Privacy Policy – Staffando App
Version: 1.0
Last updated: March 19, 2026
This Privacy Policy describes exclusively the processing of personal data in the mobile app "Staffando". Separate provisions apply to the website.
1. Controller
The controller within the meaning of the General Data Protection Regulation ("GDPR") is:
Freigeist Entertainment Labs UG (haftungsbeschränkt)
represented by the managing director Michael Kühne
Hermann-Häcker-Str. 29
18225 Kühlungsborn, Germany
Email:
Data protection contact: For data protection inquiries (data subject rights, withdrawal of consent, objection), you can contact us at with the subject line "Data Protection".
No data protection officer has been appointed, as there is no legal obligation to do so.
2. Purposes and Legal Bases
We process personal data for the following purposes and on the following legal bases:
a) Provision of app functions / performance of the contract (registration, login, profile, job search, matching, chat, applications, employer functions, activation of purchased services), Art. 6(1)(b) GDPR
b) Consent-based functions (e.g. location sharing, push notifications, Firebase Analytics, personalized advertising/AdMob, optional profile data; in each case only after opt-in), Art. 6(1)(a); Art. 7 GDPR
c) Security, prevention of misuse/fraud, stability (e.g. crash reports, performance monitoring, technical logs, fraud detection), Art. 6(1)(f) GDPR
d) Legal obligations (e.g. retention of billing/transaction data required under commercial and tax law), Art. 6(1)(c) GDPR.
You can withdraw consent at any time with effect for the future (see sections "Withdrawal" and "Your Rights"), Art. 7(3) GDPR.
3. What Data We Process in the App
Where we refer to data as "necessary", this means that it is required for providing the respective app functions. Without this data, certain functions cannot be provided. Voluntary information can be changed or removed at any time.
3.1 Registration and Account Data
Necessary basic data (required for using the app):
- Email address and encrypted password (or comparable login data in the case of third-party login)
- Name and role selection (jobseeker / employer)
- Acceptance of the Terms and Conditions and Privacy Policy
Without this information, no account can be created and the app cannot be used in a meaningful way.
Voluntary additional information:
- Additional profile data that may be requested directly during onboarding
- Data from third-party logins (e.g. Google: name, email, profile picture): this facilitates registration, but is not mandatory – registration without Google login is possible.
3.2 Profile Data
We distinguish between necessary basic data that we need in order to provide the platform functions, and voluntary additional information that improves your profile but is not mandatory.
Jobseekers – necessary basic data:
- First and last name
- Assignment to a user account (email / user ID)
This information is required so that you can be found, matches can be assigned meaningfully, and employers know who they are dealing with.
Jobseekers – voluntary additional information:
- Additional contact details (e.g. phone number)
- Date of birth
- Profile picture(s)
- Skills, languages, qualifications
- Detailed availability, desired locations of assignment, job preferences
- Uploaded documents (CV, references, certificates). Please note: Do not upload documents containing special categories of personal data (e.g. health data) unless this is necessary. If such data is nevertheless included, we process it only insofar as this is necessary for the purpose requested by you or if you have manifestly made this data public
This information helps to improve the quality of matching and the meaningfulness of your profile, but is not mandatory for using the app.
Employers – necessary basic data:
- Company name
- Company type / industry
- Company location (address; where applicable including geocoordinates for location-based functions)
Without this information, job ads cannot be published and assigned in a meaningful way.
Employers – voluntary additional information:
- Name and contact details of a contact person
- Company description, pictures, logo
- Social media links, website, additional company services (e.g. breakfast/lunch/dinner)
- VAT ID / VAT number (optional, e.g. for EU invoices under the reverse charge procedure)
- Information on premium status, ratings, verification documents (e.g. as part of a verification process)
This information improves the presentation of your company and the trust of jobseekers, but is voluntary beyond the basic data.
