Privacy Policy
Last updated: May 20, 2026
1. Who we are
Staffer AS ("Staffer", "we", "us") is a Norwegian company providing an AI-native talent intelligence platform. We act as the data controller for personal data processed about candidates who create a Staffer profile, and as a data processor for personal data we process on behalf of our client companies (employers).
Contact: privacy@staffer.com
2. Scope
This policy explains how we handle personal data when you visit our website, apply through the Staffer Portal, communicate with us, or use any of our services. It complies with the EU General Data Protection Regulation (GDPR), the Norwegian Personal Data Act, and applicable ePrivacy rules.
3. The data we collect and why
We only collect data we actually need. Below is the full list.
| Category | What we store | Purpose | Lawful basis | Retention |
|---|---|---|---|---|
| Account data | Email, password hash, authentication provider (Google, Apple), session tokens | Create and secure your account, sign you in, prevent abuse | Contract (Art. 6(1)(b)) | Until account deletion + 30 days backup window |
| Profile data | Full name, phone, location, job title, employer, summary, LinkedIn URL, avatar, banner | Build the candidate profile shown to potential employers | Contract / Consent (Art. 6(1)(b)/(a)) | Until you delete your profile |
| CV and uploaded files | CVs, portfolio files, case submissions, images, videos | Parse work history, present your portfolio, evaluate case responses | Contract (Art. 6(1)(b)) | Until you delete the file or your account |
| Work history | Experience, education, skills, links to personal sites | Match you with relevant opportunities | Contract (Art. 6(1)(b)) | Until profile deletion |
| Interview & assessment data | AI interview recordings, transcripts, ratings, case responses | Evaluate fit, share insights with hiring companies you opt into | Consent (Art. 6(1)(a)) — revocable any time | 24 months or until you revoke consent |
| Messages | Chat with Staffer, employer messages, support tickets | Facilitate hiring conversations and support | Contract / Legitimate interest (Art. 6(1)(b)/(f)) | 24 months after last interaction |
| Technical data | IP address, browser, device, log timestamps, error traces | Security, fraud prevention, debugging, service reliability | Legitimate interest (Art. 6(1)(f)) | 90 days for logs |
| Email engagement | Delivery, open, click, bounce, unsubscribe events | Operate transactional email reliably and honor opt-outs | Legitimate interest / Consent (Art. 6(1)(f)/(a)) | 24 months |
We do not intentionally collect special categories of data (health, ethnicity, political views, etc.). Please don't include them in your profile, CV, or messages.
4. How we use AI
Staffer uses AI models to parse CVs, summarize interviews, suggest skills, and surface relevant matches. AI-assisted decisions are always reviewable. You can:
- See every signal we hold about you (Article 15).
- Request a human review of any AI-assisted scoring or ranking (Article 22).
- Correct or delete inputs the model relied on.
Your data is not used to train third-party foundation models. Inference is done via contracted providers under zero-retention terms where available.
5. Who we share data with
We share personal data only with:
- Employers you opt into — only after you actively share your profile or apply.
- Sub-processors who help us run the service: cloud hosting, email delivery, AI inference, error monitoring, analytics. A current list is available on request.
- Authorities, when we are legally required to do so.
All sub-processors are bound by data processing agreements consistent with GDPR Art. 28.
6. International transfers
Personal data is primarily stored within the EU/EEA. Where a sub-processor processes data outside the EEA, we rely on the European Commission's Standard Contractual Clauses (2021/914) and supplementary measures where required.
7. Security
We protect your data with row-level access controls, encryption in transit (TLS 1.2+) and at rest, signed URLs for private files, short-lived authentication tokens, principle-of-least-privilege staff access, audit logging, and regular vulnerability scans.
8. Your rights (GDPR Chapter III)
- Access — get a copy of your data (Art. 15).
- Rectification — correct inaccurate data (Art. 16).
- Erasure — "right to be forgotten" (Art. 17).
- Restriction — pause processing (Art. 18).
- Portability — export in a machine-readable format (Art. 20).
- Objection — object to processing based on legitimate interest (Art. 21).
- Withdraw consent — at any time, without affecting prior lawful processing.
- Human review — of automated decisions (Art. 22).
To exercise any of these, email privacy@staffer.com. We respond within 30 days.
You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) or your local supervisory authority.
9. Cookies
We use strictly necessary cookies for authentication and security. Optional analytics cookies are only set with your consent via the cookie banner. You can change your preferences at any time.
10. Retention
Retention periods are listed per data category in Section 3. When a period expires or you delete your account, we erase the data from production systems within 30 days and from backups within 90 days.
11. Children
Staffer is not directed to anyone under 16. We do not knowingly collect personal data from children.
12. Changes to this policy
We may update this policy as the product or law evolves. Material changes will be notified by email and shown on this page with a new "Last updated" date.
13. Contact
Staffer AS
Oslo, Norway
privacy@staffer.com