Privacy Policy

ENGLISHJOBS Employer Dashboard


1. Introduction

This Privacy Policy explains how Ninibe GmbH ("we", "us", "our") collects, uses, shares, and protects personal data when you use the ENGLISHJOBS Employer Dashboard at englishjobs.com (the "Dashboard"). The Dashboard is the employer-facing platform through which direct employers and hiring agencies create, manage, and publish job postings across our European market websites.

This policy applies exclusively to employer and Dashboard users. A separate privacy policy governs the processing of job seekers' personal data on our market websites.

We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable national data-protection legislation.

2. Data Controller

Ninibe GmbH
Travemünder Allee 4
23568 Lübeck, Germany

Registered at Amtsgericht Lübeck, HRB 25076 HL
VAT ID: DE 341 629 390
Managing Director: Victor Ruiz

For privacy-related inquiries, contact us at: [email protected]

3. Personal Data We Collect

3.1 Account Registration Data

When you create an account or are invited to join an organization, we collect:

  • User ID and internal account identifiers
  • Full name
  • Email address
  • Password (stored in hashed form only — we never store plaintext passwords)
  • Role within the organization account (Admin, Editor, or Viewer)

3.2 Business and Organization Data

To set up and maintain your employer profile, we collect:

  • Company or business name
  • Billing email address
  • Business address (country, region, city, postal code, street)
  • VAT identification number
  • Company size category
  • Company website URL and LinkedIn URL
  • Company description
  • Company logo (uploaded image file)
  • Contact email address (if provided in the employer profile)
  • Contact phone number

3.3 Billing and Payment Data

For subscription management and invoicing, we process:

  • Selected subscription plan
  • Billing cycle and payment history
  • Payment method details (processed and stored by our merchant of record, Paddle — we do not store card numbers or bank details directly)
  • Invoice records
  • Paddle identifiers (customer ID, subscription ID, transaction IDs)
  • Billing details used for tax and VAT handling (business entity and address identifiers stored by Paddle)

3.4 Content and Activity Data

When you use the Dashboard, we collect data related to your activity:

  • Job postings you create (titles, descriptions, salary information, and other posting fields)
  • Application details included in job posts (application URL, application email, application instructions)
  • Employer profiles and location data
  • Team member invitations sent
  • Activity logs recording actions performed (creation, edits, deletions) with timestamps
  • Search queries within the Dashboard
  • Export and syndication settings (e.g., whether "allow export" is enabled for a job post)

3.5 Hiring Agency and Represented Employer Data

If you operate as a hiring agency, we additionally collect:

  • Represented employer identifiers and profile data managed under your agency account
  • Relationship metadata (which agency account manages which represented employer profiles)
  • Evidence of authorization to publish on behalf of a represented employer, where requested for compliance or dispute handling

3.6 Technical and Usage Data

When you access the Dashboard, our systems automatically collect:

  • IP address
  • Browser type and version
  • Device information
  • Pages visited within the Dashboard and time spent
  • Referring URLs
  • User-Agent string
  • Session data and authentication tokens/cookies
  • Server-side session records (session ID, expiry time, IP address, user agent)
  • Security and abuse-prevention signals (login attempts, lockout events, CSRF tokens, WAF and rate-limiting data)

3.7 Support and Sales Communication Data

When you contact us, we collect:

  • Support requests submitted via the Dashboard (subject, message content, and related context such as account and employer identifiers)
  • Enterprise and sales inquiries (email address, company or agency name, phone number, number of clients/employers, message content)

3.8 Browser Storage (LocalStorage and SessionStorage)

To improve your experience, the Dashboard may store data locally in your browser:

  • Draft data for job posts (including form fields such as descriptions and application details) to prevent accidental loss
  • UI preferences and convenience flags (sidebar state, onboarding selections, dismissed notifications)

This data remains on your device and is not transmitted to our servers unless you explicitly submit it (e.g., by publishing a job post).

4. How We Use Your Personal Data

4.1 Service Provision

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR)

We process your data to:

  • Create and authenticate your account
  • Manage your subscription and process billing
  • Publish your job postings across our European market websites
  • Manage team members and enforce role-based access control
  • Maintain employer profiles and locations
  • Operate agency plans, including management of multiple represented employers under one account
  • Handle support inquiries submitted via the Dashboard

4.2 Service Improvement

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR)

We process usage and activity data to:

  • Analyze usage patterns to improve the platform
  • Debug issues and resolve errors
  • Monitor performance
  • Conduct product quality and operational analytics based on internal audit and activity logs

We do not use third-party analytics cookies in the Dashboard.

