Last updated: May 2026
This Privacy Policy applies to all users of workeer.de - both Talents (job seekers) and Companies (employers). Sections that apply to only one group are marked accordingly.
PART A - General Provisions (applies to all users)
The data controller within the meaning of the General Data Protection Regulation (GDPR) is:
Workeer gGmbH
Weinbergsweg 27, 10119 Berlin, Germany
Managing Directors: David Jacob, Karl Liebich
Data Protection Contact: david.jacob@workeer.de
Website: https://workeer.de
Legal Notice: https://workeer.de/de/impressum
We have not appointed a legally mandatory data protection officer. For any data protection queries, please contact us directly at: david.jacob@workeer.de
Master data (e.g. name, address, nationality)
Contact data (e.g. email address, phone number)
Content data (e.g. text entries, documents, photos, CVs)
Usage data (e.g. pages visited, click behaviour, access times)
Meta and communication data (e.g. IP addresses, device information)
Contract data (e.g. booked packages, payment history)
Application data (e.g. CV, qualifications, language skills)
Art. 6(1)(a) GDPR: Consent of the data subject
Art. 6(1)(b) GDPR: Performance of a contract or pre-contractual measures
Art. 6(1)(c) GDPR: Compliance with a legal obligation
Art. 6(1)(f) GDPR: Legitimate interests of the controller
Personal data will be deleted once the purpose of processing no longer applies and no statutory retention obligations prevent deletion. Statutory retention periods in Germany are generally 6 years (Section 257 HGB) and 10 years (Section 147 AO).
Some tools we use transfer data to third countries outside the EU/EEA (in particular to the USA). Where no adequacy decision by the EU Commission exists, we base such transfers on Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR or, where available, the EU-U.S. Data Privacy Framework. Details are provided in the respective tool sections.
Personal data: Any information relating to an identified or identifiable natural person. A person is identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, ID number, location data or an online identifier.
Processing: Any operation carried out on personal data, whether or not by automated means (e.g. collection, storage, alteration, transmission, deletion).
Pseudonymisation: Processing of personal data in such a way that it can no longer be attributed to a specific person without additional information.
Profiling: Any form of automated processing of personal data to evaluate certain personal aspects of a natural person (e.g. work performance, economic situation, interests, behaviour).
Controller: The natural or legal person that determines the purposes and means of processing personal data.
Processor: A natural or legal person that processes personal data on behalf of the controller.
We only disclose or transfer personal data to third parties (processors or other parties) on the basis of a legal permission (e.g. if a transfer to payment service providers is required for contract performance under Art. 6(1)(b) GDPR), your consent, a legal obligation, or our legitimate interests (e.g. when using hosting services, etc.).
Where we engage processors pursuant to Art. 28 GDPR, this is done exclusively with carefully selected providers that offer sufficient guarantees for appropriate technical and organisational measures.
In accordance with Art. 32 GDPR, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs and the nature, scope and purposes of processing.
These measures include ensuring the confidentiality, integrity and availability of data, physical access controls, logical access controls, input controls, transfer controls and data separation. We also consider data protection in the development and selection of hardware and software in accordance with the principle of privacy by design and by default (Art. 25 GDPR). The specific measures are documented in our separate TOM document (Technical and Organisational Measures).
Each time our website is accessed, our hosting provider automatically stores information in server log files transmitted by your browser:
IP address of the requesting device
Browser type and version, operating system
Referrer URL, page accessed, date and time
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating and securing the website).
Retention period: 7-30 days, then automatic deletion.
Our website uses cookies. Technically necessary cookies are placed on the basis of Art. 6(1)(f) GDPR. Analytics and marketing cookies are only placed after you have given your consent via our consent banner (Art. 6(1)(a) GDPR). You can withdraw your consent at any time via the 'Cookie Settings' link in the footer of our website.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Analysis of user behaviour on our website, access statistics, optimisation of our services.
Data processed: IP address (anonymised), browser/device data, pages visited, session duration, conversion data.
Legal basis: Art. 6(1)(a) GDPR (consent via consent banner).
