Legal

Privacy Policy

How we collect, use and protect personal data when you visit our website, contact us, apply as a candidate, work with us as a client, or interact with us as a recruiting partner.

Last updated: [Datum]
Controller

1. Controller

The controller responsible for the processing of personal data on this website is:

Controller

AndHire GmbH

Schleemkoppel 18
22117 Hamburg
Germany

Data Protection Officer
[Falls du einen bestellst, Name und Kontakt hier einsetzen. Falls nicht, diese Zeile löschen. Ein DSB ist in Deutschland nach Section 38 BDSG Pflicht, sobald mindestens 20 Personen ständig mit der automatisierten Verarbeitung personenbezogener Daten beschäftigt sind, oder in bestimmten anderen Fällen.]
Data collected

2. What data we collect

Depending on how you interact with us, we may process the following data.

Website visitors

IP address, browser and device information, pages visited, date and time of access, and cookie or analytics data where you have given consent.

Clients and prospects

Name, company name, role or job title, business email address, phone number, hiring needs, company size, industry and ecommerce setup, and communication history.

Candidates

Name, contact details, CV and career history, location, languages, skills, salary expectations, availability, portfolio links, interview notes, assessment results, role preferences, and professional profiles where publicly available or provided to us.

Recruiting partners and suppliers

Contact details, company information, communication history, candidate submissions, and contract and billing data.

Purposes

3. Why we process data

We process personal data to respond to inquiries, to provide recruiting and hiring services, to assess candidate fit for open roles, to create candidate profiles and shortlists, to communicate with clients, candidates and partners, to manage contracts, billing and business operations, to improve our website and services, to meet legal and regulatory obligations, and to protect our rights and prevent misuse.

Legal basis

4. Legal basis (Art. 6 GDPR)

We process personal data based on one or more of the following legal bases. Consent (Art. 6 (1) (a) GDPR), where you have given us permission. Contract or pre-contractual steps (Art. 6 (1) (b) GDPR), where processing is needed to provide our services. Legitimate interests (Art. 6 (1) (f) GDPR), such as operating a recruiting business, managing client relationships and improving our services. Legal obligations (Art. 6 (1) (c) GDPR), where we must process data for tax, accounting or regulatory reasons.

Candidates

5. Candidate data

If you apply through us, are introduced by a recruiting partner, or are identified through professional channels, we may process your profile to assess your suitability for relevant ecommerce, growth or operational roles.

We may share selected candidate information with clients only when it is relevant to a specific hiring process. We do not sell candidate data. Where possible, we limit the first client-facing profile to relevant professional information. Sensitive or unnecessary personal details are not shared unless required for the hiring process.

AI

6. Use of AI

We may use AI-assisted tools to help us structure and review information. For example, AI may help us summarize CVs, structure interview notes, compare candidate profiles with role requirements, create candidate shortlists, draft client-facing candidate summaries and improve internal recruiting workflows.

AI supports our process but does not replace human judgment. We do not make final hiring, rejection or placement decisions based solely on automated processing within the meaning of Art. 22 GDPR. A human reviews candidates before they are presented to a client.

Third parties

7. Sharing data with third parties

We may share personal data with clients involved in a hiring process, recruiting and sourcing partners, IT, hosting and software providers, accounting, legal and tax advisors, and authorities where legally required. All external service providers are required to process data only for agreed purposes and with appropriate safeguards. Where a provider acts as a processor on our behalf, we conclude a data processing agreement under Art. 28 GDPR.

Transfers

8. International data transfers

Our core data systems are hosted in the EU/EEA.

Some recruiting operations involve trusted partners outside the EU/EEA, including in China. Where personal data is accessed or processed outside the EU/EEA, we apply appropriate safeguards, including contractual protections, access controls, data minimization and, where required, the EU Standard Contractual Clauses adopted by the European Commission. You can request more information about these safeguards using the contact details above.

Cookies

9. Cookies and analytics

Our website uses necessary cookies to make the website function. We may also use analytics or marketing cookies only where legally allowed and, where required, after you have given consent through our cookie banner. In Germany, the storage of or access to information on your device, such as non-essential cookies, is governed by Section 25 TDDDG. You can withdraw your cookie consent at any time with effect for the future.

Retention

10. Data retention

We keep personal data only as long as necessary for the purposes described in this policy. Candidate data is usually kept for 24 months after the last meaningful contact, unless a longer retention period is legally required or you ask us to delete it earlier. Client and contract data may be stored longer where required for tax, accounting or commercial law reasons (in Germany, retention periods of up to ten years can apply).

Your rights

11. Your rights

Depending on your situation, you have the right to request access to your personal data (Art. 15), request correction of inaccurate data (Art. 16), request deletion (Art. 17), request restriction of processing (Art. 18), object to certain processing (Art. 21), request data portability (Art. 20), and withdraw consent where processing is based on consent. You also have the right to lodge a complaint with a data protection authority. To exercise your rights, contact us at privacy@andhire.com.

The competent supervisory authority for us is the Hamburg Commissioner for Data Protection and Freedom of Information (Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit).

Security

12. Security

We use reasonable technical and organizational measures to protect personal data, including access controls, encryption, secure storage, internal permission rules and regular review of data access.

Updates

13. Updates

We may update this Privacy Policy from time to time. The current version is always available on this website.