Privacy Policy
Last updated March 31, 2026
Your privacy matters to us. This Privacy Policy explains what personal data we collect, how we use it, and your rights. It applies to your use of Kit as an account holder (employer, recruiter, or team member). This Privacy Policy forms part of our Terms of Service.
1. Who We Are
Kit is operated by Ernest Bursa (sole proprietorship), Dabrowskiego 96/5b, 60-576 Poznan, Poland. We are the data controller for the personal data described in this Privacy Policy.
- Email: [email protected]
- Data Protection Officer: We have not appointed a DPO because our processing activities do not trigger the mandatory designation requirements of Article 37 of the GDPR. For data protection inquiries, contact us at the email above.
- Supervisory authority: Our lead supervisory authority is the Polish Data Protection Authority (UODO), ul. Stawki 2, 00-193 Warsaw, Poland (uodo.gov.pl).
2. Scope and Our Dual Role
Kit serves two types of users, and our role under data protection law differs for each:
- Employers, recruiters, and team members (you): You create accounts and use Kit to manage recruitment. We are the data controller for your account data. This Privacy Policy governs that relationship.
- Candidates and applicants: When candidates apply to your job postings, their data is processed by Kit on your behalf. You are the data controller for candidate data, and Kit acts as a data processor. This relationship is governed by our Data Processing Agreement, not this Privacy Policy.
If you are a candidate, please contact the employer you applied to in order to exercise your data protection rights. They are the controller of your data.
3. Information We Collect
3.1 Account Information
When you create an account, we collect:
- Name and email address
- Password (stored as a cryptographic hash, not in plain text)
- Organisation name and team role
- Profile information you choose to provide
- Preferred language and notification preferences
3.2 Information from Third-Party Login
If you sign in using a third-party service (such as Google or GitHub OAuth), we receive your name, email address, and profile picture from that service. We do not receive or store your third-party password.
3.3 Usage Information
When you use Kit, we automatically collect:
- Log data (IP address, browser type, device information)
- Pages visited and features used
- Time and date of your visits
- Referring website or source
3.4 Payment Information
Payments are processed by Stripe, Inc. We do not store full card numbers. We receive only limited information such as the last four digits of your card, card type, and billing address. Stripe's privacy policy governs its processing of your payment data.
4. Lawful Basis for Processing
We process your personal data on the following lawful bases under Article 6(1) of the GDPR:
| Purpose | Lawful Basis | Details |
|---|---|---|
| Providing and maintaining the Service | Contract (Art. 6(1)(b)) | Necessary to perform our contract with you |
| Processing payments and billing | Contract (Art. 6(1)(b)) | Necessary to fulfil our billing obligations |
| Sending transactional emails (account notifications, security alerts) | Contract (Art. 6(1)(b)) | Necessary to operate your account |
| Sending product updates and onboarding emails | Legitimate interest (Art. 6(1)(f)) | Our interest in helping you get the most from Kit. You can unsubscribe at any time. |
| Improving the Service and developing new features | Legitimate interest (Art. 6(1)(f)) | Our interest in making Kit better for all users, using aggregated and anonymised usage data |
| Analytics on marketing pages (Microsoft Clarity) | Consent (Art. 6(1)(a)) | Only with your cookie consent. See Section 6. |
| Fraud prevention and security monitoring | Legitimate interest (Art. 6(1)(f)) | Our interest in protecting the Service and its users from abuse |
| Compliance with legal obligations (tax records, law enforcement requests) | Legal obligation (Art. 6(1)(c)) | Required by Polish and EU law |
5. How We Share Your Information
We do not sell your personal data. We share your data only with the following categories of recipients:
5.1 Sub-processors
We use the following service providers to operate Kit. A full list with transfer mechanisms is maintained in our Data Processing Agreement (Annex 3).
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting, storage | Nuremberg, Germany (EU) |
| Cloudflare, Inc. | CDN, DNS, security | Global (DPF + SCCs) |
| Stripe, Inc. | Payment processing | United States (DPF + SCCs) |
| Functional Software, Inc. (Sentry) | Error monitoring | United States (DPF + SCCs) |
5.2 Other Disclosures
- Legal requirements: When required by law, court order, or governmental authority
- Business transfers: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity
- With your consent: When you explicitly agree to share information
6. Cookies and Tracking
We use cookies and similar technologies on our website. Here is what we use:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| _session_id | Essential | Keeps you logged in and maintains your session | Session |
| locale | Essential | Remembers your language preference | 1 year |
| theme | Essential | Remembers your dark/light mode preference | 1 year |
| _clck, _clsk | Analytics (consent required) | Microsoft Clarity user/session identification for heatmaps and session recordings on marketing pages only | 1 year / session |
| CLID, MUID | Analytics (consent required) | Microsoft Clarity cross-site identification | 1 year |
Essential cookies are necessary for the Service to function and do not require consent. Analytics cookies are loaded only after you provide consent via our cookie banner. Microsoft Clarity is only active on public marketing pages and is never loaded on authenticated application pages. Microsoft acts as an independent data controller for Clarity data under their own terms.
