Privacy Policy of OneTap.Work
Effective date: 15 August 2025
- Who we are (Data Controller)
- Name: Sviatoslav Mysiv, conducting business under the name JDG Sviatoslav Mysiv (“OneTap.Work”, “we”).
- Address: al. Jana Pawła II 3b/137, 80‑462 Gdańsk, Poland.
- Identifiers: NIP 5842863282, REGON 540695811.
- E‑mail for privacy and data subject requests: support@onetap.work
- Data Protection Officer (DPO): not appointed. For all matters, please use the e‑mail above.
- Language: official versions of the Policy are available in English and Polish. In case of discrepancies for users in Poland, the Polish version prevails.
- Who this Policy applies to
- Candidates — private users who create a profile/CV and/or apply for job postings.
- Employers/recruiters — use the company dashboard to publish and manage job postings and candidates.
- Visitors to the OneTap.Work website and web applications.
- Roles and responsibilities regarding data
- We as controller: process personal data to create and administer accounts, provide and improve the service, ensure security/anti‑fraud, personalize within the service, communicate, manage consents/cookies, and fulfil legal obligations.
- Employer as a separate controller: processes candidate data received when (a) a candidate applies to that employer’s vacancy; or (b) a candidate, by an explicit action, makes their profile visible to employers (“passive access”). From the moment the employer receives the data, the employer’s own privacy policy applies and the employer is an independent controller.
- We as processor for the employer: when the employer stores candidate data in the “employer dashboard” and instructs us to host/technically process it. Such processing is governed by a Data Processing Addendum (DPA).
- Joint controllership: does not apply unless expressly designated for a specific feature.
- What data we process
4.1. Candidate data (you provide at your own discretion)
- Account: first name, last name, e‑mail, password (hash), photo (optional), phone number (where needed).
- Profile/CV: experience, education, skills, portfolio/links, certificates, salary expectations, visa/relocation preferences (if you choose to provide), other fields required to apply.
- Activity: job applications, saved jobs, search settings, reactions to recommendations.
- Communications: support requests, survey responses, subscription settings.
4.2. Employer/recruiter data
- Account: company name, full name of contact person, work e‑mail, role/position, phone number (where needed), payment details (for paid features), billing/invoice history.
4.3. Technical data and cookies/SDKs
- Technical logs: IP address, user agent, session/device identifiers, security events.
- Cookies and similar technologies: categories and vendors are described in the Cookie Policy. Analytics (Google Analytics), tag manager (GTM), diagnostics/stability monitoring (Sentry) — activated only after consent via CMP, except for strictly necessary items.
4.4. Job content from third‑party public sources (GDPR Art. 14)
- We index publicly available job postings (employers’ career pages, professional job boards, RSS, etc.). Such postings may sometimes include personal data of contact persons (name, position, work e‑mail/phone).
- Sources — only public web pages and open job boards; we do not control their content. Before indexing, we conduct a data protection impact assessment (DPIA) for high‑risk processing, as recommended by UODO.
4.5. Prohibition on special/criminal data
- Please do not add special categories of data (Art. 9 GDPR) to your profile/CV, nor data on convictions/offences (Art. 10 GDPR). If you nonetheless provide such data, we will process it only with your separate explicit consent or another legal basis provided by law. Employers are prohibited from requesting data beyond the scope set in Art. 22¹ of the Kodeks pracy (Polish Labour Code), including “świadectwo niekaralności” (certificate of no criminal record) without a specific legal basis.
- Purposes and legal bases for processing (GDPR Arts. 6, 9, 10)
- Provision of the service, creation and administration of accounts, handling job applications — contract (Art. 6(1)(b) GDPR).
- Employers’ “passive access” to candidates’ profiles if a candidate enabled profile visibility; personalization of feed/recommendations within the service; ensuring IT security, preventing abuse; protection of legal claims — our legitimate interests (Art. 6(1)(f) GDPR), assessed in Appendix A (LIA). You may object to such processing at any time.
- Marketing e‑mail/push communications; analytics and diagnostics (GA/Sentry) — only with your consent (Art. 6(1)(a) GDPR; as well as Arts. 398–399 PKE regarding marketing consents and use of devices).
- Compliance with legal obligations (accounting/tax, responding to authorities’ requests) — Art. 6(1)(c) GDPR.
- Special categories (if you knowingly provided them) — only with explicit consent (Art. 9(2)(a) GDPR) or another applicable basis.
- Data on convictions/offences — only under the conditions of Art. 10 GDPR (as a rule — we do not process).
- Is providing data mandatory? Consequences of not providing it (GDPR Art. 13(2)(e))
- Required for candidate registration: name, e‑mail, password. Without these, account creation is not possible.
