GDPR & UK GDPR information

Last updated: 18 April 2026

This page is published in English for all users. It describes how Hirago operates today; if anything conflicts with mandatory local law, mandatory law prevails.

This page summarises how Hirago approaches personal data processing under the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and related UK privacy rules, for users who are in the European Economic Area ("EEA"), the EU, or the UK. It supplements our Privacy Policy; if anything conflicts, we aim to give you the clearer or more protective explanation, but statutory rights under applicable law always prevail.

1. Controller and contact

The controller of your personal data collected through the Hirago Service is the Hirago entity operating the website and services. For data protection enquiries and to exercise your rights, email support@hirago.com. We will respond within the timelines required by law (typically within one month for GDPR requests, subject to extension in complex cases as permitted by law).

2. When this page applies

This page is primarily for natural persons acting outside purely personal or household activity who are located in the EEA, EU, or UK when we process their data in scope of GDPR / UK GDPR. Hirago's Service is directed at job seekers; if you are not in those regions, your local privacy laws may still apply — see our Privacy Policy.

3. Categories of personal data and purposes (summary)

We process identification and contact data, account credentials (hashed), profile and CV content, application history, usage and technical logs, cookie identifiers where used, and payment-related metadata through Stripe. Purposes include providing the Service, processing applications you initiate, billing, security, product improvement, customer support, and legal compliance. A fuller description appears in our Privacy Policy.

4. Legal bases (Art. 6 GDPR / UK GDPR)

We rely on appropriate legal bases, including:

  • Performance of a contract — processing necessary to deliver the Service you request (account, CV hosting, applications, paid features you purchase).
  • Legitimate interests — for example securing the platform, preventing abuse, improving features, limited analytics, and internal reporting, where we have balanced those interests against your rights and freedoms.
  • Consent — where required for certain cookies or marketing; you may withdraw consent at any time.
  • Legal obligation — where we must retain or disclose data to comply with law.

Where we process special categories of personal data (Article 9 GDPR), we will do so only when a specific condition applies (for example explicit consent or employment-related processing where authorised by law). We discourage uploading special-category data in your CV unless strictly necessary for your application.

5. Your rights

Subject to conditions and exemptions in the GDPR / UK GDPR, you may have the following rights:

  • Right of access (Art. 15): obtain confirmation whether we process your personal data and receive a copy of certain information about the processing.
  • Right to rectification (Art. 16): correct inaccurate data or complete incomplete data.
  • Right to erasure ("right to be forgotten") (Art. 17): request deletion where grounds apply (for example data no longer necessary, withdrawal of consent where consent was the sole basis, or unlawful processing).
  • Right to restriction of processing (Art. 18): request that we limit processing in defined circumstances.
  • Right to data portability (Art. 20): receive certain data you provided in a structured, commonly used, machine-readable format, and transmit it to another controller where technically feasible, where processing is based on consent or contract and is carried out by automated means.
  • Right to object (Art. 21): object to processing based on legitimate interests (including profiling) on grounds relating to your situation, and to object to direct marketing (which we will honour if applicable).
  • Rights related to automated decision-making (Art. 22): where applicable, rights not to be subject to solely automated decisions with legal or similarly significant effects. Hirago does not intend to operate such decisions within Article 22 without appropriate notice and lawful basis.
  • Right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to lodge a complaint with a supervisory authority (see Section 9).

To exercise rights, email support@hirago.com from the address associated with your account where possible, or provide information we can use to verify your identity. We may refuse requests that are manifestly unfounded or excessive, or charge a reasonable fee where permitted.

6. Recipients and processors

Personal data is accessed by authorised Hirago personnel and by trusted processors who assist us — for example hosting providers, email delivery, payment processing (Stripe), authentication providers (such as Google), and tooling used for security or support. A list of categories of recipients appears in our Privacy Policy. When you apply to a job, employers or their processors also receive your application data as independent controllers or joint recipients depending on their architecture.

7. International transfers

If we transfer personal data outside the EEA or UK, we implement appropriate safeguards required by GDPR / Chapter V and UK GDPR, such as adequacy regulations where applicable, Standard Contractual Clauses approved by the European Commission, and the UK International Data Transfer Agreement / Addendum, supplemented by technical and organisational measures where appropriate.

8. Retention

We retain personal data only as long as necessary for the purposes described in our Privacy Policy, including providing the Service, legal, tax, and accounting obligations, dispute resolution, and security. CVs and application records may be kept for as long as your account exists and for a grace period afterwards unless you request deletion and we are not legally required to retain them.

9. Supervisory authorities

You have the right to lodge a complaint with a data protection supervisory authority in your country of habitual residence, place of work, or place of an alleged infringement. For the UK, the Information Commissioner's Office (ico.org.uk) is the supervisory authority. For the EU / EEA, you may contact your local authority — the European Data Protection Board lists them at edpb.europa.eu.

10. UK and EU representatives (if applicable)

Where GDPR Article 27 requires an EU representative for controllers not established in the EU, or UK GDPR requires a UK representative, we will publish their contact details here when appointed. Until then, contact support@hirago.com for all requests.

11. Updates

We may update this page to reflect changes in our processing or in law. Please review the "Last updated" date when you visit.

This summary does not replace the full Privacy Policy or the Terms of Service, and is not legal advice.