Using ReverseApply (referred to as "Platform", "we", "us") involves the processing of your personal data. We are committed to Total Privacy (our core principle of processing only what is strictly necessary and giving you granular control over your data): facilitating connections between companies and job seekers to close matches efficiently and without spam.
Data Controller
The Data Controller is ReverseApply, operating from Zürich, Switzerland. Until our formal incorporation as a Swiss GmbH, you can contact us at [email protected]. We process personal data in accordance with the GDPR and, where applicable, the Swiss Federal Act on Data Protection (FADP).
We have not appointed a Data Protection Officer as we are not legally required to do so at this time.
Privacy at a Glance
ReverseApply connects job seekers with companies to help find the right opportunities.
We collect information like your email, skills, and job preferences to make matching possible.
This data helps us suggest relevant jobs to you and help companies discover candidates.
You are in control: you can view, edit, delete, or export your data and manage your cookie and marketing preferences.
We protect your information with strong encryption, secure servers, and trusted providers, following GDPR and Swiss data laws.
Legal Basis for Processing
We process personal data on the following legal bases:
Performance of Contract: To provide the Service (matching, application management).
Consent: For optional cookies and specific marketing features.
Legitimate Interest: Our legitimate interests include ensuring platform security, preventing fraud, and improving the Service. We have assessed that these interests do not override your fundamental rights and freedoms, as they are essential to providing a safe and functional platform for all users.
Profiling & Automated Matching:
We use automated profiling to suggest suitable job matches based on:
Skills and certifications you've added to your profile
Education history and qualifications
Languages you speak
Country and location preferences
This profiling helps us show you relevant job opportunities and helps companies discover suitable candidates. These are assistive recommendations only — you remain in full control of which opportunities to pursue, and no legally significant decisions are made solely by automated means.
This processing is necessary for the performance of the contract (providing the matching Service).
Categories of Personal Data
We may process the following categories of personal data:
Account Data (Email address, profile settings)
Voluntarily Provided Professional Data (CVs, job preferences)
Company Data (Business name, address, history, logos, job postings) used to verify legitimacy and facilitate hiring.
Technical Data (IP address, device info, access logs)
Usage Data (Matching results, AI-generated features)
We do not knowingly process personal data of children under 16 years of age.
Mandatory and Optional Data
To use ReverseApply, certain data is required, while other data is optional:
Required Data
Email address (for account creation and authentication)
Basic profile information (location) when activating your profile
Without this data, we cannot create or maintain your account or provide the core matching Service.
Optional Data
Skills, certifications
CV uploads and AI-assisted profile generation
Open to work status
Providing more detailed information improves matching accuracy but is entirely your choice.
Data Retention
Personal data is retained only for as long as necessary to provide the Service.
Retention Periods:
• User Profile & Account Data: Retained for the duration of your account. Deleted or anonymized immediately upon account deletion.
• Analytics Data (GA4): User-level and event-level data associated with cookies is retained for 14 months (standard Google Analytics retention period).
• Backups: Encrypted backups are retained for up to 90 days for resilience and disaster recovery.
• Legal Requirements: Records required by law (e.g., tax, fraud prevention) may be retained for statutory periods.
Your Rights under GDPR
We operate in strict compliance with the General Data Protection Regulation (GDPR). As a user, you have the following fundamental rights:
Right of Access: You can view the data we hold about you in your profile and request a full copy anytime in your dashboard by clicking on the top-right menu and then clicking "Export my data".
Right to Erasure ('Right to be Forgotten'): You can delete your account and all associated data at any time via Profile settings.
Right to Rectification: You can request correction of inaccurate or incomplete personal data.
Right to Restriction of Processing: You can request limitation of processing under certain circumstances.
Right to Object: You may object to processing based on legitimate interest at any time.
Data Portability: You can request a machine-readable export (JSON format) of your data.
Right to Withdraw Consent: Where we process your data based on consent (e.g., marketing cookies, optional features), you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. You can withdraw consent via Cookie Settings or by contacting us.
