Privacy Policy

Last update: 17.03.2026

This Privacy Policy explains how we process personal data when you use the Wantapply website and related services (the “Service”). Wantapply is a platform that enables Employers to publish job offers and enables Candidates and other visitors to discover vacancies and contact Employers (often directly).

We process personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and applicable Polish law.

Controller – who we are and how to contact us
Scope
GDPR roles on the Service (Controller / Processor / Employers)
Categories of personal data we process
Why we process your personal data (purposes, lawful bases, recipients, retention)
Applications to Employers and sharing of Candidate data
Cookies and similar technologies
Recipients of personal data (who we share data with)
International transfers (outside the EEA)
Data retention and deletion
Security
Your rights under the GDPR
Complaints (Supervisory Authority)
Changes to this Policy

1. Controller – who we are and how to contact us

Controller (Data Controller within the meaning of Article 4(7) GDPR): JDG Eldar Azizov, a company registered in Poland, with its registered office at Aleja Komisji Edukacji Narodowej 19/7, Warszawa, 02-797.

If you have questions about data or privacy, write to:

Contact point for privacy matters: [email protected]
General support contact: [email protected]
Data Protection Officer (DPO): [email protected]

2. Scope

This Policy applies to personal data processed in connection with browsing and using the Service as a Visitor, using the Service as a Candidate (including creating and using a candidate account), and communicating with Wantapply (e.g., support requests).

This Policy does not replace privacy notices provided by Employers in the context of their recruitment processes.

This Policy also applies where you use the Service as an Employer representative (for example, if you create an account to publish or manage job offers on behalf of an Employer), to the extent Wantapply acts as a controller for that account and related Service administration.

3. GDPR roles on the Service (Controller / Processor / Employers)

Because the Service connects Candidates with Employers and enables the publication of job offers, the role of each party under the GDPR depends on the specific processing activity. The terms “controller”, “processor” and “personal data” have the meanings given in the GDPR (including Articles 4(7) and 4(8)).

3.1 Wantapply as Controller

Wantapply acts as a controller in relation to personal data processed to operate, maintain and secure the Service and to provide its functionalities to users. This includes, in particular:

creating and managing user accounts and authentication (where available);
providing website and platform features (including access to job listings and user preferences);
providing service communications and user support;
ensuring network and information security, preventing fraud and abuse, and maintaining logs for security and troubleshooting purposes;
managing cookie preferences and performing analytics (where enabled and subject to applicable consent requirements);
complying with legal obligations and protecting our rights (including establishing, exercising or defending legal claims).

For these processing activities, Wantapply determines the purposes and essential means of processing and therefore acts as Controller.

3.2 Employers as Controllers for recruitment

Employers who publish job offers on the Service typically act as independent controllers in relation to personal data processed in their recruitment processes. In particular, Employers act as controllers for personal data that Candidates provide to Employers when applying via:

an Employer's own website or external application form;
email, messaging channels (e.g., Telegram), or other direct contact methods shown in a job posting;
any other channels controlled by the Employer.

In these scenarios, the Employer determines the purposes of processing (e.g., candidate assessment, interviews, hiring decisions) and the essential means of processing. Employers are responsible for providing Candidates with the information required under Articles 13 and/or 14 GDPR and for ensuring a lawful basis for their recruitment processing. Wantapply does not determine the Employer's recruitment purposes and is not responsible for the Employer's compliance in respect of such recruitment processing.

3.3 Wantapply as Processor for Employers (only where “Apply via Wantapply” is provided)

Where the Service enables Candidates to submit an application through Wantapply (for example, by uploading a CV/resume or submitting application data within the Service) and Wantapply processes such application data solely on the documented instructions of an Employer, Wantapply acts as a processor within the meaning of Article 4(8) GDPR and the Employer remains the controller for that recruitment processing.

In such cases:

Wantapply processes the application data only for the purpose of transmitting and/or making the application available to the relevant Employer and for supporting the Employer's recruitment workflow as instructed;
the Employer determines which data is required for the application, who within the Employer's organisation can access it, and how long it will be retained in the context of recruitment;
Wantapply's processing is governed by a data processing agreement compliant with Article 28 GDPR (including appropriate security measures and confidentiality obligations).

At the moment of submission, we will inform the Candidate which Employer will receive the application and what categories of data will be shared.

