The Nejo Privacy Policy

Your privacy is important to us!

In this privacy policy, we inform you about the key aspects of data processing on our website. We want you to know exactly how we handle your data.


Across all use cases, Nejo follows a strict data minimization principle: we request and process only the minimum information necessary to provide the explicitly requested function and do not collect data ‘just in case’ or for unrelated purposes.


Last updated: 08.01.2026

Who we are and who this policy applies to

Nejo FlexCo (referred to as: "Nejo", "we" or "us") is responsible for processing your personal data when you use our products and services.


This privacy policy is addressed to various groups of people:

  • Website visitors: Anyone who visits our website
  • Employers: Contact persons of our customers and business contacts

This privacy policy applies to https://mynejo.com as well as to all websites that link to this privacy policy.

Using Nejo via Third-Party Platforms (e.g., ChatGPT)

Nejo can also be used via third-party platforms, e.g., AI platforms like ChatGPT. When you use Nejo via such a third-party platform, we process your inputs and the information derived from them to provide you with the desired functionality (e.g., job search, job recommendations, application assistance).


Nejo only processes the specific content snippets that are intentionally transmitted by the third-party platform for the requested function. We do not request, reconstruct, infer, or store the full conversation history or any other contextual data from the platform beyond what is explicitly provided for the task.


When you use Nejo via ChatGPT or a similar third-party platform, we generally process the inputs without association to a Nejo user account. We do not attempt to identify you, and we do not merge this data with existing Nejo profiles.


In this context, Nejo does not transmit any personal data to the third-party platform provider. The return of results (e.g., job suggestions) is done exclusively in the form of content responses within the platform.


Nejo does not collect, solicit, or process restricted data when used via third-party platforms. This includes, in particular, payment card information, government identifiers, health data, authentication credentials (such as passwords, API keys, or one-time codes), or other data categories prohibited under applicable platform policies.


Please note: The privacy policies and terms of use of the respective third-party platform (e.g., ChatGPT/OpenAI) additionally apply to the processing of your data by that platform. Nejo is responsible for processing the data that we receive and process as part of the Nejo functionality; the third-party provider is responsible for data processing within its platform.


Details on the specific categories of data processed, storage periods, and deletion rules when using Nejo via ChatGPT are described below under ‘What data do we process – Using Nejo via ChatGPT or similar third-party platforms’.

What is personal data?

Personal data refers to all information that relates to you as an identifiable person. Which of your data we process depends on:

  • which of our services you use
  • which voluntary consents you have given us
  • which data you enter yourself

Basis of our data processing

We take the protection of your data very seriously. Your personal data is treated confidentially and in accordance with legal regulations.


We collect and process your personal data only on the basis of legal provisions (in particular the General Data Protection Regulation (GDPR) and the Telecommunications Act 2003).


If we do not explain certain technical terms in this privacy policy, the definitions of the EU General Data Protection Regulation (GDPR) apply. This is REGULATION (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.

We process your personal data for the following purposes and on the following legal bases:

  • To create and manage your user account. Legal basis: Art. 6(1)(b) GDPR (contract performance)
  • To analyze your resume to create personalized job recommendations and for the "1-Click Application" functionality. Legal basis: Art. 6(1)(a) GDPR (consent)
  • To improve our AI algorithms (only anonymized data). Legal basis: Not applicable, as no personal data is processed (see Recital 26 GDPR)
  • To send email notifications (e.g., job alerts, tips). Legal basis: Art. 6(1)(a) GDPR (consent)
  • For abuse detection and security of our services. Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
  • To analyze usage data for product improvement and further development of our platform. For non-logged-in users, this is done only with consent via our cookie banner (Art. 6(1)(a) GDPR). For logged-in users, we process usage data based on our legitimate interest in improving our product (Art. 6(1)(f) GDPR). We ensure that your rights and freedoms are preserved – particularly through pseudonymization and data minimization.

For contact persons of our business customers and contacts, we process data for:

  • Support in the recruiting process
  • Support with employer branding strategy

What data do we process

Here you can find details about which personal data we process in the various areas of our platform, why we need it, and how long we store it.

