Privacy Policy
[PLACEHOLDER] fields with your actual company information before publishing.
1. Data Controller
The data controller within the meaning of the GDPR and the German BDSG is:
[COMPANY NAME / OWNER]
[Street and number]
[Postal code] [City], Germany
Email: privacy@onlymini.de
Phone: [Phone number]
2. Data We Collect and Why
onlymini is a digital job board exclusively focused on mini-jobs (Minijobs, § 8 SGB IV) in Germany. We only process personal data that is necessary to operate the platform.
| Category | Examples | Legal Basis (GDPR) |
|---|---|---|
| Account data | Email address, hashed password, role (applicant/employer) | Art. 6(1)(b) – contract performance |
| Applicant profile | Name, address, birth date, phone, photo, availability, skills, languages | Art. 6(1)(b) – contract performance |
| Sensitive data (encrypted at rest) | Tax ID, social security number, IBAN | Art. 6(1)(b) GDPR, Art. 88 GDPR / § 26 BDSG |
| Employer profile | Company name, address, VAT ID, contact details, logo | Art. 6(1)(b) – contract performance |
| Applications | Cover letters, shared profile data, application status | Art. 6(1)(b) – contract performance |
| Billing data | Invoice address, payment history | Art. 6(1)(c) – legal obligation (tax retention) |
| Technical usage data | Anonymised IP address, session ID, browser type, timestamps | Art. 6(1)(f) – platform security (legitimate interest) |
| Push notifications | Browser endpoint (VAPID) | Art. 6(1)(a) – consent |
3. Cookies and Sessions
We use only technically necessary cookies. No consent banner is required for these (Art. 6(1)(b)/(f) GDPR):
| Cookie | Purpose | Duration |
|---|---|---|
| session (HttpOnly, SameSite=Lax) | Authentication, 2FA state, wizard progress | Browser session |
| CSRF token | Protection against Cross-Site Request Forgery | Max. 1 hour |
| Consent cookie | Stores your cookie preference decision | 365 days |
4. Third-Party Services
4.1 OAuth Login Providers
You may optionally sign in using a third-party account. We receive only name, email address, and a unique user ID:
- Google Sign-In – Google LLC, USA (EU Standard Contractual Clauses)
- Microsoft Account – Microsoft Corp., USA (EU Standard Contractual Clauses)
- LinkedIn – LinkedIn Ireland Unlimited Company, Ireland (EEA)
- Facebook / Meta – Meta Platforms Ireland Ltd., Ireland (EEA)
Legal basis: Art. 6(1)(b) GDPR. Transfers to the USA rely on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).
4.2 Two-Factor Authentication (2FA)
Optional TOTP-based 2FA (RFC 6238). Your 2FA secret is stored encrypted and never shared with third parties.
4.3 AI-Assisted Job Description Drafting (Gemini API)
For employer-facing AI assistance, we use Google's Gemini API (Google LLC, USA). No applicant personal data is transmitted. Legal basis: Art. 6(1)(f) GDPR.
4.4 Location / Routing (OpenRouteService)
For distance-based job search, we use the OpenRouteService API (Heidelberg Institute for Geoinformation Technology, Germany). Only postal codes or place names are transmitted – no personal data.
4.5 Push Notifications
With your explicit consent, we send browser push notifications about matching jobs (VAPID protocol). You can withdraw consent at any time in your browser settings or profile. Legal basis: Art. 6(1)(a) GDPR.
4.6 Email Communication
Transactional emails are sent via SMTP. Provider: [SMTP PROVIDER]. Legal basis: Art. 6(1)(b) GDPR (transactional), Art. 6(1)(a) GDPR (job alerts).
5. Data Sharing
We never sell your data. Sharing occurs only:
- Employers: Your shared profile data is transmitted to the employer when you apply for their job. You control visibility in profile settings.
- Processors: Technical service providers (hosting, email) are bound by Data Processing Agreements under Art. 28 GDPR.
- Authorities: When legally required (law enforcement, court orders).
6. Data Retention
| Data type | Retention period |
|---|---|
| Active user accounts | Until deleted by user or upon request |
| Deleted accounts | Immediate anonymisation; invoices: 10 years (§ 147 AO) |
| Applications | Max. 6 months after rejection / hire |
| Server logs (IP) | Max. 7 days (anonymised after 24 hours) |
| Consent records | 3 years (Art. 7 GDPR proof requirement) |
7. Security Measures
- All connections encrypted via TLS/SSL (HTTPS)
- Passwords stored using secure one-way hashing
- Sensitive fields (Tax ID, IBAN, SSN) additionally encrypted at rest
- CSRF protection on all forms
- HttpOnly, SameSite=Lax session cookies
- Regular security updates and access controls
8. Your Rights Under GDPR
As a data subject, you have the right to:
- Access (Art. 15) – request a copy of your stored data
- Rectification (Art. 16) – correct inaccurate data
- Erasure (Art. 17) – request deletion ("right to be forgotten")
- Restriction (Art. 18) – restrict processing in certain cases
- Portability (Art. 20) – receive your data in machine-readable format
- Object (Art. 21) – object to processing based on legitimate interest
- Withdraw consent (Art. 7(3)) – at any time, with effect for the future only
To exercise your rights: privacy@onlymini.de
You also have the right to lodge a complaint with a supervisory authority: www.bfdi.bund.de
9. Automated Decisions / Profiling
We do not make automated decisions with legal effect (Art. 22 GDPR). Job matching is based solely on search criteria you set yourself.
10. Changes to This Policy
This policy is reviewed regularly. The current version is always available at /rechtliches/privacy. We will notify registered users by email of material changes.
Last updated: April 2026
Last updated: 28.04.2026 02:08 · SYSTEM