Retention period: 14 months, then automatic deletion.
Third-country transfer: USA. EU-U.S. Data Privacy Framework + SCC. Privacy Policy: https://policies.google.com/privacy
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Management and deployment of tracking and marketing tags. Does not itself set cookies or collect personal data.
Data processed: IP address, technical connection data (when loading the script).
Legal basis: Art. 6(1)(f) GDPR.
Retention period: No independent data storage.
Third-country transfer: USA. SCC.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Monitoring website visibility in Google Search, SEO analysis.
Data processed: Aggregated search and click data (not attributable to individuals).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in SEO optimisation).
Retention period: Approx. 16 months per Google policy.
Third-country transfer: USA. EU-U.S. Data Privacy Framework.
Provider: PostHog Inc., 965 Mission St, San Francisco, CA 94103, USA
Purpose: Product analytics, session recording, funnel analysis, feature flag management.
Data processed: Usage behaviour, click paths, session recordings (masked), device data, IP address.
Legal basis: Art. 6(1)(a) GDPR (consent) for session recordings; Art. 6(1)(f) GDPR for aggregated analytics.
Retention period: 1 year.
Third-country transfer: USA (EU cloud hosting configurable). SCC. https://posthog.com/privacy
Provider: Mixpanel, Inc., One Front Street, 28th Floor, San Francisco, CA 94111, USA
Purpose: Event tracking, cohort analysis, product optimisation.
Data processed: User ID (hashed), event data, device data, IP address (anonymised).
Legal basis: Art. 6(1)(a) GDPR (consent).
Retention period: 1 year. Opt-out: https://mixpanel.com/optout
Third-country transfer: USA. SCC.
Provider: Hotjar Ltd., Dragonara Business Centre, 5th Floor, Paceville St Julian's STJ 3141, Malta
Purpose: Heatmaps, session recordings and surveys for UX optimisation. Input fields are automatically masked.
Data processed: Mouse movements, clicks, scroll behaviour, IP address (anonymised).
Legal basis: Art. 6(1)(a) GDPR (consent).
Retention period: 1 year. Opt-out: https://www.hotjar.com/legal/compliance/opt-out
Third-country transfer: Primarily EU (Malta). No regular third-country transfer.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Internal visualisation and analysis of business and analytics data in dashboards.
Data processed: Connection data to linked data sources (e.g. Google Analytics); no independent collection from website visitors.
Legal basis: Art. 6(1)(f) GDPR.
Retention period: Per Google privacy policy.
Third-country transfer: USA. EU-U.S. Data Privacy Framework.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Search ads, display advertising and remarketing campaigns.
Data processed: Cookie ID, IP address, conversion data, device information.
Legal basis: Art. 6(1)(a) GDPR (consent).
Retention period: 90 days. Opt-out: https://adssettings.google.com
Third-country transfer: USA. EU-U.S. Data Privacy Framework.
Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
Purpose: Measuring advertising effectiveness, Custom Audiences, remarketing.
Data processed: Cookie ID, IP address (hashed), browser fingerprint, pages visited, conversion events.
Legal basis: Art. 6(1)(a) GDPR (consent). Pixel is only activated after consent.
Retention period: Up to 180 days. Opt-out: https://www.facebook.com/privacy/policy/
Third-country transfer: USA. SCC + EU-U.S. Data Privacy Framework.
Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
Purpose: Lead generation campaigns on Facebook and Instagram. Users complete a contact form directly within the platform; Meta then transmits the data to us. Workeer is the sole data controller for any further processing from the point of receipt.
Data processed: Name, email address, phone number (as entered by user), any additional fields in the form (e.g. company, job interest), timestamp of transmission.
Legal basis: Art. 6(1)(a) GDPR (consent: users explicitly consent before submitting the lead form).
Retention period: Until fulfilment of purpose, max. 12 months. Opt-out: https://www.facebook.com/privacy/policy/
Third-country transfer: USA. SCC + EU-U.S. Data Privacy Framework. Privacy Policy Meta: https://www.facebook.com/privacy/policy/
Provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland
Purpose: B2B advertising, conversion tracking and retargeting.
