Privacy Policy
How Reqcore collects, uses, and protects your personal data. Covers analytics, cookies, data retention, and your rights under GDPR and CCPA.
Effective date: March 9, 2026
Last updated: March 9, 2026
Reqcore, Inc. ("Reqcore," "we," "us," or "our") operates the Reqcore applicant tracking system available at https://reqcore.com (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have.
If you have questions about this policy, contact us at privacy@reqcore.com.
1. Scope
This policy applies to:
- Visitors to reqcore.com and its subdomains
- Candidates who apply to jobs through the public job board
- Registered users (recruiters, hiring managers, administrators) who operate the Service
- Self-hosted instances only insofar as they connect to Reqcore-operated services (e.g., optional analytics)
Self-hosted deployments operate on your infrastructure. Reqcore has no access to data stored in self-hosted instances unless you explicitly configure a connection to our services.
2. Data We Collect
2.1 Account Data
When you create an account, we collect:
| Data | Purpose |
|---|---|
| Name | Display in the application, team collaboration |
| Email address | Authentication, account recovery, notifications |
| Organization name | Multi-tenant isolation |
2.2 Candidate Application Data
When a candidate submits an application through the public job board, the organization operating the job board is the data controller for that application data. Reqcore acts as a data processor. Application data may include:
- Name, email, phone number
- Resume / CV and cover letter
- Responses to custom application questions
- Any files uploaded during the application process
This data is stored in the organization's database and object storage (MinIO/S3) and is not shared with Reqcore or any third party. For self-hosted deployments, all data remains on the operator's infrastructure.
2.3 Analytics Data
We use PostHog (EU instance: eu.i.posthog.com) for product analytics on the hosted version at reqcore.com. Analytics data is collected only after you grant explicit consent via the cookie banner.
What we collect when you opt in:
| Data | Purpose |
|---|---|
| Page views and page leave events | Understand which features are used |
| Anonymized user ID (UUID, not your name) | Distinguish unique sessions without collecting personal data |
| Organization ID and name (for logged-in users) | Aggregate feature usage by organization |
| Browser and device metadata | Ensure compatibility across platforms |
Data minimisation: Only user IDs (opaque UUIDs) are sent — not names, email addresses, or account creation dates. URL query parameters and fragments are stripped from all captured URLs before transmission to prevent accidental token or PII leakage.
What we do NOT collect:
- Your name, email address, or any directly identifying personal data
- Session recordings
- Autocapture / DOM interaction tracking
- Console logs
- Form inputs or keystrokes
- Survey responses
- Candidate application content
- URL query parameters or fragments (stripped before capture)
PostHog is configured with the following privacy settings:
- opt_out_capturing_by_default: true — No data is collected until you consent
- respect_dnt: true — We honor Do Not Track browser signals
- autocapture: false — No automatic click/form/input tracking
- disable_session_recording: true — No screen recordings
- secure_cookie: true — Cookies are only transmitted over HTTPS
- cross_subdomain_cookie: false — No cross-subdomain tracking
2.4 Technical Data
Our servers automatically log:
- IP addresses (for rate limiting and abuse prevention, not stored long-term)
- HTTP request metadata (method, path, status code, user agent)
These logs are used for security monitoring and are rotated regularly.
3. Cookies and Local Storage
Reqcore uses a minimal set of cookies and local storage entries:
| Name | Type | Purpose | Duration |
|---|---|---|---|
| better-auth.session_token | HTTP-only cookie | Session authentication | Session (expires on logout or after configured timeout) |
| reqcore-consent | Cookie | Stores your analytics consent choice (granted or denied). Shared across reqcore.com and app.reqcore.com via a cross-subdomain cookie. | 1 year |
| reqcore_i18n_redirected | Cookie | Prevents repeated language-detection redirects | Session |
| PostHog cookies (ph_*) | Cookie + Local storage | Analytics session identification (only set after consent) | Up to 1 year |
No third-party advertising cookies are used. No data is sold to third parties.
4. How We Use Your Data
We use personal data for the following purposes:
- Provide the Service — Authenticate users, manage organizations, process job applications
- Improve the Service — Analyze aggregated usage patterns to prioritize features (analytics, opt-in only)
- Security — Rate limiting, abuse prevention, audit logging
- Communication — Account-related emails (password resets, critical security notices)
- Legal compliance — Respond to lawful requests from authorities
We do not use personal data for:
- Advertising or ad targeting
- Selling or renting to third parties
- Automated decision-making or profiling that produces legal effects
- Training AI / machine learning models on your data
5. Legal Bases for Processing (GDPR)
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data under these legal bases:
| Purpose | Legal basis |
|---|---|
| Account management and authentication | Performance of contract (Art. 6(1)(b) GDPR) |
| Analytics | Consent (Art. 6(1)(a) GDPR) — opt-in via cookie banner |
| Security and abuse prevention | Legitimate interest (Art. 6(1)(f) GDPR) |
| Legal compliance | Legal obligation (Art. 6(1)(c) GDPR) |
6. Data Sharing and Sub-processors
We share personal data only with the following categories of service providers:
| Sub-processor | Purpose | Location |
|---|---|---|
| PostHog | Product analytics (opt-in only) | EU (eu.i.posthog.com) |
| Railway | Application hosting | US |
| Cloudflare | CDN and DDoS protection | Global (edge network) |
| GitHub | Source code hosting, authentication (if configured) | US |
We do not sell, rent, or trade personal data. Data is shared with sub-processors only as necessary to operate the Service, under data processing agreements that include appropriate safeguards.
For international transfers from the EEA, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions where applicable.
7. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Until you delete your account |
| Candidate application data | Controlled by the organization operating the job board; Reqcore does not set retention periods for processor data |
| Analytics data | Up to 24 months from collection, then automatically deleted |
| Server logs | Rotated and deleted within 90 days |
| Consent records | Retained as long as the consent is valid, plus 3 years for compliance records |
8. Your Rights
Depending on your jurisdiction, you may have the following rights:
8.1 GDPR Rights (EEA, UK, Switzerland)
- Access — Request a copy of your personal data
- Rectification — Correct inaccurate data
- Erasure — Request deletion of your data ("right to be forgotten")
- Restriction — Limit how we process your data
- Portability — Receive your data in a structured, machine-readable format
- Objection — Object to processing based on legitimate interest
- Withdraw consent — Revoke analytics consent at any time via the cookie banner or by clearing local storage
To exercise these rights, contact privacy@reqcore.com. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority.
8.2 CCPA Rights (California)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Non-discrimination for exercising your rights
To exercise these rights, contact privacy@reqcore.com.
9. Security
We implement appropriate technical and organizational measures to protect personal data, including:
- HTTPS-only connections with HSTS
- HTTP-only, secure session cookies
- Server-side session storage
- Tenant-isolated database queries
- Rate limiting on public endpoints
- Input validation with Zod schemas on all API endpoints
- Proxied document access (no direct S3/MinIO URLs exposed)
For more details, see our Security documentation.
10. Children's Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact privacy@reqcore.com and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the Service or via email. The "Last updated" date at the top of this page indicates when the policy was most recently revised.
Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
12. Contact
For privacy-related inquiries:
- Email: privacy@reqcore.com
- GitHub: github.com/reqcore-inc/reqcore
If you are in the EEA and believe we have not adequately addressed your concerns, you may contact your local data protection authority.