Privacy

Your data is yours.
Here's exactly what we do with it.

Plain language, no legalese. Justneed.ai is built GDPR-native and hosted in the EU (Stockholm). This page explains what we collect, why, how long we keep it, and how to take it back.

Last updated: 23 May 2026
Effective: 23 May 2026
Data controller: Justneed AB (Sweden)

1. Who we are

Justneed AB (the "Company", "we", "us") is a Swedish-registered company that operates the website justneed.ai and the Justneed mobile application (collectively, the "Service"). We are the data controller for the personal data described in this policy under the EU General Data Protection Regulation (GDPR) and the Swedish Data Protection Act (Dataskyddslagen).

If you have any questions about this policy or about how we handle your data, contact us at privacy@justneed.ai.

2. What we collect

We collect only what we need to make the Service work for you. Here's the full list:

Account information

  • Your name and email address (always)
  • A password (only if you sign up with email; we never store the plain-text password — only a one-way hash)
  • Your Digital Skill ID code (auto-generated, e.g. JN-2026-XXXXX)
  • Profile photo (optional, if you upload one)

Career data

  • Skills, work experience, education, certifications you add to your profile
  • Resume / CV file (if you upload one — PDF or Word)
  • Cover letter (if you upload one or generate one with our AI)
  • Preferred locations, job types, salary expectations

Activity data

  • Jobs you swipe on (like / skip / superlike) and jobs you save
  • Applications you submit through the Service and their status
  • Searches you run and filters you apply
  • Messages you exchange with recruiters through the Service (when that feature is live)

Technical data (automatic)

  • IP address (used for security and to detect abuse)
  • Device type, operating system, browser type
  • App version, crash reports (anonymous unless you opt in to detailed reports)
  • Approximate location based on IP (city/country level only — we do not access GPS unless you grant permission for a specific feature)

What we do not collect

We do not collect your personnummer, your banking details, your messages on other platforms, your contacts list, your browsing history outside the Service, or any biometric data. If you choose to verify with BankID (future feature), we store only a one-way hash of the result — never the personnummer itself.

3. Why we collect it (legal basis)

Under GDPR, every piece of personal data we process must have a lawful basis. Ours are:

  • To perform the contract with you (Art. 6(1)(b)) — your name, email, password, Skill ID, profile content, swipes, and applications are all needed to deliver the Service you signed up for.
  • Your consent (Art. 6(1)(a)) — for things like profile photo, optional features such as AI cover letter generation, and any marketing emails. You can withdraw this consent at any time without affecting your account.
  • Our legitimate interest (Art. 6(1)(f)) — for technical/security data like IP and device info, used to detect abuse and keep the Service safe. We have weighed this against your rights and believe the impact on your privacy is minimal.
  • Legal obligation (Art. 6(1)(c)) — to comply with Swedish accounting law, tax law, and lawful requests from authorities.

4. Who we share it with

Short answer: as few parties as possible. Here is the complete list of data processors and sub-processors:

Infrastructure providers

  • Render (or equivalent hosting provider) — application hosting. EU region (Frankfurt).
  • PostgreSQL database — managed by our hosting provider. EU region.
  • Cloudflare — content delivery and DDoS protection. We use Cloudflare for caching and routing; they do not see your personal data, only IP-level traffic.
  • Firebase (Google) — authentication when you sign in with Google, and push notification delivery when you opt in.

Service-specific processors

  • Google Gemini API — when you ask the Service to generate a cover letter, the job description and your profile summary are sent to Google's Gemini AI for processing. Google does not store this data per their API terms. We never send your full resume or contact details.
  • Arbetsförmedlingen (Swedish Public Employment Service) public API — we fetch publicly listed jobs from their open API. Your personal data is never sent to them.
  • Email provider (SendGrid / Postmark) — for transactional emails like OTP codes and application updates.

When you choose to share

If you apply to a job through the Service, your selected profile information is shared with the recruiter or company you applied to. Once shared, that recruiter becomes a separate data controller for the data they receive. If you make your Digital Skill ID profile public, anyone with the link or QR code can view the public-safe fields (name, skills, verification level) — but not your email, phone, or personal contact info.

We never sell your data. Not to advertisers, not to data brokers, not to recruitment agencies you didn't choose to share with. Not now, not later.