You can control cookies through your browser settings. Disabling essential cookies may prevent you from using the Service.
7. Data Retention
We retain your personal data for as long as necessary for the purposes described in this policy:
- Account data: For the duration of your account. If you delete your account, we delete your personal data within 30 days.
- Server logs: Retained for up to 90 days for security and debugging purposes.
- Payment and billing records: Retained for 7 years as required by Polish tax law.
- Email communication records: Retained for the duration of your account, then deleted with your account.
- Analytics data: Microsoft Clarity retains session data for 30 days.
- Backup data: Backups containing your data are retained for up to 30 days after the primary data is deleted.
8. International Data Transfers
Kit's primary infrastructure is hosted in the European Union (Hetzner Cloud, Nuremberg, Germany). Your core account data is stored and processed within the EU.
Some of our sub-processors are located in the United States (Stripe, Sentry, Cloudflare). For these transfers, we rely on:
- The EU-US Data Privacy Framework (DPF) where the provider is DPF-certified
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914)
Details of transfer mechanisms per provider are listed in our DPA (Annex 3).
9. AI and Automated Processing
Kit offers AI-assisted features using third-party AI providers configured by you (BYOK). When you use these features:
- Data you choose to send to AI providers is transmitted to the provider you configured. Kit does not select or control these providers.
- Kit does not use your data to train AI models.
- Kit does not make solely automated decisions about individuals that produce legal or similarly significant effects; where AI-generated output informs such a decision, a human reviews it.
- You have the right to request human review of any decision that was informed by AI-generated output.
10. Your Rights
Under the GDPR, the UK GDPR, and applicable data protection laws, you have the following rights regarding your personal data:
- Right of access (Art. 15): You can request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): You can ask us to correct inaccurate or incomplete data.
- Right to erasure (Art. 17): You can request that we delete your personal data.
- Right to restrict processing (Art. 18): You can ask us to limit how we use your data.
- Right to data portability (Art. 20): You can request your data in a structured, machine-readable format.
- Right to object (Art. 21): You can object to our processing of your data where we rely on legitimate interest. We will stop processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent (Art. 7): Where processing is based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right regarding automated decisions (Art. 22): You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you.
To exercise any of these rights, contact us at [email protected]. We will respond without undue delay and within one calendar month. If your request is complex or you make several requests, we may extend this period by up to two further months and will notify you of the extension and the reasons for it within the first month.
You also have the right to lodge a complaint with your supervisory authority. For users in Poland, this is UODO (Urzad Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warsaw, Poland.
11. Email Communications
We send the following types of emails:
- Transactional emails (account notifications, security alerts, billing receipts): These are necessary to operate your account, so you cannot opt out of them while you hold an account.
- Product updates and onboarding emails: You can unsubscribe from these at any time using the unsubscribe link in each email or from your notification preferences in account settings. We support one-click unsubscribe per RFC 8058.
12. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Application-level encryption of sensitive data fields (Active Record Encryption)
- All core infrastructure hosted within the EU (Hetzner Cloud, Nuremberg, Germany)
- Database traffic isolated on a private network
- Regular security scanning and dependency auditing
- Role-based access controls and API token scoping
No method of transmission or storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security.
13. Children's Privacy
Kit is a business tool not intended for use by children. We do not knowingly collect personal information from anyone under 18 years of age. If you believe a child has provided us with personal information, please contact us and we will delete it.
14. CCPA Notice (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA provides you with additional rights:
- We do not sell or share your personal information as defined by the CCPA.
- You have the right to know what personal information we collect and how it is used.
- You have the right to request deletion of your personal information.
- You have the right to non-discrimination for exercising your privacy rights.
To exercise these rights, contact us at [email protected].
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at least 30 days before the changes take effect. For changes affecting the lawful basis for processing, we will seek your consent where required.
16. Contact Us
If you have questions about this Privacy Policy or our data practices:
- Email: [email protected]
- Address: Ernest Bursa, Dabrowskiego 96/5b, 60-576 Poznan, Poland
You also have the right to lodge a complaint with your local data protection authority if you believe we have not handled your personal data appropriately.