, interview scheduling | Provide and support Services; dispute resolution | Performance of contract; Legitimate interests |
| Special Categories (optional) | Health/disability, ethnicity, etc. | Only if voluntarily provided and necessary | Explicit consent (Article 9(2)(a)) |
| Technical & Usage | IP, device, logs, feature use, crash data | Security, debugging, analytics, service improvement | Legitimate interests; Consent where required (e.g., analytics cookies) |
B. Clients
| Category | Examples | How we use it | Legal basis |
|---|---|---|---|
| Business Contact & Account | Name, role, company, work email/phone, billing contacts | Account setup, role management, customer success | Performance of contract |
| Organisation Data | Company details, locations, job reqs, teams | Provide ATS/CRM features, permissions | Performance of contract; Legitimate interests |
| Payment & Transactions (if enabled) | Billing details, invoices, payment confirmations | Process payments, accounting, fraud prevention | Performance of contract; Legal obligation; Legitimate interests |
| Communications & Activity | Support tickets, feedback, activity logs | Support, training, quality, security | Performance of contract; Legitimate interests |
C. Both (Candidates & Clients)
| Category | Examples | How we use it | Legal basis |
|---|---|---|---|
| Marketing Preferences | Opt-in status, topics | Send updates/offers; manage opt-outs | Consent where required; Legitimate interests |
| Cookies / Analytics | Page views, sessions, referrers | Improve Services; product analytics | Consent (non-essential); Legitimate interests (essential) |
Annex B – Cookies (Overview)
- Essential (strictly necessary): authentication, load balancing, security; duration: session to 12 months.
- Analytics (with consent): usage metrics, product improvement; duration: session to 24 months.
- Optional/Advertising (if used in future, with consent): ad measurement/interest‑based advertising.
Cookie preferences can be managed via the consent banner and browser settings.
Annex C – Interest‑Based Advertising (If Enabled)
If we enable advertising, we may partner with third‑party advertising networks that use cookies or similar technologies to deliver more relevant ads and measure performance. You can opt out via platform tools (e.g., YourOnlineChoices, NAI, DAA) and our consent banner. Opt‑outs are browser/device‑specific and may require cookies to remain set.
Annex D – Automated Decision‑Making & Human Review
For matching and shortlisting, our systems may process Candidate attributes and job criteria to produce ranked outputs. Where such processing is likely to produce legal or similarly significant effects, you may request human intervention, contest a decision, or opt out where feasible by contacting privacy@rekruiter.ai.