Clarification on roles.Wantapply does not act as a processor for Employers for all processing on the Service. Wantapply is a controller for the operation and security of the Service (including user accounts, logs, fraud prevention, and analytics, where enabled). Wantapply acts as an Employer's processor only for the limited processing of Candidate application data within the Service where (i) an “Apply via Wantapply” feature is provided, (ii) the Employer determines the recruitment purposes, and (iii) Wantapply processes the application data solely on the Employer's documented instructions under a data processing agreement.

3.4 Publication of job offers and recruiter contact details – joint controllership (Article 26 GDPR)

Job offers published on the Service may include personal contact details of individuals acting on behalf of Employers (for example, a recruiter's name, email address, LinkedIn profile URL, or messaging handle) where an Employer chooses to provide such details so that Candidates can contact the Employer directly.

For the limited processing of making those contact details available to Candidates via the Service (i.e., displaying, hosting, and distributing the job posting content that contains such contact details), Wantapply and the relevant Employer may be considered joint controllers within the meaning of Article 26 GDPR, because:

the Employer decides whether and which personal contact details are included in a job posting and for what recruitment-related purpose they are disclosed;
Wantapply determines essential means of publication and availability of the posting within the Service (such as the format of publication, display and indexing within the Service, access mechanisms, and removal/moderation procedures necessary to provide the Service).

Essence of the arrangement (Article 26 GDPR). Wantapply and Employers allocate responsibilities for this limited processing as follows:

Employer responsibilities:The Employer is responsible for ensuring that it has a lawful basis to disclose recruiter contact details to Candidates via the Service and for providing any required information to the individuals whose contact details are included (e.g., the Employer's employees or contractors), including information about disclosure through the Service and relevant retention periods within the Employer's organisation.
Wantapply responsibilities: Wantapply is responsible for operating the Service, implementing appropriate technical and organisational measures to protect personal data processed in connection with the publication, and providing mechanisms to request removal or correction of published content where appropriate.
Data subject rights: Data subjects may exercise their GDPR rights in respect of this limited processing against either joint controller. For operational efficiency, requests relating to the publication, display, correction or removal of recruiter contact details from job postings on the Service should be addressed to Wantapply at [email protected], and Wantapply will coordinate with the relevant Employer where necessary.

This joint controllership applies only to the publication of personal contact details within job posting content on the Service and does not extend to the Employer's subsequent recruitment processing of Candidate applications, for which the Employer acts as an independent controller as described in Section 3.2.

4. Categories of personal data we process

4.1 Data you provide to Wantapply

Account data: name, email address, login credentials (stored in a secure form), account settings and preferences.
Profile data (if you choose to provide it): job preferences, seniority, location/time zone, links (e.g., LinkedIn), and other information you add to your profile.
Communications: content of messages you send us (support requests, feedback) and associated metadata.
CV/Resume files (PDF) (where available): if you choose to upload a CV/resume to your Wantapply account, we process the file and the information contained in it (such as your work experience, education and skills). Please do not include sensitive information that is not necessary for recruitment (for example, health data, national identifiers, or payment details).

4.2 Data collected automatically

Technical and usage data: IP address, device identifiers, browser type, operating system, timestamps, pages viewed, referral URLs, and log data.
Cookie and similar technology data: identifiers and usage data collected through cookies and similar technologies, subject to your settings (see Section 7).

4.3 Data from third parties

If we offer third-party sign-in (e.g., Google sign-in), we may receive information necessary for authentication and account creation (typically an identifier such as an email address and basic profile data), depending on the options you choose and the permissions you grant.

4.4 Data processed by Employers

If you apply outside Wantapply (e.g., via an Employer's external link or direct contact details), the Employer processes the data you provide to them (e.g., CV/resume, cover letter, portfolio, contact details). In such cases Wantapply may not receive the content of your application.

4.5 Data of Employer representatives (where applicable)

If you create or use an Employer account, we may process: your name, business email, job title/role, Employer name, account credentials, account activity (e.g., job posting and moderation actions), and billing/transaction metadata (where paid features are used).

5. Why we process your personal data (purposes, lawful bases, recipients, retention)

We process personal data only to the extent necessary for specified, explicit and legitimate purposes and on a lawful basis under Article 6 GDPR. The main processing activities are described below.

