Privacy Policy

1. Data Controller

In the context of using ReCo by recruiters (for example, processing their registration, billing, or contact data), the data controller is Truely sp. z o.o., with its registered office at ul. Piłsudskiego 18, 39-400 Tarnobrzeg, Poland (EU).

With regard to the personal data of candidates processed using the ReCo software, recruiters bear sole responsibility for collecting and carrying out any other data processing operations; in this capacity, they become the data controllers of candidates’ personal data. These data are stored locally on devices owned by the recruiters, and the Company neither has access to nor processes these data.

The Company does not act as a data controller or a processor (sub-processor) for candidate data. Its role is limited to providing the ReCo software.

2. Responsibility for Data Processing

ReCo is a tool made available to recruiters to facilitate the interviewing process. All candidate data is stored exclusively on the recruiters’ devices, to which the Company has no access.As the controller of candidates’ personal data, the recruiter is fully responsible for:

• Collecting, processing, and storing candidate data.
• Ensuring appropriate technical and organizational measures to protect this data.
• Communicating with candidates and informing them of their rights and the principles of data processing.
• Complying with all applicable regulations, including the GDPR.

Truely sp. z o.o. does not participate in recruitment processes or make recruitment decisions. As a software provider, it does not have access to candidate data and is not responsible for it.Any requests related to the exercise of candidates’ rights (such as the right of access, rectification, or erasure of data) must be directed directly to the recruiter.

3. Personal Data Collected by ReCo Users

Recruiters using ReCo may locally collect and process the following categories of candidates’ personal data, depending on the needs of a particular recruitment process:

• Identification data: first name, last name, email address, phone number, position, etc.
• Employment-related data: CV/resumé, information on professional experience, education, skills, and other data voluntarily provided by candidates.
• Communication Data: Correspondence between recruiters and candidates.

Candidate data is saved exclusively on the recruiters’ devices. The Company has no access to or involvement in the processing of this data.

The recruiter, acting as the data controller of the candidates’ personal data, is required, among other things, to:

• Have an appropriate legal basis for processing (e.g., the candidate’s consent or processing necessary for taking steps prior to entering into a contract).
• Process only data necessary for recruitment purposes, in line with the principle of data minimization.
• Ensure special protection in the case of processing special categories of data (e.g., health information).
• Clearly inform candidates about the storage period for their data and enable them to exercise their rights.

The Company neither conducts nor participates in recruitment processes; its role is limited solely to providing the tool (the ReCo software).

4. How ReCo Users Process Personal Data

Candidates’ personal data that recruiters collect and process using ReCo may be used, in particular, for:

• Matching candidates to job offers and generating recommendations.
• Communicating with candidates (informing them about current and future employment opportunities).
• Storing data for future recruitment processes, provided there is a valid legal basis (e.g., the candidate’s consent).

All data is stored locally on the recruiter’s devices, and the recruiter is responsible for complying with data protection regulations, including the GDPR.Specifically, the recruiter is obliged to:

• Ensure a valid legal basis (GDPR) for each purpose of processing.
• Fulfill information obligations towards candidates.
• Adhere to the principles of data minimization and purpose limitation.
• Define and enforce data retention periods.

Truely sp. z o.o. does not have access to candidates’ data and is not involved in recruitment processes.

5. Data Retention Period

The recruiter, as the data controller, decides how long candidates’ personal data will be stored on the devices where the ReCo software is installed.The recruiter is required to:

• Determine and document the data retention period in a manner consistent with data protection regulations.
• Inform candidates about the planned period of data storage.
• Erase or anonymize data once the specified retention period has passed, as well as when there is no longer a legal basis for processing.
• Respect the rights of candidates (e.g., the right to erasure, the right to restriction of processing) in accordance with the GDPR.

The Company does not control or determine the data retention period and does not participate in the process of data deletion.

