Privacy policy

Last updated: 2026-05-17

The short version

We collect what you give us when you sign up and use the app — name, email, photos, profile fields, swipes, messages — and we use it to make the swipe-and-match flow work. We never sell your data. You can export or delete everything from your account settings. Everything is hosted in the EU.

This page is the long version, written to satisfy GDPR Articles 13 and 14 and Dutch law. If anything is unclear, email privacy@jobinder.app.

Who we are

Jobinder is operated by the founding team while the legal entity is being set up. Once the operating company is incorporated, this section will be replaced with the registered name, KvK number and address. Until then, the founder is the responsible person for the purposes of GDPR and you can reach the privacy contact at privacy@jobinder.app.

What we collect

We only collect data you actively give us or that is generated when you use the product. We do not buy data, scrape data from third parties, or track you across the web.

When you sign up

  • Email address (used for sign-in via magic-link).
  • For workers: full name, date or year of birth (optional), city, trade, years of experience, desired salary, contract preferences, bio, hobbies outside work, LinkedIn URL (optional), Instagram URL (optional), and the photos you upload.
  • For companies: company name, KvK number (optional and verifiable), sector, city, founded year, project types, work culture tags, languages spoken on site, operating cities, perks offered, typical salary band, public bio, what you look for in a worker, optional cover image.

When you use the app

  • Swipes (left / right / super), so the system can stop showing you the same profile and create a match when there's mutual interest.
  • Matches you form with other accounts.
  • Messages you send and receive inside a match.
  • Basic technical data — IP address, browser type, time of request — that any web server records to deliver a page.
  • Product analytics (page views, button clicks) if you opt in via the cookie banner. See /cookies.

What we do NOT collect

  • Government ID numbers (Burgerservicenummer, passport, ID card).
  • Financial data (bank account, card numbers).
  • Health data, religion, political opinions, union membership.
  • Location data beyond the city you tell us.
  • Cross-site advertising trackers.

Why we process your data — and the legal basis

GDPR Article 6 requires a legal basis for every processing activity. Here's how it maps for us:

  • To run the service you signed up for (matching, messaging, profile hosting) — contract performance (Art. 6(1)(b)).
  • To send you transactional emails (magic-link sign-in, new match notifications) — contract performance.
  • To prevent abuse, fraud, and protect the platform (rate limiting, abuse detection, soft-deleting bad actors) — legitimate interest (Art. 6(1)(f)).
  • To improve the product with analytics — consent (Art. 6(1)(a)), captured via the cookie banner, withdrawable any time.
  • To meet our legal obligations (tax records when payments start, responses to lawful requests) — legal obligation (Art. 6(1)(c)).

Who can see your data

Other users

  • Workers and companies see each other's profile cards (everything you put in your profile) during swiping.
  • After a match, both parties can read the messages they exchange with each other — not anyone else's.

Our sub-processors

We use a small number of EU-based service providers to run the product. Each has its own GDPR-compliant terms; data processing agreements (DPAs) are or will be in place before launch.

  • Supabase — database, file storage, auth, realtime messaging. Region: eu-west-3 (Paris).
  • Netlify — site hosting and serverless functions for the application code.
  • Resend — transactional email (magic-link, match notifications). EU region.
  • PostHog — product analytics (only if you opt in). EU region.
  • Sentry — error tracking (only if enabled). EU region.
  • Stripe — payments. Activated only when paid features launch. EU region.

Authorities

We disclose data to public authorities only when legally required and only the minimum necessary. We will resist overbroad requests.

International transfers

All processing takes place inside the European Union. We do not transfer personal data outside the EEA. If that ever changes (for example, if we add a sub-processor outside the EU), we'll update this page and rely on Standard Contractual Clauses or another GDPR-recognised mechanism.

How long we keep your data

  • Active profile data: as long as your account is active.
  • Messages: kept while either party still has the match active. After an unmatch, the chat is hidden from both users but retained for 90 days for abuse review, then deleted.
  • Swipes: 12 months, then anonymised aggregates only.
  • Account deletion: when you delete your account from /me/account, your profile, photos, swipes and unmatched chats are removed within 30 days. Active chats remain visible to the other party but with your data redacted.
  • Server logs: 30 days for security and debugging.
  • Financial records: 7 years from invoice date (Dutch tax law), once payments are active.

Your rights

Under GDPR you have the following rights regarding your personal data. You can exercise most of them directly in the app:

  • Access — request a copy of your data. Use /me/account → Export for an immediate download.
  • Rectification — fix anything inaccurate via /me/edit.
  • Erasure — delete your account via /me/account → Delete.
  • Restriction — ask us to pause processing in specific cases.
  • Portability — receive your data in a machine-readable format (the export above is JSON).
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — for analytics, you can withdraw at any time from the cookie settings.
  • Complain to a supervisory authority — Dutch users can file a complaint with the Autoriteit Persoonsgegevens. EU users can complain to their local DPA.

To exercise any right not handled directly in the app, email privacy@jobinder.app and we'll respond within 30 days as required by GDPR Article 12(3).

Automated decision-making

Jobinder does not make decisions about you that have legal or similarly significant effects without human involvement. The discover feed is ordered chronologically with no scoring algorithm in place; we explicitly do not run an “ELO score” or similar opaque ranking system. See /how-it-works for the full statement on transparency.

Children

Jobinder is for adults at work. You must be 18 or older to sign up. Accounts found to belong to minors are removed without notice; if you are a parent or guardian who believes a child has signed up, email privacy@jobinder.app and we will delete the account immediately.

Security

Data is encrypted in transit (TLS) and at rest (Supabase Postgres + S3). Auth tokens are short-lived and rotated. Production access is limited to the founding team. We will publish a vulnerability disclosure policy before public launch.

Changes to this policy

We may update this policy as the product changes or to comply with new obligations. Material changes will be communicated by email to active users at least 14 days before they take effect. The “Last updated” date at the top of this page always reflects the current version.

Contact

For anything privacy-related — questions, requests, complaints — email privacy@jobinder.app.

Disclaimer: This is the first draft of our privacy policy, written by the operator and not yet reviewed by independent legal counsel under Dutch law. A reviewed version will be published before paid features are activated. Until then, this draft applies. If you spot a gap or have a concern, email privacy@jobinder.app.