3.3 Usage, Device and Log Data
- App version, operating system, device model (e.g. for push notifications)
- Log entries relating to important technical events (errors, timeouts)
- Interactions in the app (e.g. job views, likes/dislikes, bookmarks, swipes, applications, chat activity)
- Usage analysis via Firebase Analytics (only with your consent; in aggregated/pseudonymized form)
- Crash and performance data (e.g. crash reports, performance metrics) for stabilization and error analysis
3.4 Location Data
If you consent, we process:
- GPS location: current location during active use
- Last known location: to improve search results
- IP-based location determination (fallback) via a geolocation service (see "ipapi.co" below); the IP address is used only for a one-time location determination and is not stored in the user profile.
Use:
- Job search "nearby"
- Work & travel functions and spots
- Location-based job recommendations
3.5 Communication Data (Chat & Notifications)
- Chat messages between jobseekers and employers (after a match)
- DirectConnect/Chatlike messages / job offers from employers to jobseekers
- System and status messages (e.g. new applications, new matches)
- Push notifications (title, message text, type of notification)
- Notification settings (which types of push notifications you would like to receive)
3.6 Payment and Subscription Data
If you book job packages or premium subscriptions, we store only the information we need in order to activate and verify the services you have booked:
- Which product you have booked (e.g. which job package or which premium subscription)
- Price, currency and duration
- Whether a subscription is currently active or has expired
- Which account or job ad the purchase belongs to
The actual payment processing (e.g. your credit card or other payment methods) takes place exclusively via the app stores or payment providers. We do not receive any complete payment or card data.
4. Services Used and Recipients
4.1 Firebase (Google Cloud Platform)
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Services used in the app:
- Firebase Authentication (login, Google login integration)
- Cloud Firestore (profiles, jobs, applications, chats, matches, subscriptions, transactions, push tokens)
- Firebase Storage (profile pictures, documents)
- Cloud Functions (server-side logic, e.g. payment verification, matching logic, AI connection)
- Remote Config (feature flags, configuration)
- Firebase Analytics (only with consent; usage analysis to improve the app)
- Firebase Crashlytics (crash reports and non-fatal errors for stabilization/error analysis)
- Firebase Performance Monitoring (performance metrics/traces for analyzing stability and speed)
Server location: Primarily EU region (e.g. europe-west3, Frankfurt).
Legal basis: Art. 6(1)(b), (f) GDPR; Art. 28 GDPR (processing on behalf).
Notes on Analytics/Crash Reports:
- Firebase Analytics is disabled by default in the app and is activated only after your explicit consent. You can change this decision at any time in the app.
- Crashlytics/Performance Monitoring serve stability, error analysis and performance optimization. Technical information (e.g. app version, device type, time of an error) may be processed in this context. A pseudonymous user ID may be used for attribution; email addresses are not transmitted in plain text, but only masked if set.
- We have concluded a data processing agreement with Google/Firebase pursuant to Art. 28 GDPR. Depending on the configuration, access from third countries (e.g. as part of support services) cannot be completely ruled out; in this case, the transfer takes place only on the basis of appropriate safeguards (see section "International Data Transfers").
4.2 Google Login (Google OAuth)
You can sign in using a Google account.
Provider: Google Ireland Limited / Google LLC
Data: Name, email address, profile picture, technical tokens for authentication.
This data is transferred to Firebase, and part of it is stored in the user profile. Further processing by Google is governed by Google's privacy policy.
Legal basis: Art. 6(1)(b) GDPR (execution of the login at your request).
Use of Google Login is voluntary; alternatively, you can register using email and password.
4.3 In-App Purchases and Subscriptions
For in-app purchases and subscriptions (e.g. job packages, premium subscriptions), we use:
- the Google Play Store (Android), and
- the Apple App Store (iOS)
Through these services, we receive information about which product you purchased, when the purchase took place, and whether a subscription is still active. We use this information, for example, to activate job ads or your premium status.
The actual payment (e.g. credit card, account) is handled directly via the app store or the respective payment service provider. We do not see or store complete payment data. Apple/Google process payment and store data under their own responsibility. Their privacy notices also apply.
Legal basis: Art. 6(1)(b) GDPR (performance of the contract) and Art. 6(1)(c) GDPR (statutory retention obligations).
4.4 Google Places API
Provider: Google Ireland Limited
Use: company search, address autocomplete, location selection.