Data processed: LinkedIn member ID (hashed), IP address, pages visited, conversion events.
Legal basis: Art. 6(1)(a) GDPR (consent).
Retention period: 90 days. Opt-out: https://www.linkedin.com/psettings/guest-controls
Third-country transfer: USA. SCC.
Provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland
Purpose: TikTok advertising, conversion tracking, Custom Audiences.
Data processed: Cookie ID, IP address, device data, conversion events.
Legal basis: Art. 6(1)(a) GDPR (consent).
Retention period: Up to 13 months. Privacy Policy: https://www.tiktok.com/legal/privacy-policy
Third-country transfer: USA. SCC.
Provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland
Purpose: Lead generation campaigns on TikTok. Users complete a contact form directly within the app; TikTok then transmits the data to us. Workeer is the sole data controller for any further processing from the point of receipt.
Data processed: Name, email address, phone number (as entered by user), any additional form fields, timestamp of transmission.
Legal basis: Art. 6(1)(a) GDPR (consent: users explicitly consent before submitting the lead form).
Retention period: Until fulfilment of purpose, max. 12 months.
Third-country transfer: USA. SCC.
Provider: Reddit, Inc., 548 Market Street, #16093, San Francisco, CA 94104, USA
Purpose: Reddit advertising, conversion tracking.
Data processed: Cookie ID, IP address (anonymised), device data.
Legal basis: Art. 6(1)(a) GDPR (consent).
Retention period: 90 days. Privacy Policy: https://www.redditinc.com/policies/privacy-policy
Third-country transfer: USA. SCC.
Provider: Adevinta Germany GmbH, Marlene-Dietrich-Platz 1, 10785 Berlin, Germany
Purpose: Job listings and advertising on Kleinanzeigen.de.
Data processed: Job listing content, employer contact data.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
Retention period: Per Kleinanzeigen terms of service.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Video advertising on YouTube and embedding of YouTube videos on our website. We use YouTube's enhanced privacy mode (youtube-nocookie.com) so that a connection to YouTube servers is only established when you actively play a video.
Data processed: IP address, browser/device data, video interactions, conversion events. For logged-in Google users, data may be linked to their Google account.
Legal basis: Art. 6(1)(a) GDPR (consent via consent banner for ads; consent when clicking to play for embedded videos).
Retention period: Per Google privacy policy. Opt-out: https://adssettings.google.com/authenticated
Third-country transfer: USA. EU-U.S. Data Privacy Framework + SCC. https://www.google.com/policies/privacy/
Provider: Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland (parent: X Corp., USA)
Purpose: Advertising on X (formerly Twitter), conversion tracking and retargeting via the X Pixel.
Data processed: Cookie ID, IP address, device data, pages visited, conversion events, email address (hashed) if applicable.
Legal basis: Art. 6(1)(a) GDPR (consent via consent banner).
Retention period: Up to 30 days. Opt-out: https://twitter.com/privacy
Third-country transfer: USA. SCC. Privacy Policy: https://twitter.com/en/privacy
Provider: Meta Platforms Ireland Ltd. (Facebook, Instagram), LinkedIn Ireland Unlimited Company, TikTok Technology Ltd., Twitter International Unlimited Company (X), Google Ireland Ltd. (YouTube), Reddit Inc.
Purpose: We operate public company pages, fan pages and groups on social media platforms. Purpose: public relations, communication with users, distribution of job listings and content. Note: For Facebook fan pages, we are jointly responsible with Meta for the processing of Insights data pursuant to the ECJ ruling (C-210/16). A Joint Controller Agreement pursuant to Art. 26 GDPR has been concluded with Meta.
Data processed: Interactions with our pages (likes, comments, shared content, messages), Insights/statistics data from platform operators, IP address, device data.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in public relations and communication). For direct messages, Art. 6(1)(b) GDPR may apply.
Retention period: Per the respective platform privacy policies. Workeer has no influence over the retention periods of platform operators.
