Privacy Policy
Effective date: April 7, 2026 · Version: 1
1. Who We Are
This Privacy Policy explains how KOSSIORIS CHRISTOS ("we", "us", "our", or "JobNRoll") processes personal data when you use the JobNRoll mobile app, any associated web app or public pages, and related support channels.
Controller details:
- Legal name: KOSSIORIS CHRISTOS
- Registered address: PEIRAIOS 16-18, ATHENS
- Support email: info@elpidajob.gr
- Privacy email: info@elpidajob.gr
2. Scope
This Policy applies to:
- candidate accounts;
- company or employer-side accounts;
- public profile and job-listing pages made available through the service;
- support, moderation, account-management, billing, and security processes linked to the service.
This Policy does not govern third-party services that you choose to use separately, such as Apple, Google, or your mobile app store, except to explain how our service interacts with them.
3. Categories Of Personal Data We Collect
The current repository shows the following data categories.
Data collected directly from users:
- account data, such as email address and chosen sign-in method;
- candidate profile data, such as first name, last name, profile description, desired role/category, age confirmation, optional gender field, location, languages, experience, avatar, phone number, and email address;
- company profile data, such as company name, description, logo, location, phone number, VAT ID, and company contact email where provided;
- job-marketplace data, such as job listings, job photos, salary range fields, work pattern fields, perks, and application messages;
- moderation data, such as content reports, report reasons, and report details;
- support data that you send to us by email, phone, or other support channels.
Data collected automatically:
- account and session metadata from Supabase Auth;
- device-level service data such as device ID, platform, locale, app version, last-seen timestamp, and push-notification token/status when push is enabled;
- service-security data such as rate-limit events, write-gating checks, and operational error logs;
- limited local-storage or similar client-side state in the web build, such as device_id, preferred_language, app_config_cache_v1, hide_good_choice, and job-specific cooldown keys.
We did not identify an app analytics SDK, ad SDK, crash-reporting SDK, or session-replay SDK in the current repository.
Data from third parties:
- Google or Apple account data if you sign in using Google Sign-In or Sign in with Apple;
- location normalization results returned by Google Places when you use location search;
- purchase and entitlement event data returned by RevenueCat and the mobile app stores for paid features;
- public URLs or media metadata required to display uploaded images.
4. Data Collected Directly From Users
You may provide us with:
- your email address to receive one-time sign-in codes;
- optional profile and contact details;
- company information and job listings if you use the employer/company side of the service;
- uploads such as avatars, logos, and job photos;
- job-application content and other user-generated content;
- reports about content or users;
- messages or information you send through support channels.
5. Data Collected Automatically
The repository indicates that we automatically collect or generate:
- authentication/session state;
- technical account/device records in user_visits and devices;
- push token and push permission status when notifications are enabled;
- security and abuse-prevention records such as rate-limit entries and some audit/operational logs;
- local preference and cache data on device or browser storage.
The current web implementation appears to use in-memory storage for authenticated Supabase sessions rather than persistent browser cookies for sign-in persistence.
6. Data From Third Parties
If you choose third-party login or other third-party-dependent features, we may receive:
- your Google or Apple account identifier and profile metadata needed to create or complete your account;
- location lookup results from Google Places based on the text you enter;
- purchase status, entitlement, and product information from RevenueCat and the relevant app store.
7. Why We Process Data And The Legal Bases We Rely On
We process personal data for the following purposes.
- Create and manage accounts: email, auth IDs, session data, and provider metadata. Legal basis: contract.
- Provide candidate and company profiles, job listings, and applications: profile, company, listing, application, contact, and upload data. Legal basis: contract.
- Publish public-facing marketplace content: public profile/listing fields and public media. Legal basis: contract; legitimate interests in operating a public marketplace.
- Enable optional third-party sign-in: Google/Apple login data. Legal basis: contract, based on your use of that sign-in option.
- Provide location autocomplete and normalized place results: search query, place ID, and location results. Legal basis: contract when you use the feature.
- Deliver push notifications if you enable them: push token, device data, and notification routing data. Legal basis: consent for the push channel; contract or legitimate interests for the content of enabled service notices.
- Operate paid features and entitlements: app user ID, product/entitlement data, and job credits. Legal basis: contract; legal obligation for accounting where applicable.