- Required to apply for a vacancy: data marked as “required” in the application form (e.g., CV, experience).
- For employers: company name, work e‑mail, full name of contact person; for paid features — payment details.
- Other fields — optional; not providing them may reduce recommendation relevance or limit some features, but will not prevent use of the basic service.
- Consent for marketing/analytics — optional. Refusal does not affect access to the service; you will simply not receive marketing messages, and no analytics data will be collected.
- Recipients and categories of recipients (GDPR Art. 13(1)(e))
- IT infrastructure providers (hosting/PaaS, CDN), analytics, diagnostics/monitoring, e‑mail/SMS, billing/payments, support services, consent management tools (CMP), security tools.
- Employers/recruiters — receive your application data or access to your profile only if you enabled visibility.
- Public authorities — in cases provided by law.
- The current “Subprocessor Register” with names, roles, processing countries, transfer mechanisms (DPF/SCC), and Data Act compliance status is published at onetap.work/subprocessors (link in the footer).
- Cookies/SDKs and Prawo Komunikacji Elektronicznej (PKE)
- Storing information on or accessing information from your device (cookies/SDKs) is carried out in accordance with PKE:
  a) consent for direct marketing and the use of end‑user devices for marketing — under Art. 398 PKE (applies to both B2C and B2B addressees);
  b) storing/accessing information on the device — under Art. 399 PKE.
- Until consent is given via CMP, we fully block any non‑strictly necessary tags/SDKs. For GA we apply Consent Mode v2 in the “denied” state until consent, IP masking, and collection limitations. Sentry is activated only with consent; in a no‑consent mode, device/session identifiers are not set or read.
- Details (cookie categories, vendors, durations, purposes) — in the Cookie Policy available in the footer.
- International transfers (EEA → third countries)
- We strive to process data within the EEA. If a transfer outside the EEA is necessary, we apply:
  a) the EU‑US Data Privacy Framework (for certified recipients in the US); and/or
  b) Standard Contractual Clauses (SCCs) and supplementary measures (encryption, minimization, access controls).
- Before onboarding each provider, we verify their status in the DPF registry or ensure SCCs. The actual status for each provider is published and updated in the Subprocessor Register.
- Retention periods (GDPR Art. 5(1)(e), 13(2)(a))
- Profiles visible for “passive access”: as long as you keep the visibility enabled; you may disable visibility or delete your profile at any time.
- Technical logs: 12 months; security/anti‑fraud logs — up to 24 months.
- Accounting/tax data (invoices, payments): 5 years (from the end of the tax reporting year), unless the law requires otherwise.
- Marketing consents: until withdrawn.
- Your rights (GDPR Arts. 15–22)
- Access, rectification, erasure, restriction, portability, objection to processing based on legitimate interests, withdrawal of consent at any time (does not affect lawfulness prior to withdrawal), complaint to UODO.
- We do not make decisions producing legal effects concerning you or similarly significantly affecting you solely based on automated processing (Art. 22 GDPR). Job recommendations constitute profiling with limited impact within the service; you can opt out of personalization in settings.
- How to exercise your rights and manage settings
- Send rights requests to support@onetap.work. For faster identification, please use your account e‑mail.
- Profile visibility (“passive access”) can be enabled/disabled in settings.
- Manage cookie/marketing consents via the CMP/“Cookie settings” link in the footer.
- We respond without undue delay and no later than 1 month (may be extended by up to 2 months for complex requests; we will inform you separately).
- Marketing communications (GDPR, PKE)
- We conduct e‑mail/push/phone marketing only with your prior consent (applies also to B2B addresses). You can opt out at any time via the “unsubscribe” link, settings, or by contacting us.
- We do not share your contact details with third parties for their own marketing without your separate consent.
- Data from public job postings: transparency under Art. 14 GDPR
- If you discover that your personal data appears in a job posting published on an open resource from which it was ingested into our platform, please note: we do not control what data is published in such sources. However, if you wish us to delete this data from our system, you can submit a deletion request (support@onetap.work). All required deletions are carried out within two weeks of receiving the request.
- Deletion and de‑indexing mechanism: We are developing a tool that will allow employers and companies to delete all indexed job postings themselves and to block indexing of specific pages or domains. While this feature is under development, you can contact us at support@onetap.work with a request for deletion or to block indexing. You can also add appropriate rules to your robots.txt to disallow indexing by our bot. For the fastest result, we recommend doing both — contact us and configure robots.txt.