Third-country transfer: USA and other third countries as applicable. SCC or EU-U.S. Data Privacy Framework depending on platform. Meta: https://www.facebook.com/privacy/policy/ | LinkedIn: https://www.linkedin.com/legal/privacy-policy | TikTok: https://www.tiktok.com/legal/privacy-policy | X: https://twitter.com/en/privacy | YouTube: https://policies.google.com/privacy
Provider: Brevo SAS, 7 rue de Madrid, 75008 Paris, France
Purpose: Sending transactional emails (registration confirmation, application notifications) and newsletters.
Data processed: Email address, name, open and click behaviour, IP address.
Legal basis: Art. 6(1)(b) GDPR (transactional emails); Art. 6(1)(a) GDPR (newsletters after consent). Unsubscribe at any time via the unsubscribe link in the newsletter.
Retention period: Until unsubscription (newsletter) or fulfilment of purpose.
Third-country transfer: EU data centres. No regular third-country transfer.
Provider: Superchat GmbH, Alte Jakobstrasse 77, 10179 Berlin, Germany
Purpose: Business messaging and customer communication across multiple channels.
Data processed: Name, phone number, email address, message content.
Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(a) GDPR for marketing messages.
Retention period: Per Superchat terms of service.
Third-country transfer: Germany. No third-country transfer.
Provider: WhatsApp Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (parent: Meta Platforms, USA)
Purpose: Direct communication with users and employers.
Data processed: Phone number, message content, communication metadata.
Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(a) GDPR (consent).
Retention period: Per WhatsApp Privacy Policy: https://www.whatsapp.com/legal/privacy-policy
Third-country transfer: USA. SCC.
Provider: Statamic, LLC, USA
Purpose: Content management system for our website.
Data processed: Server-side processing of form submissions; no independent data collection from visitors.
Legal basis: Art. 6(1)(f) GDPR.
Retention period: Per server-side configuration.
Third-country transfer: USA (software vendor). Server hosting per hosting provider (potentially EU).
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Embedding of web fonts for consistent display. When a page loads, the browser establishes a connection to Google servers.
Data processed: IP address, browser type, operating system, referrer URL (transmitted on every page load).
Legal basis: Art. 6(1)(f) GDPR or Art. 6(1)(a) GDPR (consent). Important: German courts (e.g. Munich Regional Court I, Ref. 3 O 17493/20) have held that embedding external Google Fonts without consent violates the GDPR and is a common basis for cease-and-desist claims. We strongly recommend local font hosting.
Retention period: Per Google privacy policy. Opt-out: https://adssettings.google.com/authenticated
Third-country transfer: USA. EU-U.S. Data Privacy Framework + SCC. https://www.google.com/policies/privacy/
Provider: HubSpot Ireland Limited, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland (parent: HubSpot, Inc., Cambridge, MA, USA)
Purpose: CRM system for managing user relationships (talents and companies), email marketing, lead management, communication history.
Data processed: Name, email address, company (for employers), phone number, interaction history, email opens and clicks.
Legal basis: Art. 6(1)(b) GDPR (contract performance); Art. 6(1)(f) GDPR (legitimate interest in CRM).
Retention period: For the duration of the business relationship; thereafter subject to statutory retention periods.
Third-country transfer: USA. EU-U.S. Data Privacy Framework + SCC. https://legal.hubspot.com/privacy-policy
Provider: Make s.r.o., Prikop 843/4, 602 00 Brno, Czech Republic
Purpose: Workflow automation and integration of various systems (e.g. CRM, email, databases) for talents and companies.
Data processed: Data fields from connected systems, depending on the configured workflows.
Legal basis: Art. 6(1)(f) GDPR.
Retention period: Workflow logs after 30 days. No independent long-term storage.
Third-country transfer: EU-based servers. Possible third-country transfer depending on connected services.
Provider: Zapier, Inc., 548 Market St. #62411, San Francisco, CA 94104, USA
Purpose: Workflow automation and integration of various systems for talents and companies.