Profile creation and account data - Required information

Create & manage account

When you create a Nejo account, we process your first name, your email address, and a password you set, which we store encrypted. We use this data to create your account, log you in, and send you operationally necessary information about your account (e.g., registration confirmation, password reset).

Registration logs

For security purposes and to document your registration, we store the time of confirmation and the associated IP address.

Social Login (Google, LinkedIn, Facebook, Apple)

If you log in via one of these providers, we typically receive your name and email address from them. You then do not need a password for Nejo. Changing your email address within Nejo is not possible for social login accounts; please use the respective provider’s change functions if needed.

Legal basis

Contract performance or pre-contractual measures (Art. 6(1)(b) GDPR); security and fraud prevention legitimate interest (Art. 6(1)(f) GDPR).

Storage duration

As long as your account is active. If you are inactive for 24 months, we will remind you by email. If you do not respond, we will irrevocably delete your account (including registration logs) after another 6 months, unless legal obligations prevent this.

Profile creation and account data – Voluntary information

Voluntary profile data for job search & application

You can store additional information in your profile to improve your job search or fill out applications more quickly. This includes, for example, phone number, address, date of birth, nationality, education, work experience, skills, certificates (and other professional information).


For job recommendations, we only use job-related information such as education, work experience, skills and certificates, and language skills. We do not use: name, address, email, phone number, nationality, date of birth/age, or other identifying contact information for algorithmic matching.

1-Click Application

When you apply, we show you before sending which data from your profile will be transmitted to the employer. You actively confirm this transmission.

Search with Resume

When you upload your resume, we store the file encrypted in our EU cloud (Azure Germany). We extract only the matching-relevant information mentioned above and do not store sensitive categories separately. Please do not upload confidential or sensitive data that is not required for your application.

Search with AI Chat

To use this function, we ask for your separate consent. Important note: The "Search with AI Chat" function is classified as a high-risk AI system under the EU AI Act. As the provider of this system, Nejo FlexCo is responsible for compliance with all regulations.


What data do we process?


As part of the AI chat function, we only process job-related information that you share in the chat conversation with our AI assistant:

  • Career path and career trajectory
  • Education and qualifications
  • Skills and competencies
  • Language skills
  • IT and technical knowledge
  • Project and industry experience
  • Desired work location

Important: We NEVER ask for personal identification data such as name, phone number, email address, nationality, date of birth, age, or home address. Please do not share such information in the AI chat.


Recipients, data processing, and data locations


For processing your chat inputs, we use selected service providers as part of data processing pursuant to Art. 28 GDPR. Your data is processed exclusively on servers within the European Union.


We currently engage:

  • Microsoft Azure (EU) for hosting and data processing
  • OpenAI, L.L.C. as a sub-processor of Microsoft in connection with Azure OpenAI
  • Google Cloud (EU) for AI-powered analysis and processing functions
  • Anthropic (EU) for AI-powered analysis and processing functions

Data processing agreements exist with both service providers to ensure GDPR-compliant processing. We configure processing to occur within the EU. If in individual cases (e.g., for support/error analysis or depending on the service/deployment used) a transfer to third countries cannot be excluded, this only occurs on the basis of appropriate safeguards (e.g., standard contractual clauses).


Legal basis


Processing is based exclusively on your explicit consent (Art. 6(1)(a) GDPR). You can revoke this consent at any time.


Storage duration


You can delete your chat data at any time via your profile settings on Nejo. All personal data will then be immediately and irrevocably deleted by us. Even if you do not revoke your consent, we only store your data for a certain maximum period:

  • Chat history and extracted data: 18 months after last use of the AI chat function
  • Anonymized training data: Unlimited (as there is no longer any personal reference)

The storage periods start anew each time you use the AI chat function.


You can find out how the AI chat function works in detail and how job recommendations are made based on it in our Terms of Use.


Important: No automated decisions


Our job recommendations are based on automated evaluations of your chat information (profiling). These recommendations serve solely for your orientation – you make every final decision yourself.