5. How long we keep it

We keep your data only as long as we need it. Here's the breakdown:

  • Active account data — kept as long as your account is open.
  • If you delete your account — we remove your profile, swipes, saved jobs, and resume within 30 days. Some anonymised activity data may be retained longer for product analytics, but it cannot be linked back to you.
  • Inactive accounts — if you haven't signed in for 24 months, we email you a warning and delete the account 60 days later unless you sign in.
  • Backups — encrypted backups are retained for up to 35 days, then permanently destroyed.
  • Financial records (invoices, payments) — kept for 7 years as required by Swedish accounting law.

6. Your rights

Under GDPR, you have the following rights regarding your personal data. To exercise any of them, email privacy@justneed.ai — we respond within 30 days.

  • Right of access — get a copy of all the personal data we hold about you.
  • Right to rectification — correct anything that's wrong. (For most fields, you can do this yourself in the Profile screen.)
  • Right to erasure ("right to be forgotten") — delete your account and all associated personal data. You can also do this directly from the Profile screen → Delete Account.
  • Right to data portability — get your data in a machine-readable format (JSON) to take it elsewhere.
  • Right to restrict processing — tell us to stop processing your data in specific ways while we sort out a dispute.
  • Right to object — object to processing based on our legitimate interest, including profiling and direct marketing.
  • Right to withdraw consent — for processing based on consent (like marketing emails), withdraw at any time.
  • Right to lodge a complaint — you can complain to the Swedish data protection authority, Integritetsskyddsmyndigheten (IMY), at imy.se.

7. How we protect it

Security is built in, not bolted on. Our key controls:

  • All data in transit is encrypted with TLS 1.2+ (HTTPS everywhere)
  • All data at rest in our database is encrypted
  • Passwords are stored as bcrypt hashes — we cannot read them, and neither can anyone else who gets hold of our database
  • Database access is restricted to a small set of authorised engineers; access is logged
  • We require strong, unique passwords for all employee and contractor accounts and enforce multi-factor authentication
  • Regular automated security scanning and dependency updates
  • EU-only hosting (Frankfurt / Stockholm) — your data never leaves the EU unless explicitly required for a specific feature (like Gemini AI), and even then only minimal data

If we ever experience a data breach affecting your personal data, we will notify the Swedish authority within 72 hours and notify affected users without undue delay, as required by GDPR Articles 33–34.

8. Cookies & tracking

We use minimal cookies and we tell you upfront. On justneed.ai:

  • Essential cookies — for login session, language preference, CSRF protection. No consent needed (legally required for the Service to work).
  • Analytics cookies — we may use a privacy-respecting analytics tool (Plausible or Fathom — both EU-hosted, no personal data, no cross-site tracking). We will ask for your consent before setting these.
  • We do not use advertising cookies, retargeting cookies, or third-party social media trackers. No Facebook pixel, no Google Ads tag, no LinkedIn Insight Tag.

In the mobile app, we use only Firebase Analytics in anonymous mode for crash reports and app stability. You can opt out in your device settings or in the app's Privacy settings.

9. International transfers

Justneed is hosted in the European Union. Most of your data never leaves the EU. The exceptions are:

  • Google services (Firebase Auth, Gemini API, Firebase Cloud Messaging) — when used, these may involve data transfers to Google servers in the US. These transfers are protected by the EU-US Data Privacy Framework and Google's Standard Contractual Clauses.
  • App store providers (Apple, Google) — handle their own data when you download the app; we do not transfer additional data to them.

We do not transfer your data to any country outside the EU/EEA without an appropriate safeguard in place.

10. Children

The Service is not intended for anyone under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, contact us at privacy@justneed.ai and we will delete it promptly.

11. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify you by email and through an in-app notice at least 30 days before the changes take effect. The "Last updated" date at the top of this page always reflects when this policy was last changed.

12. Contact us

Questions, requests, complaints — we read everything.

  • Email: privacy@justneed.ai
  • Postal address: Justneed AB, [Address to be confirmed], Stockholm, Sweden
  • Organisation number: [To be added]
  • Data Protection Authority: Integritetsskyddsmyndigheten (IMY), Box 8114, 104 20 Stockholm — imy.se