1 Name and Address of the Responsible Party
The responsible party according to Art. 4 No. 7 of the EU General Data Protection Regulation (GDPR) is:
TODAY Experts GmbH
Favoritenstraße 34/Top 11
1040 Vienna, Austria
Phone: +43 1 504 80 90‑0
E‑mail: office@today-experts.com
2 Contact Option for Data‑Protection Inquiries
TODAY Experts GmbH
Favoritenstraße 34/Top 11
1040 Vienna, Austria
Phone: +43 1 504 80 90‑0
E‑mail: dataprotection@today-experts.com
3 General Information on Data Processing
3.1 Scope of Processing Personal Data
Personal data are any information relating to an identified or identifiable natural person. We collect and use personal data of our users only insofar as it is necessary to provide a functional website and to present our content and services. Collection and use occur only after the user’s consent, except where processing is permitted by law.
3.2 Legal Bases for Collecting and Processing Your Personal Data
• Consent – Art. 6 (1) (a) GDPR.
• Performance of a contract – Art. 6 (1) (b) GDPR (covers pre‑contractual measures as well).
• Legal obligation – Art. 6 (1) (c) GDPR.
• Vital interests – Art. 6 (1) (d) GDPR.
• Legitimate interests – Art. 6 (1) (f) GDPR (provided the data subject’s rights do not override those interests).
3.3 Data Deletion and Retention Period
Personal data are deleted or blocked as soon as the storage purpose no longer exists. Additional storage may occur when required by EU or national law. Deletion also happens when a statutory retention period expires, unless continued storage is needed for contract performance or other legal reasons.
4 Provision of the Website and Creation of Logfiles
When you access and use our website, your browser automatically sends certain data to our server. These data are temporarily stored in logfiles.
Collected data:
• IP address (anonymised – last octet set to 0). Stored only for troubleshooting and deleted once logs reach a predefined length.
• Date and time of access – stored when logged‑in users edit data; removed when an account is deleted.
These logs do not combine the IP address with other personal identifiers.
4.1 Legal Basis for Processing
Art. 6 (1) (f) GDPR – the processing is necessary for providing the website and protecting a legitimate interest of the controller.
4.2 Retention Period
The IP address is kept only for the duration of the session, which is required to deliver the website to the user’s device.
5 Use of Cookies
Cookies are small text files stored in the browser’s cache. They enable the website to recognise your browser on subsequent visits. Cookies cannot execute programs or contain viruses.
We use cookies to improve usability; some site elements require the browser to be identified across page changes. Cookies may be technically necessary or serve other purposes.
5.1 Session Cookies vs. Persistent Cookies
• Session cookies – deleted automatically when the browser is closed.
• Persistent cookies – remain on the device to remember login credentials, settings or preferences for future visits. Their lifespan varies per cookie; users can delete them manually via browser settings.
5.2 Technically Necessary Cookies
Only technically necessary cookies are used to ensure core website functionality (navigation, access). Without them the site would not work correctly. Legal basis: Art. 6 (1) (f) GDPR.
5.3 Retention Period
Cookies are deleted when they are no longer needed for the purposes described, especially when deactivated. Longer storage may occur if legally required.
5.4 Legal Basis for Cookie Processing
• Technically necessary cookies: Legitimate interest – Art. 6 (1) (f) GDPR.
• Non‑necessary (third‑party) cookies: User consent required – Art. 6 (1) (a) GDPR. Consent can be withdrawn at any time via browser settings.
5.5 Configuring Browser Settings
All major browsers accept cookies by default. You can block or limit cookies, delete existing cookies, or receive a warning before a cookie is stored. Disabling cookies may reduce website functionality. Refer to your browser’s help menu for detailed instructions.
5.6 Cookies Used on the Site
• sessionid – First‑party (Today Hub). Keeps the user logged in and securely links requests to the account. Expires after up to 14 days or when the user logs out. Classified as a technically required HTTP cookie.
• csrftoken – First‑party (Today Hub). Protects forms from CSRF attacks. Expires after up to 1 year. Classified as a technically required HTTP cookie.
6 Contact Form
6.1 Scope of Processed Personal Data
When you submit the contact form, the following data may be collected:
• Name
• E‑mail address
• Type of inquiry
• Message
Providing this information is voluntary and initiated by you. Consent is obtained at submission, and this privacy policy is referenced.
6.2 Purpose of Processing
To enable you to contact us electronically via the form.
6.3 Retention Period
Data are deleted once the purpose is fulfilled, unless a legal retention period applies. No third‑party sharing occurs without your consent.
6.4 Legal Basis
• With consent: Art. 6 (1) (a) GDPR
• For e‑mail transmission: Art. 6 (1) (f) GDPR
• If the contact leads to a contract: Art. 6 (1) (b) GDPR
7 Applicant Contact
7.1 Scope of Processed Personal Data
When you contact us as a job applicant (e‑mail or online platform), the data you provide are stored in our internal system and an applicant profile is created. Only information necessary for the recruitment process should be supplied; we will request additional data if needed.
If you have a profile on a professional network (e.g., Xing, LinkedIn, StepStone, Karriere.at) or we receive your details as a recommendation, we may process publicly available information from that profile based on our legitimate interest under Art. 6 (1) (f) GDPR. Only data you have published (contact details, uploaded CVs, etc.) are used.
7.2 Purpose of Processing
To create your record, manage the recruitment workflow, and possibly initiate a hiring process. Consent is assumed at submission and can be withdrawn at any time by emailing dataprotection@today-experts.com.
7.3 Retention Period
Applicant data are retained for a maximum of six months and then deleted, unless you request longer storage in our talent pool. Upon request we will stop processing or erase your record.