5.1 Provision of the Service and core functionality

Purpose: To provide and operate the Service, including enabling you to browse job offers and use website functionality.
Categories of personal data: Technical and usage data; strictly necessary cookie identifiers; security logs.
Lawful basis: Article 6(1)(f) GDPR (legitimate interests). Our legitimate interests are to deliver a functional and secure service, ensure network and information security, and prevent abuse.
Recipients: Infrastructure/hosting providers and vendors supporting essential operation of the Service (as processors).
Retention: Technical logs are retained for a limited period necessary for security and diagnostics, typically 12 months, unless a longer period is required for establishing, exercising or defending legal claims.

5.2 Account creation and account management (where available)

Purpose: To create and manage your user account, authenticate you, enable access to account-based features, and manage your preferences.
Categories of personal data: Account data; profile data (if provided); authentication data; account-related communications.
Lawful basis: Article 6(1)(b) GDPR (performance of a contract / steps prior to entering into a contract).
Recipients: Hosting/infrastructure providers; email delivery providers (verification, sign-in links, transactional messages); customer support tooling providers (as processors), where used.
Retention: Account data is retained while the account is active. After you request deletion, we delete or anonymise account data without undue delay, subject to Section 10 (e.g., legal obligations and limited backup retention).

5.3 Service communications and support

Purpose: To respond to enquiries, provide user support, and communicate with you about the Service (including service-related notices).
Categories of personal data: Account data; communications content; metadata (timestamps, identifiers); technical logs.
Lawful basis: Article 6(1)(b) GDPR where necessary to provide the Service; and/or Article 6(1)(f) GDPR where our legitimate interests are to handle enquiries, ensure quality of support, and maintain the Service.
Recipients: Support tooling providers (as processors), email providers, and relevant internal personnel on a need-to-know basis.
Retention: Support communications are retained for a limited period necessary for support, quality assurance and dispute handling, typically 12 months, unless a longer period is required for legal claims.

5.4 Security, fraud prevention and abuse monitoring

Purpose: To secure the Service, prevent unauthorised access, detect and mitigate fraud, and enforce policies.
Categories of personal data: IP address, device and browser data, access logs, security events, strictly necessary cookie/session identifiers.
Lawful basis: Article 6(1)(f) GDPR (legitimate interests) to ensure information security, prevent fraud and protect users; and in some cases Article 6(1)(c) GDPR (legal obligation), where applicable.
Recipients: Infrastructure providers; security and monitoring vendors (as processors); competent authorities where legally required.
Retention: Security logs are retained for a limited period proportionate to security needs, typically 24 months.

5.5 Legal compliance and protection of rights

Purpose: To comply with applicable laws, respond to lawful requests, and establish, exercise or defend legal claims.
Categories of personal data: Identifiers, correspondence, logs, and other data relevant to the specific legal obligation or claim.
Lawful basis: Article 6(1)(c) GDPR (legal obligation) and/or Article 6(1)(f) GDPR (legitimate interests) to protect our rights and the integrity of the Service.
Recipients: Competent authorities, courts, and external advisers (lawyers, auditors) where necessary and proportionate.
Retention: For as long as required by law or as necessary in connection with legal claims.

5.6 Session Replay (Amplitude) (where enabled)

Purpose. To understand how users interact with the Service and to improve usability and performance (for example, to identify navigation issues, broken flows, or pages where users encounter difficulties). Session replay helps us see user interactions such as page navigation, scrolling and clicks in order to improve the Service.

Categories of personal data: Interaction and technical data generated when you use the Service, which may include:

pages visited within the Service, navigation events, clicks/taps, scrolling and the timing of these actions;
device and browser information (e.g., device type, operating system, browser version);
identifiers used for analytics and session reconstruction (such as cookie/device identifiers and a session identifier); and
IP address (typically processed for security and approximate geolocation, depending on configuration).

We do not intend to record the content of what you type into forms (such as passwords or payment details). We configure session replay to minimise data capture by masking or excluding selected fields and on-page elements where appropriate.

Lawful basis. Article 6(1)(a) GDPR (consent). Session replay is activated only if you provide consent via our cookie banner/settings. You may withdraw your consent at any time by changing your preferences (see Section 7). Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Recipient. Session replay is provided by Amplitude, which acts as our processor and processes personal data on our behalf under an agreement consistent with Article 28 GDPR. Access to session replays is restricted to authorised personnel who need it for the purposes described above.