4.3 Security and Abuse Prevention

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR); legal obligation (Art. 6(1)(c) GDPR) where applicable

We process data to:

  • Prevent unauthorized access, account takeover, and fraud
  • Enforce CSRF protection, rate limiting, and web application firewall (WAF) rules
  • Maintain audit trails of key administrative actions

4.4 Communication

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR); legitimate interest (Art. 6(1)(f) GDPR)

We send:

  • Transactional emails (account confirmation, password reset, billing notifications, subscription status changes, team invitations) — these are necessary for the operation of the service and cannot be opted out of.
  • Product-related communications to account administrators (feature updates, tips, and other non-essential messages) — you may opt out of these at any time by using the unsubscribe link included in each such email.

4.5 Legal Compliance

Legal basis: Legal obligation (Art. 6(1)(c) GDPR)

We process data to:

  • Maintain tax and accounting records as required by law
  • Prevent fraud
  • Respond to lawful requests from competent authorities
  • Verify and handle claims related to agency authorization and representation

5. Data Sharing and Third Parties

5.1 Payment Processor — Paddle

Our merchant of record is Paddle.com Market Limited. When you subscribe to a paid plan or manage your billing, we share billing data with Paddle, including your billing email, business address, VAT ID, and payment details. Paddle processes and stores payment method details (e.g., card numbers) directly — we do not have access to this information. When you use the embedded checkout, Paddle's own scripts (Paddle.js) are loaded and may process additional technical data in accordance with Paddle's Privacy Policy.

5.2 Sub-Processors

We use the following sub-processors to operate the Dashboard:

Provider | Purpose | Location
Hetzner Online GmbH | Infrastructure and server hosting | EU (Germany)
Cloudflare, Inc. | CDN, DDoS protection, and DNS | USA (EU Standard Contractual Clauses)
Mailgun Technologies, Inc. | Transactional email delivery | USA (EU servers; EU SCC)
Paddle.com Market Limited | Merchant of record | UK (London)
Google Cloud EMEA Limited | Job data processing, support email | EU (Ireland)
Mistral AI | Job data processing | EU (France)
Anthropic, PBC | Job data processing | USA (EU Standard Contractual Clauses)
OpenAI, LLC | Job data processing | USA (EU Standard Contractual Clauses)

We review our sub-processors regularly and will update this list when changes occur. Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, such as EU Standard Contractual Clauses (SCCs).

5.3 Job Seekers (Published Content)

Job postings and employer profile information that you publish through the Dashboard are publicly visible on our European market websites. This is the core purpose of the service. Depending on the posting setup and applicable legal requirements, published information may identify a direct employer, a hiring agency, or both.

5.4 Publication Partners and Syndication

If you enable export or syndication for a job post (e.g., by selecting "allow export"), we may share that job post's content and associated employer profile data with third-party job boards and aggregators for wider publication and promotion. Disabling export stops future sharing; however, previously shared content may persist on partner platforms for a limited time and in search engine caches.

5.5 Within Your Organization

Administrators of your organization account may access and manage team member accounts, roles, and invitations. Authorized users within your organization may view audit and activity logs and job/employer data relevant to your account.

5.6 Legal and Regulatory Disclosures

We may disclose personal data to:

  • Competent authorities when required by law
  • Legal advisors when necessary for dispute resolution or the exercise or defence of legal claims

5.7 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify affected users of any such transfer and any changes to the applicable privacy policy.

5.8 External Links and Application Destinations

Job posts may include application URLs or email addresses that direct candidates to external websites or systems controlled by you (the employer or agency) or by third parties. Once a user leaves ENGLISHJOBS via an external link, the third party's privacy practices apply. We are not responsible for the privacy practices of external sites.

6. International Data Transfers

Your personal data is primarily stored and processed within the EU/EEA (Germany and Finland). Where data is transferred outside the EEA (for example, to Cloudflare in the USA), we rely on one or more of the following safeguards:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions issued by the European Commission for the recipient country

7. Data Retention

7.1 Active Accounts

  • Account and business data is retained for the duration of your active account and subscription.
  • Authentication sessions expire after 24 hours (or 30 days if you select "Remember me"). Expired sessions are deleted automatically by the database engine and on demand when accessed.
  • Billing event records (Paddle webhook data used for billing audit and troubleshooting) are retained for as long as your account remains active and are deleted when your account is deleted.
  • Activity logs are retained for as long as your account is active.

