Legal

Privacy Policy

Last updated: May 2026

GDPREU / EEA

UK GDPRUnited Kingdom

KVKKTurkey

TMGGermany

1. Data Controller

Workruno

Gewerbetreibender · Kleingewerbe

Waldstr. 124E · 65451 Kelsterbach · Germany

Email: support@workruno.com

Privacy: support@workruno.com

2. Personal Data We Collect

Account data

Name, email, company name, website, phone (from registration / settings).

Legal basis: Contract — Art. 6(1)(b) GDPR

Candidate data

CVs, contact details, notes, stage history, interview records you upload for recruitment.

Legal basis: Legitimate interest / contract — Art. 6(1)(b)(f) GDPR

Billing data

Subscription status, invoice history. Card details processed by Stripe only — Workruno never stores card numbers.

Legal basis: Contract — Art. 6(1)(b) GDPR

Usage data

Pages visited, features used, session duration. No third-party analytics.

Legal basis: Legitimate interest — Art. 6(1)(f) GDPR

Technical data

IP address, browser type, device info, session cookies.

Legal basis: Necessary for service delivery

3. Cookies

Cookie	Purpose	Category	Duration
sb-*	Auth session (Supabase)	Necessary	Session / 1 week
locale	Language preference	Functional	1 year
cookie-consent	Stores consent preference	Necessary	1 year

We do not use advertising cookies, tracking pixels, or Google Analytics.

4. Data Sharing & Third Parties

We do not sell your data. Processors under contractual DPAs:

SupabaseDatabase, auth, storageEU (Frankfurt)DPA ↗

StripePayments, invoicingEU / US (SCCs)DPA ↗

AI ProviderAI text generation (zero data retention)US

VercelHosting, CDNUS / EU (SCCs)DPA ↗

Resend / SMTPTransactional emailEU / US (SCCs)

5. International Data Transfers

→EU Standard Contractual Clauses (SCCs) — GDPR Art. 46(2)(c)
→UK International Data Transfer Agreements (IDTA) — UK GDPR
→EU–US Data Privacy Framework adequacy decisions where applicable

6. Data Retention

Account data: Subscription duration + 90 days after deletion request

Candidate data: Until you delete it or close your account

Invoices: 10 years (German commercial law: § 257 HGB, § 147 AO)

Unverified accounts: Automatically deleted after 30 days

Session cookies: Deleted on logout or after inactivity

7. Your Rights

EU / EEA — GDPR (Art. 15–22)

→Right of access (Art. 15)
→Right to rectification (Art. 16)
→Right to erasure / "right to be forgotten" (Art. 17)
→Right to data portability (Art. 20) — export from Settings
→Right to object to processing (Art. 21)
→Right to lodge a complaint with your national DPA

Supervisory authority: BfDI (Germany)

UK — UK GDPR (Data Protection Act 2018)

→Same rights as EU GDPR apply under UK law
→Right to make a Subject Access Request (SAR)
→Right to erasure and data portability

Supervisory authority: ICO (UK)

Turkey — KVKK (Law No. 6698)

→Right to know if personal data is being processed (Art. 11/a)
→Right to request information if data has been processed (Art. 11/b)
→Right to request correction of incomplete or incorrect data (Art. 11/d)
→Right to request deletion or destruction of data (Art. 11/e)
→Right to object to outcomes from automated systems (Art. 11/g)

Authority: Kişisel Verileri Koruma Kurumu (KVKK)

To exercise any rights: support@workruno.com — we respond within 30 days.

8. Security

TLS 1.3 in transit, AES-256 at rest, Row-Level Security, access control. Personal data breach notification within 72 hours (GDPR Art. 33–34). See Security page.

9. Changes

Material changes communicated by email and in-app notice at least 30 days before taking effect.

10. Contact

Privacy: support@workruno.com

Legal: support@workruno.com

Security: Report a vulnerability

← Terms

Imprint Security