PRIVACY POLICY

EFFECTIVE DATE: 26.03.2026

1. GENERAL PROVISIONS

This Privacy Policy describes how ONEJOB OÜ (registry code 17092880, hereinafter the Company) processes personal data in connection with the use of the onejob.ee website and web application, including all forms, booking flows, and features offered through it, and in the course of providing its Software as a Service (SaaS) platform to business clients.

The Company acts as a data controller in respect of website visitors, marketing and interest-registration contacts, demo enquiries, and its own client-facing activities. When providing the ONEJOB platform to business clients under a SaaS Agreement, the Company acts as a data processor on behalf of those clients, who are the data controllers for their own users’ and end-customers’ personal data.

Processing is carried out in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Estonian data protection law.

2. ROLES AND RESPONSIBILITIES

A key feature of the ONEJOB platform is the embeddable client inquiry form, which client organisations integrate into their own websites. When end-customers of a B2B client submit data through such an embedded form, that data flows directly into the ONEJOB system. In this context, the B2B client is the data controller who determines the purpose and means of collection; ONEJOB acts as processor handling that data on the client’s behalf in accordance with the Data Processing Agreement (ANNEX 3) of the SaaS Agreement.

B2B clients are responsible for providing their own users and end-customers with appropriate transparency notices, for ensuring a lawful basis for processing, and for configuring the platform (including retention settings) in accordance with their data protection obligations.

3. PERSONAL DATA WE PROCESS

The specific data collected depends on how you interact with ONEJOB. The following table sets out all processing activities, the data involved, the legal basis, and retention period.

Activity	Data collected	Legal basis	Retention
Account creation & service provision	Name, email, phone, address, account data	Art. 6(1)(b) — contract	Duration of account + 60 days
Register Interest form (launch notifications)	Email address	Art. 6(1)(a) — consent	Until unsubscribed or erasure requested
Contact form enquiries	Name, email, message content	Art. 6(1)(f) — legitimate interest	Until enquiry resolved, max. 2 years
Demo booking via Calendly	Name, email, calendar/timezone (processed by Calendly)	Art. 6(1)(b) — pre-contractual steps	Governed by Calendly privacy policy
SaaS platform — B2B client data (processor role)	As per DPA Schedule 1	Determined by client as controller	Per client retention policy or 60 days post-termination
Free trial accounts	Account data, usage data	Art. 6(1)(b) — pre-contractual steps	Deleted 30 days after trial expiry if no conversion
Security & access logs	IP address, access logs, technical data	Art. 6(1)(f) — legitimate interest	Minimum necessary for security purposes
Accounting & compliance	Invoice and transaction data	Art. 6(1)(c) — legal obligation	7 years (Estonian Accounting Act)

Within the SaaS platform, the categories of personal data processed on behalf of B2B clients (including employee data, end-customer contact details, job records, and communication data) are governed by the applicable Data Processing Agreement and are determined by each client as data controller.

4. SPECIFIC DATA COLLECTION ACTIVITIES

Register Interest form.

The Register Interest page (onejob.ee/en/register-interest/) collects your email address so that ONEJOB can notify you about the platform launch and related updates. You may unsubscribe at any time by unsubscribe link included in every communication.

Contact form.

The contact form at onejob.ee/en/kontakt/ collects your name, email address, phone number, and message content for the purpose of responding to your enquiry. This processing is based on ONEJOB’s legitimate interest in communicating with prospective clients and in providing customer support. Data submitted via the contact form is retained until the enquiry is resolved and for a reasonable period thereafter (up to two years), unless you request earlier deletion.

Demo booking via Calendly.

The ‘Book a Demo’ button on the website redirects to Calendly (calendly.com), a third-party scheduling service operated by Calendly, Inc. (United States). When you book a demo, Calendly collects your name, email address, and calendar/timezone information directly. ONEJOB receives the booking details (name, email, chosen time) to prepare for and conduct the demo. The data collected by Calendly is governed by Calendly’s own privacy policy. ONEJOB’s use of Calendly constitutes a subprocessor engagement; appropriate data processing safeguards are in place.

Free 14-day trial.

ONEJOB offers a free 14-day trial. During the trial, account data and platform usage data are processed on the same basis as a paid subscription (performance of pre-contractual steps, Art. 6(1)(b) GDPR). If no subscription is taken up after the trial period expires, all account and usage data will be permanently deleted within 30 days of trial expiry. You will be notified before deletion.

Automated reminders and feedback emails.