- Provide support and respond to requests: support content and account details. Legal basis: contract; legitimate interests.
- Moderate content, investigate abuse, enforce rules, and keep the service secure: report data, block data, audit/rate-limit data, and logs. Legal basis: legitimate interests; legal obligation where required.
- Handle data subject requests, exports, and deletion workflows: export payloads, account records, and request metadata. Legal basis: legal obligation; contract for self-service account tools.
- Remove stale accounts after prolonged inactivity: user ID, last-seen data, and warning-notification data. Legal basis: legitimate interests in data minimization and storage limitation.
We do not rely on consent where the service appears to operate on a contract or legitimate-interests basis, except where the implementation suggests consent is needed, such as optional push notifications and the current optional gender-field handling.
When you provide the optional gender field, the service records a separate gender_data_processing consent for that field.
8. Account Creation And Authentication
The current implementation supports:
- email one-time-code authentication;
- Google Sign-In / Google OAuth;
- Sign in with Apple.
When you sign in with Google or Apple, we may receive and store basic account metadata such as your name and avatar URL to help populate your profile.
9. Payments And Billing
The repository shows paid features implemented through RevenueCat and app-store-managed purchases. We did not identify direct payment-card collection by this codebase.
This means:
- Apple or Google may process your payment details directly under their own terms;
- RevenueCat may process purchase event data, entitlement status, app user IDs, and related identifiers to manage your purchases and restores;
- we may store linked records such as billing customer IDs, entitlements, and company job-credit events.
Current paid offerings are one-time purchases managed through RevenueCat and the relevant app store.
10. Communications
We may send:
- transactional or operational communications, such as sign-in codes, account-related messages, and service notices;
- push notifications for job applications, job-listing expiry, and inactivity warnings if you enable push on your device.
The current repository does not show a marketing-email, marketing-SMS, or ad-attribution stack.
If marketing communications are later enabled, we will apply the consent or opt-out rules required under GDPR and Greek electronic communications rules.
11. Support Requests
If you contact us for support, we will process the information needed to respond to you, troubleshoot problems, and document the request.
The repository shows in-app support contact points but does not reveal the full support tooling behind those channels.
12. Analytics, Performance, And Diagnostics
We did not identify a dedicated analytics SDK, crash-reporting SDK, or session-replay SDK in the repository scanned for this draft.
We did identify:
- device and visit records used for service operation;
- operational console logging in some client and server code;
- rate-limiting and audit records for security and manual administrative actions.
If we add separate analytics or diagnostic tools later, we will update this Policy where required.
13. Cookies, SDK Identifiers, And Similar Technologies
If you use a web version of the service, the current code indicates use of browser storage or similar technologies for:
- remembering preferred language;
- storing a device identifier used for operational device records;
- caching app configuration;
- storing limited UI preferences and cooldown values.
Based on the repository, we did not identify non-essential analytics cookies, advertising cookies, pixels, or session-replay tags.
Strictly necessary or user-requested storage technologies may not require consent under applicable EU/Greek ePrivacy rules, but optional analytics or advertising technologies generally would.
See the separate Cookie Notice for the current storage inventory.
14. Advertising And Attribution
No advertising SDK, mobile measurement partner, or attribution SDK was identified in the current repository.
If we add advertising or attribution tools later, we will update this Policy where required.
15. User-Generated Content And Uploads
Users can create and upload content, including:
- profile descriptions;
- company descriptions;
- job listings and job photos;
- experience history and other free-text profile content;
- job-application messages;
- content reports.
The repository indicates that avatars, company logos, and job photos are stored in public storage buckets. Public job listings and public profile pages may display some of this content to other users and, in some cases, public visitors.
You should not upload personal data about others unless you have a lawful basis to do so. You also should not include special-category or unnecessary personal data in public or free-text fields unless clearly required.
16. AI Features, Automated Processing, And Profiling
We did not identify an AI or LLM integration in the current repository.
The service may still use profile attributes, job attributes, filters, and simple matching logic to present jobs or candidates.
If we add ranking, recommendation, profiling, or AI features that materially affect users, we will update this Policy where required.
