Privacy Policy

Effective as of: 26 April 2026
Last updated: 27 April 2026

1. Introduction

This Privacy Policy describes the principles governing the processing of personal data of users and visitors of hiddenjobs.eu(the “Service”) — the EN-language B2B side of HiddenJobs aimed at international companies hiring Polish remote talent.

The controller of personal data is:

SOLID SOFTWARE Piotr Czerwiński
Szkolna 4, 55-114 Kryniczno, Poland
Tax ID (NIP): PL9151812835

Contact: [email protected]

The Controller processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) and applicable Polish law.

2. How Personal Data Is Collected

On hiddenjobs.eu, personal data may be collected:

  • via email contact (when you reach out about a job listing, retainer, or general inquiry),
  • through the use of the Service (technical logs, analytics — see sections 3.1 and 3.5).

Providing personal data is voluntary; however, in certain cases it may be necessary to achieve a specific purpose (for example, an inquiry without a return email cannot be answered).

The Service uses cookies and localStorage solely for technical purposes (proper functioning of the website, remembering theme preference, recording the analytics consent decision). Cookies and localStorage are not used for marketing or advertising profiling. Users may change their cookie settings at any time in their browser.

The Service uses the PostHog analytics tool (infrastructure located in the European Union) only after you grant consent via the banner displayed on the site. No analytics data is collected without consent. The full scope and purposes of processing are described in section 3.5.

3. Purpose, Legal Basis and Retention Period

3.1. Ensuring the Proper Functioning of the Service

Legal basis: legitimate interest of the Controller (Article 6(1)(f) GDPR)

Purpose: ensuring security, technical operation and analysis of how the Service functions.

For this purpose, hosting-provider analytics tools operating in cookieless mode may be used. They do not write any information to the user's browser storage (no cookies, no localStorage) and serve solely to measure aggregated traffic and page performance indicators (Core Web Vitals). Use of these tools does not require separate user consent as it takes place under the legitimate interest of the Controller and does not involve storing information on the end-user device within the meaning of Art. 173 of the Polish Telecommunications Law Act and Art. 5(3) of Directive 2002/58/EC.

Retention period: until a valid objection is raised or the purpose of processing is achieved.

3.2. Email Contact and Inquiries

Legal basis: legitimate interest of the Controller (Article 6(1)(f) GDPR) — responding to inquiries and conducting business correspondence.

Purpose: answering questions about job listings, hiring services, retainers, and general inquiries.

Retention period: until the limitation period for potential claims expires.

3.3. Establishment, Exercise or Defense of Legal Claims

Legal basis: legitimate interest of the Controller (Article 6(1)(f) GDPR)

Retention period: until the limitation period for claims expires.

3.4. Data of Company Representatives

HiddenJobs may process personal data of individuals representing companies interested in cooperation or in publishing job listings on the public board.

The scope of data may include in particular:

  • first and last name,
  • business email address,
  • company name,
  • job title,
  • other information voluntarily provided in correspondence.

Purposes of processing:

  • establishing business contact,
  • presenting information about possible cooperation with HiddenJobs,
  • conducting correspondence regarding job listings or retainer cooperation.

Legal basis: legitimate interest of the Controller (Article 6(1)(f) GDPR) consisting of conducting business communication and developing cooperation with companies interested in hiring Polish remote talent.

Data may originate from:

  • the data subject directly (for example via email),
  • publicly available sources such as company websites or professional profiles.

Retention period: for the period necessary to conduct correspondence or until an objection to processing is raised.

3.5. Visitor Analytics (PostHog)

The Service uses PostHog to analyse aggregated traffic and understand how visitors interact with the Service. Data collection happens only after consent is granted via the banner displayed on the site.

The scope of collected data may include:

  • URL of the page visited and source of the visit (e.g. search engine, referring site),
  • approximate geographic location at country level (derived from the IP address, which is not stored in an identifiable form),
  • technical information about the device and browser (browser type, screen resolution, operating system),
  • an anonymous visitor identifier stored in the browser (localStorage),
  • aggregated interaction events (e.g. page navigation, clicks on outbound links).

The tool is provided by PostHog Inc. The Service uses PostHog infrastructure located in the European Union (eu.posthog.com), which means that during standard operation data is not transferred outside the European Economic Area.

The Service does not use session recording (session replay), does not employ automatic interaction capture (autocapture), and does not track user activity across different websites.

Legal basis: consent (Art. 6(1)(a) GDPR), expressed by clicking “Accept” in the consent banner. Consent may be withdrawn at any time by clearing site data (localStorage) in the browser settings. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

Purpose: analysis of aggregated traffic and interactions with the Service in order to develop the Service and better understand which content and offers resonate with visitors.

Retention period: no longer than 12 months from the date of the event, in accordance with the provider's configuration.

4. Recipients of Personal Data

To the extent necessary for the purposes described above, personal data may be shared with:

  • email service providers,
  • hosting and CDN infrastructure providers,
  • analytics service providers (in particular PostHog Inc., using infrastructure located in the European Union),
  • public authorities where required by law.

Current list of principal processors (as of 27 April 2026):

  • Vercel Inc. (USA, with EU data processing addendum and Standard Contractual Clauses) — application-layer hosting and edge CDN, plus aggregated cookieless analytics (Vercel Analytics).
  • PostHog Inc. — visitor analytics tool used only after consent, with infrastructure in the European Union (eu.posthog.com).
  • Email provider used for inbound contact correspondence — infrastructure within the European Union.

Personal data is not sold or publicly disclosed. Data is shared with third parties only to the extent necessary to fulfil the purpose for which the data subject has given consent or for which a legitimate interest exists.

5. Transfers of Data Outside the EEA

Due to the use of external service providers, personal data may be processed outside the European Economic Area (EEA).

In such cases the Controller ensures the application of appropriate safeguards required by the GDPR, in particular Standard Contractual Clauses (SCCs) or other legal mechanisms ensuring an adequate level of data protection.

6. Data Security

The Controller applies appropriate technical and organisational measures to ensure the protection of personal data, including in particular:

  • secured connections (TLS/SSL) for all traffic to and from the Service,
  • strict Content Security Policy headers limiting the origins from which scripts, styles, images and connections can load,
  • restricting access to inbound correspondence only to authorised persons,
  • safeguards protecting against unauthorised access to hosting and email infrastructure.

7. Rights of Data Subjects

Data subjects have the right to:

  • access their data,
  • rectify their data,
  • erase their data,
  • restrict processing,
  • object to processing,
  • data portability,
  • withdraw consent at any time (e.g. analytics consent — see section 3.5).

All rights can be exercised by sending a request to [email protected]. Withdrawal of analytics consent can additionally be done at any time by clearing site data (localStorage) for hiddenjobs.eu in the browser settings.

Requests are processed without undue delay, no later than 30 days from receipt.

Data subjects also have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO) or, where applicable, their local supervisory authority within the EU.

8. Technical Logs

Technical logs (including IP address, request path, user agent, date and time of request) may be automatically recorded by the hosting provider as part of the technical infrastructure in order to ensure security and proper operation. Logs are retained per the hosting provider's policy (typically 30 days), unless longer retention is required for security reasons or to investigate a specific incident.

9. Changes to the Privacy Policy

This Privacy Policy may be updated due to the development of the Service or changes in applicable law. Users will be informed of significant changes via the Service or, where applicable, electronically. The current version is always available at this URL with the “Last updated” date at the top.