Qualefy

This Privacy Policy describes how Qualefy, Inc. (“we”, “us”, “our”) operates the Qualefy platform (the “Platform”) and processes personal data in accordance with Regulation (EU) 2016/679 (“GDPR”), Italian Legislative Decree 196/2003 as amended (“Italian Privacy Code”), and applicable ePrivacy legislation.

1. Data Controller and Contact Information

2. Scope of This Policy

This Policy applies to all users of the Platform, including:

• Candidates: individuals seeking employment opportunities
• Gig Workers / Professionals: individuals offering occasional or freelance services
• Service Seekers: individuals posting tasks or requesting services
• Employers: registered businesses posting job listings
• Visitors: users browsing the website without registration

The Platform operates as a digital marketplace facilitating connections between users. We do not act as employer, recruitment agency, or agent in relation to user-to-user interactions.

3. Categories of Personal Data Processed

We process the following categories of personal data depending on user type:

We do not intentionally collect or process special categories of personal data under Article 9 GDPR. Users are requested not to include such data in profiles, listings, or communications.

4. Purposes of Processing

Personal data is processed for the following purposes:

• Provision and operation of the Platform
• Account creation and authentication
• Enabling communication between users
• Matching of job listings, services, and requests
• Verification of Employer VAT/IVA information, company existence, and active business status
• Security, fraud prevention, and abuse detection
• Customer support and technical assistance
• Compliance with legal obligations
• Subscription and billing management (business users)

We do not use automated decision-making producing legal or similarly significant effects under Article 22 GDPR.

5. Legal Basis for Processing

We process personal data under the following legal bases:

• Article 6(1)(b) GDPR (Contract): platform provision and user services
• Article 6(1)(c) GDPR (Legal obligation): tax, accounting, and regulatory compliance
• Article 6(1)(f) GDPR (Legitimate interests): security, fraud prevention, service improvement
• Article 6(1)(a) GDPR (Consent): optional cookies and marketing communications (where applicable)

Where processing is based on legitimate interests (Article 6(1)(f) GDPR), such interests include ensuring platform security, preventing fraud and abuse, maintaining service integrity, and improving the Platform. We conduct a balancing test to ensure that such interests do not override the fundamental rights and freedoms of data subjects.

6. DATA RECIPIENTS AND SHARING

We do not sell personal data.

We may share personal data with the following categories of recipients:

• Stripe, Inc. (payment processing for Employers; Stripe acts as independent controller)
• Italian Revenue Agency / VIES systems and business verification providers, including API providers used to verify VAT/IVA numbers, company existence, and active business status for Employers
• Infrastructure, hosting, deployment, and analytics providers acting as data processors, including cloud hosting, database, performance monitoring, and website analytics services used to operate, maintain, monitor, and improve the platform.
• Tax and regulatory authorities, where required by law
• Professional advisors (legal, accounting), where necessary

All processors are bound by Data Processing Agreements (DPAs) pursuant to Article 28 GDPR.

7. Payments

Payments are processed exclusively by Stripe, Inc.

We do not store or access full payment card data, including:

• Card numbers
• CVV codes
• Bank account details

We receive only transactional metadata such as payment status and subscription information.

Stripe acts as an independent data controller for payment processing activities.

8. Messaging and Communications

The Platform enables direct communication between users. Messages are stored securely and transmitted via encrypted channels. Messages are accessible only to sender and recipient, subject to Platform functionality. We do not use message content for advertising or profiling purposes.

We may access or review message content strictly where necessary for:

• Technical support
• Investigation of suspected abuse or unlawful activity
• Ensuring compliance with applicable laws or Platform rules

Such access is based on our legitimate interest in maintaining the safety and integrity of the Platform. We do not carry out systematic or automated monitoring of message content. Users are advised not to share sensitive personal data via messaging features.

9. Cookies and Tracking Technologies

We use cookies in compliance with EU ePrivacy rules and GDPR

Users may withdraw consent or modify preferences at any time via browser settings or Platform controls. Disabling essential cookies may impair Platform functionality.

10. International Data Transfers

As a US-based company, personal data may be transferred outside the European Economic Area.

Where such transfers occur, we implement appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Supplementary technical and organizational measures (encryption, access restrictions, minimization)
• Data Processing Agreements with all relevant providers
• Access limitation and role-based controls

Where applicable, we also consider transfer impact assessments (TIA) to ensure adequate protection of data subjects’ rights. Copies of relevant safeguards may be requested at privacy@qualefy.com. Where applicable, certain providers may be certified under the EU-U.S. Data Privacy Framework.

11. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy:

• Active accounts: duration of account existence
• Closed accounts: deletion or anonymization without undue delay following account closure
• Employer business profile data: immediate deletion upon account closure. Employer fiscal and accounting records are retained for 10 years as required by applicable law, strictly limited to legally mandated information and isolated from active platform data
• Security logs: up to 12 months
• Messaging data: immediate anonymization upon account deletion
• VAT verification data: duration of the active business relationship, deleted upon account closure
• Inactive accounts: deletion after 24 months of inactivity (defined as no login or activity during such period), subject to prior notice

Backups may persist for a limited period for disaster recovery purposes and are overwritten on a rolling basis.

12. Data Security

We implement appropriate technical and organizational measures including:

• Encryption of data in transit (TLS 1.2+)
• Encryption at rest for stored data
• Access control mechanisms based on role and necessity
• Authentication and session security controls
• Monitoring for fraud, abuse, and unauthorized access
• Regular security reviews and system updates

In the event of a personal data breach likely to result in a risk to individuals, we will notify the competent supervisory authority within 72 hours, in accordance with GDPR requirements.

13. Data Subject Rights

Under GDPR, you have the right to:

• Access your personal data
• Rectify inaccurate data
• Request deletion ("right to be forgotten")
• Restrict processing
• Data portability
• Object to processing based on legitimate interests
• Withdraw consent at any time (where applicable)
• Lodge a complaint with a supervisory authority (e.g., Garante per la Protezione dei Dati Personali)

Requests can be submitted to: privacy@qualefy.com

We respond without undue delay and in any case within 30 days.

14. Children’s Privacy

The Platform is not intended for individuals under 16 years of age, or a lower age where permitted by applicable national law. We do not knowingly collect personal data from minors. If such data is identified, it will be deleted without undue delay.

15. USERS AS INDEPENDENT DATA CONTROLLERS

In certain contexts, users act as independent data controllers, including:

• Employers processing candidate data for recruitment purposes
• Service Seekers and Gig Workers exchanging personal data to complete services

In such cases:

• Users determine their own purposes and means of processing
• Users are responsible for ensuring compliance with applicable data protection laws
• We act solely as a technical intermediary providing the Platform infrastructure

We do not determine the purposes or means of such processing and therefore do not act as joint controllers with users.

16. AUTOMATED DECISION-MAKING

We do not carry out automated decision-making producing legal effects or similarly significant impacts under Article 22 GDPR.

We may apply limited rule-based logic (e.g., filtering by location, category, availability) to improve search and matching functionality. Such processing does not produce legal effects or significantly affect users.

17. Changes to This Policy

We may update this Privacy Policy from time to time.

In the event of material changes:

• Users will be notified via the Platform or email
• The updated version will include a revised effective date
• Where required, renewed consent will be obtained

18. Supervisory Authority

Users have the right to lodge a complaint with the Italian supervisory authority or with the supervisory authority in their country of residence within the European Union.

Italian Supervisory Authority: