Data privacy

Last updated: May 2026

This Privacy Policy applies to all users of workeer.de - both Talents (job seekers) and Companies (employers). Sections that apply to only one group are marked accordingly.


PART A - General Provisions (applies to all users)

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:


Workeer gGmbH

Weinbergsweg 27, 10119 Berlin, Germany

Managing Directors: David Jacob, Karl Liebich

Data Protection Contact: david.jacob@workeer.de

Website: https://workeer.de

Legal Notice: https://workeer.de/de/impressum


2. Data Protection Officer

We have not appointed a legally mandatory data protection officer. For any data protection queries, please contact us directly at: david.jacob@workeer.de


3. General Information on Data Processing

3.1 Categories of data processed

Master data (e.g. name, address, nationality)

Contact data (e.g. email address, phone number)

Content data (e.g. text entries, documents, photos, CVs)

Usage data (e.g. pages visited, click behaviour, access times)

Meta and communication data (e.g. IP addresses, device information)

Contract data (e.g. booked packages, payment history)

Application data (e.g. CV, qualifications, language skills)


3.2 Legal bases

Art. 6(1)(a) GDPR: Consent of the data subject

Art. 6(1)(b) GDPR: Performance of a contract or pre-contractual measures

Art. 6(1)(c) GDPR: Compliance with a legal obligation

Art. 6(1)(f) GDPR: Legitimate interests of the controller


3.3 Deletion and retention periods

Personal data will be deleted once the purpose of processing no longer applies and no statutory retention obligations prevent deletion. Statutory retention periods in Germany are generally 6 years (Section 257 HGB) and 10 years (Section 147 AO).


3.4 Transfers to third countries

Some tools we use transfer data to third countries outside the EU/EEA (in particular to the USA). Where no adequacy decision by the EU Commission exists, we base such transfers on Standard Contractual Clauses (SCC) pursuant to Art. 46(2)(c) GDPR or, where available, the EU-U.S. Data Privacy Framework. Details are provided in the respective tool sections.


3.5 Definitions

Personal data: Any information relating to an identified or identifiable natural person. A person is identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, ID number, location data or an online identifier.

Processing: Any operation carried out on personal data, whether or not by automated means (e.g. collection, storage, alteration, transmission, deletion).

Pseudonymisation: Processing of personal data in such a way that it can no longer be attributed to a specific person without additional information.

Profiling: Any form of automated processing of personal data to evaluate certain personal aspects of a natural person (e.g. work performance, economic situation, interests, behaviour).

Controller: The natural or legal person that determines the purposes and means of processing personal data.

Processor: A natural or legal person that processes personal data on behalf of the controller.


3.6 Cooperation with processors and third parties

We only disclose or transfer personal data to third parties (processors or other parties) on the basis of a legal permission (e.g. if a transfer to payment service providers is required for contract performance under Art. 6(1)(b) GDPR), your consent, a legal obligation, or our legitimate interests (e.g. when using hosting services, etc.).

Where we engage processors pursuant to Art. 28 GDPR, this is done exclusively with carefully selected providers that offer sufficient guarantees for appropriate technical and organisational measures.


3.7 Security measures (Art. 32 GDPR)

In accordance with Art. 32 GDPR, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs and the nature, scope and purposes of processing.

These measures include ensuring the confidentiality, integrity and availability of data, physical access controls, logical access controls, input controls, transfer controls and data separation. We also consider data protection in the development and selection of hardware and software in accordance with the principle of privacy by design and by default (Art. 25 GDPR). The specific measures are documented in our separate TOM document (Technical and Organisational Measures).


4. Website Visit and Technical Operation

4.1 Server log files

Each time our website is accessed, our hosting provider automatically stores information in server log files transmitted by your browser:

IP address of the requesting device

Browser type and version, operating system

Referrer URL, page accessed, date and time

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating and securing the website).

Retention period: 7-30 days, then automatic deletion.


4.2 Cookies and consent management

Our website uses cookies. Technically necessary cookies are placed on the basis of Art. 6(1)(f) GDPR. Analytics and marketing cookies are only placed after you have given your consent via our consent banner (Art. 6(1)(a) GDPR). You can withdraw your consent at any time via the 'Cookie Settings' link in the footer of our website.


5. Web Analytics and Tracking (all users)

Google Analytics

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Purpose: Analysis of user behaviour on our website, access statistics, optimisation of our services.

Data processed: IP address (anonymised), browser/device data, pages visited, session duration, conversion data.

Legal basis: Art. 6(1)(a) GDPR (consent via consent banner).

Retention period: 14 months, then automatic deletion.

Third-country transfer: USA. EU-U.S. Data Privacy Framework + SCC. Privacy Policy: https://policies.google.com/privacy


Google Tag Manager

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Purpose: Management and deployment of tracking and marketing tags. Does not itself set cookies or collect personal data.

Data processed: IP address, technical connection data (when loading the script).

Legal basis: Art. 6(1)(f) GDPR.

Retention period: No independent data storage.

Third-country transfer: USA. SCC.


Google Search Console

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Purpose: Monitoring website visibility in Google Search, SEO analysis.

Data processed: Aggregated search and click data (not attributable to individuals).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in SEO optimisation).

Retention period: Approx. 16 months per Google policy.

Third-country transfer: USA. EU-U.S. Data Privacy Framework.


PostHog

Provider: PostHog Inc., 965 Mission St, San Francisco, CA 94103, USA

Purpose: Product analytics, session recording, funnel analysis, feature flag management.

Data processed: Usage behaviour, click paths, session recordings (masked), device data, IP address.

Legal basis: Art. 6(1)(a) GDPR (consent) for session recordings; Art. 6(1)(f) GDPR for aggregated analytics.

Retention period: 1 year.

Third-country transfer: USA (EU cloud hosting configurable). SCC. https://posthog.com/privacy


Mixpanel

Provider: Mixpanel, Inc., One Front Street, 28th Floor, San Francisco, CA 94111, USA

Purpose: Event tracking, cohort analysis, product optimisation.

Data processed: User ID (hashed), event data, device data, IP address (anonymised).

Legal basis: Art. 6(1)(a) GDPR (consent).

Retention period: 1 year. Opt-out: https://mixpanel.com/optout

Third-country transfer: USA. SCC.


Hotjar

Provider: Hotjar Ltd., Dragonara Business Centre, 5th Floor, Paceville St Julian's STJ 3141, Malta

Purpose: Heatmaps, session recordings and surveys for UX optimisation. Input fields are automatically masked.

Data processed: Mouse movements, clicks, scroll behaviour, IP address (anonymised).

Legal basis: Art. 6(1)(a) GDPR (consent).

Retention period: 1 year. Opt-out: https://www.hotjar.com/legal/compliance/opt-out

Third-country transfer: Primarily EU (Malta). No regular third-country transfer.


Looker Studio

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Purpose: Internal visualisation and analysis of business and analytics data in dashboards.

Data processed: Connection data to linked data sources (e.g. Google Analytics); no independent collection from website visitors.

Legal basis: Art. 6(1)(f) GDPR.

Retention period: Per Google privacy policy.

Third-country transfer: USA. EU-U.S. Data Privacy Framework.


6. Advertising and Remarketing (all users)

Google Ads (incl. Remarketing)

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Purpose: Search ads, display advertising and remarketing campaigns.

Data processed: Cookie ID, IP address, conversion data, device information.

Legal basis: Art. 6(1)(a) GDPR (consent).

Retention period: 90 days. Opt-out: https://adssettings.google.com

Third-country transfer: USA. EU-U.S. Data Privacy Framework.


Meta Pixel (Facebook / Instagram Ads)

Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland

Purpose: Measuring advertising effectiveness, Custom Audiences, remarketing.

Data processed: Cookie ID, IP address (hashed), browser fingerprint, pages visited, conversion events.

Legal basis: Art. 6(1)(a) GDPR (consent). Pixel is only activated after consent.

Retention period: Up to 180 days. Opt-out: https://www.facebook.com/privacy/policy/

Third-country transfer: USA. SCC + EU-U.S. Data Privacy Framework.


Meta Lead Ads (Facebook / Instagram)

Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland

Purpose: Lead generation campaigns on Facebook and Instagram. Users complete a contact form directly within the platform; Meta then transmits the data to us. Workeer is the sole data controller for any further processing from the point of receipt.

Data processed: Name, email address, phone number (as entered by user), any additional fields in the form (e.g. company, job interest), timestamp of transmission.

Legal basis: Art. 6(1)(a) GDPR (consent: users explicitly consent before submitting the lead form).

Retention period: Until fulfilment of purpose, max. 12 months. Opt-out: https://www.facebook.com/privacy/policy/

Third-country transfer: USA. SCC + EU-U.S. Data Privacy Framework. Privacy Policy Meta: https://www.facebook.com/privacy/policy/


LinkedIn Ads / LinkedIn Insight Tag

Provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland

Purpose: B2B advertising, conversion tracking and retargeting.

Data processed: LinkedIn member ID (hashed), IP address, pages visited, conversion events.

Legal basis: Art. 6(1)(a) GDPR (consent).

Retention period: 90 days. Opt-out: https://www.linkedin.com/psettings/guest-controls

Third-country transfer: USA. SCC.


TikTok Pixel

Provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland

Purpose: TikTok advertising, conversion tracking, Custom Audiences.

Data processed: Cookie ID, IP address, device data, conversion events.

Legal basis: Art. 6(1)(a) GDPR (consent).

Retention period: Up to 13 months. Privacy Policy: https://www.tiktok.com/legal/privacy-policy

Third-country transfer: USA. SCC.


TikTok Lead Generation

Provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland

Purpose: Lead generation campaigns on TikTok. Users complete a contact form directly within the app; TikTok then transmits the data to us. Workeer is the sole data controller for any further processing from the point of receipt.

Data processed: Name, email address, phone number (as entered by user), any additional form fields, timestamp of transmission.

Legal basis: Art. 6(1)(a) GDPR (consent: users explicitly consent before submitting the lead form).

Retention period: Until fulfilment of purpose, max. 12 months.

Third-country transfer: USA. SCC.


Reddit Ads

Provider: Reddit, Inc., 548 Market Street, #16093, San Francisco, CA 94104, USA

Purpose: Reddit advertising, conversion tracking.

Data processed: Cookie ID, IP address (anonymised), device data.

Legal basis: Art. 6(1)(a) GDPR (consent).

Retention period: 90 days. Privacy Policy: https://www.redditinc.com/policies/privacy-policy

Third-country transfer: USA. SCC.


Kleinanzeigen (Ads)

Provider: Adevinta Germany GmbH, Marlene-Dietrich-Platz 1, 10785 Berlin, Germany

Purpose: Job listings and advertising on Kleinanzeigen.de.

Data processed: Job listing content, employer contact data.

Legal basis: Art. 6(1)(b) GDPR (contract performance).

Retention period: Per Kleinanzeigen terms of service.


YouTube Ads & Video Embedding

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Purpose: Video advertising on YouTube and embedding of YouTube videos on our website. We use YouTube's enhanced privacy mode (youtube-nocookie.com) so that a connection to YouTube servers is only established when you actively play a video.

Data processed: IP address, browser/device data, video interactions, conversion events. For logged-in Google users, data may be linked to their Google account.

Legal basis: Art. 6(1)(a) GDPR (consent via consent banner for ads; consent when clicking to play for embedded videos).

Retention period: Per Google privacy policy. Opt-out: https://adssettings.google.com/authenticated

Third-country transfer: USA. EU-U.S. Data Privacy Framework + SCC. https://www.google.com/policies/privacy/


X (Twitter) Ads

Provider: Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, Ireland (parent: X Corp., USA)

Purpose: Advertising on X (formerly Twitter), conversion tracking and retargeting via the X Pixel.

Data processed: Cookie ID, IP address, device data, pages visited, conversion events, email address (hashed) if applicable.

Legal basis: Art. 6(1)(a) GDPR (consent via consent banner).

Retention period: Up to 30 days. Opt-out: https://twitter.com/privacy

Third-country transfer: USA. SCC. Privacy Policy: https://twitter.com/en/privacy


Social Media Presences (Pages and Groups)

Provider: Meta Platforms Ireland Ltd. (Facebook, Instagram), LinkedIn Ireland Unlimited Company, TikTok Technology Ltd., Twitter International Unlimited Company (X), Google Ireland Ltd. (YouTube), Reddit Inc.

Purpose: We operate public company pages, fan pages and groups on social media platforms. Purpose: public relations, communication with users, distribution of job listings and content. Note: For Facebook fan pages, we are jointly responsible with Meta for the processing of Insights data pursuant to the ECJ ruling (C-210/16). A Joint Controller Agreement pursuant to Art. 26 GDPR has been concluded with Meta.

Data processed: Interactions with our pages (likes, comments, shared content, messages), Insights/statistics data from platform operators, IP address, device data.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in public relations and communication). For direct messages, Art. 6(1)(b) GDPR may apply.

Retention period: Per the respective platform privacy policies. Workeer has no influence over the retention periods of platform operators.

Third-country transfer: USA and other third countries as applicable. SCC or EU-U.S. Data Privacy Framework depending on platform. Meta: https://www.facebook.com/privacy/policy/ | LinkedIn: https://www.linkedin.com/legal/privacy-policy | TikTok: https://www.tiktok.com/legal/privacy-policy | X: https://twitter.com/en/privacy | YouTube: https://policies.google.com/privacy


7. Communication and CRM (all users)

Brevo (formerly Sendinblue)

Provider: Brevo SAS, 7 rue de Madrid, 75008 Paris, France

Purpose: Sending transactional emails (registration confirmation, application notifications) and newsletters.

Data processed: Email address, name, open and click behaviour, IP address.

Legal basis: Art. 6(1)(b) GDPR (transactional emails); Art. 6(1)(a) GDPR (newsletters after consent). Unsubscribe at any time via the unsubscribe link in the newsletter.

Retention period: Until unsubscription (newsletter) or fulfilment of purpose.

Third-country transfer: EU data centres. No regular third-country transfer.


Superchat

Provider: Superchat GmbH, Alte Jakobstrasse 77, 10179 Berlin, Germany

Purpose: Business messaging and customer communication across multiple channels.

Data processed: Name, phone number, email address, message content.

Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(a) GDPR for marketing messages.

Retention period: Per Superchat terms of service.

Third-country transfer: Germany. No third-country transfer.


WhatsApp Business

Provider: WhatsApp Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (parent: Meta Platforms, USA)

Purpose: Direct communication with users and employers.

Data processed: Phone number, message content, communication metadata.

Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(a) GDPR (consent).

Retention period: Per WhatsApp Privacy Policy: https://www.whatsapp.com/legal/privacy-policy

Third-country transfer: USA. SCC.


8. Website Technology (all users)

Statamic (CMS)

Provider: Statamic, LLC, USA

Purpose: Content management system for our website.

Data processed: Server-side processing of form submissions; no independent data collection from visitors.

Legal basis: Art. 6(1)(f) GDPR.

Retention period: Per server-side configuration.

Third-country transfer: USA (software vendor). Server hosting per hosting provider (potentially EU).


Google Fonts

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Purpose: Embedding of web fonts for consistent display. When a page loads, the browser establishes a connection to Google servers.

Data processed: IP address, browser type, operating system, referrer URL (transmitted on every page load).

Legal basis: Art. 6(1)(f) GDPR or Art. 6(1)(a) GDPR (consent). Important: German courts (e.g. Munich Regional Court I, Ref. 3 O 17493/20) have held that embedding external Google Fonts without consent violates the GDPR and is a common basis for cease-and-desist claims. We strongly recommend local font hosting.

Retention period: Per Google privacy policy. Opt-out: https://adssettings.google.com/authenticated

Third-country transfer: USA. EU-U.S. Data Privacy Framework + SCC. https://www.google.com/policies/privacy/


9. CRM and Automation (all users)

HubSpot

Provider: HubSpot Ireland Limited, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland (parent: HubSpot, Inc., Cambridge, MA, USA)

Purpose: CRM system for managing user relationships (talents and companies), email marketing, lead management, communication history.

Data processed: Name, email address, company (for employers), phone number, interaction history, email opens and clicks.

Legal basis: Art. 6(1)(b) GDPR (contract performance); Art. 6(1)(f) GDPR (legitimate interest in CRM).

Retention period: For the duration of the business relationship; thereafter subject to statutory retention periods.

Third-country transfer: USA. EU-U.S. Data Privacy Framework + SCC. https://legal.hubspot.com/privacy-policy


make.com (formerly Integromat)

Provider: Make s.r.o., Prikop 843/4, 602 00 Brno, Czech Republic

Purpose: Workflow automation and integration of various systems (e.g. CRM, email, databases) for talents and companies.

Data processed: Data fields from connected systems, depending on the configured workflows.

Legal basis: Art. 6(1)(f) GDPR.

Retention period: Workflow logs after 30 days. No independent long-term storage.

Third-country transfer: EU-based servers. Possible third-country transfer depending on connected services.


