Hireo App Privacy Policy

Version 1.0 · effective from 25 November 2025

This is an English translation of the official Polish Privacy Policy. In case of discrepancies, the Polish version prevails.

1. General provisions

1.1. This Privacy Policy sets out the rules for the processing and protection of personal data of Users using the Hireo App SaaS application available at hireoapp.com (the “Service” or “Application”). The document complies with all applicable regulations, including Regulation (EU) 2016/679 (GDPR) and the Polish Act of 18 July 2002 on the provision of electronic services.

1.2. Personal data controller: The operator of the Service and personal data controller is Hireo App with its registered office at ul. Oliwkowa 4, 05-500 Józefosław, Poland, NIP: 8641662880 (the “Controller”). You can contact the Controller about privacy matters at privacy@hireoapp.com.

1.3. The Controller processes personal data in accordance with the law, observing the principles of lawfulness, fairness and transparency. We respect Users’ right to privacy and implement safeguards to ensure data security. Communication with the Service is protected, among other things, with SSL/TLS encryption. Personal data is treated as confidential and protected against unauthorised access.

2. Scope of personal data collected

When using the Application, Users may be asked to provide personal data. The scope of collected data includes in particular:

- E-mail address – used to register the account, authenticate logins and communicate with the User.

- User preferences – such as the interface language, so we can tailor the Application experience to the User’s needs.

- Content voluntarily submitted by the User – especially information contained in uploaded documents (e.g. CVs), job postings or other materials. Such content may include the User’s personal data or personal data of third parties provided by the User (e.g. candidate data, references in a CV).

- Technical and activity data – information automatically collected while using the Service, such as the device IP address, browser type, device type, operating system, approximate geolocation, and usage data (visited subpages, time spent in the Service, activity logs, etc.). These data are collected via cookies and similar technologies (details in the cookies section).

3. Purposes and legal bases for processing

Personal data of Hireo App Users may be processed for the following purposes on the bases set out below:

- Providing the Service and its features – in particular creating and operating the User account, authenticating the User and enabling access to the Application, and performing the electronic services agreement. Legal basis: necessity for the performance of a contract with the User (Art. 6(1)(b) GDPR).

- Communication and support – answering questions, providing technical assistance and customer care, sharing important information about the Service (e.g. changes to terms or policies). Legal basis: Controller’s legitimate interest in delivering proper customer care and maintaining relationships with Users (Art. 6(1)(f) GDPR).

- Ensuring Service security – monitoring and preventing fraud, abuse and unauthorised access, and protecting the integrity of IT systems and data. Legal basis: Controller’s legitimate interest in protecting the Service, networks and Users from threats (Art. 6(1)(f) GDPR).

- Analysing Application usage and developing services – performing technical and statistical analyses of how the Service is used, collecting information about User activity to improve functionality, quality and user experience. Legal basis: Controller’s legitimate interest in improving and developing services (Art. 6(1)(f) GDPR).

- Controller’s own marketing activities – including e-mail delivery of marketing messages, newsletters and information about new features or offers relating to Hireo App. Such actions are taken only with the User’s prior consent. Legal basis: the User’s voluntary consent (Art. 6(1)(a) GDPR). Details appear in the Marketing section below.

- Establishing, exercising or defending legal claims – where necessary we process data to assert our rights or defend against claims (e.g. disputes, complaints), including verifying compliance with the Terms. Legal basis: Controller’s legitimate interest in protecting its rights and pursuing claims (Art. 6(1)(f) GDPR).

Whenever processing is based on the User’s consent, the consent may be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.

4. Recipients of personal data

The Controller may share collected personal data with selected recipients solely to the extent necessary to fulfil the processing purposes described above. Potential recipients include:

- Processors acting on behalf of the Controller – e.g. external IT providers, including hosting and cloud infrastructure vendors that supply server space and maintain the Service, and software/tool vendors supporting the Application. All such entities process data under a contract with the Controller and strictly in line with its instructions.

- Payment service providers – if the User makes payments in the Service, their data (e.g. e-mail address) may be transferred to Stripe or other payment operators for authorisation and settlement purposes.

- Analytics and marketing tool providers – e.g. Google LLC (Google Analytics) for gathering usage statistics. These providers may receive information about User activity in the Application (such as analytics cookies).

- Artificial intelligence solution providers – if the Application uses AI-powered features (e.g. CV analysis or job matching), User data may be processed by an external AI provider. For example, CV text may be sent to an AI API to generate summaries; each time this happens on the Controller’s instruction and in accordance with data protection principles.

- Communication service providers – e.g. external systems for transactional e-mails and notifications (including support messages or newsletters) and helpdesk tools.

- Business partners – when the User utilises services offered jointly with or via integration with a partner (e.g. another platform), data may be transferred to that partner with the User’s consent or at their request.

- Public authorities and authorised institutions – personal data may be disclosed to state authorities, law enforcement, courts or other bodies entitled by law to obtain such information, but only where the obligation to disclose arises from legal regulations.