Data processed: Data fields from connected systems.
Legal basis: Art. 6(1)(f) GDPR.
Retention period: Workflow logs after 30 days.
Third-country transfer: USA. SCC.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Internal communication (Gmail), document management (Drive, Docs), calendar and video conferencing (Meet) - used for communication with talents and companies.
Data processed: Emails, documents, calendar entries, contacts, meeting data.
Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR.
Retention period: Per Google Workspace Data Processing Agreement.
Third-country transfer: USA. EU-U.S. Data Privacy Framework + SCC.
The following types of cookies are used on our website:
Session cookies (transient cookies): Deleted when you leave the website and close the browser. They enable, for example, the storage of your login status during a session.
Persistent cookies: Remain stored after the browser is closed. They enable recognition on your next visit and the storage of preferences.
Third-party cookies: Set by providers other than Workeer (e.g. advertising or analytics service providers) and are subject to their respective privacy policies.
You can object to the use of tracking cookies for online marketing purposes at: http://www.aboutads.info/choices/ (US) or http://www.youronlinechoices.com/ (EU).
In addition to the above, we process the following data from our customers, prospects and business partners for the purpose of providing contractual services, customer care and marketing:
Contract data (e.g. subject matter of contract, duration, customer category)
Payment data (e.g. bank details, payment history, billing address)
Legal basis: Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(c) GDPR (legal obligations), Art. 6(1)(f) GDPR (legitimate interests).
We process the data of our company customers in the context of booking transactions (job listing packages) to enable the selection, booking and payment of the chosen services.
Upon registration and logins, we store the IP address and the time of each user action on the basis of our legitimate interests (protection against misuse, Art. 6(1)(f) GDPR).
Retention: After expiry of statutory warranty and archiving obligations. Under commercial law: 6 years (Section 257 HGB). Under tax law: 10 years (Section 147 AO). Austria: 7 years (Section 132 BAO).
We use external payment service providers through whose platforms company customers can make payment transactions. Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in offering secure and efficient payment options).
Data processed by payment service providers includes: name, address, bank details (account numbers, credit card numbers) and contract and amount-related information. We ourselves do not receive any account or credit card information, only payment confirmation or rejection. Payment service providers may transmit data to credit agencies for identity and credit checks.
Payment service providers used (each with link to their privacy policy):
PayPal (Europe) S.a r.l. et Cie, S.C.A., Luxembourg: https://www.paypal.com/de/webapps/mpp/ua/privacy-full
Klarna Bank AB, Stockholm, Sweden: https://www.klarna.com/de/datenschutz/
Stripe Payments Europe, Ltd., Dublin, Ireland: https://stripe.com/en/privacy
Visa Inc.: https://www.visa.de/datenschutz
Mastercard Europe SA: https://www.mastercard.de/de-de/datenschutz.html
American Express Services Europe Limited: https://www.americanexpress.com/de/content/privacy-policy-statement.html
The terms and conditions and privacy policies of the respective payment service providers apply to payment transactions. Please refer to these for further information and to exercise your right of withdrawal, access and other data subject rights.
We process data as part of administrative tasks, financial accounting and compliance with legal obligations (e.g. archiving). We process the same data that we process in the context of providing our contractual services.
Legal bases: Art. 6(1)(c) GDPR (legal obligation), Art. 6(1)(f) GDPR (legitimate interests in efficient business operations).
We disclose or transfer data in this context to tax authorities, tax advisors, auditors and payment service providers where legally required or necessary.
Workeer explicitly serves refugees and international talents. We are aware of the particular vulnerability of this group and implement additional protective measures.
The data we process may include information that indirectly allows inferences about the ethnic origin or migration background of a person (e.g. nationality, country of birth, language skills). Such data may constitute special categories of personal data within the meaning of Art. 9 GDPR.
We process this data exclusively for the purpose of job placement and application management. Data will not be shared with authorities, immigration agencies or other government bodies unless we are legally required to do so.