Zapier

Provider: Zapier, Inc., 548 Market St. #62411, San Francisco, CA 94104, USA

Purpose: Workflow automation and integration of various systems for talents and companies.

Data processed: Data fields from connected systems.

Legal basis: Art. 6(1)(f) GDPR.

Retention period: Workflow logs after 30 days.

Third-country transfer: USA. SCC.


Google Workspace (G Suite)

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Purpose: Internal communication (Gmail), document management (Drive, Docs), calendar and video conferencing (Meet) - used for communication with talents and companies.

Data processed: Emails, documents, calendar entries, contacts, meeting data.

Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR.

Retention period: Per Google Workspace Data Processing Agreement.

Third-country transfer: USA. EU-U.S. Data Privacy Framework + SCC.


10. Cookies - Types Explained

The following types of cookies are used on our website:

Session cookies (transient cookies): Deleted when you leave the website and close the browser. They enable, for example, the storage of your login status during a session.

Persistent cookies: Remain stored after the browser is closed. They enable recognition on your next visit and the storage of preferences.

Third-party cookies: Set by providers other than Workeer (e.g. advertising or analytics service providers) and are subject to their respective privacy policies.


You can object to the use of tracking cookies for online marketing purposes at: http://www.aboutads.info/choices/ (US) or http://www.youronlinechoices.com/ (EU).


11. Business-Related Processing

In addition to the above, we process the following data from our customers, prospects and business partners for the purpose of providing contractual services, customer care and marketing:

Contract data (e.g. subject matter of contract, duration, customer category)

Payment data (e.g. bank details, payment history, billing address)

Legal basis: Art. 6(1)(b) GDPR (contract performance), Art. 6(1)(c) GDPR (legal obligations), Art. 6(1)(f) GDPR (legitimate interests).


12. Order Processing and Customer Account (Companies)

We process the data of our company customers in the context of booking transactions (job listing packages) to enable the selection, booking and payment of the chosen services.

Upon registration and logins, we store the IP address and the time of each user action on the basis of our legitimate interests (protection against misuse, Art. 6(1)(f) GDPR).

Retention: After expiry of statutory warranty and archiving obligations. Under commercial law: 6 years (Section 257 HGB). Under tax law: 10 years (Section 147 AO). Austria: 7 years (Section 132 BAO).


13. External Payment Service Providers (Companies)

We use external payment service providers through whose platforms company customers can make payment transactions. Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in offering secure and efficient payment options).

Data processed by payment service providers includes: name, address, bank details (account numbers, credit card numbers) and contract and amount-related information. We ourselves do not receive any account or credit card information, only payment confirmation or rejection. Payment service providers may transmit data to credit agencies for identity and credit checks.


Payment service providers used (each with link to their privacy policy):

PayPal (Europe) S.a r.l. et Cie, S.C.A., Luxembourg: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

Klarna Bank AB, Stockholm, Sweden: https://www.klarna.com/de/datenschutz/

Stripe Payments Europe, Ltd., Dublin, Ireland: https://stripe.com/en/privacy

Visa Inc.: https://www.visa.de/datenschutz

Mastercard Europe SA: https://www.mastercard.de/de-de/datenschutz.html

American Express Services Europe Limited: https://www.americanexpress.com/de/content/privacy-policy-statement.html


The terms and conditions and privacy policies of the respective payment service providers apply to payment transactions. Please refer to these for further information and to exercise your right of withdrawal, access and other data subject rights.


14. Administration, Financial Accounting, Office Organisation

We process data as part of administrative tasks, financial accounting and compliance with legal obligations (e.g. archiving). We process the same data that we process in the context of providing our contractual services.

Legal bases: Art. 6(1)(c) GDPR (legal obligation), Art. 6(1)(f) GDPR (legitimate interests in efficient business operations).

We disclose or transfer data in this context to tax authorities, tax advisors, auditors and payment service providers where legally required or necessary.


Special Note: Vulnerable Persons

Workeer explicitly serves refugees and international talents. We are aware of the particular vulnerability of this group and implement additional protective measures.


The data we process may include information that indirectly allows inferences about the ethnic origin or migration background of a person (e.g. nationality, country of birth, language skills). Such data may constitute special categories of personal data within the meaning of Art. 9 GDPR.


We process this data exclusively for the purpose of job placement and application management. Data will not be shared with authorities, immigration agencies or other government bodies unless we are legally required to do so.


