Privacy Policy
1. Introduction
Rekrutko ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share personal data in connection with:
- The Rekrutko website — the marketing site at rekrutko.si
- The Rekrutko platform — our recruitment and applicant tracking system (ATS)
This policy applies to the following categories of individuals:
- Account Holders — users who have a Rekrutko account
- Organization Members — users who belong to an organization on the platform
- Job Applicants (Candidates) — individuals who apply for jobs through the platform, including those who apply without creating an account
- Visitors — individuals who visit the rekrutko.si website or public job listing pages
By using our website or platform, you acknowledge that you have read and understood this Privacy Policy.
2. Data We Collect
2.1 Website (rekrutko.si)
When you visit the rekrutko.si marketing website, we collect minimal data. Specifically:
- We do not use analytics, tracking pixels, or advertising technologies.
- We store only an essential locale cookie to remember your language preference.
- We do not collect contact form data — our call-to-action directs you to send an email, so any communication is handled by your own email client.
2.2 Platform — Account Information
When an account is created on the Rekrutko platform, we collect:
- Email address — used for authentication and communication
- Password — stored securely using bcrypt hashing; we never store your password in plain text
- Display name — shown within the platform to other organization members
- Profile photo — optionally uploaded by you
- Language preference — used to display the platform in your chosen language
2.3 Platform — Organization Information
When an organization is created on the platform, we collect:
- Organization name — displayed on job listings and within the platform
- URL slug — used to generate the organization's unique URL path
- Organization logo — optionally uploaded, displayed on job listings
- Team member email addresses — used to send invitations to join the organization
2.4 Platform — Job Posting Information
When a job is created, we collect:
- Job title and description
- Employment type — such as full-time, part-time, or contract
- Work mode — such as on-site, remote, or hybrid
- Custom application form fields — defined by the organization to gather specific information from candidates
2.5 Platform — Candidate Application Data
When a candidate submits an application, the following data may be collected:
- Full name
- Email address
- CV/Resume — uploaded as a PDF file (maximum 3 MB)
- Cover letter
- Custom field responses — answers to organization-defined application questions
Candidates can submit applications without creating a Rekrutko account.
2.6 Platform — Evaluation Data
During the review process, organization members may generate the following data about candidates:
- Decisions — such as advancing, rejecting, or holding a candidate
- Ratings and criteria scores — numerical assessments on defined criteria
- Feedback and notes — written evaluations by reviewers
2.7 Automatically Collected Data
We automatically collect the following when you use the platform:
- Session cookie — an essential, HTTP-only cookie used solely for authentication; it expires when you close your browser
- Locale cookie — an essential, persistent cookie used to store your language preference
We do not use any tracking, analytics, or advertising cookies.
3. How We Use Your Data
We use the data we collect for the following purposes:
- Operating the platform — providing and maintaining the Rekrutko service
- Authentication — verifying your identity and managing sessions
- Enabling candidate reviews — allowing organization members to evaluate applicants
- Sending invitation emails — notifying individuals invited to join an organization
- Sending interview emails — facilitating communication between organizations and candidates
- Public job listings — displaying published job postings to visitors
- Security — detecting and preventing unauthorized access or abuse
- Legal compliance — fulfilling our legal obligations
We do not use your data for:
- Advertising or marketing to third parties
- Automated profiling or decision-making
- Selling or renting data to any third party
- Training machine learning or artificial intelligence models
4. How We Share Your Data
4.1 Within Organizations
Data shared within an organization depends on the member's role:
- Owners and Admins — can access all organization data, including all candidate applications and evaluations
- Reviewers — can only access candidate data for the jobs they have been assigned to
4.2 Public Job Listings
When an organization publishes a job, the job title, description, employment type, work mode, organization name, and organization logo are publicly visible to anyone who visits the listing page.
4.3 Service Providers
We use the following third-party service providers to operate the platform:
- Supabase — provides database hosting, authentication, and file storage infrastructure
- SMTP email service — used to deliver invitation and interview notification emails
These providers process data on our behalf and are bound by contractual obligations to protect your data.