7.4 Legal Basis
Processing is based on Art. 6 (1) (a) GDPR (your explicit consent). Participation in the recruitment process is voluntary; without it we cannot consider you for a position.
7.5 Service Providers Used for Applicant Data
• monday.com (Israel) – Organises applicant data. We have a Data Processing Addendum (Art. 28 GDPR). Transfers to third countries rely on Standard Contractual Clauses and the EU‑US Data Privacy Framework; data are stored within the EU.
• Microsoft Outlook API (USA) – Sends GDPR confirmations and e‑mail communications. Covered by an Art. 28 GDPR agreement; transfers use SCCs and the EU‑US Data Privacy Framework; Microsoft provides encryption, access controls, and ISO certifications.
• OpenAI (USA) – Provides skill‑normalisation using only non‑personal, abstracted data. Covered by an Art. 28 GDPR agreement; transfers use SCCs and appropriate safeguards.
• Google Locations API (USA) – Supplies approximate geographic references (no personal data). Covered by an Art. 28 GDPR agreement; transfers use SCCs and the EU‑US Data Privacy Framework; Google provides encryption, access controls, and ISO certifications.
8 E‑mail Contact
8.1 Scope of Processed Personal Data
If you contact us via the listed e‑mail address, the personal data contained in that e‑mail are stored and used solely to handle your request.
8.2 Purpose of Processing
To enable communication through e‑mail (or the contact form).
8.3 Retention Period
Data are deleted once the request has been dealt with, unless a legal retention period applies. No third‑party sharing occurs without your consent.
8.4 Legal Basis
• E‑mail transmission: Art. 6 (1) (f) GDPR
• If the e‑mail leads to a contract: Art. 6 (1) (b) GDPR
9 Registration on Our Website
We allow users to register on the site free of charge by providing personal data. The data are entered into a form, transmitted to us, and stored. No data are shared with third parties.
9.1 Scope of Processed Personal Data
During registration the following information is collected:
• E‑mail address
• First name
• Last name
• Telephone number
• Password and password confirmation
• Optional CV upload
• Language skills (German, English, Bulgarian, Hungarian – selectable)
• Preferred language
Technical data stored at registration time:
• User’s IP address
• Date and time of registration
9.2 Purpose of Processing
Registration is required to provide certain content and services on our website. The services are linked to the registered account, and user identification is necessary to deliver them.
9.3 Retention Period
Data are deleted once they are no longer needed for the purpose for which they were collected. This includes data gathered during registration if the registration is cancelled or modified.
9.4 Legal Basis
Consent is obtained from the user during registration. The legal basis is Art. 6 (1) (a) GDPR.
9.5 Revocation of Consent
You may terminate your registration at any time, request amendment or deletion of your data, and withdraw consent. The legality of processing that occurred before withdrawal is unaffected by the revocation.
10 Rights of the Data Subject
If your personal data are processed, you are a data subject under the GDPR and have the following rights with respect to the controller:
• Right of access – Art. 15 GDPR. You may request confirmation of whether we process your data and obtain a copy of the data.
• Right to rectification – Art. 16 GDPR. You may ask us to correct inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”) – Art. 17 GDPR. You may request deletion of your data when the processing no longer has a lawful basis.
• Right to restriction of processing – Art. 18 GDPR. You may ask us to limit the way we use your data while the request is examined.
• Right to data portability – Art. 20 GDPR. You may receive your data in a structured, commonly used, machine‑readable format and transmit it to another controller.
• Right to object – Art. 21 GDPR. You may object to processing based on legitimate interests or direct marketing.
If you receive our newsletter, you may withdraw your consent for its receipt at any time without affecting the lawfulness of processing that was based on consent before the withdrawal.
10.1 Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to other administrative or judicial remedies, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your residence, workplace, or where the alleged violation occurred, if you believe that the processing of your personal data breaches the GDPR.
The supervisory authority that receives the complaint will inform you about the status and outcome, including the possibility of judicial recourse under Art. 78 GDPR.
If you believe that the processing of your data violates data‑protection law or otherwise infringes your rights, you may contact the competent supervisory authority.
In Austria, the authority is:
Austrian Data Protection Authority
Barichgasse 40‑42, 1030 Vienna, Austria
Phone: +43 1 52 152‑0
E‑mail: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/
11 Hyperlinks to Third‑Party Websites
Our websites contain hyperlinks to the sites of other providers. Clicking such links will take you directly to the external site(s). We cannot assume responsibility for the confidential handling of your data on third‑party sites because we have no control over whether those companies comply with data‑protection regulations. Please consult the privacy policies of those external sites directly.
12 Data Security
We are committed to protecting your privacy and treating your personal data confidentially. To prevent manipulation, loss, or misuse of the data we store, we implement extensive technical and organisational security measures that are regularly reviewed and adapted to technological progress.
Nevertheless, due to the nature of the Internet, it is possible that the rules of data protection and the security measures described above are not observed by persons or institutions outside our responsibility. In particular, unencrypted transmissions (for example, e‑mail) can be read by third parties. We have no technical control over such interceptions. It is therefore the user’s responsibility to protect the data they provide, for example by using encryption or other suitable safeguards.
13 Changes to This Privacy Policy
Through the further development of our apps, services, websites, newsletters, and the content and services we offer, it may become necessary to amend this privacy policy. TODAY Experts GmbH reserves the right to modify the privacy policy at any time with effect for the future.
The current version is available at:
https://today-hub.com/legal/privacy/
We recommend that you review the privacy policy periodically to stay informed about any updates.
Date of latest revision: 16 January 2026
Submit a Data Protection Request
Use this form to exercise your rights under GDPR. We will respond within 30 days.