Privacy Policy
Last updated: 2026-05-18
1. Data Controller
MB Rinkis Darbą (company no. 307633488), operating the platform at Rinkis Darbą (rinkisdarba.lt), Vilnius, Lithuania. Contact: info@rinkisdarba.lt.
2. Data We Collect
When you use Rinkis Darbą, we may collect:
- Email address — required for registration and login.
- Name — optional, used for display only.
- Hashed password — stored using bcrypt; your original password is never stored.
- Job preferences — target title, skills, location, salary expectations, seniority, remote preferences, and target industries you enter in your profile.
- CV-extracted data — skills, work experience, education level, and career functions extracted from your CV using AI. The CV file itself is not stored after processing.
- Employer reviews — text and ratings you submit about companies.
- Saved jobs — job listings you bookmark.
- Match feedback — thumbs up, thumbs down, or dismiss signals on job matches.
- Email preferences — weekly email shortlist opt-in/out status.
- Email confirmation status — whether your email has been confirmed and when.
- Session data — login timestamps and session identifiers, used for authentication and security.
- IP address — used for login rate limiting and security only; not used for tracking or analytics.
- Issue reports — when you submit a "Report an issue" form, we collect your message (up to 3,000 characters), the page URL you were on, your browser's user agent string, language, and (if provided) your contact email. If you are logged in, the report is linked to your account. This data is accessible only to platform administrators and is used solely to investigate and resolve the reported issue.
- Job listing click history — when you click an external job listing link, we record which listing you clicked and from which page. If you are logged in, this click is linked to your account via user_id. Used for internal analytics and service improvement only.
3. Legal Basis for Processing
We process your personal data on the following legal bases under GDPR Art. 6:
- Account registration, authentication, and profile management → Performance of contract (Art. 6(1)(b)).
- CV processing and personalised job matching → Performance of contract (Art. 6(1)(b)) — you initiate this by uploading your CV.
- Weekly email shortlist → Consent (Art. 6(1)(a)) — you opt in via Account Settings; you can withdraw consent at any time without affecting the lawfulness of prior processing.
- Market analytics and salary statistics → Legitimate interest (Art. 6(1)(f)) — providing aggregated market intelligence to increase labour market transparency. No individual personal data is used in public analytics.
- Security (rate limiting, session management, fraud prevention) → Legitimate interest (Art. 6(1)(f)) — maintaining platform security and preventing unauthorised access and abuse.
- Service improvement → Legitimate interest (Art. 6(1)(f)) — improving service quality and analysing platform usage.
- Issue reports → Legitimate interest (Art. 6(1)(f)) — responding to user-initiated bug reports and improving platform quality.
- Job listing click analytics → Legitimate interest (Art. 6(1)(f)) — understanding platform usage and improving job-matching quality.
- Compliance with legal obligations → Legal obligation (Art. 6(1)(c)).
We do not sell your data to third parties or use it for advertising.
4. AI Processing
When you upload a CV, its extracted text is sent to the Google Gemini API for skill and experience extraction. Only the text content is transmitted — the original file is never sent externally.
Roles: MB Rinkis Darbą processes your CV data as a data controller, and Google LLC acts as a data processor under the paid-tier Gemini API terms and Google's Cloud Data Processing Addendum. Under those terms, Google is not permitted to use your prompts or responses to improve its products or train its AI models, and your CV data is not used to train models on either Google's or Rinkis Darbą's side.
Safety and security logging: Google logs prompts and responses for a limited period solely to detect and prevent violations of Google's Prohibited Use Policy and to meet legal and regulatory obligations. This logging is time-limited and is separate from model training (source: Google Gemini API Additional Terms of Service).
International transfers and data location: Google does not guarantee EU-only storage — data transmitted to Google may be stored transiently or cached in any country where Google maintains facilities. The legal basis for transfers from the EU to the US and other third countries is the EU–US Data Privacy Framework (DPF), under which Google LLC is certified, with Standard Contractual Clauses (SCCs) as a supplementary safeguard.
