Privacy Policy
Version of 2026-07-10
This document explains what personal data we collect on bauhub-pl.de, why we process it, who we share it with, and what rights you have.
It describes only what the platform actually does. If any statement turns out not to match reality, please contact us — we will correct both the document and the mechanism.
1. Who is the data controller
The controller of your personal data is ASELLES spółka z ograniczoną odpowiedzialnością, Aleja Jana Pawła II 43A/35B, 01-001 Warszawa, NIP 5273115124.
For any matter concerning personal data, write to kontakt@bauhub-pl.de.
We have not appointed a data protection officer.
2. What data we process
The scope depends on the role in which you use the platform.
- Account (all users): email address, first and last name or company name, password stored as an irreversible hash, chosen language, account creation date and last login date.
- Worker profile: occupation, years of experience, languages, availability, location, phone number, CV file, photo, description.
- Brigade profile: name, country and city, phone number, website, description, specialisation, team size, settlement type.
- Company profile: company name, tax identification number, address, contact person, verification status.
- Job offers and applications: offer content, application content, application status.
- Messages: the content of correspondence conducted through the built-in messenger.
- Technical data: IP address and a session token stored in a cookie.
3. Purposes and legal bases
- Creating and maintaining your account and providing the platform's features — Article 6(1)(b) GDPR (performance of a contract).
- Publishing your profile in the public directory and disclosing your contact details and CV to verified companies — Article 6(1)(a) GDPR (your consent). See section 4.
- Email notifications about events in your account, such as registration approval, a new application, or a password reset — Article 6(1)(b) GDPR.
- Verifying companies, moderating content, protecting against abuse and automated attacks, and rate limiting — Article 6(1)(f) GDPR (our legitimate interest in the security of the platform and its users).
- Establishing, exercising or defending legal claims — Article 6(1)(f) GDPR.
4. Profile publication and disclosure to companies
This is the most important section of this document, because it concerns disclosure of your data to other parties.
The public directory of workers and brigades, visible without logging in, shows limited information only: first name with the initial of the surname, occupation, region, approximate experience, and whether a CV is attached. It does not show your phone number, email address, or the CV file itself.
Full contact details and the CV file are disclosed exclusively to logged-in companies that we have verified. Such a company is a separate controller in relation to you and is responsible for how it uses your data once it has obtained it.
The legal basis for both operations is your consent. You may withdraw it at any time, without giving a reason and without affecting the lawfulness of processing carried out before withdrawal. After withdrawal, your profile disappears from the public directory and is no longer available to companies; the account itself remains active until you delete it.
We do not sell personal data and do not share it with third parties for marketing purposes.
5. Recipients of the data
We use external providers who process data solely on our documented instructions, under data processing agreements.
- Supabase — database and storage of CV files and photos. Servers in the European Union.
- Render — application hosting.
- Cloudflare — network layer, bot protection, and the Turnstile mechanism at registration. Processes the IP address.
- Resend — email delivery.
- OpenAI — automatic translation between Polish and German. This covers the content of job offers, the content of applications, and messages sent through the messenger. Text you write in those places is therefore transmitted to OpenAI. Under the terms of the OpenAI application programming interface, that data is not used to train models.
- Google — address suggestions when adding accommodation (Places API).
- The contractor responsible for maintaining and developing the platform, to the extent necessary to resolve incidents.
6. Transfers outside the European Economic Area
The database and files are located on servers in the European Union.
The providers listed in section 5, in particular OpenAI, Resend, Render and Cloudflare, may process data on servers in the United States. Transfers take place on the basis of a European Commission adequacy decision (EU–US Data Privacy Framework) or on the basis of standard contractual clauses.
You may obtain a copy of the safeguards applied to these transfers by writing to our contact address.
7. How long we keep the data
- Account and profile data — until you delete your account or request its deletion.
- Data published in the directory and disclosed to companies — until you withdraw your consent.
- Messages, applications and offers — for as long as the account exists, and afterwards for the limitation period of any claims.
- Session token — for 30 days from login, or until you log out.
- IP address — held only in the server's memory for rate limiting. We do not store IP addresses in the database.
8. Your rights
You have the right to:
- access your data and obtain a copy of it,
- rectify inaccurate data and complete incomplete data,
- erasure of your data,
- restriction of processing,
- data portability to another controller,
- object to processing based on legitimate interest,
- withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal,
- lodge a complaint with a supervisory authority.
9. Complaint to a supervisory authority
If you believe we process your data unlawfully, you may lodge a complaint with the supervisory authority of your place of residence, place of work, or the place of the alleged infringement.
In Poland this is the President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw. In Germany, the competent authority is the data protection authority of the relevant federal state.
10. Cookies
We use only cookies strictly necessary for the platform to function. We do not use analytics, tracking or advertising cookies, and therefore we do not display a cookie banner.
- bauhub_session — maintains the session of a logged-in user. A technical cookie, inaccessible to scripts, valid for 30 days.
- Cloudflare Turnstile cookies — used to distinguish a human from a bot during registration.
11. Security and voluntariness
Passwords are stored solely as an irreversible hash. Session, invitation and password-reset tokens are stored in hashed form, and activation and reset links expire after a set period. The connection to the platform is encrypted.
We do not take decisions about you based solely on automated processing, including profiling that produces legal effects.
Providing your data is voluntary but necessary to create an account and use the platform. Providing a phone number and attaching a CV is voluntary and serves only to allow companies to contact you.
12. Changes to this policy
We will inform you by email, at the address associated with your account, of any material change to this policy before it takes effect. If a change concerns the scope of disclosure of your data, we will ask for your consent again.