Privacy Policy.
Last updated · 3 June 2026
This notice explains, in plain terms, what we do with personal data — whether you are a hiring company, a candidate, or a newsletter subscriber. If anything is unclear, email iustin.potolinca998@yahoo.com.
1. Who we are
Hireloom is a founder-led IT recruitment business operated by Georgiana Ionela Bordeianu, based in Iași, Romania. For the purposes of the EU General Data Protection Regulation (GDPR) and Romanian Law no. 190/2018, we are the data controller for the personal data described below — for both candidates and hiring-company contacts.
Trade-register (ONRC) and fiscal (CUI) identification of the operating entity are provided on request and will be published here once finalised. You can reach us about any privacy matter at iustin.potolinca998@yahoo.com.
We are a small, founder-run operation. We have not appointed a statutory Data Protection Officer because we do not meet the thresholds in GDPR Art. 37 (we do not carry out large-scale systematic monitoring or large-scale processing of special-category data) and we do not process Romanian national identification numbers (CNP). We keep this under review and provide the contact point above for all privacy questions. As a controller established in the EU, we are not required to appoint an EU representative.
2. What personal data we collect
We collect only what you give us, grouped by who you are:
- Candidates (role application, the spontaneous “For candidates” form, or contact): your name, email, LinkedIn or profile URL, location, the technologies and skills you work with, your engagement preferences (permanent / contract), any message you write, and your CV file (PDF or DOCX) and everything it contains.
- Hiring companies: your name, work email, company, the role and the brief you send us.
- Newsletter: your email address only.
Please do not include special-category data in your CV. A CV or a free-text message can unintentionally reveal data that the GDPR treats as sensitive (Art. 9) — for example health or disability, racial or ethnic origin, religious or political beliefs, trade-union membership, or sexual orientation (a photo, a date of birth, or a national ID number can imply these). We do not ask for this data and ask you not to provide it; see section 5. We do not use advertising or profiling cookies (section 11).
3. How we collect your data
We obtain personal data in two ways:
- Directly from you (GDPR Art. 13): the contact form, the per-role application form, the spontaneous candidate form, the CV upload, and the newsletter sign-up.
- By sourcing (GDPR Art. 14): when we proactively identify potential candidates, we may collect limited professional information from public professional networks and job boards (for example LinkedIn). Where we source your data this way, we will give you this information at our first contact and at the latest within one month, tell you the source, and you can object at any time (see section 9).
4. Why we use your data, and our legal basis
We match each purpose to a lawful basis under GDPR Art. 6. The legal basis to process your data and the safeguard for any cross-border transfer (section 7) are separate things; both apply where relevant.
- Sourcing, assessing and matching candidates, and contacting you about roles — our legitimate interests (Art. 6(1)(f)): the interest of Hireloom and of our hiring-company clients in connecting suitable talent with roles, which candidates reasonably expect a recruiter to do. We have carried out a balancing test (legitimate-interests assessment), available on request.
- Putting a candidate forward for a specific role — steps taken at your request before a possible engagement (Art. 6(1)(b)) may also apply.
- Keeping your CV and details for future roles (talent pool), and the newsletter — your consent (Art. 6(1)(a)), captured separately, never pre-ticked, and withdrawable at any time without affecting processing already carried out.
- Responding to hiring-company enquiries — legitimate interests and/or steps prior to a contract (Art. 6(1)(f) / (b)).
5. Special-category data in CVs
We do not seek special-category data (Art. 9) and we do not use it to screen or assess you. No field on our forms asks for it. If such data appears incidentally in a CV or message, we do not rely on it, and we will not share it with a client unless an Art. 9 condition applies — normally your explicit consent (Art. 9(2)(a)). CV files are held in a private, access-controlled storage bucket in the EU (section 12). Given that we routinely process CVs, we have considered whether a data protection impact assessment is required and keep that under review. We also ask Romanian candidates to redact any national ID number (CNP) from documents.
6. Who we share your data with
There are two distinct kinds of recipient:
- Hiring-company clients (recipients / independent controllers). Sharing relevant candidate profiles — and, where appropriate, CVs — with our clients is a core purpose of our service. When we put you forward for a specific role we tell you, and a client becomes an independent controller of your data once they receive it, under their own privacy policy. Placements span Romania, Israel, Brazil, Germany, Portugal, Ukraine, Azerbaijan, India and Poland.
- Processors that run this site and our communications, acting only on our instructions under data processing agreements: Supabase (EU-region database and private CV storage, with its own sub-processors), Resend (transactional email, United States), Vercel (hosting and CDN, United States), and Cloudflare (domain and DNS, United States).
We do not sell your personal data and we do not share it with advertising or profiling networks.
7. International data transfers
Our primary data store is in the European Union. Two kinds of transfer outside the European Economic Area (EEA) can occur:
- To our US processors (Resend, Vercel, Cloudflare): we rely on appropriate safeguards — the European Commission’s Standard Contractual Clauses in each processor’s data processing agreement and, where the provider is certified, the EU-US Data Privacy Framework.
