Privacy Policy

Last updated: February 27, 2026

1. Who We Are

Remote Genie AI, a company incorporated under the laws of Poland, with registered address at ul. Straganiarska 20/22/35 80-837 Gdansk (“we”, “us”, “our”), operates the online job-search platform available at https://remotegenie.ai (the “Service”).

We are the controller of personal data processed in connection with your use of the Service, within the meaning of Regulation (EU) 2016/679 (“GDPR”).

This Service is operated in compliance with the GDPR, the Polish Act of 10 May 2018 on the Protection of Personal Data, and other applicable EU legislation.

Privacy contact: [email protected]

Data Protection Officer: We have assessed that the mandatory appointment of a Data Protection Officer is not required in our current circumstances under GDPR Article 37. All privacy queries are handled by our legal team at [email protected]. We keep this assessment under review as our processing activities evolve.

2. Definitions

Term	Meaning
User (“you”)	A natural person who registers for or uses the Service.
Account	A set of credentials and settings you create to access the Service.
Personal data	Any information that directly or indirectly identifies you as a natural person (Art. 4(1) GDPR).
Processing	Any operation performed on personal data (Art. 4(2) GDPR).
Controller	The entity that determines the purposes and means of processing — us.
Processor	A third party that processes data on our behalf under a documented data-processing agreement.
Cookies	Small text files stored on your device to enable, improve, and analyse use of the Service.
AI Features	Tools and capabilities of the Service based on artificial intelligence or automated data processing, used to personalise job matching and recommendations for you.

3. Data Minimisation and Accuracy

We collect only the personal data that is necessary for the purposes described in this Policy (GDPR Art. 5(1)(c)). We take reasonable steps to keep personal data accurate and up to date. You can review and update your profile information at any time through Account settings.

4. Scope and Legal Basis

This Policy applies to all personal data we collect and process in connection with the Service. The legal bases we rely on under Article 6 GDPR are:

Legal basis	When we use it
Art. 6(1)(b) — Contract	Processing necessary to provide the Service: managing your account, delivering job-search and AI matching features, processing payments, sending transactional messages.
Art. 6(1)(c) — Legal obligation	Processing necessary to comply with applicable law: accounting records, tax obligations, responding to lawful authority requests.
Art. 6(1)(f) — Legitimate interests	Platform security, fraud prevention, and improving the Service through analytics. We have conducted a Legitimate Interests Assessment (LIA) for each such purpose; a summary is available on request at [email protected].
Art. 6(1)(a) — Consent	Optional marketing communications and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.

5. Data We Collect

5.1 Account Data

Email address, cryptographic password hash (we never store your password in plain text), authentication identifiers (including temporary OAuth tokens used during sign-in flows — not stored after authentication completes), account creation date, and subscription status.

5.2 Profile and Job-Preference Data

Name, professional title, skills, desired location, preferred seniority level, job categories of interest, and any other information you voluntarily provide in your profile.

5.3 Usage Data

Interactions with the platform (searches performed, jobs viewed, companies browsed, filters applied), pages visited, language and locale settings, and session-level diagnostics. Referrer URLs are recorded and may incidentally contain personal data (e.g., where you arrived from a personalised link).

5.4 Technical Data

IP address, request timestamps, cookie identifiers, approximate geographic location derived from IP (city-level precision), browser type and version, device type and operating system, and standard web-server log data.

5.5 Payment Data

We collect limited billing metadata only: your chosen subscription plan, transaction status, invoice dates, and masked card details (last 4 digits and card brand) as returned by Stripe. We never receive or store your full card number, CVV/CVC, or card expiry date.

5.6 Communications

Messages you send to our support team and your stated marketing preferences.

6. Payment Processing — Stripe

Payments are processed exclusively by Stripe, Inc. (“Stripe”), a certified PCI DSS payment infrastructure provider.

When you enter payment details into Stripe's hosted checkout form, those details are transmitted directly to Stripe over an encrypted connection. Stripe acts as an independent data controller for the payment data you submit to its forms.
For billing-related data we share with Stripe to manage subscriptions, Stripe acts as our data processor under a Data Processing Agreement that meets GDPR Article 28 requirements.
We inform you that Stripe processes your payment data subject to Stripe's Privacy Policy.
Stripe is certified under the EU–US Data Privacy Framework, providing a valid transfer mechanism for personal data transferred to the United States.
We receive only the tokenised representation and billing metadata described in section 5.5.