Legal basis

Insofar as the information is required to provide your desired functions (job search, application): contract performance / pre-contractual measures (Art. 6(1)(b) GDPR). For additional, purely voluntary data: your consent or usage action (Art. 6(1)(a) GDPR).

Storage duration

As long as your account exists; when you delete your account, we delete your profile data and CV files (see deletion periods below).

System notifications (non-optional)

We send you certain emails that are necessary for using your account – e.g., registration confirmation, password reset, notification when your resume has been processed and personalized suggestions are ready, as well as security or legally relevant communications (e.g., changes to terms of use or privacy policy).


You cannot unsubscribe from these system emails.


We do not collect opening or click data. To ensure deliverability, we store sending times and technical status information as long as your account exists.

Sending & Hosting

These system-relevant emails are sent via:

  • Azure Communication Services (Germany region) for certain transactional emails such as password reset and job notifications
  • Customer.io for other system-relevant emails

In doing so, we transmit your email address to the respective service providers as processors pursuant to Art. 28 GDPR. Data processing takes place exclusively on EU servers. Data processing agreements have been concluded with both service providers.

Legal basis

Contract performance (Art. 6(1)(b) GDPR) and legitimate interest in the secure and reliable provision of our services (Art. 6(1)(f) GDPR).

"Search with Resume (CV)" and "1-Click Application" functions

To use these two functions, you must upload your resume. For this, we ask for your separate consent when uploading.


Important note: The "Search with Resume" function is classified as a high-risk AI system under the EU AI Act. As the provider of this system, Nejo FlexCo is responsible for compliance with all regulations.

What data do we analyze from your resume?

  • Career path and career trajectory
  • Education and qualifications
  • Skills and competencies
  • Language skills
  • IT and technical knowledge
  • Project and industry experience
  • Place of residence (if stated in CV)

Additional data captured if included in the resume:

  • Name, phone number, nationality, date of birth, address
  • Important: This data is NEVER used for job recommendations, but is only securely stored in your profile for the "1-Click Application" function.

Recipients, data processing, and data locations

For the analysis and processing of your resume, we use selected service providers as part of data processing pursuant to Art. 28 GDPR. Your data is processed exclusively on servers within the European Union.


We currently engage:

  • Microsoft Azure (EU) for hosting and data processing of our AI systems
  • Google Cloud (EU) for AI-powered analysis and processing functions
  • Anthropic (EU) for AI-powered analysis and processing functions

Data processing agreements exist with both service providers to ensure GDPR-compliant processing. Data transfer to third countries does not occur unless required for support purposes. In such cases, we rely on appropriate safeguards such as standard contractual clauses.

Storage duration

You can delete your data at any time via your profile settings on Nejo. All personal data will then be immediately and irrevocably deleted by us.


Even if you do not revoke your consent, we only store your data for a certain maximum period:

  • CV raw data: 12 months after last use of the CV search function
  • Extracted profile data: 18 months after last use of the CV search function
  • Anonymized training data: Unlimited (as there is no longer any personal reference)

The storage periods start anew each time you use the CV search function.


You can find out how the AI analysis of your resume works in detail and how job recommendations are made based on it in our Terms of Use.

Important: No automated decisions

Important: Our job recommendations are based on automated evaluations of your profile (profiling). These recommendations serve solely for your orientation – you make every final decision yourself.

Job alerts and email notifications

What data do we process?

For job alerts:

  • Email address for sending
  • Saved search criteria (keywords, location, industry, etc.)
  • Sending preferences (frequency, timing)
  • Interaction data (opens, clicks)

For marketing emails (e.g., job search tips & tricks):

  • Email address
  • Registration time
  • Consent status
  • Interaction behavior
  • Usage behavior from PostHog (e.g., features used, pages visited, activity patterns)

Personalization of marketing emails

If you consent to receiving marketing emails, we combine your pseudonymized usage data from PostHog (e.g., which features you use, which pages you visit) with your email address in Customer.io. This allows us to send you more relevant content better tailored to your interests. This linking only occurs with your explicit consent for marketing emails.