4.4 Legal Requirements
We may disclose your data if required to do so by law, regulation, legal process, or enforceable governmental request.
5. Data Storage and Security
We take the security of your data seriously. The following measures are in place:
- Encryption at rest — all data stored in Supabase PostgreSQL is encrypted at rest
- Encryption in transit — all data transmitted between your browser and our servers is protected with TLS
- Password hashing — passwords are hashed using bcrypt before storage
- File storage access controls — uploaded files (CVs, profile photos, logos) are stored in Supabase Storage with access controls that restrict who can view or download them
- Row-Level Security (RLS) — database-level policies ensure users can only access data they are authorized to see
- Secure cookies — session cookies are secure and HTTP-only, preventing client-side script access
- Content Security Policy (CSP) headers — restrict the sources from which content can be loaded
- Permissions-Policy headers — limit browser feature access to reduce the attack surface
6. Data Retention
We retain your data according to the following principles:
- Account data — retained until you delete your account
- Organization data — retained until the organization is deleted by its owner
- Job posting data — retained until the job is deleted by the organization
- Candidate application data — retained until the application is deleted by the organization, or automatically removed when the parent job or organization is deleted
- Invitations — expire automatically after 7 days
When data is deleted, related records are removed through cascading deletions. For example, deleting an organization will also delete all of its jobs, applications, evaluations, and member associations.
7. Your Rights
7.1 All Users
Regardless of your location, you have the following rights:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate personal data
- Deletion — request deletion of your personal data
7.2 Account Holders
In addition to the rights above, account holders have the right to:
- Data portability — request your account data in a structured, commonly used, machine-readable format
7.3 Candidates
Candidates who have submitted applications have the right to:
- Access — request information about what application data is held
- Rectification — request corrections to their application data
- Deletion — request removal of their application data
- Objection — object to the processing of their personal data
7.4 GDPR Rights (EU/EEA Residents)
If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR), including:
- The right to restrict processing of your personal data
- The right to withdraw consent at any time, where processing is based on consent
- The right to lodge a complaint with a supervisory authority in your member state
7.5 CCPA Rights (California Residents)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including:
- The right to know what personal information is collected, used, and shared
- The right to request deletion of your personal information
- The right to non-discrimination for exercising your privacy rights
- The right to opt out of the sale of personal information — note that we do not sell your personal information
To exercise any of these rights, contact us at [email protected].
8. Data Processing Roles
Under applicable data protection laws, the roles and responsibilities for data processing are as follows:
- Rekrutko as Data Processor — when processing candidate data on behalf of organizations, Rekrutko acts as a data processor. Organizations instruct us on how their data is processed through their use of the platform.
- Rekrutko as Data Controller — for account data (email, display name, profile photo, language preference) and data necessary to operate the platform, Rekrutko acts as the data controller.
- Organizations as Data Controllers — organizations that use the platform are the data controllers for the candidate data they collect through job applications and evaluations. Organizations are responsible for ensuring they have a lawful basis for processing candidate data.
9. International Data Transfers
Your data may be stored and processed in the regions where our infrastructure provider, Supabase, operates its services. When data is transferred outside your country of residence, we ensure appropriate safeguards are in place, such as standard contractual clauses or equivalent mechanisms recognized under applicable data protection laws.
10. Cookies
We use only essential cookies. We do not use any optional, analytics, or advertising cookies.
- Session cookie — essential; used for authentication; expires at the end of your browser session
- Locale cookie — essential; used to remember your language preference; persistent
Because these cookies are strictly necessary for the operation of the website and platform, no consent banner is required.
11. Children's Privacy
The Rekrutko website and platform are not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us at [email protected] so we can take appropriate action.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make changes, we will update the effective date at the top of this page. For significant changes, we may notify you through the platform or by other appropriate means.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Email: [email protected]