Privacy Policy
This Privacy Policy explains what personal data ToRecruit collects, how we use it, who we share it with and what rights you have. It is written to be plain, specific and accurate - if anything is unclear, please contact us at privacy@torecruit.org and we will clarify. This Policy applies alongside our Terms of Service, Cookie Policy and Acceptable Use Policy.
Who is the data controller
The data controller for personal data processed on the ToRecruit platform is the legal entity that operates ToRecruit ("ToRecruit", "we", "us", "our"). For any privacy question, you can reach us at privacy@torecruit.org.
Where you are in the European Economic Area, the United Kingdom or Switzerland, we process your data in line with the General Data Protection Regulation (GDPR). Where you are in Ukraine, we process your data in line with the Law of Ukraine "On Personal Data Protection". Local rules may grant you additional rights, which we honour.
What data we collect, and from whom
We only collect data that you give us directly. We do not buy personal data from data brokers and we do not scrape your social profiles. The categories below reflect exactly the fields our registration, onboarding and profile screens show.
Account data, collected at registration: email address, password (stored only as a salted hash), chosen role (Candidate or Company), authentication provider (email or Google), email-verification status, avatar URL if you sign in with Google, referral code if applicable, and timestamps (created, updated, last active).
Candidate profile data, collected during onboarding and optional later edits: first name, last name, date of birth, country, city, timezone, work domain and specialisation, job title, seniority level, years of experience, short bio, hard skills, soft skills, languages and proficiency, work formats (remote / office / hybrid), employment types, salary expectations (min and max), willingness to relocate and preferred destination countries, CV file, optional certificates and education, work-experience history, portfolio links (GitHub, LinkedIn, Behance, Dribbble, Kaggle, personal site, other URLs).
Candidate contact data, collected during onboarding Step 4 with an explicit note that these may be shared with Companies: phone number, Telegram handle, WhatsApp number, Skype, LinkedIn URL, preferred contact method, job-search status.
Company profile data, collected at Company onboarding: company name, optional legal name, description, logo, company type, industry, size, stage, founding year, country and city, list of office locations, hiring domains and specialisations, company links (website, careers page, blog, LinkedIn, Glassdoor, DOU), and - for the internal contact person - full name, position, email, phone, Telegram and LinkedIn.
Consent data: your cookie-consent decision, the version of the Terms and Privacy Policy you accepted, and the timestamp of that acceptance.
Technical data, collected automatically when you visit the Service: IP address, device type, browser, language, pages visited, session duration and diagnostic logs. See the Cookie Policy for detail.
Payment data (Companies only): billing name, address, VAT identifier if provided, purchase history. Full card numbers are processed by our payment processor and never stored on our servers.
Why we process the data and on what legal basis
We process personal data only for specific purposes, with a clear legal basis for each.
- Creating and operating your account - basis: performance of a contract (the Terms of Service).
- Showing your public Candidate profile to Companies that search our platform - basis: performance of contract and, where applicable, your consent, because you actively chose to register as a Candidate and set your status to "looking for a job".
- Selling contact unlocks: disclosing your public contact data (phone, messengers, social links) to a Company that pays the unlock fee - basis: your consent, given at onboarding when you submitted those contacts knowing they would be sold to hiring Companies.
- Including you in matching lists that we share with Companies as part of our staffing-agency activity, and charging the Company a success fee if you are hired - basis: your consent and our legitimate interest in running a recruitment marketplace.
- Processing Company payments, issuing invoices, handling refunds and detecting fraud - basis: performance of contract and compliance with tax and anti-fraud law.
- Keeping the Service secure, investigating abuse and enforcing our Terms - basis: our legitimate interest in a safe platform.
- Sending transactional emails (email verification, password reset, payment receipts, critical service notices) - basis: performance of contract.
- Sending optional product updates or marketing - basis: your separate consent, which you can withdraw at any time.
- Meeting legal obligations (for example, responding to a court order or a data-subject request) - basis: legal obligation.
Who we share your data with
Companies that use ToRecruit to find Candidates. Public profile data is visible to Companies browsing or searching the platform. Contact data is disclosed only to a Company that has paid the unlock fee or that is part of a formal match under our staffing-agency service. Once disclosed, the receiving Company becomes an independent controller of those contacts.
Service providers acting on our behalf (processors): cloud hosting, database, email delivery, authentication (including Google for Google sign-in), payment processing, error-monitoring, analytics, customer support. These processors are bound by contract to process data only on our instructions and to protect it adequately.
Authorities, where legally required, for example to respond to a valid court order, tax authority request, or law-enforcement demand.
Prospective buyers or investors, only in the context of a corporate transaction (merger, acquisition, investment), under a confidentiality agreement and with notice to users where required by law.
We do not sell or rent your data for advertising, and we do not share it with third-party advertising networks.
How long we keep data
Account data: while your account is active and for up to twenty-four (24) months after account closure, then deleted or fully anonymised, unless a longer period is required by law (for example, invoices kept for the statutory tax period).
Candidate profile data: while your account is active. When you delete a field, it is removed from our active systems within thirty (30) days and from backups within ninety (90) days.
Disclosed contact data already unlocked by a Company: we keep a record of the unlock transaction (who, when, which Candidate, which price) for six (6) years for tax and dispute-resolution purposes. We cannot recall data from the Company that purchased it; we will, on your request, forward a withdrawal notice to that Company.
Payment and billing records: up to ten (10) years, as required by Ukrainian tax law.
Server logs and cookies: up to twelve (12) months.
Consent records: as long as we need them to demonstrate compliance, typically six (6) years after withdrawal or account closure.
International data transfers
Our servers and the servers of our processors may be located outside your country of residence, including in the European Economic Area and the United States. When we transfer personal data outside the EEA or outside Ukraine, we rely on an appropriate transfer mechanism, typically Standard Contractual Clauses approved by the European Commission, combined with additional safeguards where necessary.
You can ask us for a copy of the safeguards applicable to your data by writing to privacy@torecruit.org.
Your rights
Subject to applicable law, you have the right to:
- Access your personal data and receive a copy of it;
- Correct inaccurate or incomplete data;
- Delete your data ("right to be forgotten") when we no longer need it or when you withdraw consent on which processing is based;
- Restrict processing or object to processing based on our legitimate interests;
- Portability: receive your data in a structured, machine-readable format and, where technically feasible, have us transmit it to another controller;
- Withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal;
- Lodge a complaint with a supervisory authority - for Ukraine, the Ukrainian Parliament Commissioner for Human Rights; for the EEA, the supervisory authority of your country of residence.
To exercise any right, write to privacy@torecruit.org. We will respond within one month; in complex cases we may extend the deadline by up to two additional months, with notice to you.
Automated decision-making and profiling
We use matching algorithms to rank Candidates against a Company's vacancy (for example, by skill overlap, seniority and location). These rankings inform a human recruiter's decision - no decision that produces legal effects or similarly significantly affects you is made purely automatically.
You can ask us for more information on the logic of the matching algorithm by writing to privacy@torecruit.org.
Security
We apply technical and organisational measures to protect personal data, including encryption in transit (TLS), encryption at rest for databases and backups, access control with least-privilege principles, audit logs, and regular review of our vendors.
No system is completely secure. If a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify you and the competent supervisory authority within the statutory deadline (72 hours under the GDPR).
Children
The Service is not directed at children under 16. If you believe we have collected data from a child under the applicable minimum age, write to privacy@torecruit.org and we will delete it.
Data from Google sign-in
If you choose to register or sign in with Google, we receive from Google only the basic profile information you approve at the Google consent screen - typically email address, name and profile picture URL. ToRecruit's use and transfer to any other application of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
We do not request access to your Gmail, Google Drive, Calendar or any other Google service beyond basic sign-in.
Changes to this Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page shows when the current version took effect. If the change materially affects your rights, we will notify you by email or by a notice inside the Service at least fifteen (15) days before the change takes effect.
Contact
Privacy questions, requests and complaints: privacy@torecruit.org. General support: support@torecruit.org.