This notice explains what personal data Hirefel SL handles, why, and how you can exercise your rights over it. We keep this short, plainly written, and up to date. If something is unclear, email [email protected] — a human replies.
01Who we are
The data controller is Hirefel SL, a company registered in Spain, operating from Barcelona. When you engage us on a project, a contract-specific Data Processing Agreement takes precedence over this notice for data you entrust to us.
02What we collect
- Contact intake. Name, company, email, and whatever you write in a scope message. Nothing more, unless you send it.
- Applications. CV, links (GitHub/LinkedIn), your answers to role-specific questions, and any attachments you upload.
- Site analytics. Page, referrer, country, coarse device type — aggregated and stripped of IPs.
- Service delivery. During an engagement, whatever is contractually in scope — typically production logs, eval datasets, and workflow artifacts. Always governed by the engagement DPA.
- LinkedIn engagement on our own posts. When we publish content on the Hirefel SL LinkedIn company page via the LinkedIn Marketing API, the platform returns aggregate metrics (impressions, reactions, comments, shares) and the public identities of members who comment on our posts. See section 07 for the full disclosure.
03Why we process it
Only for the thing you came here for: answering a scope enquiry, reviewing an application, or delivering the work you hired us to do. We do not sell or trade personal data, ever.
04Lawful basis (GDPR Art. 6)
- Contact & applications
- Your consent (Art. 6(1)(a)) and, once a contract begins, contract necessity (Art. 6(1)(b)).
- Service delivery
- Contract necessity (Art. 6(1)(b)), plus legitimate interest (Art. 6(1)(f)) for internal operational logging.
- Tax & compliance records
- Legal obligation (Art. 6(1)(c)) — Spanish tax law requires we retain invoices for six years.
05Retention
| Data class | Retention | Basis |
|---|---|---|
| Scope enquiries | 90 days after last contact | Consent |
| Applications | 12 months, or until you withdraw | Consent |
| Engagement artifacts | As specified in the DPA | Contract |
| Invoices & tax records | 6 years | Legal obligation |
| Site analytics | Aggregated indefinitely; raw events 30 days | Legitimate interest |
| LinkedIn member data (commenters) | 30 days raw; aggregated indefinitely | Legitimate interest |
| LinkedIn post-level metrics | Indefinite (aggregate only, no per-member breakdown) | Legitimate interest |
07LinkedIn Marketing API
Hirefel SL uses LinkedIn’s Community Management API to publish posts to its own organisation page (linkedin.com/company/hirefel) and to read post-level engagement metrics. This section describes the LinkedIn-specific processing in detail, as required by the LinkedIn API Terms of Use and the Additional Terms for the LinkedIn Marketing API Program.
What LinkedIn data we receive
- Aggregate post metrics. Impressions, reactions, comments count, share count, click count — at the post level, no per-member breakdown.
- Comment content + commenter identity on posts published from our company page. This is data the commenter voluntarily made public on LinkedIn by replying to our content.
- Organisation-page metadata. Page name, follower count, page admins (Hirefel team members only).
- Authentication tokens issued by LinkedIn to identify Hirefel SL as the API caller.
What we do not do
- We do not scrape, crawl, or otherwise collect LinkedIn member profiles outside of comments on our own posts.
- We do not send unsolicited messages (InMail or otherwise) to LinkedIn members via the API.
- We do not sell, rent, lease, or transfer LinkedIn-sourced data to any third party.
- We do not merge LinkedIn-sourced data with non-LinkedIn data sources to enrich personal profiles without explicit member consent.
- We do not use LinkedIn data to build a competitor to LinkedIn or any of its products.
Retention
Raw LinkedIn member data (commenter identities, comment text) is retained for at most 30 days in our systems, after which it is deleted or aggregated beyond identification. Post-level metrics (no personal identifiers) are retained indefinitely for editorial analytics. Authentication tokens are rotated per LinkedIn’s recommended cadence and revoked on disconnection.
Lawful basis
Our legitimate interest (GDPR Art. 6(1)(f)) in operating our own LinkedIn presence and understanding the public reach of our published content. Where applicable, also the member’s consent (Art. 6(1)(a)) given via LinkedIn’s platform when they comment on or follow public Hirefel content.
Your rights regarding LinkedIn-sourced data
If you have commented on a Hirefel SL post and want your comment-derived data removed from our analytics systems (independent of LinkedIn’s own retention), email [email protected] and we will erase it within 30 days. To delete the comment itself from LinkedIn, you can do so directly from your LinkedIn account at any time.
Compliance
Hirefel SL operates under the LinkedIn API Terms of Use, the Additional Terms for the LinkedIn Marketing API Program, and LinkedIn’s Community Management API guidelines. Reach out to us at [email protected] with any LinkedIn-data-specific questions.
08Your rights
Under GDPR you have the right to access, rectify, erase, restrict, or port your data, and to object to processing. Write to [email protected] — we respond within 30 days. If we ever fall short, you can complain to the Spanish DPA (AEPD) at aepd.es.
10Contact
Questions, requests, corrections:
Hirefel SLBarcelona, Spain
[email protected]