Privacy policy

Effective April 4, 2026

Bringboard ("we," "us") operates an applicant tracking platform at bringboard.com. This policy explains what data we collect, why, and what rights you have over it. We are based in Athens, Greece, and process data under the EU General Data Protection Regulation (GDPR).

Roles

For the personal data of our account holders (recruiters, hiring managers), we act as the data controller. For candidate data that organizations store through Bringboard, we act as a data processor on behalf of the organization, which remains the controller.

What we collect

Account data

Name, email address, and avatar when you create an account. Authentication is handled through Supabase Auth; we do not store passwords directly.

Organization and hiring data

Company name, branding, job positions, hiring stages, notes, emails, interview schedules, workflows, and any custom fields your team configures. This data belongs to your organization.

Candidate and applicant data

Candidate names, email addresses, applications, resumes, form responses, and enrichment profiles entered by your team or submitted by candidates through hosted careers pages. Your organization is the controller for this data.

Connected accounts

If you connect Google Calendar or GitHub, we store encrypted access tokens and the minimum account info needed to provide scheduling and profile features. You can disconnect at any time.

Usage and technical data

Page views, feature usage, browser type, and crash reports. We use this to fix bugs and improve the product. See the service providers section below.

How we use your data

  • Provide and operate the applicant tracking service
  • Send transactional emails (invitations, notifications, interview confirmations)
  • Deliver interview scheduling via calendar integrations
  • Monitor errors and improve reliability
  • Analyze anonymized usage to improve the product
  • Respond to support requests

We do not sell your data. We do not use candidate data for advertising or profiling outside the scope of the service you requested.

Legal basis (GDPR)

  • Contract: Processing account and organization data is necessary to deliver the service you signed up for.
  • Legitimate interest: Usage analytics and error tracking to maintain and improve the platform.
  • Consent: Analytics and marketing cookies are only activated when you grant consent through our cookie banner. Optional integrations (Google Calendar, GitHub) are activated only when you explicitly connect them.

Service providers

We share data with the following processors, all under appropriate data processing agreements:

  • Supabase — Authentication, database hosting, file storage (AWS eu-central-1)
  • Vercel — Application hosting and edge delivery
  • Postmark — Transactional email delivery
  • PostHog — Product analytics (EU-hosted)
  • Sentry — Error and performance monitoring
  • Upstash — Rate limiting and caching (Redis)
  • Google — Analytics (GA4) for measuring site traffic and usage; Calendar and OAuth integration (when connected by you)
  • LinkedIn — Advertising pixel for measuring campaign performance (requires your consent)
  • Reddit — Advertising pixel for measuring campaign performance (requires your consent)

Cookies

We set the following first-party cookies: bb_logged_in to reflect your authentication state across our domains, sidebar_state for interface preferences, and bb_consent to store your cookie consent choices (365 days).

When you consent to analytics cookies, Google Analytics (GA4) sets cookies such as _ga to measure site traffic. When you consent to marketing cookies, LinkedIn and Reddit may set cookies (e.g. _li, _rdt) to measure advertising campaign performance.

Consent

When you first visit our site, a cookie banner asks you to accept or reject optional cookies. You can change your preferences at any time using the "Cookie settings" link in the page footer. Withdrawing consent is as easy as granting it; your updated preferences take effect immediately.

Data security

Data is encrypted in transit (TLS) and at rest. Connected account tokens are encrypted before storage. Our database is hosted on compliant infrastructure. Access to production data is restricted and logged.

Data retention

We retain your data for as long as your account is active. Organization data is retained for as long as the organization maintains an account. When you delete your account or your organization closes its account, we delete associated data within 30 days, except where retention is required by law.

Your rights

Under the GDPR, you can:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Object to processing based on legitimate interest
  • Withdraw consent for optional integrations at any time
  • Lodge a complaint with a supervisory authority (in Greece: the Hellenic Data Protection Authority)

To exercise any of these rights, email us at hello@bringboard.com.

International transfers

Some of our service providers process data outside the EU. Where this occurs, transfers are protected by Standard Contractual Clauses or adequacy decisions approved by the European Commission.

Children

Bringboard is not directed at individuals under 16. We do not knowingly collect data from children.

Changes

We may update this policy as our practices or legal requirements change. Material changes will be communicated via email or an in-app notice. The effective date at the top of this page reflects the latest version.

Contact

For privacy questions or data requests, contact us at hello@bringboard.com.