We use cookies.

What does it mean?

Captcha is invalid. Please attempt to accept cookies (in the bottom left corner), reload the page, switch to a different network, disable VPN, or contact support support@onde.app.

Oops, something go wrong, please try again later

The phone number you’ve added already exists. Please choose another phone number or contact support@onde.app.

English Español Portugês العربية Français

English

Recruitment and Contracting Privacy Policy

Last updated: 27.11.2025

1. Who we are and the scope of this Policy

This Recruitment and Contracting Privacy Policy (“Policy”) explains how Ondemand Apps OÜ, a company incorporated under the laws of the Republic of Estonia (registry code 14521027, address: Tornimäe 7-36, 10145 Tallinn, Estonia, e-mail: hi@onde.app) (“we”, “us”) processes personal data of candidates in connection with our recruitment and contracting activities.

This Policy applies to individuals who use or are considered for cooperation with us, whether as employees, freelancers, sole traders, or under any other B2B service or advisory arrangement, and to people we may contact in the context of such processes, such as referees or recommenders.

It does not apply to our processing of personal data of employees or contractors after they are hired or enter into a contract.

We act as a data controller for the processing described in this Policy. We currently do not appoint a data protection officer because we do not meet the conditions set out in Article 37 GDPR and relevant guidance. For any questions or to exercise your rights, please contact us at hi@onde.app.

2. What data do we process

We process the following categories of personal data about you, as relevant to a given recruitment process:

1. Identification and contact details

  • full name, e-mail address;

2. Application data

  • CV/résumé and any information contained in it (education, work history, skills, languages, publications, portfolio links, etc.);
  • cover letter, “Say hi” free-text message, and other information you voluntarily provide via our forms or e-mail;

3. Data generated during the recruitment process

  • information and notes from interviews and communications with you;
  • assessment or test results, where applicable;
  • internal evaluation and the status of your application.

4. Data from third-party sources

  • information you make publicly available in professional profiles (e.g., LinkedIn, GitHub, portfolio websites), to the extent relevant to the role;
  • references or recommendations from persons you provide as referees or who refer you to us.

We do not intentionally request or require you to include any special categories of personal data (such as information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health data, sexual orientation, or similar) or data relating to criminal convictions and offences. If you choose to provide such information, we will handle it in accordance with the terms set out in Section 4.

3. For what purposes and on what legal bases we process your data


We process your personal data for the purposes and on the legal bases listed below. We always rely on at least one of the legal bases under Article 6 GDPR (and, where applicable, Article 9).

1. Managing your application and the recruitment process, including considering you for similar or future roles within a limited period after your application

  • assessing your qualifications and suitability for a role;
  • communicating with you (e-mail, phone, messages);
  • scheduling and holding interviews, meetings, and tests;
  • making hiring or cooperation decisions and preparing offers, statements of work, or contracts (whether employment or B2B services contracts).

Legal basis: Article 6(1)(b) GDPR (taking steps at your request before entering into an employment or services contract) and, where 6(1)(b) does not strictly apply or where we consider you for similar or future roles, Article 6(1)(f) GDPR (our legitimate interest in recruiting staff and contractors). You have the right to object to such processing at any time (see Section 9).

2. Compliance with legal obligations

  • meeting obligations under applicable labour, tax, equal treatment/non-discrimination, and data-protection laws;
  • responding to requests from competent authorities where required by law.

Legal basis: Article 6(1)(c) GDPR (compliance with legal obligations).

3. Defending and enforcing legal claims

  • Establishing, exercising, or defending potential legal claims related to our recruitment process (for example, in case of disputes about discrimination, contractual negotiations, or other claims).

Legal basis: Article 6(1)(f) GDPR (our legitimate interest in protecting our rights and defending against claims). We take applicable statutory limitation periods into account when setting and periodically reviewing the retention periods described in Section 6.

4. Improving our recruitment process

  • generating anonymised or aggregated statistics (e.g., number of applications, time-to-hire);
  • improving our recruitment workflows and candidate experience.

Legal basis: Article 6(1)(f) GDPR (our legitimate interest in improving our recruitment). Wherever possible, we use anonymised or aggregated data that no longer identifies you.

4. Special categories of personal data and criminal-records data

We do not typically need to process special categories of personal data about you (Article 9 of the GDPR) or data concerning criminal convictions and offences (Article 10 of the GDPR) during the recruitment process. 

Please do not include such information in your CV or other documents, unless it is strictly necessary and directly related to the position (for example, information on disability required to arrange reasonable accommodations).

If we nonetheless receive such information:

  • For health or disability information needed to comply with employment and social-security obligations or to provide reasonable accommodations, we may process it based on Article 9(2)(b) or 9(2)(h) GDPR, together with the relevant Article 6 basis described above;
  • For any other special-category information (e.g., political opinions, religion, trade-union membership), we will not use it in the recruitment decision and will endeavour to erase or minimise it as soon as practicable;
  • We process criminal records data only if explicitly required or permitted by applicable law and subject to appropriate safeguards. If such processing becomes relevant for a specific role, we will provide you with an additional notice.

5. From where do we obtain your data

We collect your personal data mainly from you:

  • When you submit your CV and form via our careers page;
  • When you send us your CV or application by e-mail or other channels;
  • during interviews and other interactions.