17. How We Share Data
We may share personal data with:
- Supabase, which appears to host authentication, database, storage, and function infrastructure;
- RevenueCat and the relevant app store for paid-feature processing;
- Google and Apple if you use their login services;
- Google Places when you use location search;
- Expo and push-delivery infrastructure when you enable push notifications;
- other users or public visitors where the service intentionally publishes public profile, company, listing, or media content;
- service personnel, moderators, or support personnel on a need-to-know basis;
- courts, regulators, law-enforcement authorities, or other parties where required by law or to protect rights, safety, or the integrity of the service.
We do not state that we "never share data," because the current codebase clearly depends on several third-party service providers and public-sharing features.
18. Service Providers / Processors
Based on repository evidence, the main third-party service providers or relevant external services are:
- Supabase;
- RevenueCat;
- Google Places API;
- Google Sign-In / Google OAuth;
- Sign in with Apple;
- Expo Push;
- Apple App Store;
- Google Play.
See the separate Subprocessors / Third-Party Services list for a more detailed operational table.
19. International Transfers
Some of our service providers may process personal data outside Greece or outside the EEA, or may permit remote access from outside the EEA.
Where required, we expect transfers to rely on an adequacy decision, the European Commission's Standard Contractual Clauses, or another lawful transfer mechanism.
The actual hosting region, subprocessors, and transfer mechanism may depend on the provider configurations in effect at the time.
20. Retention
We keep personal data only for as long as necessary for the purposes described above, unless a longer period is required by law.
The current repository supports or suggests the following:
- Inactive accounts: the inactivity_cleanup function deletes accounts after about 6 months of inactivity, with warning notifications around 30 days and 3 days before deletion if push notifications are available.
- Rate-limit events: the SQL includes a purge function that removes old rate-limit events after 24 hours.
- Push token/device records: these appear to be updated, replaced, or disabled over time and removed on account deletion, but no separate fixed period is stated.
- Export files: the current implementation returns export data inline to the device and does not store a server-side export file in normal flow.
- Export request metadata, consent records, reports, audit logs, billing records, and general marketplace records: no complete production retention schedule was confirmed from repository evidence.
We may update this Policy with more detailed retention periods by record type where required.
21. Security
The repository includes several technical measures, including:
- authentication through Supabase Auth;
- row-level security in the database;
- service-role use in server-side functions for privileged tasks;
- secure mobile session storage through expo-secure-store;
- explicit account-deletion reauthentication checks;
- rate limiting and audit logging for some sensitive operations.
No claim is made here about certifications, formal penetration testing, or a specific security standard unless separately verified.
22. Children / Age Limits
The onboarding flow requires users to confirm that they are not under 18. On that basis, the service is intended for adults and is not designed for children under 18.
If we learn that the service is being used in breach of this rule, we may suspend or delete the relevant account and associated data where appropriate.
No additional age-verification mechanism is currently described in this Policy beyond the onboarding confirmation.
23. Your Rights Under GDPR
Subject to applicable law, you may have the right to:
- access your personal data;
- obtain a copy of your data in a portable format where applicable;
- correct inaccurate or incomplete data;
- request deletion of your data;
- object to certain processing;
- request restriction of processing;
- withdraw consent where processing is based on consent;
- lodge a complaint with a supervisory authority.
The app currently shows self-service export and account-deletion functionality. Other rights processes should also be supported through our privacy contact channel.
24. How To Exercise Rights
You can exercise rights by:
- using in-app account tools where available, including profile editing, data export, and account deletion;
- contacting us at info@elpidajob.gr;
- providing enough information for us to verify your identity and locate the relevant account.
We may need to verify your identity before completing a request. Under GDPR, we generally aim to respond within one month, subject to lawful extensions.
25. Complaints To The Hellenic Data Protection Authority
If you believe our processing infringes applicable law, you can complain to the Hellenic Data Protection Authority (HDPA), especially if you are in Greece.
HDPA details should be checked before publication, but the authority is generally referenced at:
- Website: https://www.dpa.gr/
If you are in another EU/EEA country, you may also contact your local supervisory authority.
26. Changes To This Policy
We may update this Policy from time to time to reflect legal, technical, or product changes.
When we do, we will update the effective date and, where required, provide additional notice.
27. Contact Details
For privacy questions, support, or rights requests, contact:
- KOSSIORIS CHRISTOS
- PEIRAIOS 16-18, ATHENS
- info@elpidajob.gr