Privacy Policy

1. Controller

YesIQ GmbH
Torstraße 105–107, 10119 Berlin, Germany
Managing Director: Viktoriya Kovalenko
E-Mail: [email protected]
Privacy contact: [email protected]
Phone: +49 (30) 52015090

Commercial Register: Charlottenburg, HRB 276701
VAT ID: DE457833318

2. Data Protection Officer (DPO)

We have not appointed a Data Protection Officer at this time. For all data-protection inquiries, please contact us at [email protected].

3. Categories of Data Subjects and Personal Data

3.1 Website visitors

• IP address (truncated where technically feasible)
• Browser type, language, operating system
• Referrer URL, page views, session duration
• Cookie identifiers and similar technologies (see Cookie Policy)
• Form-submission content (name, email, phone, message)

3.2 Candidates (job seekers)

• Identification data: full name, email, phone, optional photograph
• Professional data: CV/resume, cover letter, work history, education, certifications, languages, skills, salary expectations, availability
• Contact and preference data: location, target role, target country, work-permit status
• Application metadata: source, application date, stage, notes from interviews
• Where you choose to provide them: links to professional profiles (LinkedIn, Xing, GitHub, etc.)
• Communications: emails, calendar invitations, recorded interview notes

3.3 Corporate clients and their representatives

• Business contact: name, work email, work phone, role, company
• Company data: legal name, registered address, signed agreements, hiring needs
• Billing data: legal entity, billing address, VAT, invoice references

3.4 Special-category data (Art. 9 GDPR)

We do not intentionally collect special-category data such as health, religion, political opinions, trade-union membership, ethnicity, sexual orientation, or biometric data. Candidates are kindly asked not to include such information in CVs unless required for the role. If special-category data is received, it is processed only on the basis of the candidate's explicit consent (Art. 9 (2)(a) GDPR) and only to the minimum extent necessary.

4. Purposes and Legal Bases of Processing

We process personal data for the following purposes, on the legal bases shown:

• Operating the website (server logs, security) — Art. 6 (1)(f) GDPR, legitimate interest in stable, secure operation.
• Cookies and similar technologies (analytics, advertising) — Art. 6 (1)(a) GDPR, opt-in consent via the cookie banner.
• Responding to contact-form / email enquiries — Art. 6 (1)(b) (pre-contractual measures) and/or (f) (legitimate interest).
• Recruitment processing (CV review, matching, interviews, presenting candidates to clients) — Art. 6 (1)(b) (pre-contractual measures with the candidate) and Art. 6 (1)(a) (consent for talent-pool storage).
• Client engagements (search mandates, contracts, invoicing) — Art. 6 (1)(b) GDPR.
• Marketing emails and newsletters — Art. 6 (1)(a) GDPR, double-opt-in consent, withdrawable at any time.
• Legal and tax obligations — Art. 6 (1)(c) GDPR (HGB, AO, GwG where applicable).
• Defending legal claims — Art. 6 (1)(f) GDPR.
• Special-category data (only if voluntarily provided) — Art. 9 (2)(a) GDPR, explicit consent.

5. Recipients and Processors

We share personal data only with carefully selected processors and recipients bound by Data Processing Agreements under Art. 28 GDPR:

• Manatal (Manatal Asia Co., Ltd.) — Applicant Tracking System for storing and managing candidate records.
• Calendly (Calendly LLC) — meeting-scheduling for sales and recruitment calls.
• Google Ireland Ltd. — Google Analytics 4, Google Tag Manager (only after consent).
• Meta Platforms Ireland Ltd. — Meta Pixel for advertising measurement (only after consent).
• Hosting provider — details available on request.
• Email provider — details available on request.
• Corporate clients — when presenting shortlisted candidates, with the candidate's prior consent.
• Authorities and courts — only where legally required.
• Tax advisors, auditors, lawyers — under professional confidentiality and Art. 28 GDPR where applicable.

A current list of sub-processors is available on request via [email protected].

6. International Transfers

Where data is transferred outside the European Economic Area (EEA) — for instance to Google or Meta in the United States, or to Manatal infrastructure where applicable — we ensure an adequate level of protection through one or more of the following safeguards:

• EU–U.S. Data Privacy Framework (Adequacy Decision of 10 July 2023) for certified U.S. recipients.
• Standard Contractual Clauses (2021/914/EU) combined with supplementary technical measures (encryption in transit and at rest, pseudonymisation where feasible).
• Transfer Impact Assessments for non-DPF transfers, in line with Schrems II requirements.

Copies of safeguards are available on request.

7. Storage Periods

• Server access logs — up to 14 days, then deleted/anonymised.
• Website analytics (GA4) — default 14 months from last interaction.
• Contact-form enquiries (no contract concluded) — up to 12 months.
• Candidate records — active recruitment: duration of the active process plus 6 months.
• Candidate records — talent pool (with consent): up to 24 months from consent, then deletion or renewed consent request.
• Corporate-client records (active contract) — duration of contract.
• Bookkeeping and tax-relevant records — 10 years (§ 147 AO, § 257 HGB).
• Marketing-consent records — until withdrawal of consent + 3 years for evidentiary purposes.

After expiry of the retention period, data is deleted or fully anonymised, except where statutory retention obligations require longer storage.

8. Your Rights

You have the following rights regarding your personal data, subject to applicable conditions:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16)
• Right to erasure — "right to be forgotten" (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21) — including against processing based on legitimate interest and against direct marketing at any time.
• Right to withdraw consent (Art. 7 (3)) — without affecting prior lawful processing.
• Right not to be subject to a decision based solely on automated processing (Art. 22) — see Section 10.

To exercise these rights, contact us at [email protected]. We will respond within one month (extendable by two months in complex cases, with notice).

9. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The competent authority for YesIQ GmbH is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI)
Alt-Moabit 59–61, 10555 Berlin, Germany
Phone: +49 (30) 13889-0
E-Mail: [email protected]
Web: https://www.datenschutz-berlin.de

You may also contact the supervisory authority of your country of residence.

10. Automated Decision-Making and Profiling

YesIQ does not make decisions producing legal or similarly significant effects about you based solely on automated processing within the meaning of Art. 22 GDPR. Where AI-assisted candidate matching or scoring is used as a support tool, final decisions are made by qualified human reviewers. You may at any time request information on the logic involved, the significance, and the consequences of any AI-supported steps.

11. Source of Data Collected from Third Parties

Where we receive personal data about candidates from third parties (e.g., a corporate client referring a candidate, a job-board, or a publicly accessible professional profile), we inform the data subject within a reasonable period — at the latest within one month — pursuant to Art. 14 GDPR, and provide the source of the data.

12. Security of Processing

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. Measures include encryption in transit (TLS), access controls based on the principle of least privilege, logging and monitoring, regular backups, and staff confidentiality undertakings. Our processors are required to maintain equivalent measures.

13. Cookies and Tracking Technologies

For details on cookies, pixel tags, and similar technologies used on this website — including Google Analytics 4 and Meta Pixel — please see our Cookie Policy.

14. Children

Our services are not directed at children under the age of 16. We do not knowingly process personal data of children. If you believe a child has submitted data, please contact us so we can delete it.

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in our processing activities or applicable law. The "Last updated" date at the top of this page will reflect the latest revision. Material changes will be notified via the website or by email where appropriate.