We may also collect personal data about you from:

  • professional networking sites and publicly available online sources (e.g., LinkedIn, GitHub, portfolio sites), but only to the extent relevant to your professional background and the role;
  • referees or other contacts you provide or who refer you to us.

Data about referees and other contacts

  • If you provide us with contact details of referees or other people we may contact in the context of your application, we will process their name, contact details, and the information contained in their reference or recommendation.

When we obtain data from third parties rather than directly from you, we respect the information obligations under Articles 14 and 15 of the GDPR, unless an exemption applies.

6. How long do we keep your data

We retain your personal data only for as long as necessary for the purposes described in this Policy, taking into account applicable limitation periods and best practice guidance under the GDPR.

1. Applications and recruitment records

  • We retain your data for the duration of the recruitment process and, after it concludes, for a period of generally no longer than 2 years from the date we receive your application or your last meaningful interaction with us (whichever is later).
  • During this period, we may still contact you about your application or similar roles for which you may be suitable. We may also need to retain the data to document a fair recruitment process, produce anonymized statistics, or establish, exercise, or defend potential legal claims.

2. Claims and legal obligations

  • Where a dispute, investigation, or legal proceeding is actually initiated or reasonably anticipated before the end of the general retention period specified above, we may retain only the data relevant to that matter for a period longer than the specified period. In such cases, we keep the data for the duration of the dispute or proceeding, as well as for the applicable statutory limitation or archiving period, and store it separately from our active recruitment systems.

3. E-mail and system logs

  • Copies of your messages and our responses may be retained in our email systems and security logs in accordance with our general IT and archiving policies. However, we do not use them for active recruitment purposes once the retention periods above have expired.

When the applicable retention period expires, we will delete or irreversibly anonymize your data in our systems and those of our processors, unless we are required by law to retain it for a more extended period.

7. Who has access to your data and international transfers

7.1. Internal recipients

Your personal data is accessed only by Onde personnel who need it for recruitment purposes, such as HR/People Operations, hiring managers, and other participants in the recruitment process, on a need-to-know basis and subject to confidentiality obligations.

7.2. Processors and other recipients

We use third-party service providers to support our recruitment activities. These providers act as data processors, processing your personal data on our behalf and in accordance with our instructions. They include, in particular:

  • TalentLyft – our applicant tracking system provided by AdoptoTech d.o.o., based in Croatia, EU. TalentLyft hosts candidate data on servers within the European Union and utilizes approved sub-processors (such as Intercom for in-app support chat and Mailgun for email delivery) with appropriate data processing agreements and security measures in place, including Standard Contractual Clauses where required.
  • E-mail and communication service providers – providers that host our corporate e-mail and internal communication tools, through which recruitment correspondence may pass.

We may also share your data with:

  • external advisors (such as legal counsel), where necessary for the purposes described in section 3;
  • public authorities, courts, or law enforcement bodies, as required by applicable law.

We ensure that all processors and recipients provide appropriate technical and organisational measures to protect your personal data.

7.3. Transfers outside the EU/EEA

As a rule, your personal data is stored within the European Union / European Economic Area.

Some of our processors or their sub-processors may be established outside the EU/EEA or may access data from such locations (for example, specific components of e-mail delivery or support services). In these cases, we ensure that an adequate level of protection is provided in line with Chapter V GDPR, typically by:

  • relying on an adequacy decision of the European Commission, where applicable; and/or
  • entering into Standard Contractual Clauses (SCCs) adopted by the European Commission with the relevant recipient and implementing additional safeguards where required. 

8. Whether you have to provide your data

Providing your basic personal data (such as name, contact details, and information about your professional background) is necessary for us to assess your application and to take steps at your request before entering into an employment or B2B services contract (or another cooperation agreement). If you do not provide this information, we will not be able to consider your application. Providing any additional information is voluntary and not required to participate in a specific recruitment process.

9. Your rights

Under the GDPR, you have the following rights in relation to your personal data, subject to the conditions and limitations set out in the law:

  • Right of access – to obtain confirmation whether we process your personal data and, if so, to receive a copy of it.
  • Right to rectification – to correct or complete inaccurate or incomplete data.
  • Right to erasure – to request deletion of your personal data in certain circumstances (for example, where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent and there is no other legal basis).
  • Right to restriction of processing – to request that we restrict processing of your data in specific cases.
  • Right to data portability – to receive specific data in a structured, commonly used, and machine-readable format and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
  • Right to object – to object, on grounds relating to your particular situation, to processing based on our legitimate interests. In such cases, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.
  • Right to withdraw consent – where processing is based on your consent (where applicable), you may withdraw it at any time by contacting us at hi@onde.app or using any withdrawal mechanism we provide. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

To exercise your rights, contact us at hi@onde.app. We may need to verify your identity before responding to your request.

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or with your local supervisory authority in the EU/EEA, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. The Estonian supervisory authority can be contacted at:

Andmekaitse Inspektsioon
Tatari 39, 10134 Tallinn, Estonia
E-mail: info@aki.ee
Phone: +372 627 4135

10. Automated decision-making

We do not make hiring decisions based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.

11. Changes to this Policy

We may update this Policy from time to time, for example, due to changes in our processing activities or applicable law. The latest version will always be available on our careers website, with the date of the newest update indicated at the top.