The ONEJOB platform sends automated email reminders to both employees and clients ahead of scheduled jobs, and a feedback request email to end-clients after job completion. These communications are sent on behalf of, and at the instruction of, the B2B client who is the data controller for their employees’ and customers’ contact details. ONEJOB processes this data as a data processor. B2B clients are responsible for ensuring that their employees and end-customers have been appropriately informed of such communications.

5. IMAGES AND FILE UPLOADS

Users may upload images and files to the ONEJOB platform in connection with tasks, jobs, or accounts. Such content is processed solely for the purpose of providing the service and managing accounts. Uploaded content is visible to other platform users only if explicitly shared by the uploading user. The Company does not use uploaded content for any other purpose.

6. COOKIES AND THIRD-PARTY LINKS

The web application uses the following categories of cookies:

Essential cookies: required for core functionality and security; no consent required
Functional and analytical cookies: used to improve usability and analyse platform usage; consent is requested before these are set
Marketing cookies: used to display relevant content where applicable; consent is required

Users may manage or restrict cookies at any time through their browser settings or via the cookie consent mechanism on the platform. For full details, including a list of specific cookies and their retention periods, see the Cookie Policy at onejob.ee/en/kupsiste-poliitika/.

Social media links.

The ONEJOB website contains links to the company’s profiles on Instagram, Facebook, and LinkedIn. Clicking these links will take you to third-party platforms that operate under their own privacy policies and terms of service. Company does not control the data practices of these platforms. If social media tracking technologies (such as pixels or tags) are used on the onejob.ee website, this will be disclosed in the Cookie Policy and managed through the cookie consent mechanism.

7. DATA SHARING AND SUBPROCESSORS

Personal data is not sold or rented. Data may be shared with the following categories of recipients:

Subprocessors — trusted technology service providers engaged to deliver parts of the platform infrastructure
Professional advisors — legal, audit, or financial advisors bound by confidentiality obligations
Competent authorities — where required by law or court order, to the minimum extent necessary

The Company currently engages the following subprocessors:

Subprocessor	Location	Service
Microsoft Corporation	North Europe (EEA)	Cloud infrastructure and data hosting (Microsoft Azure)
Zone Media OÜ	Estonia (EEA)	Website hosting
Calendly, Inc.	United States *	Demo booking and scheduling (third-party redirect)

* Calendly, Inc. is based in the United States. Bookings submitted through the Calendly scheduling tool are subject to Calendly’s own privacy policy. ONEJOB ensures that appropriate safeguards are in place for any personal data received from Calendly in connection with demo bookings.

Where the Company engages a new subprocessor that will process personal data on behalf of a B2B client, the client will be notified in advance in accordance with the Data Processing Agreement.

8. INTERNATIONAL TRANSFERS

Personal data is not transferred outside the European Economic Area (EEA) unless adequate safeguards under Chapter V GDPR are in place. All primary infrastructure subprocessors (Microsoft Azure, Zone Media OÜ) are located within the EEA.

Calendly, Inc. is based in the United States. Data submitted through the Calendly booking tool is transferred to the US under appropriate GDPR transfer mechanisms as described in Calendly’s privacy policy. Company’s receipt of booking confirmation data from Calendly does not involve a separate transfer outside the EEA.

Where additional subprocessors located outside the EEA are engaged in the future, the Company will ensure that an adequate transfer mechanism (such as EU Standard Contractual Clauses) is in place before any transfer takes place.

9. DATA RETENTION

Personal data is retained only for as long as necessary for the purpose for which it was collected, or as required by applicable law. The retention periods for each processing activity are set out in the table in Section 3. Key periods are:

Active accounts: for the duration of the active account or service relationship
After termination: erased or anonymised within 60 days, unless law requires longer retention
Free trial accounts: deleted within 30 days of trial expiry if no subscription is taken up
Register Interest / marketing contacts: until consent is withdrawn
Contact form enquiries: until resolved, up to 2 years
Accounting records: 7 years (Estonian Accounting Act)
Security and access logs: minimum period necessary for security purposes

B2B clients may configure their own data retention policies within the ONEJOB platform. Where no client-configured policy is in place, the default 60-day post-termination retention period applies.

10. DATA SUBJECT RIGHTS

Individuals whose personal data the Company processes as controller have the following rights under the GDPR:

Access their personal data
Rectification of inaccurate data
Erasure (‘right to be forgotten’)
Restriction of processing
Object to processing
Withdraw consent at any time (without affecting prior lawful processing)
Data portability
Lodge a complaint with a supervisory authority

To exercise any of these rights, please contact us at the details in Section 13. We will respond within one month of receiving a verifiable request.

Note for employees and end-customers of B2B clients If your personal data is processed within the ONEJOB platform by a business that uses our service (e.g. your employer, a cleaning company, or a property manager), that business is the data controller for your data. Please contact them directly to exercise your rights. ONEJOB will forward any requests received directly to the relevant client without undue delay and will not respond to such requests without the client’s authorisation.