All external recipients must ensure confidentiality and security of data. The Controller shares data solely when necessary and on the basis of appropriate data-processing agreements or legal provisions.

5. Transfers outside the EEA

Some recipients may be located outside the European Economic Area (EEA), particularly service providers headquartered in the United States or maintaining infrastructure there (e.g. Google LLC, Stripe, AI providers). Any transfer outside the EEA takes place with appropriate safeguards in line with Chapter V GDPR.

Data is transferred only to countries or entities covered by a European Commission adequacy decision, or on the basis of Standard Contractual Clauses approved by the Commission or other lawful safeguards. Where no adequacy decision exists, we implement supplementary measures such as SCCs, binding corporate rules or obtain explicit User consent after explaining potential risks.

The Controller continuously monitors the legal status of third-country transfers. For instance, providers such as Google may participate in the EU–US Data Privacy Framework, meaning the EU recognises them as providing adequate protection.

6. Data retention period

Personal data is stored no longer than necessary for the purposes for which it was collected. Retention periods are defined as follows:

- User account data (e-mail, profile, settings) – stored for as long as the User maintains an active account. If the User deletes the account, the data is deleted or permanently anonymised in active systems.

- Data entered by the User (e.g. CV content, postings) – stored until the User deletes the data within the Service or until the account is deleted, whichever comes first. The User controls these voluntary entries and may edit or delete them at any time.

- Technical and analytics data (system logs, activity information) – retained for the period necessary for security and statistical purposes. Logs may be stored for several months unless longer retention is justified by security needs (e.g. investigating abuse) or legal requirements.

- Communication data (e.g. e-mails exchanged with the User) – stored for the time needed to handle the request or perform the relevant action and may then be archived for the legally required period (e.g. complaint correspondence for up to one year after closing the case).

- Marketing data (e-mail addresses for the newsletter) – retained until the User withdraws consent or unsubscribes, but no longer than the data remains current (e.g. until the address stops working).

If consent is withdrawn or an effective objection is raised, the data covered by the consent/objection may still be retained to evidence compliance with legal obligations or until limitation periods for claims expire. After the listed periods, data is deleted or anonymised, unless legal provisions require longer storage (e.g. accounting/tax records currently kept for five years after the fiscal year). If data is needed to pursue or defend claims, we may retain it until the relevant proceedings conclude or limitation expires.

7. User rights (data subjects)

Users whose data is processed are entitled to the following GDPR rights:

- Right of access – to receive confirmation whether the Controller processes the User’s personal data and, if so, to obtain access to the data and information about purposes, categories and recipients.

- Right to rectification – to request immediate correction of inaccurate data concerning the User or completion of incomplete data.

- Right to erasure (“right to be forgotten”) – to request deletion of personal data, e.g. when it is no longer necessary for the purposes collected, the User withdrew consent, objected to marketing processing or the data is processed unlawfully. The Controller must delete data in the cases listed in Art. 17 GDPR.

- Right to restriction of processing – to request temporary suspension of processing (other than storage) in specific situations, e.g. while verifying data accuracy or legal bases.

- Right to data portability – to receive provided personal data in a structured, commonly used, machine-readable format and transfer it to another controller, where processing is based on consent or contract as per Art. 20 GDPR.

- Right to object – to object at any time to processing based on Art. 6(1)(f) GDPR (legitimate interest) for reasons related to the User’s particular situation. In particular, the User may object to processing for direct marketing, and such processing will stop immediately.

- Right to withdraw consent – whenever processing relies on the User’s consent, it may be withdrawn at any time. Withdrawal does not affect processing carried out before the withdrawal.

- Right to lodge a complaint with a supervisory authority – Users may complain about data processing to the competent authority. In Poland this is the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw. Users in other EU countries may contact their local authority.

To exercise rights, Users can send a request – preferably via e-mail – to privacy@hireoapp.com, specifying which right they wish to use and which data/operations it concerns. We respond without undue delay, at the latest within one month (extendable by another month where necessary, with prior notice). To protect data, we may ask for additional identity verification.

8. Voluntary nature of providing data

Providing personal data is voluntary, but in many cases it is required to use specific Service features. Failure to provide required data (e.g. an e-mail during registration) may prevent completion of the relevant action – such as creating an account or receiving an answer. Where data is processed to perform the service agreement, providing it is a condition for entering into and performing the contract; without it we cannot supply the Service. In all other cases, data provision is optional and based on the User’s choice or consent (e.g. adding extra profile information).

The Controller notes that any personal data entered into the Service by the User should concern only the User or third parties for whom the User has a lawful basis (e.g. consent). Sharing third-party data via the Application is solely the User’s responsibility. The User declares that if they include the data of others (e.g. references in a CV, candidate contact details), they do so lawfully and without breaching privacy. The Controller is not liable for receiving third-party data provided in violation of law. If it turns out that data of a minor below the required age or third-party data without a legal basis has been entered, the Controller may take appropriate action, including deleting such data from the Service.

