Privacy Policy
Hirrd is committed to protecting your personal data. This policy explains who we are, what data we collect, why we collect it, and how you can exercise your rights under the General Data Protection Regulation (GDPR) and Spanish data protection law (LOPDGDD).
1. Data Controller
The data controller responsible for your personal data is:
As data controller, Hirrd determines the purposes and means of processing your personal data and is responsible for ensuring that processing complies with applicable law.
2. Data We Collect
We collect the following categories of personal data:
| Category | Data | Source |
|---|---|---|
| Identity | Full name, chosen role (jobseeker or employer) | Provided by you on registration |
| Contact | Email address | Provided by you on registration |
| Profile | Profile photo (optional) | Uploaded by you |
| Application data | CV/résumé, cover letters | Uploaded by you when applying |
| Job postings | Job title, description, salary, location, type | Created by employer users |
| Activity | Applications submitted, status updates, application history | Generated by platform use |
| Company data | Company name, description, website, logo | Provided by employer users |
| Usage data | Pages visited, search queries, session duration | Collected automatically |
| Technical | IP address, browser type, device type | Collected automatically |
| Preferences | Notification settings, cookie consent | Set by you |
We do not collect sensitive special-category data (e.g. health, religion, political views, biometric data). Please do not include such information in your CV or cover letters.
3. Legal Basis for Processing
We rely on the following legal bases under GDPR Article 6:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Creating and managing your account | Performance of contract | Art. 6(1)(b) |
| Processing job applications | Performance of contract | Art. 6(1)(b) |
| Sending transactional emails (confirmations, status updates) | Performance of contract | Art. 6(1)(b) |
| Sharing your application with an employer you applied to | Performance of contract | Art. 6(1)(b) |
| Preventing fraud and ensuring platform security | Legitimate interest | Art. 6(1)(f) |
| Aggregated, anonymised platform analytics | Legitimate interest | Art. 6(1)(f) |
| Analytics cookies (non-essential) | Consent | Art. 6(1)(a) |
| Sending marketing or job-alert emails | Consent | Art. 6(1)(a) |
| Complying with legal obligations | Legal obligation | Art. 6(1)(c) |
Where we rely on legitimate interest, we have conducted a balancing test and concluded that our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time.
4. How We Use Your Data
- Creating and authenticating your account.
- Enabling jobseekers to apply for jobs and employers to review applications.
- Sharing your application (CV, cover letter, name) with the employer you explicitly apply to — and only that employer.
- Sending transactional notifications (application confirmations, status updates, account alerts).
- Sending optional job-alert and marketing emails where you have given consent.
- Improving the platform through anonymised, aggregated usage analytics.
- Detecting and preventing fraud, abuse, and unauthorised access.
- Complying with applicable legal obligations.
We do not sell, rent, or share your personal data with third parties for their own marketing purposes. Ever.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (name, email) | Duration of active account + 30 days after deletion request |
| CV and cover letters | Duration of active account + 30 days after deletion request |
| Application history | Duration of active account + 30 days after deletion request |
| Job postings | Duration of employer account + 30 days after deletion request |
| Usage logs | Up to 12 months, then automatically deleted |
| Anonymised analytics | Indefinitely (cannot identify you) |
| Legal/financial records | As required by Spanish law (generally 5–10 years) |
When you request account deletion, we will delete or anonymise your personal data within 30 days, except where retention is required by law.
Employers who have received your application may retain your data independently subject to their own privacy obligations. We recommend contacting them directly to request deletion of their copy.
6. Third-Party Processors
We use the following sub-processors to operate the platform. Each processes data only on our instructions and under a Data Processing Agreement (DPA):
| Processor | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (AWS eu-west-1, Ireland) | supabase.com/privacy |
| Resend Inc. | Transactional email delivery | EU SCCs in place | resend.com/privacy |
| Vercel Inc. | Platform hosting and CDN | EU SCCs in place; edge nodes worldwide | vercel.com/legal/privacy-policy |
We do not use any advertising networks, data brokers, or social tracking pixels.
7. International Data Transfers
Our primary infrastructure (Supabase) is hosted in the EU (Ireland). Where processors operate outside the EU/EEA (e.g. Vercel's global edge network), transfers are covered by:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- The EU–US Data Privacy Framework (DPF) where applicable.
You may request a copy of the relevant transfer mechanism documentation by emailing privacy@hirrd.com.
8. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights. All requests should be sent to privacy@hirrd.com and will be responded to within 30 days.
| Right | What It Means |
|---|---|
| Access (Art. 15) | Receive a copy of all personal data we hold about you. Available via Settings → Download My Data. |
| Rectification (Art. 16) | Correct inaccurate or incomplete data. Available via your profile settings. |
| Erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten"). Available via Settings → Delete Account. |
| Restriction (Art. 18) | Ask us to limit processing in certain circumstances (e.g. while we verify a dispute). |
| Portability (Art. 20) | Receive your data in machine-readable JSON format. Available via Settings → Download My Data. |
| Objection (Art. 21) | Object to processing based on legitimate interest. We will cease unless we have compelling legitimate grounds. |
| Withdraw Consent (Art. 7) | Withdraw consent at any time for consent-based processing (e.g. marketing emails, analytics cookies). |
| Lodge a Complaint | You have the right to lodge a complaint with the AEPD (see below). |
To lodge a complaint with the Spanish supervisory authority:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6, 28001 Madrid, Spain
Website: www.aepd.es
Phone: +34 912 663 517
See our GDPR Rights page for step-by-step guidance on exercising each right.
9. Cookies
We use strictly necessary cookies to keep you signed in (Supabase session cookies) and a preference cookie to remember your consent choice. Analytics cookies are only set with your explicit consent.
See our Cookie Policy for full details and to manage your preferences.
10. Children
Hirrd is not directed at children. The minimum age to use Hirrd is 16 years, which is the age of digital consent in Spain under the LOPDGDD. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with data, please contact us immediately at privacy@hirrd.com and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email at least 30 days before the changes take effect and update the version number and date at the top of this page. Continued use of Hirrd after the effective date constitutes acceptance of the updated policy.
12. Contact
For all privacy-related queries, data subject requests, or concerns, contact us at:
Hirrd — Data Protection
Email: privacy@hirrd.com
We aim to respond within 30 days as required by GDPR Art. 12(3).