6. Recruiter's Obligations Under the GDPR

As the data controller of the candidates’ personal data, the recruiter bears full responsibility for lawful data processing. In particular, the recruiter is responsible for:

• Obtaining an appropriate legal basis for each processing purpose (Article 6 GDPR).
• Informing candidates about how, why, and on what basis their data is processed, as well as the data retention period.
• Ensuring the security of the processed data.
• Respecting candidates’ rights (Articles 15–22 GDPR).
• Verifying third parties (e.g., cloud service providers) for GDPR compliance (Article 28 GDPR).

Since Truely sp. z o.o. does not participate in recruitment processes and does not process candidates’ data, any questions or requests regarding candidates’ personal data should be directed directly to the recruiter.

7. Data Security

The recruiter, as the data controller of candidates’ personal data, is responsible for implementing appropriate technical and organizational measures (Article 32 GDPR) to ensure processing security. This includes, among others:

• Using strong passwords and access controls on the devices where the data is stored.
• Regularly updating the operating system and the ReCo application.
• Employing data encryption or other methods to protect against unauthorized access.
• Training individuals who have access to the data on data protection matters.

Truely sp. z o.o. does not have insight into candidates’ data and does not participate in securing it.

Should the recruiter use third-party services (e.g., cloud backup storage), they must ensure that such third parties comply with GDPR requirements.

8. Third-Party Services

The Company does not provide personal data processing services beyond the functionalities offered by the ReCo software and does not have access to candidate data collected locally by the recruiter.If the recruiter chooses to use third-party services (e.g., cloud data storage, email services, integrations with other tools), the recruiter alone is responsible for selecting these services and ensuring their compliance with data protection regulations.In particular, the recruiter should:

• Verify the terms of cooperation with the third-party provider (for example, conclude a data processing agreement if the provider acts as a processor).
• Check whether any data transfers to third countries (outside the EEA) comply with Chapter V of the GDPR.
• Ensure that the provider has implemented appropriate security measures (Article 32 GDPR).

The Company is not liable for any actions or omissions by external service providers.

9. Rights of Candidates (Data Subjects)

Candidates have the following rights regarding the processing of their personal data by the recruiter (as the data controller):

• Right of access (Article 15 GDPR) – to obtain confirmation that their personal data is being processed and to receive a copy of that data.
• Right to rectification (Article 16 GDPR) – to request the correction of inaccurate or incomplete data.
• Right to erasure (“right to be forgotten,” Article 17 GDPR) – to request the deletion of personal data, provided there are no overriding legal grounds to retain it.
• Right to restriction of processing (Article 18 GDPR) – to request the restriction of processing in certain situations.
• Right to data portability (Article 20 GDPR) – to receive data in a structured, commonly used, and machine-readable format and to request the transfer of that data to another controller.
• Right to object (Article 21 GDPR) – to object to the processing of data based on the controller’s legitimate interests or for marketing purposes.
• Right to withdraw consent (Article 7(3) GDPR) – where processing is based on consent, it may be withdrawn at any time.
• Right to lodge a complaint with a supervisory authority (Article 77 GDPR) – to file a complaint with the competent authority (e.g., the President of the Personal Data Protection Office in Poland).

To exercise these rights, candidates should contact the recruiter directly, as the recruiter is the controller of their data.

10. Changes to This Privacy Policy

Truely sp. z o.o. may periodically update this Privacy Policy to reflect changes in the ReCo software, applicable legal requirements, or the Company’s internal policies. A new version of the Privacy Policy will be posted along with the updated “Last updated” date.

If changes significantly affect how the Company processes the personal data of recruiters (clients), the Company may also notify them separately (e.g., by email).

Recruiters are encouraged to regularly review this Privacy Policy. If changes in the ReCo software or in this Policy require modifications to the documents concerning the personal data of candidates, the recruiter is responsible for making those changes and ensuring compliance with the GDPR.

11. Contact

If you have any questions regarding this Privacy Policy—particularly about the operation of the ReCo software and its relationship with Truely sp. z o.o.—please contact us at:

‍Truely sp. z o.o.
ul. Piłsudskiego 18, 39-400 Tarnobrzeg, Poland (EU)
Email: kontakt@truely.pl

For matters related to candidates’ personal data processed in ReCo, please contact the recruiter directly, as the Company does not have access to such data and is not able to handle requests concerning its processing.