Data: Search terms, country/region, possibly coordinates. In particular, search terms, technical metadata (e.g. IP address) and address data entered by you may be processed.
Legal basis: Art. 6(1)(b) GDPR (performance of the contract).
4.5 External Job APIs
To display additional job offers, we use, among others:
- Federal Employment Agency (Germany)
- Adzuna (UK/Ireland)
- Remotive
Only search parameters are transmitted (e.g. job title/keywords, city/town, radius, filters). Depending on your settings, these parameters may be derived from your location. No account identifiers (such as name, email, profile ID) are transmitted to these job APIs.
Legal basis: The legal basis is Art. 6(1)(b) GDPR (provision of the job search function) and, insofar as additional external jobs are integrated to expand the selection, Art. 6(1)(f) GDPR (legitimate interest in a broader selection of jobs).
4.6 Geolocation via ipapi.co
Provider: Kloudend, Inc., USA
Use: If no GPS is available and you use location-based functions, the app may query an external geolocation service (ipapi.co) for approximate location determination (country/city). In doing so, the IP address is transmitted to the provider and used exclusively to answer the location request. We do not store the IP address permanently, but only the result (e.g. country/city), insofar as this is required to display regional search results, Art. 5(1)(c); Art. 6(1)(f) GDPR. The IP address is used exclusively for a one-time location determination and is not stored by us.
Server location: Processing takes place on servers outside the European Economic Area (in particular in the USA).
Information on international data transfers can be found in the section "International Data Transfers" (Art. 44–46 GDPR).
4.7 AI Services (Mistral AI)
Provider: Mistral AI SAS, 15 rue des Halles, 75001 Paris, France (EU)
Use: For optional and automatically generated text suggestions (e.g. job descriptions, company descriptions, cover letters), we may use an AI service (Mistral AI). For this purpose, we transmit – insofar as required – the information and text modules or parameters entered by you or stored in the job or company profile (e.g. job title and other details relating to the job ad such as salary, fixed-term nature, required qualifications and skills, duration of employment, start date, own activity description, company name and location, name of contact person, own company description). Please do not enter any sensitive personal data (e.g. health data) in freely selectable description texts. Use of the AI function is partly automated or takes place on the user's own initiative on the basis of information previously provided by the user. No sensitive personal data should be entered.
The transmitted content is not used to improve the AI models, provided the provider assures this.
Server location / processing: Processing generally takes place within the EU. Access from third countries cannot be completely ruled out in individual cases (e.g. in the context of support or infrastructure).
Legal basis is Art. 6(1)(b) GDPR, insofar as the function is part of the selected scope of services; otherwise Art. 6(1)(a) GDPR (consent) if activated optionally.
4.8 Push Notifications (Expo / APNS / FCM)
We send push notifications via:
- Expo Push Service (intermediary layer)
- Apple Push Notification Service (APNS) for iOS
- Firebase Cloud Messaging (FCM) for Android
Data transmitted:
- Device push token (anonymized, per device)
- Content of the notification (title, text, type, possibly simple metadata such as job ID or match ID)
Assignment to your account takes place exclusively in our database via the stored tokens.
Legal basis: Art. 6(1)(a) GDPR (your consent to push notifications).
You can deactivate push notifications at any time in the app settings or in your device's system settings.
4.9 Advertising (Google AdMob)
If you use the "Basic" tariff as a jobseeker, advertisements may be displayed. For this purpose, we use Google AdMob.
- a) Personalized advertising takes place only if you have expressly consented in advance. Art. 6(1)(a); Art. 7 GDPR
- b) Non-personalized advertising may be displayed in order to finance the free use of the app. Technical device information and, where applicable, the advertising ID are processed for this purpose. The legal basis is – insofar as permitted under data protection law – Art. 6(1)(f) GDPR (financing of the app).
- c) Consent management / withdrawal: You can withdraw your consent to personalized advertising at any time in the app settings, Art. 7(3) GDPR
- d) In the iOS version of the app, only non-personalized advertising is currently displayed.
- e) Further information on data processing by Google can be found in Google's privacy information.
4.10 Brevo (Email Dispatch and CRM)
We use Brevo (formerly Sendinblue) as a service provider for email dispatch and contact management (CRM).