7.2 After Account Deletion

When you request account deletion:

  1. Grace period: Deletion is scheduled with a 48-hour grace period during which you may cancel the request.
  2. Execution: After the grace period, account data is deleted within 14 days.
  3. Billing and tax records are retained for the statutory retention period — typically 10 years under German commercial and tax law (§§ 147 AO, 257 HGB).
  4. Published job posts may be retained in anonymized form for platform statistics.
  5. Agency-representation metadata may be retained as needed for the exercise or defence of legal claims, audits, or dispute resolution.
  6. Backups and disaster recovery copies may persist for up to 30 days after deletion before being overwritten.

7.3 Team Members

When a team member is removed from an organization account:

  • The team member's personal data (name, email, credentials) is deleted promptly.
  • Activity logs attributed to the removed member are anonymized.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit using TLS/HTTPS for all connections
  • Encryption at rest for sensitive data stored on our servers
  • Password hashing using bcrypt
  • Role-based access control within the Dashboard
  • Regular security updates and system monitoring
  • Incident response and breach notification procedures in accordance with GDPR Art. 33 and Art. 34

No system is completely secure. If we become aware of a security breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and, where required, inform affected users without undue delay.

9. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

Right | Description | GDPR Article
Access | Obtain a copy of the personal data we hold about you | Art. 15
Rectification | Correct inaccurate or incomplete data | Art. 16
Erasure | Request deletion of your data ("right to be forgotten") | Art. 17
Restriction | Request that we restrict processing of your data | Art. 18
Data portability | Receive your data in a structured, machine-readable format | Art. 20
Objection | Object to processing based on our legitimate interests | Art. 21
Withdraw consent | Where processing is based on consent, withdraw it at any time | Art. 7(3)

How to exercise your rights:

  • By email: Send your request to [email protected]
  • In-app: You can delete your account directly from the Dashboard settings

We will respond to your request within one month. If we need additional time due to the complexity or number of requests, we will inform you within the initial one-month period, and the extension will not exceed an additional two months.

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98
24103 Kiel, Germany
Website: https://www.datenschutzzentrum.de

10. Cookies and Tracking

The Dashboard uses only strictly necessary cookies for authentication and security. These cookies are essential for the operation of the service and do not require consent under Art. 5(3) of the ePrivacy Directive.

Cookie | Purpose | Duration
Session cookie | Authenticates your session | 24 hours (or 30 days with "Remember me")
CSRF cookie | Protects against cross-site request forgery attacks | Session

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies in the Dashboard.

If we introduce non-essential cookies in the future, we will update this policy and implement an appropriate consent mechanism before activation.

Browser storage: The Dashboard may use your browser's LocalStorage and SessionStorage for draft data and UI preferences (see §3.8). This data is not shared with third parties.

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22 GDPR.

Automated security measures (such as WAF rules and rate limiting) may block or challenge suspicious traffic to protect the service. These measures are based on technical signals and are not targeted at individuals.

12. Data Processing Roles

The roles of data controller and data processor depend on the processing context:

  • Ninibe GmbH as controller: We are the controller for processing that is necessary for the operation, security, billing, and legal compliance of the Dashboard (e.g., account management, security logs, billing records).

  • Ninibe GmbH as processor: For customer-submitted content (such as job postings and employer profiles) and associated user accounts, we may act as a data processor on your behalf, as governed by a Data Processing Agreement (DPA) where applicable.

  • Direct employers are typically the controller for any applicant data they receive through the platform.

  • Hiring agencies are typically the controller for their recruitment operations. The represented employer may be an independent or joint controller depending on the arrangement between the agency and the represented employer.

If you require a Data Processing Agreement, please contact us at [email protected].

13. Children's Privacy

The Dashboard is a business service intended for use by professionals. It is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a person under 18, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email and/or by a prominent notice within the Dashboard.

The updated policy will take effect on the date indicated at the top of the document. We encourage you to review this policy periodically.

15. Contact Information

For any questions or concerns about this Privacy Policy or our data processing practices:

Ninibe GmbH
Travemünder Allee 4
23568 Lübeck, Germany

Email: [email protected]

Supervisory authority:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98, 24103 Kiel, Germany
https://www.datenschutzzentrum.de