1. Introduction

Welcome to HirePort. This Privacy Policy explains how HirePort NL B.V. ("HirePort", "we", "us", or "our"), registered with the Dutch Chamber of Commerce under number 83949909, with its registered office at Vijzelstraat 68, 1017 HL Amsterdam, The Netherlands, collects, uses, shares, and protects personal data in relation to our website, platform, and services.

HirePort provides a Software-as-a-Service (SaaS) platform that enables organisations to efficiently collaborate with recruitment agencies and centralise their hiring processes. Our platform integrates with Applicant Tracking Systems (ATS) such as SmartRecruiters and Recruitee, facilitating secure data exchange via API connections.

We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Dutch GDPR Implementation Act (Uitvoeringswet AVG), and other applicable privacy legislation.

This Privacy Policy applies to anyone who directly or indirectly uses our services, visits our website, or has contact with HirePort. By using our services, you acknowledge and agree to the collection and use of information as described in this policy.

Age Restriction: If you are younger than 16 years old, you cannot use our website or services.

2. Our Role in Data Processing

Depending on the context, HirePort acts as either a Data Controller or a Data Processor:

2.1 HirePort as Data Controller

We act as the Data Controller when we determine the purposes and means of processing personal data, such as:

• Managing our relationship with you as a customer or user

• Operating and improving our website and platform

• Marketing and communications about our services

• Complying with legal obligations

• Processing data about our employees and contractors

2.2 HirePort as Data Processor

We act as a Data Processor when processing personal data on behalf of our customers (the Data Controllers) for recruitment and talent acquisition purposes. In this capacity, we process data according to the instructions provided by the Data Controller and as set forth in our Data Processing Agreements (DPAs).

3. Categories of Data Subjects

We collect and process personal data from the following categories of individuals:

3.1 Candidates

Applicants, potential applicants, candidates, and potential candidates submitted through our platform by recruitment agencies or directly by employers.

3.2 Users

Employees and representatives of companies (employers) and recruitment agencies who use our platform.

3.3 Website Visitors

Individuals who visit our website or careers websites provided as part of our services.

3.4 Referrers

Individuals who visit referral sites or make referrals for candidates through our services.

3.5 Business Partners

Representatives of partner organisations, suppliers, and other business contacts.

4. Categories of Personal Data We Process

4.1 Candidate Data

When processing on behalf of our customers, we may process:

• Contact details (name, email address, telephone number, address)

• CVs/resumes and work history

• Motivation letters and application documents

• E-mail communications

• Notes and ratings about candidates

• Availability and notice period

• Salary expectations

• Information gathered through integrations with third-party services

4.2 User Account Data

• Name and email address

• Telephone number

• Login credentials (username and password)

• Organisation and role information

• Vacancy and recruitment information

• Usage history and platform activities

4.3 Payment and Financial Data

• Bank account and payment details

• Invoice information

• Company registration details (e.g., Chamber of Commerce extract)

• Transaction records

4.4 Website and Technical Data

• IP address

• Browser type and version

• Traffic source and referral data

• Date and time of access

• HTTP requests and responses

• Cookies and similar technologies

4.5 Referrer Data

• Contact details

• Social and business connections

• Referral information (status and associated rewards)

• E-mail communications

5. Purposes of Processing

We process personal data for the following purposes:

5.1 Service Delivery

• Providing and operating our recruitment management platform

• Facilitating collaboration between employers and recruitment agencies

• Managing candidate submissions and recruitment workflows

• Processing placements and generating invoices

5.2 Account Management

• Creating and managing user accounts

• Authentication and access control

• Sending service-related notifications and updates

5.3 Communication

• Responding to inquiries and support requests

• Sending important service announcements

• Recording communications for training and quality purposes

5.4 Marketing (with consent)

• Sending newsletters and promotional content

• Displaying targeted advertisements

• Conducting market research and analysis

5.5 Platform Improvement

• Analysing usage patterns and platform performance

• Developing new features and services

• Ensuring platform security and preventing fraud

5.6 Legal and Compliance

• Complying with legal and regulatory obligations

• Maintaining financial and administrative records

• Responding to lawful requests from authorities

6. Legal Bases for Processing

We process personal data based on the following legal grounds under Article 6 GDPR:

• Performance of Contract: Processing necessary to provide our services and fulfil our contractual obligations.

• Legitimate Interest: Processing necessary for our legitimate business interests, such as improving our services, marketing to existing customers, and ensuring platform security.

• Consent: Processing based on your explicit consent, such as for marketing communications and certain cookies.

• Legal Obligation: Processing necessary to comply with legal requirements, such as tax and accounting obligations.

