Compys
Log inGet started

Privacy Policy

Last updated: Apr 19, 2026

Compys AB ("Compys," "we," "us") respects your privacy. This policy explains what personal data we collect when you use the Compys platform, how we use it, who we share it with, how long we keep it, and the rights you have under the General Data Protection Regulation (GDPR) and Swedish data protection law.

Who we are

Compys AB (org.nr 559527-0710) is a Swedish limited company (aktiebolag) registered with Bolagsverket. Our registered and postal address is Briljantgatan 50 c, 421 49 Västra Frölunda, Sweden. For questions about this policy or your personal data, email jonathan@compys.com. We are the controller of the personal data described below.

What the platform does

Compys is a recruitment platform that matches student and junior talent with startups and other employers. We support several account types: Students, Professionals, and Companies (with Company Admin and regular Company User roles). Administrators at Compys have limited operational access for support and moderation.

Data we collect

We only collect personal data you provide or that is generated when you use the service. Depending on your account type, we may process:

  • Account and authentication data: email address, a Firebase Authentication user identifier, sign-in method (email and password, or Google Sign-In), and an invitation code if one was used to register.
  • Talent profile data: first and last name, username, account type (Student or Professional), graduation date (for students), job title, location, bio, phone number, languages, competences and soft skills (optionally with experience scores), structured work history (position, company, dates, description), structured education history (institution, program, degree, dates, description), field of study, graduation year, LinkedIn and GitHub URLs, optional salary expectations, optional attachments, profile picture, and job preferences.
  • Company profile data: company name, industry, size, Swedish organisation number (for established companies), address, contact email, contact phone, website, logo, and the user identifiers of the company's administrators and members.
  • Activity and usage data: forum posts, comments and votes, startup posts, job listings you create or save, job search alerts, feedback reports, in-app notifications, profile-visit records, and gamification data (such as levels and streaks).
  • Communications: support messages you send us and email logs (recipient, subject, status, errors) generated when we send you transactional email.
  • Payment data: when you subscribe, Stripe handles payment details on our behalf. We store only a Stripe customer identifier, Stripe subscription identifier, plan tier, subscription status, and subscription period. Card numbers and full billing details are held by Stripe.
  • Technical data: device and browser information, IP address (used transiently for security and rate limiting), request logs, and error logs captured by our hosting provider.

How we use data

  • Create and maintain accounts, authenticate users, and deliver the Compys service.
  • Match student and junior talent with startups and enable employer features such as job posting, candidate discovery, and direct messages when available.
  • Keep the service secure, detect and prevent abuse, enforce our Terms, and debug issues.
  • Process payments and manage subscriptions through Stripe.
  • Send transactional email (such as sign-in, account, and invitation emails).
  • Improve the product by analyzing how features are used. We do not use third-party analytics or marketing cookies today.
  • Comply with legal obligations under Swedish and EU law.

Legal bases

For users in Sweden and the wider European Economic Area, we rely on the following legal bases under the GDPR:

  • Performance of a contract (Art. 6(1)(b)): creating and operating your account, matching talent with opportunities, and providing paid subscriptions.
  • Legitimate interests (Art. 6(1)(f)): security, fraud prevention, product analytics based on server-side data, and improving our matching quality. You can object to processing based on legitimate interests at any time.
  • Consent (Art. 6(1)(a)): optional features such as newsletters or non-essential cookies when we introduce them. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): tax, bookkeeping, and anti-fraud obligations, including retention of billing records under the Swedish Bookkeeping Act (Bokföringslagen).

See our GDPR information page for more on your rights and how to exercise them.

Sharing and sub-processors

We share personal data with other users and with vetted service providers acting on our instructions. Our sub-processors today are:

  • Google Ireland Ltd. — Firebase Authentication and Google Sign-In (account authentication).
  • Microsoft Ireland Operations Ltd. — Azure Blob Storage (profile pictures, company logos, job post images), Azure Communication Services (transactional email delivery from the @compys.se domain), and Azure App Service (application hosting and logging), all running in the Azure West Europe region (Netherlands).
  • MongoDB Limited — MongoDB Atlas (primary application database).
  • Stripe Payments Europe Ltd. (Dublin, Ireland) and Stripe, Inc. — payment processing for subscriptions.

We also share personal data with other users of the platform where the service requires it. For example, your talent profile may be viewed by companies you interact with; company information and your role at a company may be visible to your co-workers on Compys; forum posts you submit are visible to other users. We do not sell personal data.

We may disclose personal data where required by law, to protect the security of the service or the rights of users, or in connection with a corporate transaction such as a merger or acquisition.

International transfers

Primary processing takes place in Microsoft Azure West Europe (Netherlands). Some sub-processors, in particular Google (Firebase Authentication) and Stripe, may process personal data in the United States. Where personal data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.

Retention

We keep personal data only as long as we need it for the purposes described above. Typical periods are:

  • Account and profile data: while your account is active and for a short period afterwards to handle post-termination requests.
  • Session cookie (_session): up to 30 days.
  • Onboarding cookie (_onboarding): up to 7 days.
  • Stripe webhook events: 90 days.
  • Billing and accounting records: up to 7 years as required by the Swedish Bookkeeping Act (Bokföringslagen).
  • Backups: purged within 30 days.

When you delete your account, we delete your profile, user record, job postings you created, and saved jobs. Some information may remain in the hands of our processors under their own retention rules — in particular, payment records retained by Stripe and authentication identifiers held by Google (Firebase Authentication) — and we may retain records we are legally required to keep. If you want us to remove content you posted in the forum or other community areas, contact us at jonathan@compys.com.

Security

We use Firebase token-based authentication, HTTP-only and Secure session cookies, rate limiting (100 requests per minute per IP by default), standard security headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy), and encrypted-at-rest cloud storage provided by Azure West Europe and MongoDB Atlas. No method of transmission or storage is completely secure; please use a strong, unique password and keep your device secure.

Your rights

Under the GDPR you have the right to access, rectify, erase, restrict, or port your personal data, to object to certain processing, to withdraw consent where processing is consent-based, and to lodge a complaint with a supervisory authority. See our GDPR information page for details on how to exercise these rights.

Cookies

For the cookies and similar technologies we use, their purposes, and their lifetimes, see our Cookie Policy.

Children

Compys is intended for students and junior professionals and is not directed at children under 16. Users aged 15 may use the service only with the consent of a parent or legal guardian. If you believe a child has provided us with personal data without proper consent, contact us and we will delete it.

Changes

We may update this policy as our product and practices evolve. We will post the updated version here and change the "Last updated" date at the top of the page. For material changes we will make reasonable efforts to notify you.