Last updated · 2026-05-12

Privacy policy

This Privacy Policy explains how Staffer.com AS (“Staffer”, “we”, “us”) processes personal data about users of the Staffer platform — typically recruiters, hiring managers, and talent acquisition professionals at our customer organisations.

This policy is for you if you log in to and use Staffer as part of your work. If you are a professional whose profile appears in our sourcing database (a Candidate), please see our separate Candidate Privacy Policy at staffer.com/privacy.

1. Who we are

Staffer.com AS is a Norwegian limited company (Org. No. 935 665 825), registered at Tjuvholmen allé 1, 0252 Oslo, Norway.

For all privacy questions or to exercise your rights, contact us at: privacy@staffer.com.

2. Roles and responsibilities

Staffer is the controller for the personal data we process about you as a user of the platform, including account management, authentication, security, billing, and product analytics. This notice covers Staffer’s processing in that role.

3. What personal data we process

We process the following categories of personal data about you:

  • Account and profile data: name, business email address, and (where available from your single sign-on provider) profile picture.
  • Authentication data: metadata from your single sign-on provider (Google, Microsoft, or LinkedIn) needed to verify your identity. We do not store passwords.
  • Usage data: your activity in the platform, including chat prompts and queries you submit, role descriptions you upload, candidates you view, searches you save, and clicks and navigation events.
  • Technical data: IP address, device and browser information, timestamps, and similar metadata generated when you use the platform.
  • Communications: messages you exchange with our support team and your responses to surveys or feedback requests.

4. Why we process your data and our lawful basis

We process your personal data for the following purposes, on the lawful bases identified in GDPR Article 6:

Providing the Service

Lawful basis: Performance of a contract (with your employer), or our legitimate interest in operating the Service (Art. 6(1)(b) / 6(1)(f)).

Examples: account creation, authentication, running searches, generating relevance scores.

Security and fraud prevention

Lawful basis: Legitimate interest (Art. 6(1)(f)).

Examples: detecting unauthorised access, abuse prevention, audit logging.

Service communications

Lawful basis: Performance of a contract / legitimate interest (Art. 6(1)(b) / 6(1)(f)).

Examples: onboarding emails, product updates affecting your use, security notices.

Product analytics and improvement

Lawful basis: Legitimate interest (Art. 6(1)(f)).

Examples: understanding feature usage to improve the platform.

Billing and financial administration

Lawful basis: Performance of a contract / legal obligation (Art. 6(1)(b) / 6(1)(c)).

Examples: generating usage records for invoicing, tax records.

Marketing communications

Lawful basis: Consent (Art. 6(1)(a)).

Examples: product newsletters, promotional content (only if you have opted in).

Legal claims

Lawful basis: Legitimate interest / legal obligation (Art. 6(1)(f) / 6(1)(c)).

Examples: establishing, exercising, or defending legal claims.

Where we rely on legitimate interest, we have conducted a balancing test against your rights and freedoms. A summary is available on request.

5. How we use AI

The Staffer platform uses large language models (LLMs) to interpret your chat prompts and to match queries against our candidate database. Your prompts and uploaded role descriptions are processed by LLM providers under agreements that include:

  • No use of your data to train the providers’ models.
  • Short or zero retention by the providers.
  • Standard Contractual Clauses for international transfers.

We do not use your chat content or other usage data to train AI models, our own or anyone else’s.

6. Who we share your data with

We may share personal data with the following categories of recipients:

A. Service providers (sub-processors)

Such as:

  • Cloud infrastructure and database hosting providers
  • LLM providers powering chat and matching
  • Single sign-on (OAuth) authentication providers
  • Observability, logging, and error-tracking tools
  • Product analytics and customer support tools
  • Object storage for files uploaded through the platform

All sub-processors are bound by written agreements that include appropriate data protection commitments.

You may contact us at privacy@staffer.com to request the names of specific sub-processors and the regions in which they operate.

B. Authorities and legal parties

Where required by law, or to establish, exercise, or defend legal claims.

C. Successors in interest

In the event of a corporate transaction such as a merger or acquisition, subject to appropriate protections.

We never sell personal data.

7. International transfers

Some of our sub-processors are located outside the European Economic Area, including in the United States. Where personal data is transferred to a country that has not been recognised by the European Commission as providing an adequate level of protection, we ensure that appropriate safeguards are in place, such as the European Commission’s Standard Contractual Clauses (Decision 2021/914).

8. How long we keep your data

We retain personal data about you for 90 days after your account is closed or your employer’s agreement with Staffer ends, after which it is deleted from our active systems.

Some data is retained beyond this period where required:

  • Financial records, for the period required by accounting and tax law (typically five years under Norwegian law).
  • Records necessary for the establishment, exercise, or defence of legal claims, for the duration of the relevant limitation period.
  • Data subject to a legal hold or regulatory request.

9. Your rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15): a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): deletion of your personal data.
  • Right to restriction (Art. 18): restriction of processing in certain circumstances.
  • Right to object (Art. 21): objection to processing based on legitimate interest.
  • Right to data portability (Art. 20): receiving your data in a structured, commonly used format.
  • Right to withdraw consent (Art. 7): where we rely on consent (e.g., marketing), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, contact us at privacy@staffer.com. We will respond within one month, as required by the GDPR.

Note: some rights, such as the right to erasure, may be limited where the data is needed to provide the Service to your employer, comply with a legal obligation, or establish or defend legal claims. In such cases, we will explain why we cannot fully comply with your request.

10. Marketing communications

We only send marketing communications to you if you have opted in. You can withdraw your consent at any time:

  • By using the unsubscribe link in any marketing email we send you.
  • By contacting us at privacy@staffer.com.

Withdrawing consent for marketing does not affect service-related communications (onboarding, product updates, security notices, billing), which we send on a different lawful basis.

11. Cookies and similar technologies

We use cookies and similar technologies on staffer.com and within the platform. For details about which cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy at staffer.com/cookies.

12. Security

We maintain appropriate technical and organisational measures to protect your personal data, including encryption in transit and at rest, role-based access control, multi-factor authentication for privileged access, and security monitoring.

13. Right to lodge a complaint

If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority. In Norway, this is Datatilsynet. You may also lodge a complaint with the supervisory authority in the EU/EEA country where you live or work.

14. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top indicates when it was most recently revised. Material changes will be communicated to you, including by email where appropriate.

15. Contact

Email: privacy@staffer.com

Postal address: Staffer.com AS, Tjuvholmen allé 1, 0252 Oslo, Norway