We also use AI (Google Gemini) to enrich job listing data: extracting skills, classifying job functions, inferring seniority levels, normalising salaries, and translating job titles. This processing applies to job listing content, not to your personal data.
We have assessed the data protection implications of our AI processing in accordance with GDPR requirements.
5. Automated Decision-Making and Profiling
In the interest of transparency (GDPR Art. 22 / Art. 13(2)(f)):
- Match scores — when you upload a CV, our system automatically generates match scores for all active job listings. These scores reflect how closely a listing matches your profile based on skills, experience, seniority, and job function. Match scores are AI-assisted estimates — they do not determine your eligibility for any position.
- Salary estimates — salary figures displayed on the platform are statistical calculations from aggregated listing data. They are estimates, not guarantees.
You are not subject to decisions based solely on automated processing that produce legal effects or similarly significant effects concerning you. Match scores and salary estimates are informational tools to help you discover relevant listings.
You can contact us at info@rinkisdarba.lt to request an explanation of how your match scores are generated or to raise any concerns about automated processing.
6. Analytics
We use Umami Cloud for aggregate traffic statistics. Umami is privacy-focused: it does not use cookies, does not collect personal data, and does not track individual users. We see page view counts and referral sources — nothing tied to individual users.
7. Cookies
We use three cookies:
- A session cookie (HttpOnly, Secure, SameSite=lax) that keeps you logged in. Strictly necessary for the service to function.
- A CSRF token cookie (Secure, SameSite=lax) for security on form submissions. Strictly necessary for the service to function.
- A lang cookie (Secure, SameSite=lax) — stores your chosen language (Lithuanian or English) for one year so you don't need to re-select it each visit. Functionality cookie; contains no personal data.
Session and CSRF cookies are strictly necessary; the language cookie is a functionality cookie (remembering your preference). We do not use any tracking, advertising, or analytics cookies. Under the Lithuanian Electronic Communications Law (Elektroninių ryšių įstatymas), none of these cookies require prior consent, so no cookie consent banner is shown.
8. Data Storage and International Transfers
Your data is stored on a Hetzner Cloud server located in Helsinki, Finland (EU). Passwords are hashed with bcrypt and never stored in plain text. All connections to the site use HTTPS.
International transfers: When you upload a CV, the extracted text is transmitted to Google's API infrastructure for processing. Google is certified under the EU–US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795). Standard Contractual Clauses (SCCs) are also in place as a supplementary transfer mechanism.
Transactional emails are sent via Resend, a US-based service certified under the EU–US Data Privacy Framework with SCCs as backup.
Error monitoring data may be processed by Sentry (US-based, DPF-certified, SCCs in place). This data is technical in nature and may include IP addresses in error reports.
9. Data Retention
- Account data — retained until you delete your account.
- Account deletion — under GDPR Art. 17 (right to erasure), when you delete your account all personal data (profile, CV data, saved jobs, reviews, feedback, preferences) is removed without undue delay, and no later than 30 days from your request. Data in automated backups is overwritten on the next backup rotation cycle. Under GDPR Art. 19 (notification obligation to processors), we notify our processors (Google, Resend, Sentry) of deletion requests where applicable.
- Job listing data — sourced from public employer listings and does not contain personal data about job seekers. This data is retained indefinitely for historical market analysis purposes.
- Session data — login sessions are automatically cleaned up periodically.
- Issue reports — retained for 2 years from submission or until account deletion, whichever is sooner. Issue reports tied to your account are deleted together with your account.
- Job listing click history — retained for 12 months on a rolling basis; afterwards aggregated into summary statistics without individual identifiers.
- Email delivery status (bounces, complaint flags) — retained for the lifetime of the account; used to manage email deliverability and stop sending to unreachable addresses.
- Talent Pool data — if you have enabled the Talent Pool feature, additional retention rules (including 3 years for consent records after withdrawal) are set out in our Privacy Addendum.
