Legal

GDPR & Data Protection

Last updated: March 2026 · How Rekko approaches data protection

The short version: Rekko is built for European data law from day one — not retrofitted. All data lives in the EU, every candidate submission carries a consent record, and anyone can request deletion of their data at any time. We take data protection seriously because our users — Nordic tech companies and their candidates — expect us to.

Our approach to data protection

The General Data Protection Regulation (GDPR) applies across the EU and, via the UK GDPR, in the United Kingdom. Because Rekko operates across Finland, Denmark, Sweden, Norway, and the UK, GDPR is not a compliance checkbox for us — it is a foundational design principle.

Every product decision we make considers the data rights of the people involved: companies, recruiters, and — critically — candidates whose data will flow through the platform.

🇪🇺

EU data residency

All personal data processed by Rekko is stored within the European Union. We do not transfer data outside the EEA without appropriate safeguards.

✅

Consent on every submission

Every candidate submitted via the Rekko platform must confirm their interest before their details are shared with a company. Consent is recorded with a timestamp.

🗑️

Right to erasure

Any individual — company contact, recruiter, or candidate — can request full deletion of their data at any time. We process erasure requests within 30 days.

🔒

Minimal data collection

We collect only the data necessary to operate the service. We do not sell data, use it for advertising, or share it with third parties beyond what is needed to provide Rekko.

Candidate data on the Rekko platform

When Rekko is fully launched, candidate data will be handled as follows:

Candidates must explicitly opt in to being represented for a specific role before their information is submitted to a company
Candidate profiles include only information the candidate has consented to share
Companies may view candidate information only for the purpose of evaluating them for the posted role
Candidate data is deleted from the platform if a hire is not made within 12 months of submission
Candidates can request deletion of all their data at any time via [email protected]

Your rights under GDPR

Whether you are a company contact, recruiter, or candidate, you have the following rights under GDPR:

Right of access

Request a copy of all personal data we hold about you.

Right to rectification

Ask us to correct any inaccurate or incomplete data.

Right to erasure

Ask us to delete all your personal data from our systems.

Right to restrict processing

Ask us to stop using your data while we address a concern.

Right to portability

Request your data in a machine-readable format.

Right to object

Object to processing based on legitimate interest.

To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to complain to your national supervisory authority — in the UK this is the Information Commissioner's Office (ICO).

Data processing agreements

When Rekko processes personal data on behalf of companies (for example, candidate data submitted by recruiters), Rekko acts as a data processor and the company acts as the data controller. A Data Processing Agreement (DPA) will be available to all companies using the Rekko platform at launch.

Our third-party providers — including Tally.so and Netlify — have their own GDPR-compliant data processing agreements in place.

Contact our data protection contact

For any GDPR or data protection enquiry:

Email: [email protected]

We aim to respond within 48 hours. For formal data subject requests, we will respond within 30 days as requi