Provider: Brevo, 7 rue de Madrid, 75008 Paris, France (EU).
Use in the app:
- Transactional emails: Sending emails relating to account and security events, e.g. email verification after registration, password reset, reactivation emails, invoice emails (e.g. after purchasing job packages or subscriptions), as well as forwarding support inquiries and reports from the app to our support email address.
- CRM / contact synchronization: So that we can contact you when needed, e.g. regarding your account or bookings, certain contact data (email address and, where stored in the app, e.g. name, role as jobseeker/employer, company name, language) is transmitted to Brevo when profile or account data changes and maintained there as a contact. This data is used exclusively for communication within the scope of using the app and the contractual relationship, and not for independent third-party marketing.
Data transmitted:
- For email dispatch: Recipient email address, content of the email (e.g. verification link, invoice as attachment), technical sender data.
- For support inquiries/reports: Your email address, user ID, subject entered by you and message text (forwarded to our support email address).
- For contact synchronization: Email address as well as the profile/account attributes mentioned above used for contact management.
Server location: Brevo processes data in the EU (including data centers in France, Germany, Belgium). Brevo can be used as a processor under the GDPR and meets the requirements for appropriate safeguards (including a data processing agreement pursuant to Art. 28 GDPR).
Legal basis: The legal basis is Art. 6(1)(b) GDPR (communication within the contractual relationship, support, invoices) and – where required – Art. 6(1)(f) GDPR (stable and secure communication infrastructure).
Further information:
4.11 Local Storage on the Device (AsyncStorage / SecureStore)
For operation of the app, certain information is stored locally, e.g.:
- Your app settings (e.g. language)
- Technical tokens/session information (where required)
- Consent status (e.g. analytics opt-in/opt-out)
For this purpose, we use, among other things, AsyncStorage and SecureStore. This data is stored on your device and is not transmitted to third parties without purpose.
Withdrawal of Consent
You can withdraw your consent (e.g. to location data, push notifications or analytics) at any time in your device's system settings or within the app. A withdrawal only takes effect for the future and does not affect the lawfulness of processing carried out prior to the withdrawal.
Local data may remain stored until logout, deletion of the app, or according to your device settings.
5. Purpose of Data Processing in the App
5.1 Provision of Core Functions
- Registration, login (including Google Login)
- Creation and management of profiles (jobseekers / employers)
- Creation, publication and management of job ads
- Matching between jobseekers and employers
- Chat communication between jobseekers and employers after a match
- Management of contact or quick-application requests (apply, status, history)
- Processing of job packages and premium subscriptions
5.2 Improvement and Further Development of the App
- Evaluation of which functions are used (e.g. via Firebase Analytics only with consent; plus internal aggregated statistics from system data)
- Optimization of search and matching algorithms
- Analysis of the effectiveness of job ads (e.g. views, applications)
- Internal reports (e.g. mini-job analytics, employer dashboard)
5.3 Communication
- Push notifications about new matches, applications, messages, system notices
- Emails relating to important account and security events (e.g. email verification, password reset, reactivation), invoices, and the handling of support inquiries and reports; dispatch is carried out via the service provider Brevo (see section 4.10).
5.4 Security and Prevention of Misuse
- Prevention of fraud (e.g. fake purchases, spam profiles)
- Technical logging for error analysis and stability
- Protection of our infrastructure and database
5.5 Automated Match Score, Filters and Thresholds
The automated match score evaluates the degree of correspondence between jobseeker profile data and the requirements stored by employers in a job ad. The information taken into account includes, among other things, professional experience, language skills, availability, location data and preferences independently stored by a user.
The match score serves solely as guidance and recommendation. It has no legal effect and does not replace any independent decision by users. In the context of displaying results, simplified match categories ("acceptable match", "good match", "perfect match") as well as graphical segment displays are used. An exact percentage may be displayed in individual cases, e.g. when an employer has to choose between several job offers for initiating contact.
The app uses defined minimum thresholds in order to improve the relevance of the displayed results. By default:
- Job offers are only displayed if the match score is at least 50%,
- Jobseeker profiles are only displayed if there is at least 30% correspondence.