Legal basis: Art. 6(1)(b) GDPR (contract performance) in conjunction with Art. 9(2)(b) GDPR (processing in the employment context) and, where applicable, Art. 9(2)(a) GDPR (explicit consent).
Additional protective measures: We have carried out a Data Protection Impact Assessment (DPIA) pursuant to Art. 35 GDPR and implemented Technical and Organisational Measures (TOMs) that reflect the heightened protection needs of this group.
No profiling: No automated decision-making or profiling takes place that could negatively affect refugees or international talents.
Data minimisation: We only collect data that is strictly necessary for the application process. Information on residence status or refugee status is not systematically collected.
PART B - Special Provisions for Talents (Job Seekers)
This section applies exclusively to persons who register on workeer.de as a talent or use the platform for job searching and applying.
Talents can register on workeer.de to find jobs and submit applications. The following data is processed:
First and last name
Email address
Password (encrypted)
Optional profile details: place of residence, nationality, language skills, qualifications, CV, photo
Legal basis: Art. 6(1)(b) GDPR (contract performance).
Retention period: Until account deletion (self-initiated or upon request). See Section 21 for instructions.
When talents apply for positions through our platform, their application documents are forwarded to the respective employer:
Name, address, contact details
CV, certificates, qualifications
Language skills, work experience
Voluntarily added information
Legal basis: Art. 6(1)(b) GDPR.
Note: Workeer is not responsible for the further processing of application data by the employer. Please refer to that employer's privacy policy.
Provider: Socialtelligence GmbH (provider of HiCandidate)
Purpose: AI-powered candidate matching to support the recruitment process. Talent profiles are matched with suitable job listings.
Data processed: Talent profile data (name, qualifications, work experience, language skills), matching scores.
Legal basis: Art. 6(1)(b) GDPR (contract performance in the application process). Talents are informed about the use of this tool.
Retention period: During the application process; immediate deletion thereafter.
Third-country transfer: Subject to provider's server locations. Details available upon request.
PART C - Special Provisions for Companies (Employers)
This section applies exclusively to companies that register on workeer.de to post job listings and find talent.
Companies register to post job listings. The following data is processed:
Name of the contact person
Company name and address
Email address
Billing and payment data
Job listings and related content
Legal basis: Art. 6(1)(b) GDPR (contract performance).
Retention period: For the duration of the business relationship; billing data subject to statutory retention period (10 years).
Provider: Asana, Inc., 633 Folsom Street, Suite 100, San Francisco, CA 94107, USA
Purpose: Project management and task tracking.
Data processed: Names, email addresses of users, task and project content.
Legal basis: Art. 6(1)(f) GDPR.
Retention period: Until account deletion.
Third-country transfer: USA. SCC. https://asana.com/terms#privacy-policy
Provider: Figma, Inc., 760 Market Street, Floor 10, San Francisco, CA 94102, USA
Purpose: Design collaboration for UI/UX drafts and graphics.
Data processed: Account data, design files, comments.
Legal basis: Art. 6(1)(f) GDPR.
Retention period: Until account deletion.
Third-country transfer: USA. SCC.
Provider: Canva Pty Ltd, 110 Kippax Street, Surry Hills, NSW 2010, Australia
Purpose: Creation of marketing and design materials.
Data processed: Account data, uploaded images and design data.
Legal basis: Art. 6(1)(f) GDPR.
Retention period: Until account deletion.
Third-country transfer: Australia and USA. SCC.
The following AI tools are used internally to support work processes. Personal data of customers or talents is generally not shared with these services.
Provider: OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA
Purpose: Internal text creation, content generation, process support.
Data processed: Only internally used inputs; no transfer of personal user data.
Legal basis: Art. 6(1)(f) GDPR.
Retention period: Per OpenAI privacy policy: https://openai.com/privacy
Third-country transfer: USA. SCC.
Provider: Midjourney, Inc., USA
Purpose: AI-powered image creation for internal marketing graphics.
Data processed: Only internally used text prompts.
Legal basis: Art. 6(1)(f) GDPR.
Retention period: Per Midjourney terms of service.
Third-country transfer: USA. SCC.
