1. About this policy
This Privacy Policy explains how 3C Consulting d.o.o. ("Backrow", "we", "us") collects and processes personal data when you visit our website, use our applicant tracking platform (the "Service"), or otherwise interact with us. It is written to comply with the EU General Data Protection Regulation (GDPR) and the Croatian Act on the Implementation of the GDPR.
Who we are and how to reach us
3C Consulting d.o.o. is a company registered in Croatia. Full legal details are set out in the Imprint section of our Terms of Service.
For privacy questions or to exercise your rights, contact: support@backrow.app.
2. Our role and who this policy applies to
How we process your personal data depends on who you are:
- Website visitors and prospects: we are the controller of your personal data and this policy applies directly.
- Authorized Users (our customers' recruiters): for account and service-provision data we are the controller and this policy applies. For data you process about candidates inside the Service, our customer is the controller and we are the processor — this policy does not govern that processing.
- Candidates: if you applied for a role through a company that uses Backrow, that company is the controller of your data. Please contact them for privacy questions about your application. We process that data only on their instructions, as their processor. See Section 11 for how we help candidates reach the right controller.
- Job applicants to Backrow itself: we are the controller. A separate Candidate Privacy Notice is provided at the point of application.
3. What personal data we collect and why
The categories of personal data we process, the purposes, and the legal bases are summarized below.
| Category of data | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Account data (name, work email, role, password hash, workspace) | Create and manage user accounts; authenticate users; provide support | Performance of a contract (Art. 6(1)(b)); legitimate interests |
| Usage and device data (IP address, browser, pages viewed, actions, session IDs, error logs) | Operate, secure, and improve the Service; detect abuse; diagnose errors | Legitimate interests (Art. 6(1)(f)) in running a secure, reliable service |
| Billing data (company name, billing address, VAT ID, invoice history — card data is handled directly by Stripe, our payment processor, and is not stored by Backrow) | Invoicing, tax compliance, fraud prevention | Performance of a contract; legal obligation (Art. 6(1)(c)) |
| Communications (emails and support tickets, contact-form submissions) | Respond to enquiries; provide support; keep records | Legitimate interests; performance of a contract |
| Marketing contact data (business email, company, role) | Send product updates and marketing emails (business contacts only); measure engagement | Legitimate interests (Art. 6(1)(f)) or consent (Art. 6(1)(a)) where required; every email has an unsubscribe link |
| Website analytics (aggregated, cookieless via Fathom; see Section 8) | Understand aggregate website traffic | Legitimate interests |
| Cookies (essential only; see Cookie section) | Keep you signed in and secure the Service | Strictly necessary (ePrivacy); no consent required for essential cookies |
Candidate data inside the Service: when our customers upload CVs, notes, assessments, and related information about candidates, we process it on their behalf. Our customers decide what to collect, how long to keep it, and how to respond to candidate requests. See Section 11.
4. AI-assisted features
Our customers can enable optional AI features inside the Service — including resume parsing, candidate-job matching, and scoring. These features are disabled by default and only run when a customer turns them on.
When enabled, relevant content is sent to AI model providers listed in our Sub-processor list (for example, OpenAI and Anthropic) for inference. Those providers process the content under API terms that prohibit use of customer data for training their models, with short or zero retention. AI outputs are probabilistic and intended to assist human decisions, never to replace them — our customers are contractually required to maintain meaningful human review of hiring decisions.
5. How we use personal data
- Provide, operate, and support the Service;
- Authenticate users and protect the security and integrity of accounts and systems;
- Process payments and meet tax and accounting obligations;
- Communicate with you about your account, changes to the Service, and legal notices;
- Send marketing communications to business contacts, where permitted by law — you can unsubscribe at any time;
- Monitor, analyze, and improve the Service and our website;
- Comply with legal obligations and defend legal claims.
We do not sell personal data. We do not use personal data for automated decision-making with legal or similarly significant effects under Article 22 GDPR. We do not use customer data to train general-purpose AI models.
6. Who we share personal data with
We share personal data only where necessary and with appropriate safeguards:
- Sub-processors and service providers that help us operate the Service (hosting on AWS, payments via Stripe, email delivery, analytics, error monitoring, AI inference, customer support). Our current sub-processor list is available in our DPA.
- Our customers, where you are an Authorized User acting on their behalf.
- Professional advisors (lawyers, accountants, auditors) under confidentiality.
- Authorities, courts, or regulators where required by law, or to establish, exercise, or defend legal claims.
