Privacy Policy

1. Data Controller

The data controller responsible for the processing of your personal data is:

This Privacy Policy describes what personal data we collect, how and why we process it, with whom we share it, how long we retain it, and what rights you have. It applies to all Users of the 21Jobs platform at 21jobs.io and any associated services.

2. Applicable Law

As a Swiss company, we process personal data in compliance with the Swiss Federal Act on Data Protection (FADP/DSG), as revised and effective since September 1, 2023, and its associated Ordinance on Data Protection (DPO/DSV).

Where we process personal data of individuals located in the European Economic Area (EEA) or the United Kingdom (UK), we additionally comply with the EU General Data Protection Regulation (GDPR) and the UK GDPR, as applicable. In the event of any conflict between these regulations, we apply the standard that provides the highest level of data protection.

3. Data We Collect

We collect the following categories of personal data:

3.1 Data You Provide Directly

• Account data: Name, email address, and password (stored as a bcrypt hash) when you register
• Authentication data: If you sign in via Google OAuth, we receive your name, email address, and profile picture from Google
• Profile data: Profile picture, job preferences (departments, locations, job types, experience levels, salary range)
• Company data: If you register as an employer — company name, role, and company affiliation
• Payment data: When you purchase a subscription or promotion, payment is processed by Stripe; we store your Stripe customer ID, subscription ID, and billing period, but never your credit card number or full payment details
• Communication data: Messages you send through our contact form (name, email, company, subject, message), support tickets, and any correspondence with us
• Newsletter data: Email address when you subscribe to our newsletter
• Job alert preferences: Alert name, filter criteria (keywords, departments, locations, types, levels, salary range), preferred notification channels (email, Telegram), and notification frequency
• Telegram data: If you enable Telegram notifications, we store your Telegram chat ID to deliver job alerts

3.2 Data Collected Automatically

• Usage data: Pages visited, features used, and interactions with the platform (via Umami Analytics, which does not use cookies and does not collect personally identifiable information)
• Click data: When you click on a job listing or company profile, we record the click along with your user agent (browser type), referrer URL, and a hashed version of your IP address (SHA-256 hash, truncated to 16 characters) — we never store your raw IP address in our database
• Activity logs: If you are logged in, we log certain account activities (such as login events, profile updates, alert changes, and subscription changes) for security and audit purposes
• Email delivery data: For transactional emails we send you, we log the recipient address, subject, email type, delivery status, and timestamp

3.3 Data We Do Not Collect

• We do not collect or store your raw IP address in our database (only a truncated hash for rate limiting)
• We do not log your search queries
• We do not use tracking cookies or advertising pixels
• We do not sell, rent, or trade your personal data to third parties
• We do not use your personal data for profiling or automated individual decision-making that produces legal or similarly significant effects

4. Purpose & Legal Basis for Processing

We process your personal data for the following purposes, based on the legal bases indicated:

6. Third-Party Service Providers

We use the following third-party service providers to operate our platform. Each provider processes data on our behalf and under our instructions. We have selected providers that offer appropriate data protection safeguards.

7. International Data Transfers

Some of our third-party service providers are located outside of Switzerland and the EEA, primarily in the United States. When your personal data is transferred to countries that do not provide an adequate level of data protection as recognized by the Swiss Federal Data Protection and Information Commissioner (FDPIC) or the European Commission, we ensure that appropriate safeguards are in place, including:

• EU-US and Swiss-US Data Privacy Framework: Where providers are certified under the Data Privacy Framework
• Standard Contractual Clauses (SCCs): EU Commission-approved contractual clauses that ensure adequate data protection
• Contractual safeguards: Data processing agreements with all service providers that include appropriate data protection obligations

You may request information about the specific safeguards applied to a particular data transfer by contacting us at privacy@21jobs.io.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Below are our general retention periods:

When data is no longer needed, we securely delete or anonymize it. Where deletion is not technically feasible (e.g., in backup systems), we ensure the data is isolated and protected until deletion is possible.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS)
• Password hashing: Passwords are never stored in plain text; they are hashed using bcrypt with a salt
• IP address hashing: Raw IP addresses are not stored; only truncated SHA-256 hashes are used for rate limiting and click tracking
• HttpOnly cookies: Session cookies are HttpOnly (not accessible to JavaScript), Secure (only sent over HTTPS), and SameSite=Lax
• CSRF protection: Cross-site request forgery tokens are used on all authenticated forms
• Rate limiting: Automated rate limiting on sensitive endpoints (registration, login, contact forms) to prevent abuse
• Webhook signature verification: All incoming webhooks (Stripe, URLbox) are cryptographically verified
• Access controls: Role-based access controls restrict access to sensitive data and admin functions

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority and, where required, affected individuals in accordance with applicable data protection law.

10. Your Rights

Under the Swiss FADP and, where applicable, the EU GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 25 FADP / Art. 15 GDPR): You have the right to request confirmation of whether we process your personal data and, if so, to obtain a copy of that data along with information about the processing.
• Right to rectification (Art. 32 FADP / Art. 16 GDPR): You have the right to request that we correct inaccurate or incomplete personal data.
• Right to erasure (Art. 17 GDPR): You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw your consent. This right is subject to legal retention obligations.
• Right to restriction of processing (Art. 18 GDPR): You have the right to request that we restrict the processing of your personal data under certain circumstances.
• Right to data portability (Art. 28 FADP / Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
• Right to object (Art. 21 GDPR): You have the right to object to the processing of your personal data based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
• Right to lodge a complaint: You have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or, for EU residents, with the supervisory authority in your country of residence.

To exercise any of these rights, please contact us at privacy@21jobs.io. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request. If your request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act on the request.

11. Automated Processing & Artificial Intelligence

We use artificial intelligence (Anthropic Claude, United States) to assist in the classification and normalization of job listing data, including:

• Categorizing jobs by department, location type, employment type, and experience level
• Normalizing salary information and currency formats
• Quality control validation of classified job data

Important: This AI processing is applied exclusively to publicly available job listing data (job titles, descriptions, company names) that is already publicly available on employer websites. We do not use AI to process your personal data, your profile information, your job applications, or any data you submit directly to us.

No automated decision-making is performed that produces legal effects concerning you or similarly significantly affects you.

12. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children or minors. If you are under 18, you may not use the Service or provide any personal data. If we become aware that we have inadvertently collected personal data from a person under 18, we will take immediate steps to delete that data. If you believe that a child has provided us with personal data, please contact us at privacy@21jobs.io.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or operational needs. If we make material changes, we will notify you by posting the updated policy on this page and updating the "Last updated" date at the top. For material changes that significantly affect how we process your personal data, we will make reasonable efforts to notify you in advance (e.g., via email or a prominent notice on the platform). We encourage you to review this policy periodically. Your continued use of the Service after the updated policy becomes effective constitutes your acknowledgment of the changes.

14. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or want to submit a complaint, please contact us:

You also have the right to contact the Swiss Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch or, for EU residents, your local data protection supervisory authority.