Retention. Session replay data is retained for 90 days, unless a longer period is necessary for security investigations or for the establishment, exercise or defence of legal claims.

International transfers. Where Amplitude processes data outside the European Economic Area, we ensure appropriate safeguards in accordance with Chapter V GDPR (see Section 9).

5.7 CV/Resume upload and storage (PDF) (where available)

Purpose. To provide you with the functionality to store your CV/resume in your Wantapply account and, where you choose, to use it when applying for jobs through the Service.

Categories of personal data. Your CV/resume file (PDF) and the information contained in it (such as contact details, employment history, education, qualifications, skills, and other information you choose to include).

Lawful basis.We process your CV/resume in order to provide the Service feature you request (Article 6(1)(b) GDPR – performance of a contract / steps at your request prior to entering into a contract). Where the Service allows you to share your CV with an Employer, we do so only on your action and request.

Recipients. Our hosting and storage providers (as processors); and Employers only when you choose to share your CV with them. We do not store CV/resume files in analytics tools and we configure analytics/session replay tools to avoid capturing file contents.

Retention. We retain your uploaded CV/resume for as long as you keep it in your account or until you delete it. After deletion, we delete the file without undue delay, subject to limited technical backup retention. We may retain limited records necessary to establish, exercise or defend legal claims for up to 1 year where applicable.

Please avoid including information that is not necessary for recruitment (for example, health data or other special category data).

5.8 Employer accounts and job posting administration (Employer representatives)

Purpose: To create and manage Employer accounts, verify and authenticate Employer representatives, enable them to publish and manage job offers, and support the day-to-day administration of the Service.
Categories of personal data: Employer representative account data and account activity (see Section 4.5).
Lawful basis: Article 6(1)(b) GDPR, where processing is necessary to provide the Service requested by the Employer, and, where relevant, Article 6(1)(f) GDPR for the administration, protection and security of the Service.
Recipients: Our hosting, infrastructure and other service providers acting on our behalf as processors (see Section 8).
Retention: We keep Employer account data for as long as the account is in use. After the account is closed or no longer active, we may keep certain information for a limited period where necessary for legal compliance, resolving disputes, protecting the Service, or dealing with security-related matters.

6. Applications to Employers and sharing of Candidate data

6.1 Direct applications outside Wantapply

Job postings may contain external links or direct contact details allowing you to apply directly to an Employer. When you apply directly, the Employer processes your personal data as an independent Controller for recruitment purposes. Wantapply does not determine the Employer's purposes or means of processing and is not responsible for the Employer's compliance. We encourage you to review the Employer's privacy information before applying.

6.2 If applications are submitted via Wantapply (where offered)

If you submit an application through an in-platform “apply” feature operated by Wantapply, we will indicate at the point of application which Employer will receive your data and what data will be transmitted. The Employer will act as Controller for recruitment processing. Wantapply will act as Processor for the Employer only where we process the application on the Employer's documented instructions.

6.3 Simplified job posting and transparency considerations

The Service may allow Employers to post vacancies with a limited set of publicly displayed identifying information. Where appropriate, we may apply measures to prevent abuse (e.g., moderation, verification steps, removal of suspicious postings). If you believe a posting is fraudulent or insufficiently transparent, please contact us at [email protected].

6.4 Links to third-party websites

Job postings on the Service may include links to third-party websites (for example, Employer websites, external application forms, or social media pages). If you follow a link, you will leave the Service. We do not control and are not responsible for the privacy practices or content of those third parties. We encourage you to review the relevant third party's privacy notice before providing them with your personal data.

7. Cookies and similar technologies

We use cookies (and similar technologies such as local storage) to make the Service work, remember your preferences, and where you allow it measure and improve how the Service is used.

The information collected through cookies and similar technologies may be collected either by Wantapply directly (through first-party cookies and local storage set by the Service) or by third-party services we use to operate and improve the Service. Where required by law (including in the EU/EEA), third-party analytics technologies are not activated unless you opt in via our cookie banner/settings.

7.1 Types of cookies we use

Strictly necessary cookies (always on). These cookies are required for the Service to function and cannot be switched off in our systems. They are used, for example, to keep you signed in and protect your session and security.

Functional cookies (optional). These cookies help the Service remember your choices and provide convenience features. For example, we may store your language preference and interface settings.

