
Privacy Policy

Last updated: 18 February 2026


Summary: Treegarden is an Applicant Tracking System (ATS) platform. We process personal data of recruiters, hiring managers, and job applicants in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and Romanian Law no. 190/2018. This policy explains what data we collect, why, how, and your rights over it.

1. Data Controller

The data controller responsible for your personal data is:

Treegarden SRL
Romania
Email: [email protected]
Website: https://treegarden.io
Application: https://app.treegarden.ro

For all privacy-related inquiries, data subject requests, or complaints, please contact us at [email protected].

2. Scope of This Policy

This Privacy Policy applies to all personal data processed through:

  • The Treegarden web application at app.treegarden.ro
  • The Treegarden website at treegarden.ro and treegarden.io
  • Any emails, notifications, or communications sent by Treegarden
  • Any integrations with third-party services (Google, etc.)

It applies to the following categories of data subjects:

  • Recruiters, HR Managers, Hiring Managers, Agency Users – employees or contractors of companies using Treegarden
  • Account Owners – users managing a company account on Treegarden
  • Job Seekers / Candidates – individuals whose CVs and applications are managed within Treegarden
  • Website Visitors – individuals visiting our public websites

3. Categories of Personal Data We Process

3.1 Platform Users (Recruiters, HR Managers, Admins)

  • Full name, email address, job title, phone number
  • Company name, business address
  • Account credentials (hashed passwords; plaintext never stored)
  • Profile photo (optional)
  • Login activity logs (IP address, timestamp, browser/device type)
  • Payment and billing information (card details never stored by Treegarden)
  • Communication preferences and notification settings
  • Usage data (features accessed, actions performed, session duration)

3.2 Job Seekers / Candidates

  • Full name, email address, phone number, address
  • Curriculum Vitae (CV) / résumé – including employment history, education, skills, certifications
  • Cover letters and application materials
  • Interview notes and assessment scores added by recruiters
  • Application status and pipeline stage
  • Communication history between candidate and recruiter
  • References (if provided)
  • Date of birth (if voluntarily provided on CV)
  • Nationality or work permit status (if relevant to the role and provided by candidate)
  • Salary expectations (if provided)

Special categories of data: Treegarden does not intentionally collect special categories of personal data (e.g., health data, racial or ethnic origin, political opinions, religious beliefs) as defined in GDPR Article 9. If such data is included in a CV submitted to the platform, it is stored solely for the purpose of managing the job application and is not processed for any other purpose.

3.3 Website Visitors

  • IP address (anonymised where possible)
  • Browser type and version, operating system
  • Pages visited and time spent
  • Referral source
  • Cookie data (see Section 11)

4. Purposes and Legal Basis for Processing

We process personal data only where we have a valid legal basis under GDPR Article 6 (and Article 9 for special categories).

| Purpose | Data Categories | Legal Basis (GDPR Art. 6) |
| --- | --- | --- |
| Account registration and user authentication | Name, email, password hash, login logs | Art. 6(1)(b) – Performance of a contract |
| Providing the Treegarden ATS platform and its features | All user and candidate data | Art. 6(1)(b) – Performance of a contract |
| Processing subscription payments | Billing info, email, company details | Art. 6(1)(b) – Performance of a contract |
| Sending transactional emails (e.g., password reset, notifications) | Email address, name | Art. 6(1)(b) – Performance of a contract |
| Sending marketing communications (product updates, newsletters) | Email address, name | Art. 6(1)(a) – Consent (withdrawable at any time) |
| Managing job applications and candidate pipelines | Candidate CV data, application status, interview notes | Art. 6(1)(b) – Performance of a contract (between Treegarden and the employer/recruiter); Art. 6(1)(f) – Legitimate interests of the employer to evaluate candidates |
| Security, fraud prevention, and abuse detection | Login logs, IP addresses, usage data | Art. 6(1)(f) – Legitimate interests |
| Platform analytics and performance improvement | Aggregated usage data, anonymised analytics | Art. 6(1)(f) – Legitimate interests |
| Compliance with legal obligations | Billing records, contract records | Art. 6(1)(c) – Legal obligation |
| Customer support and dispute resolution | Communications, account data | Art. 6(1)(b) – Performance of a contract; Art. 6(1)(f) – Legitimate interests |

5. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected or as required by law.

| Data Category | Retention Period |
| --- | --- |
| Active user account data | Duration of the active subscription + 90 days after termination (to allow account recovery) |
| Candidate CV and application data | As long as the employer's account is active; max 3 years from last activity unless employer requests earlier deletion |
| Payment and billing records | 10 years (Romanian Accounting Law no. 82/1991 and Fiscal Code) |
| Security and access logs | 12 months |
| Email communication records | 3 years |
| Marketing consent records | Until consent is withdrawn + 1 year (proof of consent) |
| Deleted account data | Securely deleted within 30 days of account deletion request, except where legal retention applies |

After the applicable retention period, data is securely deleted or anonymised so it can no longer be attributed to an individual.