Both employers and jobseekers can change or deactivate these thresholds individually in their search settings. There is no automated rejection, restriction or assessment that would have legal effects or similarly significantly impair you within the meaning of Art. 22 GDPR. There is no solely automated decision in individual cases which produces legal effects concerning you or similarly significantly affects you; decisions on contacting, applying and hiring are made independently by the users.
6. Storage Period
The specific storage period depends on the type and purpose of the data:
- Profile data: Until deletion of your account. After account deletion, profile data is generally deleted within 30 days, unless statutory retention obligations prevent this.
- Chat messages: Generally up to 6 months after the last activity in the respective chat; thereafter chats are deleted or anonymized automatically or as part of cleanup routines.
- Applications: Rejected applications generally up to 90 days after status "rejected"; accepted applications for the duration of the employment relationship plus an appropriate period (e.g. 30 days), unless longer statutory obligations apply.
- Location data: If you consent to location processing, we process current GPS location data in order to provide location-based functions of the app (e.g. display of nearby jobs, matching relevance).
- Storage period for an active account: Location data (e.g. current position and last known position) is stored and updated in the user profile as long as your account is active and you use the location function. There is no automatic deletion of location data after a fixed period while a user account remains active. You can deactivate location sharing at any time in the app or device settings. In this case, no new location data will be collected or updated. However, location data already stored remains saved until your account is finally deleted.
- Storage period upon account deletion: If you delete your account, it is initially deactivated. After expiry of a grace period (e.g. 30 days), your account is finally deleted. In the course of this process, the location data stored in the profile (e.g. location, lastKnownLocation) is also deleted or anonymized.
- Local cache on the device: On your device, location data may be stored locally for a short time (e.g. up to 15 minutes) in order to improve use of the app. This local storage serves solely technical purposes and does not constitute an independent retention period.
- Payment and subscription data (transactions, subscriptions): Until the end of the contractual relationship and thereafter in accordance with retention periods required under commercial and tax law (generally up to 10 years).
- Log and error report data: Generally up to 90 days, unless longer retention is required for security or evidentiary reasons.
Longer storage may be required in individual cases insofar as this is necessary for the establishment, exercise or defense of legal claims, Art. 5(1)(e); Art. 17(3)(e) GDPR.
7. Disclosure of Data to Third Parties
Personal data is disclosed to third parties only:
- if this is necessary for performance of the contract (e.g. in the case of a match between a jobseeker and an employer), the legal basis for displaying data within the framework of a match/application is Art. 6(1)(b) GDPR (provision of the platform and communication functions),
- if we are legally obliged to do so,
- if you have expressly consented, or
- to our processors pursuant to Art. 28 GDPR (e.g. Firebase, Brevo for email dispatch and CRM, hosting providers, payment and push service providers).
7.1 Data Disclosure in the Event of Matches
If a match occurs between a jobseeker and an employer, the following become mutually visible:
- For employers: relevant profile data of the jobseeker and, where applicable, additional documents and records voluntarily stored by the jobseeker in the app
- For jobseekers: company profile, contact person and details of the advertised position
- In both directions: chat messages within the app
7.2 No Disclosure for Advertising Purposes
We do not sell or rent your personal data and do not disclose it for independent third-party marketing purposes.
8. Your Rights (Data Subject Rights)
You have the following rights under the GDPR at any time:
- Access (Art. 15 GDPR) to the personal data stored by us
- Rectification of inaccurate or incomplete data (Art. 16 GDPR)
- Erasure of your data ("right to be forgotten", Art. 17 GDPR), insofar as no retention obligations prevent this
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing based on legitimate interests (Art. 21 GDPR)
- Withdrawal of consent: You can withdraw consent (e.g. location, push, analytics, personalized advertising) at any time in the app and – depending on the function – in your device's system settings. The withdrawal takes effect for the future; processing carried out up to the point of withdrawal remains lawful, Art. 7(3) GDPR. Please note: If you withdraw consent, certain functions may be restricted (e.g. jobs "nearby" without location), Art. 13(2)(e) GDPR.
- Complaint to a supervisory authority (Art. 77 GDPR), e.g. to the competent authority in your Member State.