7. How We Use Your Data

Purpose	Legal basis
Creating and managing your Account	Art. 6(1)(b) — contract
Providing job-search and AI matching features	Art. 6(1)(b) — contract
Processing subscriptions, payments, invoices	Art. 6(1)(b) — contract
Sending transactional messages (sign-in confirmations, payment receipts, account notifications)	Art. 6(1)(b) — contract
Sending subscription renewal reminders (at least 7 days before each renewal)	Art. 6(1)(b) — contract
Delivering personalised job recommendations using AI Features	Art. 6(1)(b) — contract
Fraud prevention and security monitoring	Art. 6(1)(f) — legitimate interest
Platform analytics and service improvement (using anonymised or aggregated data)	Art. 6(1)(f) — legitimate interest
Compliance with legal obligations (tax, accounting, court orders)	Art. 6(1)(c) — legal obligation
Sending marketing emails and newsletters	Art. 6(1)(a) — consent

8. AI Features and Automated Processing

When you use AI-powered features (job matching, search ranking, recommended jobs), your profile data and search inputs are processed automatically to generate personalised results.

Automated decision-making

These recommendations are informational — they help you discover relevant opportunities but do not produce binding decisions. We consider that this processing does not constitute automated decision-making with legal or similarly significant effects within the meaning of GDPR Article 22, because: (1) recommendations are non-binding and you may apply to any job regardless of ranking; (2) no employment decisions are made by the Service; and (3) no profile is created for purposes beyond job-search assistance.

Nonetheless, you may at any time request a human review of how AI Features have been applied to your profile by contacting [email protected]. We will respond within 30 days.

AI model training: We do not use your personal data to train any AI models, whether public or private. Data used to improve the accuracy of our recommendation algorithms is processed only in pseudonymised or aggregated form.

9. Information Sharing

We do not sell your personal data. We share data only in the following circumstances.

9.1 Processors

We use the following third-party service providers acting on our documented instructions under GDPR-compliant data-processing agreements:

Category	Provider	Data processed
Authentication & database	Firebase / Google LLC (US)	Account credentials, profile data, session tokens
Payment processing	Stripe, Inc. (US)	Billing metadata, subscription status
Cloud hosting & infrastructure	Coolify (self-hosted)	All data stored on the platform
Transactional email	SendGrid / Twilio Inc. (US)	Email address, message content
Analytics	Google Analytics / Google LLC (US)	Usage data, technical data (anonymised)

All processors are bound by data-processing agreements. Processors may engage sub-processors provided they maintain equivalent data protection obligations. Where processors transfer data outside the EEA, an appropriate transfer mechanism is in place (see Section 13).

9.2 Legal obligations

When disclosure is required by law, court order, or a lawful request from a competent public authority (including tax authorities for invoice data).

9.3 Business transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. You will be notified in advance of any such transfer and of any material change to how your data is processed.

10. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law:

Data category	Retention period
Active account data	For the lifetime of your Account
Deleted account data	Deleted within 30 days of receiving your request; data no longer needed for statutory purposes is irreversibly destroyed
Accounting and tax records	5 years from the end of the relevant financial year (Polish Accounting Act)
Server and access logs	90 days from the date of recording
Support communications	3 years from the date of last contact, or until account deletion if earlier
Backup copies	Overwritten or destroyed within 60 days of the associated account deletion
Anonymised analytics data	May be retained indefinitely (no longer constitutes personal data)

You can request deletion of your Account at any time via Account settings or by emailing [email protected].

11. Cookies

We use cookies for the following purposes:

Category	Examples	Expiry	Consent?
Strictly necessary	Session token, CSRF protection, load-balancing	Session or up to 1 year	No
Functional	Saved filters, locale preference	Up to 1 year	No
Analytics	Google Analytics (visitor counts, behaviour)	Up to 2 years	Yes
Marketing	Google Ads conversion tracking	Up to 90 days	Yes

On your first visit you will be shown a cookie-consent banner. You may accept all, accept strictly necessary only, or customise by category. You can change your preferences at any time via the cookie settings link in the site footer. Strictly necessary cookies cannot be disabled; the Service cannot function without them.