- To hiring-company clients abroad: where we put you forward for a role in a country covered by a European Commission adequacy decision, no further step is needed. Where the country is not covered by an adequacy decision, we rely on Standard Contractual Clauses (with a transfer risk assessment) or, only as a genuine exception, your explicit consent to be put forward for that specific role (Art. 49(1)(a)).
You can ask us for a copy of the safeguards we use at iustin.potolinca998@yahoo.com.
8. How long we keep your data
- Unsuccessful or inactive candidates: deleted or anonymised within 6 months, unless you have asked us to keep your details in our talent pool.
- Talent pool (consent-based): kept for up to 12 months, after which we delete your data or ask you to renew your consent. You can withdraw at any time.
- Candidates in an active process: for the duration of that engagement. Your CV follows the same clock as your candidate record.
- Hiring-company contacts: for the duration of our relationship plus a reasonable record-keeping period.
- Newsletter: until you unsubscribe.
Where a fixed period is not possible we apply these criteria and delete or anonymise data once it is no longer necessary (Art. 5(1)(e)). To have your CV and application deleted at any time, email iustin.potolinca998@yahoo.com.
9. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you (Art. 15);
- have inaccurate data corrected (Art. 16);
- have your data erased (Art. 17);
- restrict how we process your data (Art. 18);
- receive data you gave us in a portable format, where processing is by consent or contract and carried out by automated means (Art. 20);
- object to processing based on our legitimate interests — including our sourcing of candidates — and to any direct marketing (Art. 21);
- withdraw consent at any time, for the talent pool and the newsletter, without affecting processing already carried out (Art. 7(3)).
To exercise any of these, email iustin.potolinca998@yahoo.com. There is no charge, we respond within one month (Art. 12(3)), and we may ask you to confirm your identity before we act.
10. Automated decision-making
We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects (Art. 22). A human — Georgiana Bordeianu — reviews and decides on every shortlisting; any filtering or matching is decision-support only, with meaningful human review. If we ever introduce automated screening, we will tell you the logic, its significance and consequences, and your right to human intervention.
11. Cookies and analytics
We use only strictly necessary cookies — authentication and session cookies in the private admin area — and no advertising, tracking, profiling, or third-party analytics cookies, so no consent banner is required under the ePrivacy rules (Romanian Law no. 506/2004). We run no analytics today; any future analytics will be privacy-friendly and cookieless. Full detail is in our Cookie Policy.
12. How we keep your data secure
We apply security measures proportionate to a small operation (Art. 32): CV files are held in a private storage bucket with no public URLs, reachable only through short-lived signed links; row-level security on the database; encryption in transit and at rest; access limited to the recruiter; and processors bound by data processing agreements.
13. Personal-data breaches
If a personal-data breach occurs, we will notify the supervisory authority (ANSPDCP, section 16) without undue delay and, where feasible, within 72 hours where the breach is likely to result in a risk to your rights and freedoms (Art. 33), and we will inform you without undue delay where it is likely to result in a high risk to you (Art. 34).
14. Information for US residents
Hireloom is an EU business and does not meet the applicability thresholds of the California Consumer Privacy Act (CCPA/CPRA) or the other US state privacy laws. As a courtesy: the categories of personal information we handle are identifiers (name, email) and professional/employment information (CV, skills, preferences, LinkedIn), collected directly from you and used to respond to enquiries, assess candidates, and share relevant profiles with hiring-company clients. We do not sell your personal information and we do not share it for cross-context behavioral advertising. US residents can email us to access or delete their data and will not be treated differently for exercising those rights.
15. International users and children
This site is operated from Romania (EU) for a professional audience across the EU, the UK, the US, Israel and Brazil. By submitting information from outside the EU you understand that your data is transferred to and processed in the EU and by the US processors listed in section 7.
The site is for working professionals and hiring companies and is not directed at children. We do not knowingly collect data from anyone under 16 (the age of digital consent in Romania). If you believe a child has provided us data, email us and we will delete it.
16. Complaints and the supervisory authority
We hope to resolve any concern directly — please contact us first. You also have the right to lodge a complaint with a supervisory authority. Our lead authority is the National Supervisory Authority for Personal Data Processing (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal — ANSPDCP), B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania; anspdcp@dataprotection.ro; www.dataprotection.ro. EU users may also contact their local authority, and UK users the Information Commissioner’s Office (ico.org.uk).
17. Accessibility
We aim to meet WCAG 2.2 Level AA. If you have trouble using the site or need information in an alternative format, email iustin.potolinca998@yahoo.com and we will help.
18. Changes to this policy
We may update this policy as the business or the law evolves. The “last updated” date at the top reflects the current version, and we will signal material changes. Questions about this policy or your data: iustin.potolinca998@yahoo.com.