- Acquirers or successors, in connection with a merger, acquisition, or sale of assets — with continued protection of personal data.
7. International data transfers
The Service is hosted on Amazon Web Services in the United States, and several of our sub-processors are based outside the European Economic Area. When we transfer personal data outside the EEA, we rely on one or more of the following:
- An adequacy decision by the European Commission for the recipient country;
- The EU-U.S. Data Privacy Framework (and UK/Swiss extensions where applicable), where the recipient is certified;
- Standard Contractual Clauses approved by the European Commission, together with supplementary technical and contractual safeguards such as encryption in transit and at rest and procedures to challenge overbroad government requests.
You can obtain a copy of the relevant transfer mechanism by contacting support@backrow.app.
8. Cookies and similar technologies
We use only strictly necessary cookies. These are required to keep you signed in, protect your session, and support basic features of the Service. Because they are essential, they do not require consent under the ePrivacy Directive.
We do not use advertising, tracking, or profiling cookies. Website analytics are provided by Fathom Analytics, which is designed to be privacy-friendly and does not set cookies or collect personal data — it produces aggregated, anonymous traffic statistics.
Inside the Service, we use PostHog for product analytics (to understand how features are used) and Sentry for error monitoring (to diagnose and fix bugs). These run on authenticated sessions and do not rely on cross-site tracking.
You can block or delete cookies in your browser settings, but the Service may not work correctly if you block essential cookies.
9. How long we keep personal data
We keep personal data only as long as necessary for the purposes described in this policy or as required by law. Specific retention periods are set out in our Data Retention Policy. In summary:
- Account data: for the duration of the customer's subscription, then typically 30 days after termination (configurable by the customer), plus short backup-cycle retention.
- Billing and tax records: for the period required by Croatian tax and accounting law (generally up to 11 years).
- Support and communications: typically up to 3 years, unless a longer period is needed for legal claims.
- Marketing contact data: until you unsubscribe or object, and for a short period thereafter to honor your opt-out.
- Website logs and security logs: typically up to 12 months.
- Candidate data inside the Service: governed by the hiring company's retention settings. Each hiring company selects a retention period (for example, 6 months, 12 months, 24 months) and chooses whether records are permanently deleted or anonymized at the end of that period. Anonymized records no longer identify the candidate. We notify hiring companies 14 days before scheduled deletions or anonymizations; candidates are not automatically notified and should contact the hiring company directly to ask about timing.
10. Your rights
Under the GDPR, you have the following rights in relation to personal data we hold about you as a controller:
- Access — obtain a copy of your personal data.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion, subject to legal retention obligations.
- Restriction — limit our processing in certain circumstances.
- Objection — object to processing based on legitimate interests or to direct marketing.
- Data portability — receive your data in a structured, machine-readable format.
- Withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
- Complain to a supervisory authority — in Croatia, the Personal Data Protection Agency (Agencija za zaštitu osobnih podataka — AZOP), https://azop.hr. You may also lodge a complaint with the authority in your EU country of residence.
To exercise any of these rights, contact support@backrow.app. We will respond within one month, with a possible two-month extension for complex requests. We may need to verify your identity before acting on a request.
11. If you are a candidate
If you applied for a role through a company that uses Backrow, that company is the controller of your application data. Please direct your privacy requests — including requests to access, correct, delete, or restrict your data — to them. They are best placed to respond, and they control the retention period and whether records are permanently deleted or anonymized.
Each hiring company configures a data-deletion email address in Backrow. That address should appear in the privacy notice shown to you at the point of application or on the hiring company's careers page. If you cannot find it, you can email us at support@backrow.app and we will help you reach the right controller. We will not respond to the substance of a request about application data that is controlled by one of our customers.
12. Security
We take security seriously. Personal data is encrypted in transit and at rest, access to production systems is restricted and logged, and we maintain an incident response process. You can find a summary of our technical and organizational measures in our DPA. No system is perfectly secure, so if you believe your account has been compromised, please contact us immediately.
13. Children
The Service is intended for business use by adults. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us and we will take steps to delete it.
14. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top shows when it was last changed. For material changes, we will give advance notice by email or in-product notification before they take effect.
15. Contact
For any questions about this policy or how we handle personal data:
- Email: support@backrow.app
- Post: 3C Consulting d.o.o., Sunčana 1, 31500 Našice, Croatia
Full legal and contact details are in the Imprint section of our Terms of Service.