Analytics / measurement cookies and similar technologies (opt-in). These cookies and technologies help us understand how visitors use the Service and improve performance and user experience. They may include Google Analytics cookies and Amplitude analytics. These are not essential for the Service to work.

Where enabled, we use Google Analytics to understand how visitors use the Service. In the EU/EEA, Google Analytics is used only with your consent. Where personal data is transferred outside the EU/EEA, we rely on appropriate safeguards under Chapter V GDPR (see Section 9).

Session Replay (Amplitude) is treated as Analytics (opt-in). If we enable Amplitude Session Replay, it will only run if you opt in to analytics/measurement via our cookie banner/settings. More information is provided in Section 5.6.

Third-party authentication cookies (only if you choose social sign-in). If you sign in with Google or Facebook, those providers may set their own cookies as part of the authentication flow. You can use the Service without social sign-in by choosing another login method, where available.

7.2 Your choices and how to manage cookies

Where required by law (including in the EU/EEA), we use an opt-in mechanism for non-essential cookies and similar technologies. You can accept or refuse analytics/measurement cookies and you can change your choice at any time via our cookie settings. You can also delete or block cookies using your browser settings. Please note that blocking strictly necessary cookies may affect core functions of the Service (such as staying signed in).

7.3 Cookie list

A detailed and up-to-date list of cookies and similar technologies we use (including name, purpose, provider and storage duration) is available via our cookie settings. We update this information when cookies or providers change.

8. Recipients of personal data (who we share data with)

We share personal data only where necessary and subject to appropriate safeguards.

8.1 Processors (service providers)

We use processors that provide infrastructure and tools necessary to operate the Service, such as hosting/infrastructure (DigitalOcean), analytics (Google Analytics, where enabled), and payments (Stripe, primarily for Employer services). Processors act on our behalf and under our instructions, subject to contractual obligations consistent with Article 28 GDPR.

We may also use:

Amplitude (product analytics and, where enabled, Session Replay);
other vendors supporting email delivery, customer support, logging/monitoring and security;
analytics providers, such as Google Analytics.

A current list of our key processors/sub-processors can be made available on request at [email protected].

8.2 Employers

We share your data with Employers only when you choose to apply or otherwise share your data with an Employer (directly or via an in-platform apply feature, where offered).

8.3 Legal disclosures

We may disclose data where required by law, by a binding request from a competent authority, or where necessary to protect rights, safety and integrity of the Service.

9. International transfers (outside the EEA)

Some service providers (e.g., analytics or payment providers) may process personal data outside the European Economic Area. Where such transfers occur, we ensure an appropriate transfer mechanism under Chapter V GDPR, such as an adequacy decision or Standard Contractual Clauses (SCCs) and, where necessary, supplementary measures. This applies in particular to OpenAI, Amplitude, and Google Analytics.

10. Data retention and deletion

We retain personal data no longer than necessary for the purposes described in this Policy (storage limitation principle).

10.1 Account deletion / right to erasure (Article 17 GDPR)

You may request deletion of your personal data by using in-account deletion controls (if available) or by emailing [email protected]with the subject line “Erasure request”. We may request additional information necessary to verify your identity. We respond without undue delay and within the time limits set by the GDPR (typically one month, extendable where permitted). If we cannot delete certain data (e.g., due to legal obligations or legal claims), we will inform you of the reason and scope.

10.2 Backups

Personal data may remain in backups for a limited period until overwritten, consistent with our backup and disaster recovery procedures.

11. Security

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 GDPR). These measures may include encryption in transit (TLS), access controls, logging and monitoring, vulnerability management and patching, and incident response processes.

12. Your rights under the GDPR

Subject to the conditions set out in the GDPR, you have the right to:

access (Article 15);
rectification (Article 16);
erasure (Article 17);
restriction of processing (Article 18);
data portability (Article 20);
object to processing based on legitimate interests (Article 21); and
withdraw consent at any time where processing is based on consent (Article 7(3)).

To exercise your rights, please contact us at [email protected].

13. Complaints (Supervisory Authority)

You have the right to lodge a complaint with the competent supervisory authority. In Poland, this is the President of the Personal Data Protection Office (UODO).

14. Changes to this Policy

We may update this Policy from time to time. We will publish the updated version on the Service and update the “Last updated” date. Where required by law, we will provide additional notice of material changes.