Provider: Anthropic, PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA
Purpose: AI-powered text processing and process support.
Data processed: Only internally used inputs.
Legal basis: Art. 6(1)(f) GDPR.
Retention period: Per Anthropic privacy policy: https://www.anthropic.com/privacy
Third-country transfer: USA. SCC.
Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Purpose: AI-powered text processing.
Data processed: Only internally used inputs.
Legal basis: Art. 6(1)(f) GDPR.
Retention period: Per Google privacy policy.
Third-country transfer: USA. EU-U.S. Data Privacy Framework.
The following tools are used for virtual meetings with company clients, partners and internally. Participants will be informed at the beginning of a meeting about any recording or AI tools used, where legally required.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Video conferencing and virtual meetings.
Data processed: Name, email address, IP address, audio/video data during the meeting, chat messages, recordings if applicable.
Legal basis: Art. 6(1)(b) GDPR (contract performance); Art. 6(1)(f) GDPR.
Retention period: Per Google Workspace Data Processing Agreement. Recordings until manually deleted.
Third-country transfer: USA. EU-U.S. Data Privacy Framework + SCC.
Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
Purpose: Video conferencing, chat communication and file sharing.
Data processed: Name, email address, IP address, audio/video data, chat messages, shared files, recordings if applicable.
Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR.
Retention period: Per Microsoft Data Processing Agreement. Chat history configurable (default: 30 days to indefinite).
Third-country transfer: USA and others. EU-U.S. Data Privacy Framework + SCC. https://privacy.microsoft.com/en-gb/privacystatement
Provider: Fathom Video Inc., 340 S Lemon Ave #2051, Walnut, CA 91789, USA
Purpose: AI-powered automatic meeting transcription and summarisation of video calls. Fathom joins as a bot participant. Important: All meeting participants must be informed at the start of the meeting that Fathom is being used and that the meeting is being recorded. Recording without the consent of all participants may be unlawful.
Data processed: Audio/video content of the meeting, transcripts, AI-generated summaries, names and email addresses of participants.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient documentation) or Art. 6(1)(a) GDPR (consent of participants).
Retention period: Recordings and transcripts per Fathom settings; deletable by account holder. Privacy Policy: https://fathom.video/privacy
Third-country transfer: USA. SCC. No adequacy decision; a Data Processing Agreement (DPA) with Fathom should be concluded.
PART D - Data Subject Rights and Miscellaneous
Right of access (Art. 15 GDPR): You may request information about the personal data we process about you.
Right to rectification (Art. 16 GDPR): You may request correction of inaccurate or incomplete data.
Right to erasure (Art. 17 GDPR): You may request deletion of your data, unless statutory retention obligations apply.
Right to restriction of processing (Art. 18 GDPR): You may request restriction of processing under certain conditions.
Right to data portability (Art. 20 GDPR): You may request that we provide your data in a structured, commonly used and machine-readable format.
Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests, in particular to direct marketing.
Right to withdraw consent (Art. 7(3) GDPR): You may withdraw consent given at any time with effect for the future.
Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with the competent supervisory authority.
To exercise your rights, please contact: david.jacob@workeer.de. We will respond within one month.
Competent supervisory authority:
Berlin Commissioner for Data Protection and Freedom of Information
Alt Moabit 59-61, 10555 Berlin, Germany
Tel.: +49 30 13889-0 | Email: mailbox@datenschutz-berlin.de
Talents can delete their account at any time:
Log in at workeer.de/de/login
Go to settings: workeer.de/de/account/einstellungen
Click 'Delete account' and confirm
Alternatively, send a deletion request by email to david.jacob@workeer.de from your registered email address. Deletion will be confirmed by email within 48 hours.
Our services are not directed at persons under the age of 16. We do not knowingly collect data from children. Should such data come to our attention, it will be deleted immediately.
We reserve the right to update this Privacy Policy to reflect changes in legal requirements, our services or new data processing activities. The current version is always available at workeer.de/de/data-privacy. We will notify registered users of material changes by email.
Last updated: June 2026