Legal basis: Art. 6(1)(b) GDPR (contract performance) in conjunction with Art. 9(2)(b) GDPR (processing in the employment context) and, where applicable, Art. 9(2)(a) GDPR (explicit consent).

Additional protective measures: We have carried out a Data Protection Impact Assessment (DPIA) pursuant to Art. 35 GDPR and implemented Technical and Organisational Measures (TOMs) that reflect the heightened protection needs of this group.

No profiling: No automated decision-making or profiling takes place that could negatively affect refugees or international talents.

Data minimisation: We only collect data that is strictly necessary for the application process. Information on residence status or refugee status is not systematically collected.


PART B - Special Provisions for Talents (Job Seekers)

This section applies exclusively to persons who register on workeer.de as a talent or use the platform for job searching and applying.


15. Registration as a Talent

Talents can register on workeer.de to find jobs and submit applications. The following data is processed:

First and last name

Email address

Password (encrypted)

Optional profile details: place of residence, nationality, language skills, qualifications, CV, photo

Legal basis: Art. 6(1)(b) GDPR (contract performance).

Retention period: Until account deletion (self-initiated or upon request). See Section 21 for instructions.


16. Applications via Workeer

When talents apply for positions through our platform, their application documents are forwarded to the respective employer:

Name, address, contact details

CV, certificates, qualifications

Language skills, work experience

Voluntarily added information

Legal basis: Art. 6(1)(b) GDPR.

Note: Workeer is not responsible for the further processing of application data by the employer. Please refer to that employer's privacy policy.


17. HiCandidate (AI Matching for Talents)

HiCandidate (Socialtelligence)

Provider: Socialtelligence GmbH (provider of HiCandidate)

Purpose: AI-powered candidate matching to support the recruitment process. Talent profiles are matched with suitable job listings.

Data processed: Talent profile data (name, qualifications, work experience, language skills), matching scores.

Legal basis: Art. 6(1)(b) GDPR (contract performance in the application process). Talents are informed about the use of this tool.

Retention period: During the application process; immediate deletion thereafter.

Third-country transfer: Subject to provider's server locations. Details available upon request.


PART C - Special Provisions for Companies (Employers)

This section applies exclusively to companies that register on workeer.de to post job listings and find talent.


18. Registration as a Company

Companies register to post job listings. The following data is processed:

Name of the contact person

Company name and address

Email address

Billing and payment data

Job listings and related content

Legal basis: Art. 6(1)(b) GDPR (contract performance).

Retention period: For the duration of the business relationship; billing data subject to statutory retention period (10 years).


19. Tools for Companies

19.1 Project Management and Design

Asana

Provider: Asana, Inc., 633 Folsom Street, Suite 100, San Francisco, CA 94107, USA

Purpose: Project management and task tracking.

Data processed: Names, email addresses of users, task and project content.

Legal basis: Art. 6(1)(f) GDPR.

Retention period: Until account deletion.

Third-country transfer: USA. SCC. https://asana.com/terms#privacy-policy


Figma

Provider: Figma, Inc., 760 Market Street, Floor 10, San Francisco, CA 94102, USA

Purpose: Design collaboration for UI/UX drafts and graphics.

Data processed: Account data, design files, comments.

Legal basis: Art. 6(1)(f) GDPR.

Retention period: Until account deletion.

Third-country transfer: USA. SCC.


Canva

Provider: Canva Pty Ltd, 110 Kippax Street, Surry Hills, NSW 2010, Australia

Purpose: Creation of marketing and design materials.

Data processed: Account data, uploaded images and design data.

Legal basis: Art. 6(1)(f) GDPR.

Retention period: Until account deletion.

Third-country transfer: Australia and USA. SCC.


19.2 AI Assistance (internal use)

The following AI tools are used internally to support work processes. Personal data of customers or talents is generally not shared with these services.


OpenAI / ChatGPT

Provider: OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA

Purpose: Internal text creation, content generation, process support.

Data processed: Only internally used inputs; no transfer of personal user data.

Legal basis: Art. 6(1)(f) GDPR.

Retention period: Per OpenAI privacy policy: https://openai.com/privacy

Third-country transfer: USA. SCC.


Midjourney

Provider: Midjourney, Inc., USA

Purpose: AI-powered image creation for internal marketing graphics.

Data processed: Only internally used text prompts.

Legal basis: Art. 6(1)(f) GDPR.