Complaints may be lodged with the Estonian Data Protection Inspectorate (www.aki.ee) or with the supervisory authority in your country of residence.

11. DATA SECURITY AND BREACH NOTIFICATION

The Company implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Key measures include:

Encryption of data at rest and in transit (TLS)
Access controls and multi-factor authentication
Role-based access management with documented removal processes
Regular security reviews and vulnerability assessments
Automated monitoring and alerting for suspicious activity
Daily data backups stored in cloud infrastructure

No online transmission is fully secure, and the Company cannot guarantee absolute security. We are committed to maintaining appropriate safeguards and responding promptly to any security incidents.

Personal data breach notification In the event of a personal data breach, the Company will notify affected B2B clients within 72 hours of becoming aware of the breach, where feasible. Notification will include the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed. Where notification of the supervisory authority or affected individuals is required, the Company will provide all necessary support to the data controller.

Security incidents that do not result in unauthorised access to personal data (e.g. unsuccessful login attempts, port scans, or firewall-blocked attacks) do not trigger notification obligations.

12. CHANGES TO THIS POLICY

The Company may update this Privacy Policy from time to time to reflect changes in its services, applicable law, or data processing practices.

The current version of this Privacy Policy is always available at onejob.ee/en/privaatsuspoliitika/. The effective date at the top of this page indicates when the policy was last updated.

13. CONTACT

For any questions regarding this Privacy Policy, to exercise your data subject rights, or to unsubscribe from marketing communications, please contact us :

1. Общие положения

Настоящая политика конфиденциальности описывает, как ONEJOB OÜ (регистрационный код 17092880, далее – Компания) обрабатывает персональные данные в связи с использованием веб-приложения onejob.ee.
Компания является контролером персональных данных в соответствии с Общим регламентом по защите данных Европейского Союза (ЕС) 2016/679 (GDPR).

2. Обрабатываемые персональные данные

Компания может обрабатывать следующие персональные данные:

адрес электронной почты
номер телефона
адрес
данные, связанные с учетной записью и профилем
изображения и файлы, загруженные пользователем
технические данные (IP-адрес, информация об устройстве, логи)

3. Цели и правовые основания обработки персональных данных

Персональные данные обрабатываются для следующих целей и на следующих правовых основаниях:

исполнение договора – создание учетной записи, предоставление и администрирование услуги
выполнение обязательств по закону – бухгалтерский учет и отчетность
законный интерес – безопасность сервиса, развитие и анализ
согласие пользователя – маркетинговые уведомления и необязательные cookies

4. Обработка изображений и файлов

Пользователь может загружать изображения и другие файлы. Они используются исключительно для предоставления услуги и обеспечения функциональности учетной записи. Изображения видны другим пользователям только в случае, если пользователь сам поделился ими через соответствующие функции.

5. Cookies

Веб-приложение использует cookies:

необходимые cookies – для работы сервиса
функциональные и аналитические cookies – для улучшения пользовательского опыта

Для использования аналитических и маркетинговых cookies запрашивается отдельное согласие пользователя. Пользователь может ограничить использование cookies в настройках своего браузера.

6. Передача данных третьим лицам

Персональные данные могут передаваться надежным поставщикам услуг (например, IT- и облачные сервисы) только в объеме, необходимом для предоставления услуги.
Персональные данные не продаются и не сдаются в аренду.

7. Передача данных за пределы ЕС

Персональные данные не передаются за пределы Европейской экономической зоны, за исключением случаев, когда применяются меры защиты, соответствующие GDPR.

8. Хранение данных

Персональные данные хранятся до тех пор, пока это необходимо для предоставления услуги или выполнения обязательств по закону. При удалении учетной записи персональные данные удаляются, за исключением случаев, когда закон требует их сохранения.

9. Права субъекта данных

Пользователь имеет право:

ознакомиться со своими персональными данными
требовать исправления или удаления данных
ограничить или оспорить обработку данных
отозвать ранее данное согласие
запросить перенос данных
подать жалобу в Инспекцию по защите данных (www.aki.ee)

10. Безопасность данных

Мы применяем соответствующие технические и организационные меры для защиты персональных данных. Однако передача данных через интернет не может считаться полностью безопасной.

11. Изменения политики конфиденциальности

Компания имеет право изменять политику конфиденциальности. О существенных изменениях пользователи будут уведомлены через веб-приложение или по электронной почте.

12. Контакт

ONEJOB OÜ
Регистрационный код: 17092880
E-mail: