// POLITYKA PRYWATNOŚCI

// 1. Data Controller & Contact Information

Data Controller: Mykyta Usatenko and Eduard Shuliak
Operating as: Refcruiter
Location: Poland
Website: https://refcruiter.com

Contact for Privacy Matters::
📧 Founders:: [email protected], [email protected]
⏱️ Response Time:: Within 30 days (GDPR) / 45 days (CCPA)

// 2. Scope & Definitions

This policy applies to::

• Job Seekers/Candidates: Individuals who browse jobs, create accounts, or submit applications
• Employers/Recruiters: Individuals/companies who post jobs and review applications
• Website Visitors: Anyone who accesses our Service
• Guest Users: Individuals who apply to jobs without creating an account

Personal Data: Any information relating to an identified or identifiable individual.

// 3. Personal Data We Collect

Data You Provide Directly::

• Account Information: Name, email address, password (hashed), username
• Profile Information: First name, last name, professional title, location
• Resume/CV: Uploaded files containing work history, education, skills, contact info
• Company Information: Company name, website, logo, description, job postings
• Payment Data: Credit card information (handled entirely by Stripe, not stored by us)

Data Collected Automatically::

• Technical Data: IP address, browser type, device type, operating system
• Usage Data: Pages visited, time spent, click patterns
• Cookies: See our Cookie Policy

// 4. How We Use Your Personal Data

• Service Provision: Account management, job applications, job posting, communication
• Legal Obligations: Tax compliance, fraud prevention, legal requests
• Legitimate Interests: Service improvement, security, customer support
• With Your Consent: Marketing emails (opt-in only), non-essential cookies

// 5. Legal Basis for Processing (GDPR Article 6)

We process your data based on:

• Contract Performance (Art. 6(1)(b)): Necessary to provide our Service
• Consent (Art. 6(1)(a)): Where you explicitly agree
• Legitimate Interest (Art. 6(1)(f)): For service improvement, security, business operations
• Legal Obligation (Art. 6(1)(c)): When required by law

You have the right to object to processing based on legitimate interest.

// 6. Job Applications & Data Sharing with Employers

How Applications Work:

1. Your resume/CV and application data are uploaded to our secure Supabase storage
2. The employer gains access to view and download your application materials
3. Your name, email, resume, and cover letter are shared with the employer
4. The employer becomes an independent data controller for your application data

Employer Responsibilities (Data Processing Agreement):
Employers who receive applications act as independent Data Controllers and must:

• Comply with applicable privacy laws (GDPR, CCPA, etc.)
• Process data only for recruitment purposes
• Maintain appropriate security measures
• Respect data subject rights
• Delete data when no longer needed

Our Role: Refcruiter acts as a Data Processor, providing infrastructure to store and deliver applications.

Guest Applications: You can apply without an account. Guest applications are treated identically and stored for 90 days.

// 7. Who We Share Your Data With

• Employers/Recruiters: When you submit applications
• Supabase (US): Cloud storage with Standard Contractual Clauses (SCCs), encryption
• Stripe (US): Payment processing with PCI-DSS compliance, EU-US Data Privacy Framework
• Typesense: Self-hosted job search indexing (data under our control)
• Legal Authorities: When required by law or court order

We do NOT sell your personal information to third parties. (CCPA: We have not sold personal information in the past 12 months.)

// 8. Data Retention & Deletion

• Account Data: While active + 90 days after deletion
• Resumes/CVs: 90 days from application submission (automatic deletion)
• Application Records: 90 days from submission
• Payment Records: 7 years (legal requirement for tax compliance)
• Access Logs: 90 days

⚠️ Important: Our system automatically deletes application files after 90 days. Employers should download applications within this timeframe.

You can request immediate deletion at any time by contacting

    Mykyta Usatenko: [email protected]
    Eduard Shuliak: [email protected]

// 9. International Data Transfers

Your data may be processed and stored in:

• European Union: Primary database servers (via Supabase EU region)
• United States: Backup servers, Stripe payment processing

Transfer Safeguards (GDPR Chapter V):

• Standard Contractual Clauses (SCCs): EU Commission-approved contracts with processors
• EU-US Data Privacy Framework: For US-based processors certified under the framework
• Adequacy Decisions: Transfers to countries with EU adequacy decisions

You can request information about transfer safeguards by contacting

    Mykyta Usatenko: [email protected]
    Eduard Shuliak: [email protected]

// 10. Your Privacy Rights

GDPR Rights (EU/UK/EEA Residents):