Retention period: Per Midjourney terms of service.

Third-country transfer: USA. SCC.


Anthropic Claude

Provider: Anthropic, PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA

Purpose: AI-powered text processing and process support.

Data processed: Only internally used inputs.

Legal basis: Art. 6(1)(f) GDPR.

Retention period: Per Anthropic privacy policy: https://www.anthropic.com/privacy

Third-country transfer: USA. SCC.


Google Gemini

Provider: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Purpose: AI-powered text processing.

Data processed: Only internally used inputs.

Legal basis: Art. 6(1)(f) GDPR.

Retention period: Per Google privacy policy.

Third-country transfer: USA. EU-U.S. Data Privacy Framework.


19.3 Meeting Tools

The following tools are used for virtual meetings with company clients, partners and internally. Participants will be informed at the beginning of a meeting about any recording or AI tools used, where legally required.


Google Meet

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Purpose: Video conferencing and virtual meetings.

Data processed: Name, email address, IP address, audio/video data during the meeting, chat messages, recordings if applicable.

Legal basis: Art. 6(1)(b) GDPR (contract performance); Art. 6(1)(f) GDPR.

Retention period: Per Google Workspace Data Processing Agreement. Recordings until manually deleted.

Third-country transfer: USA. EU-U.S. Data Privacy Framework + SCC.


Microsoft Teams

Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland

Purpose: Video conferencing, chat communication and file sharing.

Data processed: Name, email address, IP address, audio/video data, chat messages, shared files, recordings if applicable.

Legal basis: Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR.

Retention period: Per Microsoft Data Processing Agreement. Chat history configurable (default: 30 days to indefinite).

Third-country transfer: USA and others. EU-U.S. Data Privacy Framework + SCC. https://privacy.microsoft.com/en-gb/privacystatement


Fathom AI Notetaker

Provider: Fathom Video Inc., 340 S Lemon Ave #2051, Walnut, CA 91789, USA

Purpose: AI-powered automatic meeting transcription and summarisation of video calls. Fathom joins as a bot participant. Important: All meeting participants must be informed at the start of the meeting that Fathom is being used and that the meeting is being recorded. Recording without the consent of all participants may be unlawful.

Data processed: Audio/video content of the meeting, transcripts, AI-generated summaries, names and email addresses of participants.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient documentation) or Art. 6(1)(a) GDPR (consent of participants).

Retention period: Recordings and transcripts per Fathom settings; deletable by account holder. Privacy Policy: https://fathom.video/privacy

Third-country transfer: USA. SCC. No adequacy decision; a Data Processing Agreement (DPA) with Fathom should be concluded.


PART D - Data Subject Rights and Miscellaneous

20. Your Rights as a Data Subject

Right of access (Art. 15 GDPR): You may request information about the personal data we process about you.

Right to rectification (Art. 16 GDPR): You may request correction of inaccurate or incomplete data.

Right to erasure (Art. 17 GDPR): You may request deletion of your data, unless statutory retention obligations apply.

Right to restriction of processing (Art. 18 GDPR): You may request restriction of processing under certain conditions.

Right to data portability (Art. 20 GDPR): You may request that we provide your data in a structured, commonly used and machine-readable format.

Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests, in particular to direct marketing.

Right to withdraw consent (Art. 7(3) GDPR): You may withdraw consent given at any time with effect for the future.

Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with the competent supervisory authority.


To exercise your rights, please contact: david.jacob@workeer.de. We will respond within one month.


Competent supervisory authority:

Berlin Commissioner for Data Protection and Freedom of Information

Alt Moabit 59-61, 10555 Berlin, Germany

Tel.: +49 30 13889-0 | Email: mailbox@datenschutz-berlin.de


21. Deleting Your Account (Talents)

Talents can delete their account at any time:

Log in at workeer.de/de/login

Go to settings: workeer.de/de/account/einstellungen

Click 'Delete account' and confirm


Alternatively, send a deletion request by email to david.jacob@workeer.de from your registered email address. Deletion will be confirmed by email within 48 hours.


22. Children and Minors

Our services are not directed at persons under the age of 16. We do not knowingly collect data from children. Should such data come to our attention, it will be deleted immediately.


23. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes in legal requirements, our services or new data processing activities. The current version is always available at workeer.de/de/data-privacy. We will notify registered users of material changes by email.


Last updated: June 2026

🍪 Choose cookie settings