Privacy Policy
This privacy policy describes how personal data is processed in connection with the website lazyhead.at, the LazyHead app (web, iOS, Android, desktop) and support. It deliberately distinguishes between the information website and the application.
1. Controller
The controller under the GDPR is [REGISTERED_NAME], sole proprietor Andrii Snikhovskyi, Morizgasse 2/2/14, 1060 Wien, Österreich.
Email for privacy matters: privacy@lazyhead.at.
2. Scope
This policy covers the website lazyhead.at, the web app, the mobile apps (iOS, Android), the desktop app and support requests.
3. Website data (server logs)
When you visit the website, technically necessary data is processed: IP address, timestamp, requested URL, HTTP status code, data volume, user agent and referrer. Security logs are also generated.
The legal basis is our legitimate interest in secure, stable operation (Art. 6(1)(f) GDPR). This data is not analysed for marketing.
4. Theme and language preference
Your theme (light/dark) and language choice may be stored locally in your browser (localStorage) so the site can reuse it on your next visit. This storage serves functionality only and is not used for advertising tracking.
5. Support and contact requests
When you use the contact form or one of our email addresses, we process your email address, optionally your name, subject, category, message text and anti-abuse metadata.
Legal bases: Art. 6(1)(b) (handling your request), (f) (secure operation) and (c) where legal retention applies.
Support requests are retained by default for 6 months after closure.
For an Enterprise request we additionally process the company details you provide: company name, contact person, optionally phone number and website, number of locations, expected number of users and preferred payment method. The purpose is to handle the request, prepare an offer and conduct pre-contractual communication. No bank or payment data (e.g. IBAN, SEPA mandate), invoices or payment history are processed at this stage.
When the contact form is active, we use Cloudflare Turnstile to prevent abuse and Resend (Resend, Inc.) to deliver the request by email. The website is served via Cloudflare Pages, which produces technical server logs. These providers act as processors.
6. Registration and sign-in
For an account we process your email address, the chosen role (candidate or employer), one-time-code (OTP) sign-in metadata, login timestamps and account status.
If sign-in via Apple or Google is enabled, we process the identifier and email address supplied by the provider. There is no phone-number/SMS sign-in.
7. Candidate profiles
As a candidate you may provide name, photo, experience, skills, languages, location, CV, preferences and your own files.
We distinguish between publicly visible fields, fields visible only to employers you engage with, and private fields. You decide what you share.
8. Employer profiles and vacancies
For employers we process company name, contact person, company details, role content, location, working hours, salary information, requirements and the status (active/archived) of a vacancy.
9. Chat and attachments
For direct communication we process message text, timestamps, sender and recipient, delivery and read metadata, shared files (e.g. CVs) and moderation/security metadata.
We do not claim end-to-end encryption while it is not implemented.
10. Message translation
Message translation is described only once a provider is connected. In that case the text to be translated is transmitted to the translation service; provider, processing region and safeguards will be added here.
Machine translation can be inaccurate and does not replace a verified translation.
11. Maps and location
Map and location features are described only when actually enabled. We distinguish between an approximate job/search location and a precise device location. A precise location is used only with your permission and only when necessary.
12. Interview planner
For scheduling we process date, time, participants, format, status and notification metadata. An external video provider is named only once connected.
13. Notifications
Push tokens and notification preferences are processed only if push notifications are enabled.
14. Account deletion
You can delete your account in the app or by request via the website. Your profile, vacancy and communication data is removed unless a legal retention obligation applies.
Data is removed from backups within the usual backup cycles. See the “Account deletion” page for details.
15. Your rights
You have the right to access, rectification, erasure, restriction, data portability and objection and — where applicable — to withdraw consent and to lodge a complaint with a supervisory authority.
You can make requests via the “Data request” page or at privacy@lazyhead.at.
16. Processors
We use service providers only on instruction under data-processing agreements. Only providers actually in use are published.
No external processors are currently published. The overview is maintained and shown here as soon as a provider is engaged.
17. International transfers
Any transfer outside the EEA happens only with providers actually in use and only with appropriate safeguards (e.g. an adequacy decision or Standard Contractual Clauses).
18. Retention
We store data only as long as necessary for the respective purpose or legal obligations. The overview below states the default periods.
| Data | Retention | Trigger |
|---|---|---|
| Security logs | 90 days | creation |
| Support requests | 6 months | closure |
| Account data | until deletion + legal exceptions | deletion |
| Messages | per configured policy | deletion |
| Vacancies | active + limited archive | removal |
| Interview data | 12 months | interview |
| Legal records | statutory period | transaction |
19. Security
We treat security as an ongoing task: considered access controls, transport encryption (HTTPS), data minimisation, backups, logging, patching and an incident-response process.
No one can guarantee absolute security. You can report possible vulnerabilities responsibly to developer@lazyhead.at. We never ask for your password by email.
20. Automated decisions
There is no solely automated decision-making producing legal effects concerning you.
21. Minors
Use requires the necessary legal capacity or the consent of a legal guardian. A fixed minimum age will be added here once defined.
23. Version
Last updated: 2026-07-03. Version 1.0.