Email sending via Customer.io

For sending job alerts and marketing emails, we use Customer.io as a processor. In doing so, we transmit your email address as well as relevant sending preferences and – with consent for marketing emails – selected usage data to Customer.io. Data processing takes place exclusively on EU servers. A data processing agreement pursuant to Art. 28 GDPR has been concluded.

Storage duration

  • Active email alerts: for a maximum of 3 months
  • Newsletter: Automatic deletion after 12 months without email interaction
  • Sending history: 3 months for technical tracking

We only send you marketing emails (e.g., job alerts, job search tips and tricks) after your explicit and voluntary consent pursuant to § 174(3) TKG in conjunction with Art. 6(1)(a) GDPR. You can give this consent either during registration or later in your profile settings. You can revoke your consent at any time by:

  • clicking the "Unsubscribe" link in the email, or
  • changing the setting in your profile settings on Nejo

Upon revocation, no further usage data will be linked to your email address and no more marketing emails will be sent.


Certain messages that are system-required or legally necessary are sent pursuant to Art. 6(1)(f) GDPR based on our legitimate interest. These cannot be unsubscribed as they are necessary for the operation of our service.


What we mean by system-required messages are, for example, confirmations of your registration, information about changes to our terms of use, or security-related notifications about your account.

Using Nejo via ChatGPT or similar third-party platforms

When you use Nejo via a third-party platform (e.g., ChatGPT), the content you enter there (prompts/messages) may be transmitted to Nejo and processed by us to the extent necessary to provide the function.

What data do we process?

  • Chat content that you share as part of using the Nejo function (particularly job-related information such as education, work experience, skills, job preferences).
  • Technical metadata strictly necessary for secure operation and abuse prevention (e.g., timestamps, system status information, pseudonymous session or request identifiers, and error messages). This metadata is not used for tracking, profiling, behavioral analysis, or analytics within third-party platforms.

Nejo does not export, forward, or disclose this data to any additional third parties, nor does it create publicly visible content or external communications based on third-party platform inputs.


Important: Please do not share sensitive or confidential information via third-party platforms that is not required for the function (particularly special categories of personal data under Art. 9 GDPR).

Storage duration and deletion

When using Nejo via third-party platforms (e.g., ChatGPT), processing occurs without association to an identifiable person or a Nejo user account.


Since no identifying characteristics are available to us, individual association, information, or deletion upon request is technically not possible (Art. 11 GDPR). In these cases, we are not obligated to collect additional information to enable identification.


Instead, the following fixed storage and deletion periods apply:

  • Chat content (prompts and responses): Storage for a maximum of 30 days after processing, then automatic deletion.
  • Technical operational and security logs (e.g., timestamps, status and error messages): Storage for a maximum of 30 days, exclusively for system security, error analysis, and abuse prevention purposes.
  • Anonymized and aggregated usage data: can be stored without time limit, as there is no longer any personal reference.
  • After the respective periods expire, the data is automatically deleted or irreversibly anonymized.

Usage analysis for product improvement

What we do and why

To improve our platform, we use the product analytics tool PostHog Cloud EU to understand how our services are used – e.g., which features are used, where drop-offs occur, or which pages are particularly popular. This allows us to fix errors, improve user-friendliness, and prioritize development.

  • Non-logged-in users: Analysis is done only with your consent via our cookie banner (Art. 6(1)(a) GDPR).
  • Logged-in users: Analysis is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR. We pay particular attention to pseudonymization, data minimization, and transparency.

Even for logged-in users, no directly identifying data (such as name or email address) is transmitted to PostHog, but rather a pseudonymous user ID. Additionally, we use technical safeguards to exclude sensitive content (e.g., masking, client-side filters).

Legal basis for logged-in users

Processing is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR to provide and continuously improve our service in a functional, secure, and user-oriented manner. For this purpose, we conduct a balancing of interests: our development and quality interests are weighed against the potential impact on our users’ privacy. Key criteria include registered users’ expectations, pseudonymization, data minimization, technical and organizational safeguards, transparency, and easy opt-out options.