7. Data Sharing and Recipients

7.1 Within the Platform

Users have the option to share candidate personal data with other users (e.g., employers and recruitment agencies) through our platform, subject to appropriate permissions and the candidate's consent where required.

7.2 Service Providers (Sub-processors)

We engage trusted third-party service providers who process data on our behalf. We only share data necessary for their specific services and maintain Data Processing Agreements with all sub-processors. Our current sub-processors include:

• Amazon Web Services EMEA SARL – Cloud hosting and infrastructure (Frankfurt, Germany)

• Salesforce Inc – Customer relationship management (EU)

• OpenAI Ireland Limited – AI-assisted features (EU)

• Slack Inc – Internal communications (EU)

• Google Inc – Productivity and analytics (EU)

• Stripe – Payment processing (EU)

7.3 ATS Integrations

We integrate with Applicant Tracking Systems such as SmartRecruiters and Recruitee. Data shared through these integrations is governed by our DPAs and the respective ATS provider's privacy policies.

7.4 Legal and Regulatory Disclosure

We may share data with government agencies, law enforcement, or regulatory authorities when required by law or in response to valid legal requests. We will notify affected customers unless legally prohibited from doing so.

We do not sell your personal data to third parties.

8. International Data Transfers

We store and process personal data within the European Economic Area (EEA), primarily in Frankfurt, Germany using AWS infrastructure. All our sub-processors process data within the EU/EEA.

If any data transfer outside the EEA becomes necessary, we ensure appropriate safeguards are in place, such as:

• European Commission adequacy decisions

• Standard Contractual Clauses (SCCs)

• Additional technical and organisational measures where required

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are:

• User Account Data: Retained while the account is active. Automatically deleted after 5 years of inactivity.

• Candidate Data: Retained for 12-13 months in accordance with our DPAs, or as specified by the Data Controller.

• Communication Records: Deleted after 3 years of no interaction with HirePort.

• Marketing Data: Based on data up to 2 years old for targeted marketing activities.

• Financial Records: Retained as required by Dutch tax and accounting laws (typically 7 years).

• Analytics Data: Retained only as long as necessary for analysis purposes.

10. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. Our security measures include:

10.1 Certifications and Compliance

• ISO 27001:2022 Certified – Our Information Security Management System (ISMS) is independently certified

• Full GDPR compliance

• SOC 2 Type II certification in progress (expected completion: end of 2025)

10.2 Technical Measures

• Encryption of data at rest and in transit using strong cryptography

• Secure hosting on AWS in Frankfurt, Germany (eu-central-1)

• OAuth 2.0 authentication with integrated ATS platforms

• Daily backups with 30-day retention

• Regular security updates and vulnerability management

• Intrusion detection and continuous monitoring

10.3 Organisational Measures

• Role-based access control with strict need-to-know principles

• Mandatory security awareness training for all employees

• Regular internal and external security audits

• Comprehensive activity audit logging

• Incident response procedures with 24/7 support for security incidents

• Secure disposal of data and equipment

11. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of Access: Obtain confirmation of whether we process your data and request a copy.

• Right to Rectification: Request correction of inaccurate or incomplete data.

• Right to Erasure: Request deletion of your personal data ("right to be forgotten").

• Right to Restriction: Request limitation of processing in certain circumstances.

• Right to Data Portability: Receive your data in a structured, commonly used format.

• Right to Object: Object to processing based on legitimate interests or for direct marketing.

• Rights Related to Automated Decision-Making: Not be subject to decisions based solely on automated processing, including profiling.

To exercise your rights, please contact us using the details in Section 14. We will respond to your request within one month. In complex cases, we may extend this period by up to two additional months.

Right to Complain: If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at www.autoriteitpersoonsgegevens.nl.

12. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to improve functionality and user experience. We use:

• Essential Cookies: Required for basic website functionality and security.

• Analytics Cookies: Help us understand how visitors interact with our website (with consent).

• Marketing Cookies: Used for targeted advertising and marketing (with consent).

You can manage your cookie preferences through your browser settings or by adjusting your consent when visiting our website. Deleting cookies may affect your experience on our platform.

13. Payment Processing

We use Stripe (www.stripe.com) for payment processing and financial administration. When you use our payment features, you agree to Stripe's terms and conditions and privacy policy, available at www.stripe.com/privacy.

14. Contact Information

Data Controller

HirePort NL B.V.
Vijzelstraat 68
1017 HL Amsterdam
The Netherlands

Data Protection Officer

Alexander Leenaers, Co-founder

General Inquiries

Email: support@hireport.io
Website: www.hireport.io
Chamber of Commerce: 83949909

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. We encourage you to review this page periodically. Changes take effect when published on our website. For significant changes, we will provide prominent notice.

This Privacy Policy was last updated in December 2025.