Right to Lodge a Complaint: You have the right to lodge a complaint with a competent supervisory authority if you feel your personal data has been processed unlawfully. You may in particular contact your local data protection authority in the EU/EEA or the Swiss Federal Data Protection and Information Commissioner (FDPIC).
Data Security & Encryption
Security is a high priority for us. We implement appropriate technical and organizational measures, including encryption at rest, TLS 1.3 encryption in transit, and Application-Layer Encryption (sensitive data like emails and messages are encrypted using AES-GCM 256-bit before storage). We minimize data exposure by using internal identifiers (Pseudonymization) protected by strict Role-Based Access Control (RBAC) and continuous monitoring.
International Data Transfers
We process your data within the European Union. When you access the Platform from outside the EEA, the data is displayed to you wherever you are located. This is a functional display of data you request, not a controller-initiated transfer. Our primary infrastructure and data processing remain within the EU.
Regarding our vendors: we primarily use providers within the EU. If we engage a third-party processor outside the EEA in the future, we will ensure GDPR compliance via mechanisms like Standard Contractual Clauses issued by the European Commission.
Data Processing & Subprocessors
We use trusted third-party providers to host our infrastructure and provide essential services. These providers act as data processors under GDPR and process data only on our instructions. Our current subprocessors include Microsoft Azure (hosting/AI) and Google Ireland Ltd. (analytics/marketing).
Company Accounts and Uploaded Content
When companies create accounts and upload content (such as job postings, logos, descriptions, or contact details), they may include personal data relating to their employees or representatives. In this context, companies act as independent data controllers for such personal data, and ReverseApply acts as a data processor, processing this data solely on the company's documented instructions and pursuant to a Data Processing Agreement (DPA) for the purpose of providing the Platform. This processor relationship applies only to personal data included in company-uploaded content (job postings, company descriptions, employee contact details), not to user profile data.
Companies are responsible for ensuring they have the legal right to upload and publish any personal data included in their content.
Azure OpenAISwitzerland North / Sweden Central
We use Azure OpenAI Service for AI feature extraction. We opted for deployments in Switzerland (recognized as adequate by the EU) and Sweden to ensure strict adherence to EU privacy standards. Prompts and completions sent to Azure OpenAI are not used to train or improve Microsoft's or OpenAI's foundation models and are processed under Microsoft's data protection terms.
Recipients and Categories of Recipients
We share personal data only when necessary with the following categories of recipients:
Cloud Infrastructure Providers: For hosting and data storage (Azure, EU region)
Email Service Providers: Mailgun for transactional emails (registration, notifications)
AI Services: Azure OpenAI (Switzerland/Sweden deployments) for profile extraction and matching
Marketing & Analytics Partners: Google AdSense (Marketing) and Google Analytics 4 (Analytics).
Legal & Regulatory Authorities: When required by law or to protect our rights
All third-party processors are bound by data processing agreements and process data only on our instructions.
Cookie Policy
We use cookies to ensure the proper functioning of the Platform. To support our service and understand how users find us, we use Google Analytics 4 (GA4) and Google AdSense.
Privacy-First Measurement: We use Google Consent Mode v2. By default, all tracking is disabled. However, to help us measure the success of our social media outreach, GA4 sends anonymous \"cookieless pings\" that allow us to count page views without tracking your identity or setting cookies. Full tracking and personalized advertising are only activated when you explicitly consent via the Google AdSense privacy banner.
Strictly Necessary: Required for authentication, security, and session management. These cannot be disabled.
Functional: Used to remember your app preferences (e.g. theme). These are optional but enhance your experience.
Google Analytics & AdSense
We use Google AdSense and Analytics. Google acts as an independent data controller for advertising purposes. We rely on Google's Consent Management tools to handle your privacy preferences regarding tracking and personalized ads. You can modify these choices at any time via the Ad Privacy settings. For more information, please visit Google's Privacy & Terms.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will revise the Effective Date at the top of this page. Continued use of the Platform after changes become effective constitutes your acknowledgment of the updated Privacy Policy. Where required by law (e.g., for material changes affecting your rights or processing purposes), we may seek your explicit consent before the changes take effect.
This is the original English version, produced with the assistance of AI tools. The English version remains the legally binding text.