Revocation / Opt-out

You can object to the processing of your personal data for product analysis purposes at any time. In the application, you will find a toggle under [Profile > Settings > Usage Analytics]; when you deactivate it, we stop further collection and transmission of usage events to PostHog. Alternatively, you can also send your objection to us by email; we will then implement the opt-out technically for you. Upon request, we will review the deletion of already collected data.

What data we transmit

Typical data collected includes:

  • pseudonymous user ID (for logged-in users)
  • Event name (e.g., click, page view, feature used, …)
  • Timestamp and URL context
  • Device and browser information
  • Campaign/referrer data (e.g., UTM tags)

Recipients, data processing, and data locations

Service provider: PostHog, Inc. as processor. We use PostHog Cloud EU; this instance is operated in the AWS region eu-central-1 (Frankfurt, Germany), and usage data remains in the EU. A data processing agreement has been concluded.

Storage duration and deletion

For usage analysis in PostHog, we use a pseudonymous user identifier (distinct_id). When your user profile is deleted, the connection between your account and this identifier is irrevocably deleted. Additionally, we delete or empty – where applicable – the corresponding person profile in PostHog (including identifying properties). Already collected usage events are retained but are no longer attributable to an identifiable account and are only evaluated in aggregated form for product statistics.

Hosting & Cloud Infrastructure (incl. Resume Processing)

We operate our platform – including the AI-based "Search with Resume" and the resulting job suggestions – on Microsoft Azure in the EU region Germany. For AI-powered analysis and processing functions, we also use Google Cloud (EU) and Anthropic (EU).

Legal basis

  • Basic operation (account management, website, system emails): Contract performance or pre-contractual measures (Art. 6(1)(b) GDPR) as well as legitimate interest in security, availability, and performance (Art. 6(1)(f) GDPR).
  • CV processing & job suggestions: Your explicit consent (Art. 6(1)(a) GDPR). We process your resume and generate personalized job suggestions only after your consent.
  • Data processing: Microsoft Azure, Google Cloud, and Anthropic are processors pursuant to Art. 28 GDPR. Corresponding agreements are in place. All processing operations take place in the EU (Azure DE, Google Cloud EU), encrypted and secured in accordance with Art. 32 GDPR.

Consent

  • No consent is required for basic operation.
  • For AI-powered processing of your resume and generating personalized job suggestions with AI chat, separate consent is required, which you can revoke at any time.

Storage duration & deletion

  • Basic data: As long as your account is active; after 24 months of inactivity we send a reminder, and after another 6 months the data is deleted.
  • CV processing data & logs: according to your consent, identical lifecycle as account data.
  • You can perform the complete and irrevocable deletion of your profile yourself at any time via your profile settings.

Technical & organizational measures

  • All processing operations take place in Azure DE (EU region), encrypted and secured in accordance with Art. 32 GDPR.
  • For the AI system "Search with Resume," a Data Protection Impact Assessment (DPIA) was conducted and technical filters were implemented to prevent extraction or disclosure of sensitive data (Art. 9).

Website usage and cookies

We want your visit to our website to be as pleasant as possible. To understand what is really important to you, we use appropriate technologies, especially cookies.


With our cookie box, you can determine for yourself how much we may know about you and adjust your selection at any time.


Blocking certain types of cookies may result in not all functions being fully available.


Our website is accessible via all common browsers. You can also make settings for cookie usage directly in your browser.


Depending on your individual cookie settings, we process the following personal data:

  • Browser type
  • Cookie data
  • Device type
  • Scroll behavior
  • Identification ID (UUID)
  • Click behavior

More information about our cookie usage can be found in our Cookie Policy.

What technical data do we automatically collect?

When you visit our website, we automatically collect certain information in so-called "server log files". This is technical data that is generated with every website visit:

  • IP address or hostname
  • Browser used
  • Time spent on the website
  • Date and time of visit
  • Pages of our website accessed
  • Language settings and operating system
  • "Leaving page" (which URL you left our website from)
  • ISP (Internet Service Provider)

This information is not processed in a personally identifiable manner and is not linked to other personal data. It helps us to technically optimize our website and ensure its security.

Who is responsible for your data?