• Access (Art. 15): Obtain a copy of your personal data
• Rectification (Art. 16): Correct inaccurate data
• Erasure / "Right to be Forgotten" (Art. 17): Request deletion
• Restriction (Art. 18): Limit how we process your data
• Data Portability (Art. 20): Receive data in machine-readable format
• Object (Art. 21): Object to processing based on legitimate interests
• Withdraw Consent (Art. 7(3)): Withdraw consent anytime
• Lodge a Complaint (Art. 77): File complaint with supervisory authority

CCPA/CPRA Rights (California Residents):

• Right to Know: Request disclosure of personal information collected
• Right to Access: Obtain a copy of your information
• Right to Delete: Request deletion of your information
• Right to Correct: Request correction of inaccurate information (CPRA)
• Right to Opt-Out: We don't sell data, but you can opt out if practices change
• Non-Discrimination: We won't discriminate for exercising rights

LGPD Rights (Brazil Residents):

• Confirmation and access to your data
• Correction of incomplete or inaccurate data
• Anonymization, blocking, or deletion
• Data portability
• Revocation of consent

PIPEDA Rights (Canada Residents):

• Access your personal information
• Challenge accuracy and completeness
• Withdraw consent (where consent is the basis)
• File complaint with Privacy Commissioner of Canada

How to Exercise Your Rights:

1. Send an email to:
    Mykyta Usatenko: [email protected]
    Eduard Shuliak: [email protected]
2. Include: Your full name, email address, and description of request
3. Specify: Which right you're exercising and your jurisdiction
4. Verification: We may request additional info to verify your identity
5. Response: Within 30 days (GDPR) / 45 days (CCPA)

// 11. Data Security

Technical Measures:

• Encryption: TLS/SSL for data in transit, AES-256 for data at rest
• Access Controls: Role-based access, multi-factor authentication for admin accounts
• Password Security: Bcrypt hashing with salt, no plaintext storage
• CSRF Protection: Anti-CSRF tokens for all state-changing requests
• XSS Prevention: Input validation and output encoding

Data Breach Notification:
In the event of a personal data breach, we will notify affected users within 72 hours (GDPR requirement) and notify relevant supervisory authorities as required by law.

Limitation: No method of transmission or storage is 100% secure. While we implement industry-standard security measures, we cannot guarantee absolute security.

// 12. Children's Privacy

Our Service is not intended for individuals under 16 years old (GDPR) / 13 years old (COPPA).

• We do not knowingly collect data from children
• If you are under 16 (or 13 in the US), do not use our Service
• If we learn we collected data from a child, we will delete it immediately
• Parents/guardians: Contact     Mykyta Usatenko: [email protected]
      Eduard Shuliak: [email protected] if you believe your child provided data

// 13. Automated Decision-Making & Profiling

We do NOT use automated decision-making or profiling that produces legal or similarly significant effects (GDPR Article 22).

• Job Matching: Our job recommendation algorithm is informational only
• Search Results: Ranking is based on relevance, not automated decisions about you
• No AI Hiring Decisions: Employers make all hiring decisions manually

// 14. California "Shine The Light" Law

We do not share personal information with third parties for their direct marketing purposes (Cal. Civ. Code § 1798.83).

// 15. Nevada Privacy Rights

We do not sell personal information (NRS 603A). If you wish to submit an opt-out request:
Email:     Mykyta Usatenko: [email protected]
    Eduard Shuliak: [email protected] with subject "Nevada Opt-Out"

// 16. Updates to This Privacy Policy

We may update this Privacy Policy periodically. Material changes will be notified via:

• Email notification to registered users
• Prominent notice on our website for 30 days
• Updated "Last updated" date at the top
• For material changes requiring consent, we will obtain fresh consent

Your continued use after changes constitutes acceptance of the updated policy.

// 17. Supervisory Authorities & Complaints

You have the right to lodge a complaint with a data protection authority:

• Poland (UODO): https://uodo.gov.pl
• EU Supervisory Authorities: https://edpb.europa.eu
• UK (ICO): https://ico.org.uk
• California Attorney General: https://oag.ca.gov/privacy/ccpa
• Brazil (ANPD): https://www.gov.br/anpd
• Canada (OPC): https://www.priv.gc.ca

// 18. Contact Us

For any privacy-related questions, concerns, or rights requests:

📧 Email:     Mykyta Usatenko: [email protected]
    Eduard Shuliak: [email protected]
📬 Postal Address: Refcruiter - Privacy Team, Mykyta Usatenko and Eduard Shuliak, Poland
⏱️ Response Time: Within 30 days (GDPR) / 45 days (CCPA)
📞 Alternative Contacts:
    Mykyta Usatenko: [email protected]
    Eduard Shuliak: [email protected]