Google Analytics: We use Google Analytics to understand aggregate usage patterns with IP anonymisation enabled to minimise personal data transmitted. As the operator embedding Google Analytics, we may be considered joint controllers with Google for the initial data collection phase (CJEU, Case C-40/17). This joint controller relationship is governed by Google's Controller-Controller Data Protection Terms. Data transferred to the US is governed by Standard Contractual Clauses and Google's EU–US Data Privacy Framework certification.

Third-party policies: Google · Google Ads

12. Security

We implement appropriate technical and organisational measures to protect personal data, including:

TLS/HTTPS encryption for all data in transit.
Encryption at rest for all personal data stored in the database.
Access controls and principle of least privilege for internal systems.
Periodic security reviews and dependency audits.

Data breach notification

In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you without undue delay by email to your registered address, as required by GDPR Article 34. We will also notify the Polish supervisory authority (UODO) within 72 hours of becoming aware of a qualifying breach, as required by GDPR Article 33.

If you suspect a security incident involving your Account, report it immediately to [email protected].

13. International Data Transfers

Our primary infrastructure is located within the EEA. Where we engage processors that transfer data outside the EEA, we ensure an appropriate safeguard is in place under GDPR Chapter V:

Processor	Country	Transfer mechanism
Stripe, Inc.	United States	EU–US Data Privacy Framework (adequacy decision)
Firebase / Google LLC	United States	Standard Contractual Clauses + Transfer Impact Assessment
Google Analytics	United States	Standard Contractual Clauses + Transfer Impact Assessment
SendGrid / Twilio Inc.	United States	Standard Contractual Clauses + Transfer Impact Assessment

For transfers governed by Standard Contractual Clauses, we have conducted Transfer Impact Assessments (TIAs) to verify that the legal environment in the destination country does not undermine the protection the SCCs provide. TIA summaries are available on request at [email protected].

14. Children's Privacy

The Service is not intended for persons under 18 years of age. We do not collect personal data from persons under 18. If we become aware that an Account belongs to a person under 18, we will delete it and all associated personal data without undue delay. If you believe a minor has provided personal data, contact us at [email protected].

15. Your Rights Under GDPR

As a data subject you have the following rights, exercisable free of charge:

Right	Description
Access (Art. 15)	Obtain confirmation of whether we process your data and receive a copy.
Rectification (Art. 16)	Request correction of inaccurate or completion of incomplete data.
Erasure (Art. 17)	Request deletion (“right to be forgotten”), subject to legal retention obligations.
Restriction (Art. 18)	Request that we restrict processing in certain circumstances.
Portability (Art. 20)	Receive your data in a structured, machine-readable format.
Objection (Art. 21)	Object to processing based on legitimate interest, including profiling for direct marketing.
Withdraw consent (Art. 7(3))	Withdraw any consent at any time, without affecting prior lawful processing.
Human review of AI (Art. 22)	Request human review of how our AI Features have been applied to your profile.

To exercise your rights, email [email protected] from your registered email address, including your account username. We will respond within 30 days (extendable to a maximum of 3 months in total for complex or numerous requests, with prior notice to you explaining the reason).

Right to Lodge a Complaint

If you believe we have violated your rights, you may lodge a complaint with the Polish supervisory authority:

Prezes Urzędu Ochrony Danych Osobowych (UODO)

ul. Stawki 2, 00-193 Warszawa, Poland

Website: https://uodo.gov.pl

Email: [email protected]

Phone: +48 22 531 03 00

You may also lodge a complaint with the supervisory authority of your EU member state of habitual residence.

16. Changes to This Policy

We may update this Policy periodically. The “Last updated” date at the top reflects the current version. We will notify you of material changes via email and a prominent notice in the Service at least 14 days before the changes take effect.

For processing based on contractual necessity or legitimate interests, continued use of the Service after the effective date constitutes acceptance. For processing that requires your consent, material changes will require you to provide fresh consent before the new processing begins — continued use does not constitute consent.

17. Contact

For all privacy-related questions and data subject requests:

Remote Genie AI
Email: [email protected]
Website: https://remotegenie.ai