Nejo collects your personal data exclusively from you.


Responsible for the processing of your personal data within the meaning of Art. 4(7) GDPR is:

Nejo FlexCo

Meldemannstraße 18

1200 Vienna

Austria

hi@mynejo.com

You can reach our Data Protection Officer at hi@mynejo.com.

Forwarding of application data

When you click the "Apply Now" button on Nejo, we always redirect you to the employer’s original job posting. When you then submit your application there, the company to which you send your data is responsible for the further processing of your data.

Who do we share your data with?

In some cases, we need to share your data with others. We only share your personal data with:

Authorities and public bodies

This only happens to the extent required by law (for example, data protection authority, courts, or labor chamber).

Software and service providers (processors pursuant to Art. 28 GDPR)

These providers support us with email services, administrative activities, and data center and cloud services.

  • Microsoft Azure: Hosting of our AI systems and data processing, based on your explicit consent
  • OpenAI (as a sub-processor in connection with Azure OpenAI)
  • Google Cloud: AI-powered analysis and processing functions, based on your explicit consent
  • Email services: for managing and conducting our newsletter, based on your explicit consent.
  • Customer.io: Email sending for transactional system emails (Art. 6(1)(b) GDPR) as well as marketing emails based on your explicit consent (Art. 6(1)(a) GDPR)
  • Data centers and cloud services: to ensure the availability and security of our website.
  • Database providers
  • Cookie consent management

Processing of your data takes place exclusively on EU servers. There is no data transfer to Microsoft, Google, Customer.io, or other third parties outside the EU. Data processing agreements pursuant to Art. 28 GDPR have been concluded with all service providers.


The sharing of any data is based exclusively on contractual agreements and in compliance with legal data protection regulations.

Data transfer abroad

If we transfer your personal data to a country outside the EU/EEA (third country) for which no adequacy decision within the meaning of Art. 45 GDPR exists, we ensure the protection of your data through appropriate safeguards within the meaning of Art. 46 GDPR.

Google Fonts

For an appealing and consistent presentation of our website, we use fonts from Google Fonts. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Tel: +353 1 543 1000).


When you visit our website, your browser loads the required fonts and stores them in the cache. Google may set cookies on your device in the process.


The use of Google Fonts serves the optimal presentation of our content and a consistent design of our website. This constitutes a legitimate interest within the meaning of Art. 6(1)(f) GDPR.


Google also processes data in the USA but has submitted to the EU-US Data Privacy Framework.


More information about Google Fonts and the Google Privacy Policy can be found here.

Your rights

You have various rights regarding your data stored with us:

  • Right to access: You can inquire at any time which data we have stored about you.
  • Right to erasure: You can request the deletion of your data, unless legal retention obligations prevent this.
  • Right to rectification: If your data is incorrect, you can request a correction at any time.
  • Right to data portability: You can request that we transmit your data in a common format to you or another controller.
  • Right to revocation and objection: You can revoke consents at any time and object to data processing.
  • Right to restriction: You can request that we restrict the processing of your data.

AI-specific rights

In addition to GDPR rights, you have the following rights for the "Search with Resume" and "Apply with Resume" functions:

  • Information about AI logic: Information about how our algorithms work
  • Bias complaint: Report suspected discriminatory treatment by the AI system
  • Human review: Request a manual review of AI recommendations
  • Transparency: Detailed information about capabilities and limitations of the AI system
  • Revocation of AI processing including deletion of your resume and any data extracted from it

Where personal data is processed without identifiability (e.g., in anonymous use via third-party platforms such as ChatGPT), certain rights (e.g., access or deletion on an individual level) cannot be technically implemented. In these cases, the provisions of Art. 11 GDPR apply.

Right to complain

If you suspect that your data processing violates data protection law, you have the right to complain:

  • Directly to us by email at: hi@mynejo.com
  • To the competent data protection authority: Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna. You can reach the authority here.
  • EU AI Act: Corresponding national supervisory authority for AI systems (details will be updated upon entry into force)

We take your concerns seriously and strive to process your inquiries as quickly as possible.


Thank you for trusting us with your data!