9. Age restrictions (children)

Hireo App services are available only to individuals aged 18 or over. The Application is not intended for children or anyone under 18; therefore, creating accounts and submitting personal data by minors below that age is prohibited. The Controller does not knowingly collect data of persons under 18.

If we learn that we are processing data of someone under 18 without parental/legal guardian consent or contrary to legal requirements, we will promptly delete such data from our systems. Accounts created in violation of the age restriction may be blocked or removed.

10. Cookies and similar technologies

The Service uses cookies and similar technologies (such as local storage and tracking pixels) to provide the best experience and for statistical purposes. Cookies are small text files automatically stored on the User’s device (computer, smartphone) by the browser. They serve several useful functions, including:

- Facilitating Service operation: cookies keep sessions active so the User does not need to re-enter credentials on every page.

- Customising the interface: some cookies remember preferences (e.g. selected language, currency, layout), enabling personalised content and layout.

- Producing anonymous statistics: we use cookies to collect aggregated usage data. Tools like Google Analytics record visited pages, time spent, device and browser details, helping us analyse traffic and improve the Service (e.g. identify popular functions or areas needing improvement).

- Ensuring security: cookies can help detect authentication abuse (e.g. unauthorised access attempts) and prevent attacks on the Service.

The Service uses both session cookies (stored temporarily and deleted after closing the browser) and persistent cookies (stored until expiry or manual removal). Some cookies come from third parties (e.g. Google, Meta/Facebook integrations).

Users have full control over cookies. Browsers generally allow cookies by default, but Users can manage settings – disable cookie storage, delete saved cookies or receive alerts when they are set. Instructions are available in each browser’s documentation (Chrome, Firefox, Edge, Safari, etc.). Note that limiting cookies may negatively affect some features – e.g. logging out after navigating to another page, limiting personalised settings or anonymous analytics.

Detailed information about cookies may appear in a separate Cookie Policy, if published. Where this Privacy Policy does not regulate a matter, relevant legal provisions apply (notably the Polish Telecommunications Law of 16 July 2004 or successor legislation on electronic communications).

11. Data security

The Controller takes all reasonable steps to ensure a high level of security for personal data. We implement technical and organisational measures to protect data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Measures include database access controls, SSL/TLS encryption, regular backups, infrastructure safeguards and internal procedures plus staff training.

We treat potential incidents or breaches with utmost seriousness. If a breach could result in a high risk to Users’ rights or freedoms, we will notify the supervisory authority and affected Users as required by GDPR.

Despite advanced safeguards, data transmission over the internet can never be 100% secure. Nonetheless, we continuously monitor and update protections to safeguard Users’ data.

12. Marketing activities

With the User’s consent, the Controller may send marketing communications about Hireo App and its services. These include in particular:

- E-mail newsletters – periodic messages about new Application features, promotions, special offers or product updates.

- Commercial messages – one-off communications (e.g. e-mail) inviting Users to try new services or paid options when they have expressed interest.

Marketing communications are sent electronically (to the User’s e-mail) only after explicit consent. Consent can be granted during registration (checkbox) or later in account settings/newsletter signup. The User may withdraw consent at any time without negative consequences.

Every marketing e-mail contains an easy opt-out mechanism (e.g. unsubscribe link). Users may also withdraw consent by contacting us via e-mail. After withdrawal, the User’s e-mail is promptly removed from the mailing list and no further marketing messages are sent.

We do not send unsolicited commercial information to individuals who have not agreed to receive it. We respect privacy rights and comply with applicable laws, including Art. 10 of the Polish Act on electronic services and Art. 172 of the Telecommunications Law (regarding consent to use telecommunications equipment for direct marketing).

13. Contacting the Controller

Questions, requests or demands concerning this Privacy Policy or data protection at Hireo App may be directed to the Controller via:

- E-mail: privacy@hireoapp.com

- Postal address: Hireo App, ul. Oliwkowa 4, 05-500 Józefosław, Poland.

We recommend electronic contact for faster handling. Please include your name (or company name) and e-mail address (and mailing address if writing on paper) so we can identify you and respond fully. We aim to answer without undue delay – typically within 14 days, and in the case of data-subject rights (Section 7) no later than the GDPR deadlines.

14. Final provisions

14.1. The Controller reserves the right to amend this Privacy Policy in the future, especially if legal regulations, technologies affecting data processing or the ways, purposes or scope of data collection change. Any updates will be published on the Service as a consolidated version of the Policy.

14.2. We may notify Users about material changes via clear notices (e.g. e-mails to registered Users or on-site banners). Please check the “last updated” date below regularly. Continued use of the Service after updates means acceptance of the revised privacy rules unless mandatory law provides otherwise.

14.3. Matters not regulated by this Privacy Policy are governed by Polish law and the GDPR. Where there is any inconsistency between this Policy and applicable law, the latter prevails.

Last updated: 25 November 2025 (version 1.0)