10. Your Rights (GDPR)
As a data subject under GDPR, you have the following rights:
- Access (Art. 15) — download all your data as JSON via Account Settings → Export Your Data.
- Erasure (Art. 17) — permanently delete your account and all associated data via Account Settings → Delete Account.
- Rectification (Art. 16) — edit your profile and preferences at any time via your Profile.
- Portability (Art. 20) — your data export is provided in machine-readable JSON format. The export includes aggregate counts of your platform activity but does not include identifiers of other users you interacted with — for example, recruiters receive a monthly count of profile views, not the IDs of specific candidates viewed.
- Restriction (Art. 18) — request restriction of processing by contacting info@rinkisdarba.lt.
- Objection (Art. 21) — object to processing based on legitimate interest by contacting info@rinkisdarba.lt.
- Withdraw consent (Art. 7(3)) — you may withdraw consent at any time (e.g. unsubscribe from weekly emails via Account Settings). Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
- Complaint — you have the right to lodge a complaint with the Lithuanian State Data Protection Inspectorate (VDAI):
Valstybinė duomenų apsaugos inspekcija, L. Sapiegos g. 17, 10312 Vilnius
ada@ada.lt · https://vdai.lrv.lt
Under Lithuanian law (ADTAĮ), you are encouraged to contact us first to resolve the matter directly before filing with VDAI.
To exercise any of these rights, contact us at info@rinkisdarba.lt. We will respond within 30 days.
11. Third-Party Services
- Google Gemini API — AI processing of CV text (skills/experience extraction) and job listing enrichment. Processes: extracted CV text and public listing content. Location: Google Cloud infrastructure (DPF-certified, SCCs in place).
- Resend — transactional email delivery. Processes: your email address, email content. Purpose: password resets, email confirmations, weekly job match shortlists. Location: US (DPF-certified, SCCs in place).
- Sentry — error monitoring. Processes: technical request data, which may include IP addresses. Purpose: identifying and fixing software errors. Location: US (DPF-certified, SCCs in place).
- Umami Cloud — privacy-preserving analytics. US-based service (Umami Software, Inc.). Processes: no personal data; no cookies. Purpose: aggregate page view statistics.
- Hetzner Cloud — server hosting. Location: Helsinki, Finland (EU). All platform data is stored on Hetzner infrastructure.
- Zoho Mail — inbound email reception (info@rinkisdarba.lt). Processes: sender email addresses and message content. Purpose: handling contact enquiries. Location: EU data centres (GDPR compliance policy in place).
No data is shared with advertisers or data brokers.
Public data sources: public-facing salary statistics and company profiles are derived from publicly available Lithuanian government data (Sodra payroll records, Užimtumo tarnyba job listings) and company career pages. No personal data of registered platform users is used in public analytics. To protect the privacy of employees at small employers, Sodra-derived salary statistics on company profile pages are shown only for companies with 5 or more employees; detailed distribution metrics (P25/P75) and gender pay gap figures are shown only for companies with 10 or more employees.
12. Children
Rinkis Darbą is not intended for users under the age of 14. We do not knowingly collect personal data from children under 14.
If we become aware that we have collected personal data from a child under 14, we will delete it promptly.
13. Email Communications
Transactional emails (password resets, email confirmations) are sent as part of the service and do not require marketing consent.
Weekly job match shortlist is an opt-in feature. You can enable or disable it at any time via Account Settings. Your preference is stored and respected immediately.
We do not send unsolicited marketing emails. Your consent for the weekly shortlist is separate from your agreement to the Terms of Use and Privacy Policy.
Every email includes an unsubscribe link.
14. Changes to This Policy
We may update this policy from time to time. We will notify registered users by email of material changes. The date at the top of this page reflects when the policy was last revised.
15. Contact
MB Rinkis Darbą (company no. 307633488), operating the platform at Rinkis Darbą, Vilnius, Lithuania. Email: info@rinkisdarba.lt.