Happr

Legal

Privacy Policy

Last updated: 11 June 2026

1. Controller

WE HUMAN, MB (registration code: 305711625) is the data controller for personal data processed through the Platform. Contact our data protection point of contact at privacy@happr.dev.

2. Data we collect

All users (Candidates and Hirers):

  • Name, email address, and password hash (account creation).
  • Profile information you choose to provide (location, bio, links).
  • Authentication tokens from OAuth providers (GitHub, Google) where used.
  • Usage data: pages visited, features used, timestamps, IP addresses.
  • Communications with us (support emails, discovery call bookings).

Candidates additionally:

  • CV / résumé (uploaded or parsed from LinkedIn / GitHub).
  • GitHub profile data and public repositories (with your consent during onboarding).
  • Task submissions, code, and any work product uploaded to the Platform.
  • Skill assessments derived from your profile and submissions.

Hirers additionally:

  • Company name, VAT number, billing address.
  • Payment method tokens (stored by our payment processor; we do not store raw card data).
  • Task briefs, evaluation notes, and hiring decisions.

3. How we use your data

PurposeLegal basis (GDPR Art. 6)
Provide and operate the PlatformContract (Art. 6(1)(b))
Account authentication and securityContract / Legitimate interest
Process prize pool paymentsContract (Art. 6(1)(b))
AI-assisted CV parsing and candidate matchingLegitimate interest (Art. 6(1)(f)) — see Section 7
Send service notifications (booking confirmations, task updates)Contract
Send marketing emails to opted-in usersConsent (Art. 6(1)(a))
Comply with legal obligations (tax, anti-fraud)Legal obligation (Art. 6(1)(c))
Analytics to improve the PlatformLegitimate interest
Respond to support requestsLegitimate interest / Contract

4. Data sharing and processors

We share personal data only with:

  • Supabase — authentication and database hosting (EU region).
  • Resend — transactional email delivery.
  • Vercel — application hosting and edge delivery.
  • Payment processor — for prize and fee payments (PCI-DSS compliant).
  • Hirers — your profile and submission data is shared with the specific Hirer whose task you apply to, for evaluation purposes only.

We do not sell personal data to third parties. We do not share data for advertising purposes. All processors are bound by GDPR-compliant data processing agreements (DPAs).

5. International transfers

Our primary infrastructure is hosted within the EU/EEA. Where any processor operates outside the EEA, transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46.

6. Retention

Data categoryRetention period
Active account dataFor the duration of your account
Account data after deletion request30 days (recovery window), then erased
Task submissions (non-winning)90 days after task closes, then erased
Prize payment records7 years (VAT / accounting obligation)
Server logs (IP, timestamps)90 days
Marketing consent recordsUntil consent is withdrawn + 3 years
Discovery call bookings2 years

7. Automated decision-making and profiling

Happr uses AI tools to assist Hirers with candidate matching and submission ranking. This constitutes automated processing within the meaning of GDPR Article 22. We take the following safeguards:

  • AI-generated rankings are presented as recommendations only. All final hiring decisions are taken by a human Hirer.
  • No candidate is rejected solely on the basis of automated processing.
  • Candidates may request a human review of any AI-generated assessment by emailing privacy@happr.dev.
  • The criteria used by matching algorithms are described in our EU AI Act Transparency Notice.

8. Your rights (GDPR Chapter III)

As a data subject in the EU/EEA you have the right to:

  • Access — obtain a copy of your personal data (Art. 15).
  • Rectification — correct inaccurate data (Art. 16).
  • Erasure ("right to be forgotten") — request deletion where no overriding legitimate ground exists (Art. 17).
  • Restriction — request that processing be restricted while a dispute is pending (Art. 18).
  • Portability — receive your data in a machine-readable format (Art. 20).
  • Object — object to processing based on legitimate interest, including profiling (Art. 21).
  • Withdraw consent at any time for processing based on consent, without affecting prior lawful processing.

To exercise any right, email privacy@happr.dev. We will respond within 30 days. You also have the right to lodge a complaint with the Lithuanian State Data Protection Inspectorate (SDPI) at vdai.lrv.lt.

9. Cookies

We use the following cookies:

CookiePurposeType
sb-auth-tokenSupabase authentication sessionStrictly necessary
themeLight/dark theme preferenceFunctional
_vercel_*Deployment routing (Vercel)Strictly necessary
analytics_*Aggregate usage analytics (no advertising)Analytics — requires consent

You may withdraw analytics consent at any time via the cookie banner or by emailing us. Strictly necessary and functional cookies cannot be disabled without impairing the service.

10. Security

We apply appropriate technical and organisational measures including: encryption in transit (TLS 1.2+) and at rest, access controls, regular dependency updates, and security review of AI pipeline inputs/outputs. No transmission over the internet is 100% secure; you use the Platform at your own risk.

11. Children

The Platform is not directed at persons under 18. We do not knowingly collect data from minors. If you believe a minor has registered, please contact us immediately.

12. Changes to this policy

Material changes will be announced by email and on the Platform at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.