- Employers’ obligations on the platform
- Employers are prohibited from requesting data beyond Art. 22¹ of the Labour Code and from processing special categories (Art. 9 GDPR) and criminal data (Art. 10 GDPR) without an appropriate legal basis. Violations may result in restricted access to the service.
- Children
- The service is not intended for persons under 16 years of age. We do not verify users’ ages using official documents and cannot guarantee that every user meets this requirement. We take reasonable measures to prevent use of the service by persons under 16, but we cannot fully control or verify the accuracy of the information provided.
- User responsibility
- You are responsible for the content of your profile/CV and other data you publish. If you find third‑party personal data in job postings indexed by us from public sources, please notify support@onetap.work — we will respond promptly.
- Security
- We apply technical and organizational measures: data encryption in transit, access controls, environment segmentation, security logging, regular updates, data minimization, staff training, subprocessor vetting, testing/audits. Access to data is granted on a least‑privilege basis.
- Supervisory authority and complaints
- You have the right to lodge a complaint with the Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00‑193 Warsaw, Poland, tel.: +48 22 531 03 00, uodo.gov.pl. We kindly ask you to contact us first — we will make every effort to resolve the issue.
- Changes to this Policy
- We may periodically update the Policy. We will notify you of material changes by e‑mail or in the app no later than 14 days before they take effect. The current version is always available at onetap.work.
- Contact
JDG Sviatoslav Mysiv
al. Jana Pawła II 3b/137, 80‑462 Gdańsk, Poland
E‑mail: support@onetap.work
Appendix A. Summary of the Legitimate Interests Assessment (LIA)
A1. Security, abuse prevention, logging
- Interest: stable and secure operation of the service; incident investigation; anti‑fraud.
- Necessity: without logs/signals it is impossible or disproportionately difficult to ensure security.
- Impact and safeguards: log field minimization, access restrictions, encryption, limited retention, prohibition on use for marketing.
- Conclusion: the interest is justified; objection mechanisms do not restrict security.
A2. Personalization of job feed/recommendations
- Interest: increasing the relevance of the service.
- Necessity: without using profile/activity data, recommendation quality is reduced.
- Impact and safeguards: use of data within the service; no external sharing; ability to disable/object; transparency in the Policy.
- Conclusion: the interest is justified; simple opt‑out mechanisms are provided.
A3. Stability monitoring/diagnostics (Sentry)
- Interest: timely detection and fixing of errors.
- Necessity: without diagnostic signals, resolving critical failures is more difficult.
- Impact and safeguards: PII filtering, minimization, access controls, encryption; SDK is activated only after consent (PKE); in the no‑consent mode, device/session identifiers are not used.
- Conclusion: the interest is justified; risks are mitigated by technical/organizational measures.
A4. Indexing public job postings (GDPR Art. 14)
- Interest: providing users with a catalogue of vacancies.
- Necessity: indexing from public sources is an industry standard.
- Impact and safeguards: we index only publicly available content; channel for objections; periodic review every 30 days; deletion/de‑indexing mechanism; DPIA for high‑risk processing; minimization of scope/retention; removal of outdated contacts.
- Conclusion: the interest is justified subject to full transparency, retention, and data subject controls.
Appendix B. International transfers: safeguards (overview)
- Google Ireland Limited / Google LLC (GA, GTM): processing in the EU with potential transfers to the US; where transfers occur — reliance on the EU‑US DPF (for certified recipients) and/or SCCs; supplementary measures — encryption in transit, minimization, IP masking/Consent Mode v2. Activated only after consent via CMP (except strictly necessary tags).
- Functional Software, Inc. (Sentry): possible processing in the US; reliance on SCCs; supplementary measures — PII filters, minimization, access controls, encryption; SDK — only with consent (PKE).
- Mailgun Technologies, Inc. (e‑mail): processing in the EU and/or US depending on configuration; for transfers to the US — DPF (where applicable) and/or SCCs; supplementary measures — TLS, DMARC/DKIM, limited log retention.
- Railway (PaaS): processing in selected regions; if processors/regions outside the EEA are involved — we ensure SCCs or equivalent mechanisms; supplementary measures — encryption, access controls, minimization.
- For each provider, the actual transfer mechanism and status (DPF/SCC) are listed in the Subprocessor Register.
Appendix C. Policy on government requests
- We verify each request for a legal basis, minimize the scope of data disclosed, and, where permitted by law, inform the user. We maintain a register of such requests.
Appendix D. Explanation of terms (short)
- “CMP” — Consent Management Platform; “DPF” — Data Privacy Framework; “SCCs” — Standard Contractual Clauses; “PKE” — Prawo Komunikacji Elektronicznej (Polish Electronic Communications Law).