In order to process requests, we may require appropriate proof of identity where this is necessary to prevent unauthorized disclosure of data, Art. 12(6) GDPR.
The competent supervisory authority may in particular be the State Commissioner for Data Protection and Freedom of Information Mecklenburg-Western Pomerania (seat of the controller).
To exercise your rights, please contact us at:
Email:
9. Data Security
We take appropriate technical and organizational measures to protect your data, including:
- TLS encryption during data transmission
- Secure authentication via Firebase Authentication
- Access control via Firestore and Storage security rules
- Role and authorization concepts at application level
- Regular security and version updates
10. International Data Transfers
Insofar as, for individual service providers, processing outside the European Economic Area (EEA) cannot be excluded (e.g. in the context of support services or intra-group access), transfers take place only in compliance with Art. 44 et seq. GDPR, in particular on the basis of appropriate safeguards (e.g. EU Standard Contractual Clauses) and – where required – additional technical and organizational protective measures.
Our email and CRM service provider Brevo processes data exclusively in the EU (France, Germany, Belgium); no transfer to third countries takes place for this processing.
Insofar as data is transferred to other service providers in third countries (in particular the USA) (e.g. Google, ipapi.co, where applicable Mistral), this takes place only:
- on the basis of an adequacy decision of the EU Commission or
- using Standard Contractual Clauses (Art. 46 GDPR) and additional protective measures.
In particular, transfers to third countries (e.g. the USA) may occur with the following service providers:
- Google (Firebase, AdMob, Google Login, Google Places) – For the use of Google Firebase backend services, we have preferably configured server locations in Germany (region: europe-west3, Frankfurt).
- ipapi.co (IP-based geolocation)
- Where applicable Mistral AI (depending on infrastructure and support access)
The following protective mechanisms apply to these transfers:
- Conclusion of Standard Contractual Clauses pursuant to Art. 46 GDPR
- Additional technical and organizational measures (e.g. pseudonymization, data minimization)
- Transfer only of the data required for the respective purpose
We ensure that only the data necessary for the respective purpose is transmitted (data minimization).
11. Changes to This Privacy Policy
We may adapt this Privacy Policy if technical or legal conditions change. The current version is made available in the app; the date of the last update can be found above.
In the event of material changes, we will inform you in an appropriate manner (e.g. via in-app notice) before the change takes effect, where this is required.
12. Contact
If you have questions about data protection or about exercising your rights, please contact:
Freigeist Entertainment Labs UG (haftungsbeschränkt)
Hermann-Häcker-Str. 29
18225 Kühlungsborn, Germany
Email:
This Privacy Policy applies exclusively to the mobile app "Staffando" and not to the website staffando.com.
13. Short Version in Plain Language
This short version is intended to make things easier to understand and does not replace the detailed information set out above.
What we store:
- Your account data (e.g. email, name, role as jobseeker or employer)
- Your profile information (e.g. skills, availability, company information)
- Your activities in the app (e.g. which jobs you view, like or apply for)
- Your chats and notifications within the app
- Location only if you allow it (for jobs "nearby")
- Information about your purchases (which package/subscription, when purchased, how long valid) – but no complete payment data such as credit card numbers.
What we need it for:
- So that you can log in and use your profile
- So that we can show you suitable jobs or candidates
- So that employers and jobseekers can chat with each other
- So that your booked services (e.g. Premium) can be activated
- So that we can improve the app and fix problems
Who we share data with:
- With technical service providers that help us operate the app (e.g. Firebase, Brevo for email dispatch and contact management, app stores, push service providers, AI service for text suggestions, Google AdMob for advertising – but only if you use the Basic tariff)
- With employers or jobseekers, if a match or an application takes place (in that case, both sides see the relevant profile and job information)
- Not with advertising companies for their own marketing purposes – we do not sell your data.
Your control:
- You can edit your profile or have it deleted
- You can deactivate location sharing and push notifications in the settings
- You can reject personalized advertising (then you will only see general ads) or use a Premium subscription completely ad-free
- You can write to us at any time if you want to know what we have stored about you or if something should be deleted.