Privacy Policy
Last updated: February 2026
1. Data Controller
The data controller responsible for data processing on this website is:
Appgineering GbR
Email: privacy@appgineering.com
If you have any questions about data protection or wish to exercise your rights, please contact us at the email address above.
2. Data We Collect
We collect and process the following categories of personal data:
Account Data: When you sign in via Appgineering OAuth, we receive your name and email address from the authentication provider. We do not store passwords, as authentication is handled externally.
Profile Data: If you choose to create a talent profile, you may provide additional information such as a biography, skills, spoken languages, location, availability status, portfolio links, social media links, and contact preferences.
Job Postings: If you post jobs, we store the job title, description, category, location, compensation details, and associated metadata.
Applications: When you apply for a job, we collect the information you submit, including cover letters and links to uploaded resumes or other attachments.
Messages: We process the content of direct messages, application-related messages, and announcements exchanged through the platform.
Uploaded Files: Files you upload (such as avatars, portfolio images, organization logos, and application attachments) are stored in AWS S3 and served via AWS CloudFront CDN.
Usage Data: We automatically collect technical data including your IP address, user agent string, browser type, operating system, referral URLs, pages visited, and timestamps of access. This data is collected to ensure the security and functionality of our service.
3. Legal Bases for Processing
We process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):
Contract Performance (Art. 6(1)(b) GDPR): Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. This applies to providing our core services, including account creation, profile management, job postings, applications, and messaging.
Legitimate Interests (Art. 6(1)(f) GDPR): Processing is necessary for the purposes of legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights. This applies to usage analytics, fraud prevention, platform security, and service improvement.
Consent (Art. 6(1)(a) GDPR): Where we rely on your consent, you have the right to withdraw it at any time. This applies to optional analytics cookies and marketing communications. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
4. Third-Party Service Providers
We use the following third-party service providers to operate our platform:
Amazon Web Services (AWS): Our application infrastructure is hosted on AWS. We use AWS S3 for file storage, AWS SES for transactional emails (such as notifications and account-related communications), and AWS CloudFront as a content delivery network. AWS processes data in EU regions. AWS acts as a data processor on our behalf and is bound by a Data Processing Agreement.
Appgineering OAuth: Authentication is handled through the Appgineering OAuth service (auth.appgineering.com). When you sign in, your name and email address are shared with our platform. The Appgineering authentication service is operated by the same entity (Appgineering GbR).
No personal data is sold to third parties. Data is only shared with service providers as described above, or where required by law.
5. Your Rights as a Data Subject
Under the GDPR, you have the following rights regarding your personal data:
Right of Access (Art. 15 GDPR): You have the right to obtain confirmation as to whether personal data concerning you is being processed and, if so, to access that data along with supplementary information. You can export your data at any time through the account settings.
Right to Rectification (Art. 16 GDPR): You have the right to have inaccurate personal data corrected and incomplete data completed. You can update your profile and account information directly through the platform.
Right to Erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data where there is no compelling reason for its continued processing. You can delete your account through the account settings, which will remove your personal data in accordance with our retention policy.
Right to Restriction of Processing (Art. 18 GDPR): You have the right to request the restriction of processing of your personal data under certain conditions.
Right to Data Portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (ZIP archive containing JSON files and uploaded files), and to transmit that data to another controller.
Right to Object (Art. 21 GDPR): You have the right to object to the processing of your personal data based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes the GDPR. You can contact your local data protection authority.
To exercise any of these rights, please contact us at privacy@appgineering.com.
6. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
Account Data: Retained for the duration of your account. Upon account deletion, your personal data is removed in accordance with the retention periods described below.
Session Data: Active sessions expire and are deleted after 7 days of inactivity.
Notifications: Dismissed notifications are deleted after 90 days. Unread notifications are retained until they are dismissed or your account is deleted.
Deleted Messages: When you delete a message, it is soft-deleted and permanently removed after 30 days.
Uploaded Files: Files associated with your account (avatars, portfolio images, attachments) are deleted when you delete the associated content or your account.
Usage Logs: Technical access logs are retained for up to 90 days for security and debugging purposes, after which they are automatically purged.
7. Cookies
Our website uses the following types of cookies:
Essential Cookies: These cookies are strictly necessary for the operation of our website. They include session cookies that maintain your authentication state and ensure the security of your session. These cookies cannot be disabled as the service cannot function without them. Legal basis: Art. 6(1)(b) GDPR (contract performance).
Functional Cookies: These cookies remember your preferences, such as language settings and display options, to provide a more personalised experience. Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
Analytics Cookies: These cookies help us understand how visitors interact with our website by collecting anonymous usage statistics. These cookies are only set with your explicit consent. Legal basis: Art. 6(1)(a) GDPR (consent). You can manage your cookie preferences at any time through the cookie settings on our website.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:
All data transmitted between your browser and our servers is encrypted using HTTPS (TLS).
Uploaded files are stored in encrypted AWS S3 buckets with restricted access policies.
Database access is restricted and protected by authentication and network-level controls.
We regularly review and update our security practices to maintain the integrity and confidentiality of your data.
While we strive to protect your personal data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to applying industry-standard protections.
9. International Data Transfers
Our services are primarily hosted within the European Union using AWS EU regions (eu-central-1, Frankfurt). We strive to keep all personal data within the EU/EEA.
In cases where data may be transferred outside the EU/EEA (for example, for certain AWS services), appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and adequacy decisions where applicable.
AWS is certified under the EU-US Data Privacy Framework, providing additional protection for any data that may be processed in the United States.
10. Children's Privacy
Our service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 years of age.
If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information as quickly as possible. If you believe that a child under 16 has provided us with personal data, please contact us at privacy@appgineering.com.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify registered users via email or through a prominent notice on our platform.
We encourage you to review this Privacy Policy periodically for any changes. The "Last updated" date at the top of this page indicates when this policy was last revised. Your continued use of our service after changes are posted constitutes your acceptance of the revised policy.
12. Contact & Data Protection
If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:
Appgineering GbR
Email: privacy@appgineering.com
We will respond to your inquiry within 30 days. For data subject access requests, we will respond within one month as required by the GDPR, with the possibility of a two-month extension for complex or numerous requests.