Privacy Policy

1. Data controller

The data controller responsible for personal data processed through the Virkla platform and website is Virkla GmbH, Germany. For data subject requests including access, correction, and deletion, contact privacy@virkla.de.

• Data controller: Virkla GmbH, Germany
• Data protection contact: privacy@virkla.de
• Response time for data subject requests: within 30 days as required by GDPR Art. 12

2. Data we collect and why

We collect personal data only where we have a lawful basis to do so under GDPR Article 6. The data we collect depends on how you interact with Virkla.

• Website visitors: IP address, browser type, pages visited, and session duration — processed for website improvement under legitimate interest (Art. 6(1)(f))
• Demo and contact requests: name, email address, company, and message — processed to respond to your enquiry under pre-contractual steps (Art. 6(1)(b))
• Platform users: name, work email address, role, and usage data — processed to provide the platform under your subscription contract (Art. 6(1)(b))
• Candidates: application data processed as a data processor on behalf of the employer under a signed Data Processing Agreement
• Cookies: see Section 7 below

3. How we use your data

We use the personal data we collect for the following purposes:

• Providing and operating the Virkla platform and all associated features
• Responding to sales enquiries, demo requests, and support tickets
• Sending product updates and service communications to registered users — you may opt out at any time
• Analysing platform usage to identify bugs, improve performance, and develop new features
• Complying with legal obligations under German and EU law
• Enforcing our Terms of Service and protecting our legitimate business interests

4. Candidate data — Virkla as data processor

When employers use Virkla to manage hiring, candidate personal data is processed by Virkla on behalf of the employer. The employer is the data controller; Virkla is the data processor. We process candidate data only as instructed by the employer and do not use it for our own profiling, marketing, or model training without explicit consent. Candidates with questions about their data in a specific hiring process should contact the employer directly. Employers can request Data Processing Agreement documentation at privacy@virkla.de.

5. Data retention

We retain personal data only as long as necessary for the purpose it was collected.

• Website analytics data: 26 months from collection
• Demo and contact request data: 24 months from last interaction
• Platform user account data: duration of subscription plus 90 days after account closure
• Candidate data: configured per customer; default is 6 months after application closure
• Legal and compliance records: as required by applicable German and EU law

6. Your rights under GDPR

If you are located in the EU or EEA, you have the following rights regarding your personal data:

• Right of access (Art. 15): request a copy of the personal data we hold about you
• Right to rectification (Art. 16): request correction of inaccurate or incomplete data
• Right to erasure (Art. 17): request deletion where we no longer have a lawful basis
• Right to restriction (Art. 18): request that we limit processing in certain circumstances
• Right to data portability (Art. 20): receive your data in a machine-readable format
• Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing
• Right to withdraw consent: where processing is based on consent, you may withdraw it at any time
• Right to lodge a complaint: with the supervisory authority in your country — in Germany, the relevant state Datenschutzbeauftragter

7. Cookies

We use cookies and similar tracking technologies on our website. You can manage your preferences via the consent banner on your first visit.

• Strictly necessary cookies: required for the website and platform to function — cannot be disabled
• Analytics cookies: used to understand how visitors use the site — require consent
• Marketing cookies: used to track visits from advertising campaigns — require consent
• Functional cookies: used to remember preferences such as language setting — require consent

8. Third-party services and data transfers

We use a limited number of third-party services to operate the platform. All third parties are subject to data processing agreements and must comply with GDPR.

• Cloud infrastructure: data is hosted in EU-based data centres
• Analytics: privacy-respecting tools configured to anonymise IP addresses
• Email delivery: transactional emails delivered via a third-party provider under a signed DPA
• Payment processing: billing data handled by our payment processor; Virkla does not store full card details
• International transfers: where data leaves the EEA, Standard Contractual Clauses or equivalent safeguards are in place

9. Data security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction.

• Encryption of data in transit (TLS 1.2 or higher) and at rest
• Role-based access controls limiting data access to authorised personnel only
• Regular security assessments and penetration testing
• Incident response procedures with notification obligations met under GDPR Art. 33–34
• Employee training on data protection and information security

10. Changes to this policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify registered users by email and update the date at the bottom of this page. Continued use of the platform after notification constitutes acceptance. For questions, contact privacy@virkla.de.

11. Sub-processors

We engage the following categories of sub-processors to deliver the Virkla platform. All sub-processors are bound by data processing agreements and must meet GDPR-equivalent standards. The list is reviewed and updated when sub-processors change.