6. Third-Party Data Processors

We share personal data with trusted third-party service providers (data processors) who act on our instructions and are bound by data processing agreements (DPAs) compliant with GDPR Article 28.

| Processor | Purpose | Data Transferred | Location |
| --- | --- | --- | --- |
| Google LLC (Google OAuth, Google Workspace) | Single Sign-On (SSO) authentication via Google OAuth 2.0 | Name, email address, Google account ID | USA (Standard Contractual Clauses apply) |
| Payment Processor | Payment processing, subscription management, invoicing | Name, email, billing address, payment tokens | EU / UK (GDPR-compliant) |
| Email Service Provider (transactional email) | Sending platform notifications, password resets, and system emails | Email address, name, email content | EU/EEA or SCC-protected |
| Cloud Hosting Provider | Server infrastructure, database hosting, file storage | All platform data | EU (Romania/Germany) |

We do not sell, rent, or trade personal data to any third parties for their own marketing purposes.

We may also disclose personal data where required to do so by law or in response to a valid legal request from a competent authority.

7. International Data Transfers

Some of our third-party processors (including Google) are located outside the European Economic Area (EEA). When we transfer personal data to countries that do not have an adequacy decision from the European Commission, we rely on appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Decision 2021/914/EU)
  • Where applicable, the EU-U.S. Data Privacy Framework

You may request a copy of the relevant transfer safeguards by contacting us at [email protected].

8. Your Rights as a Data Subject

Under the GDPR and Romanian Law no. 190/2018, you have the following rights regarding your personal data:

Right of Access (Art. 15)

You have the right to obtain a copy of the personal data we hold about you and information about how we process it.

Right to Rectification (Art. 16)

You have the right to correct inaccurate or incomplete personal data we hold about you.

Right to Erasure (Art. 17)

You may request deletion of your personal data where it is no longer necessary for the purposes it was collected, or where you withdraw consent. This right is subject to legal retention obligations.

Right to Restriction of Processing (Art. 18)

You may request that we restrict processing of your data in certain circumstances, such as while you contest the accuracy of the data.

Right to Data Portability (Art. 20)

Where processing is based on your consent or a contract, you have the right to receive your personal data in a structured, commonly used, machine-readable format.

Right to Object (Art. 21)

You have the right to object to processing based on legitimate interests, including profiling. You also have an absolute right to object to processing for direct marketing purposes.

Right to Withdraw Consent (Art. 7(3))

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal.

Rights re: Automated Decision-Making (Art. 22)

Treegarden does not make solely automated decisions that produce significant legal effects. All candidate evaluations involve human review by recruiters.

How to exercise your rights: Submit your request to [email protected] with sufficient information to verify your identity. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice). There is no charge for exercising your rights, except where requests are manifestly unfounded or excessive.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or disclosure, in accordance with GDPR Article 32. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher (HTTPS)
  • Encryption of sensitive data at rest
  • Bcrypt hashing of all user passwords (never stored in plaintext)
  • Role-based access controls (RBAC) ensuring users access only data relevant to their role
  • Multi-tenant data isolation – each company's data is logically separated
  • Regular security assessments and vulnerability scanning
  • Access logging and monitoring for suspicious activity
  • Strict vendor due diligence for all third-party processors
  • Employee training on data protection and security procedures

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, notify affected individuals without undue delay, in accordance with GDPR Articles 33 and 34.

10. Candidate Data and Employer Responsibility

Treegarden provides the technical platform. Companies and recruiters using Treegarden are independent data controllers for the candidate data they upload, import, or collect through the platform. Treegarden acts as a data processor on their behalf for such data.

Employers are responsible for:

  • Having a valid legal basis to collect and process candidate personal data
  • Informing candidates that their data is being managed via Treegarden
  • Responding to candidate data subject rights requests in a timely manner
  • Ensuring candidate data is not retained longer than necessary

Treegarden provides data export and deletion tools to help employers fulfil their obligations. Treegarden's Data Processing Agreement (DPA) is available upon request at [email protected].

11. Cookies and Tracking Technologies

Treegarden uses cookies and similar technologies to operate the platform and improve user experience.

| Cookie Type | Purpose | Legal Basis |
| --- | --- | --- |
| Strictly Necessary | Session management, CSRF protection, authentication tokens | Art. 6(1)(b) – Necessary for platform operation (no consent required) |
| Preference | Dark mode preference, language settings, UI preferences stored in localStorage | Art. 6(1)(f) – Legitimate interests (user experience) |
| Analytics | Platform usage analysis (aggregated, anonymised) | Art. 6(1)(a) – Consent |

You can manage or disable non-essential cookies through your browser settings. Disabling strictly necessary cookies may prevent the platform from functioning correctly.

12. Children's Privacy

Treegarden is a professional recruitment platform intended for use by adults. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has provided us with personal data, please contact us immediately at [email protected] and we will delete such data promptly.

13. Right to Lodge a Complaint

If you believe that the processing of your personal data violates the GDPR or applicable Romanian data protection law, you have the right to lodge a complaint with the competent supervisory authority:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania
Phone: +40.318.059.211
Email: [email protected]
Website: www.dataprotection.ro

We encourage you to contact us first at [email protected] so that we can resolve your concern directly.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify registered users via email or an in-app notification

We encourage you to review this policy periodically. Your continued use of the platform after changes become effective constitutes your acknowledgement of the revised policy.

15. Contact Us

For any questions, requests, or concerns about this Privacy Policy or our data processing practices, please contact:

Treegarden Privacy Team
Email: [email protected]
Website: https://treegarden.io

We are committed to resolving privacy concerns promptly and in accordance with applicable law.

Copyright © 2026 Treegarden ATS + HR All rights reserved.