Plain-language summary: we hold your email, a hashed password (via our auth provider), the jobs you save, and the notes you keep on your applications — including anything you choose to log about interviews and salary. We don't run analytics, we don't use tracking pixels, and every company we share data with is in the EU. You can read or delete everything we hold about you at any time.
Who runs unspook
unspook is operated by Sam Vanspauwen, a private individual based in København, Denmark. Business registration with the Danish CVR register is pending. For any privacy-related question (including access, correction, or deletion requests), write to sam@unspook.com.
Under the GDPR, this means Sam Vanspauwen is the data controller for everything described below. There is no separate data protection officer; the controller handles all requests directly.
What we collect, and why
Account data
When you create an account we collect your email address, your name, and the password you choose. Passwords are not stored in our database; they are hashed and held by our authentication provider (see sub-processors below). If you sign in with Google instead of a password, we receive your Google email address and basic profile information (name) for the sole purpose of identifying your account. We also store one preference — whether you have opted in to product update emails — and the timestamps of when your account was created and last seen.
Legal basis: performance of a contract (GDPR Art. 6(1)(b)); you cannot have an account without us knowing what to call it.
Saved jobs & application tracking
When you save a job, we store a reference to that job and a timestamp, linked to your account. If you use the tracker to follow an application, we also store the data you choose to enter: the application status (applied, interview, offer, rejected, and so on), interview dates, the interview format and round, free-text notes, and any salary figures you record (what you asked for, what you were offered, the currency and period, and your reaction to it). Each change is kept as a dated event so the tracker can show your timeline. You can also add your own jobs that aren't on the site — the title, company, link, and description you type are stored against your account.
We do not log which jobs you merely opened, which you scrolled past, or how long you spent reading. The tracker only holds what you deliberately save or type.
Legal basis: performance of a contract (Art. 6(1)(b)); the tracker is the feature you signed up for. Salary and interview details are optional — you decide whether to record them.
Watched searches & the updates feed
You can save one set of search filters (keywords, company, location, salary, recency) so the Updates tab can show you new jobs that match. We store those filters, a label you give them, and the timestamps of when you last checked, so we know which postings are "new since you last looked". Jobs you set aside from the feed are remembered for a short while (about a day) and then resurface.
Legal basis: performance of a contract (Art. 6(1)(b)).
Feedback & company suggestions
If you send feedback or suggest a company for us to add, we store what you wrote, a snapshot of your email address, and whether you're happy to be contacted about it. For feedback we also record the page you were on and your browser's user-agent string, which helps us reproduce bugs. For a company suggestion we store the company name and careers-page link you provide.
Legal basis: legitimate interest (Art. 6(1)(f)) in improving the service and acting on what you tell us.
Waitlist & invites
If you join the waitlist from the landing page, your email address is sent to our email provider (Brevo) and added to a waitlist contact list so we can let you in later. Signup is invite-only: when an invite is issued we store a hashed copy of the invite token (never the raw token) and, optionally, the email it was meant for; once redeemed we record which account claimed it.
Legal basis: consent (Art. 6(1)(a)) for the waitlist — you ask to be added and can ask to be removed; performance of a contract (Art. 6(1)(b)) for issuing and redeeming invites.
Ghost-score signals
To work out how trustworthy a posting is, we look at aggregated, anonymised signals across all users — for example, how many people have logged an interview or an offer for a given job. We also keep a single per-account "reliability" number, derived only from how consistently you update your own applications, which weights your contribution to those aggregates. We do not publish which jobs you applied to, and the scores shown to others never identify you.
Legal basis: legitimate interest (Art. 6(1)(f)) in making the score meaningful for everyone.
Server logs
Our hosting provider records standard server-access information when you visit unspook.com: your IP address, the page you requested, your user-agent string, and the timestamp. These logs are used to keep the service running, debug errors, and detect abuse. They are not used to build a profile of you, sold to anyone, or fed into any advertising system.
Legal basis: legitimate interest (Art. 6(1)(f)) in operating a secure service. Logs are retained for no more than 30 days.
Email delivery
Account-related emails (sign-up verification, password reset) are sent through our transactional-email provider. The provider receives your email address and the message we asked it to deliver. We do not send marketing emails, and there is no newsletter to unsubscribe from because we do not run one.
What we don't collect
unspook does not run analytics. No Google Analytics, no Meta Pixel, no Plausible, no Hotjar, no session replay, no heatmaps, no fingerprinting library. No advertising network has access to the site. If we ever add analytics (most likely a cookie-free EU-hosted product like Plausible), this policy will be updated first, and we will tell you what changed.
Who else processes your data
We use a small set of EU-based service providers to actually run the website. Each one is bound by a data-processing agreement (GDPR Art. 28) and only handles the categories of data described beside its name.
- Hetzner Online (Germany): hosting and database. Receives everything stored in your account.
- Zitadel (self-hosted on Hetzner, Germany): identity and password hashing. Receives your email address and authentication events.
- INWX (Germany): domain registration. Does not process user data; listed for completeness.
- Bunny.net (Slovenia): DNS resolution. Sees DNS queries but no account data.
- Brevo (France): transactional email delivery (verification, password reset) and the waitlist contact list. Receives your email address and the message body.
- Mistral AI (France): language-model extraction on collected job postings. Receives the public job description text from the company career site, never any data about you.
- Geoapify (Austria): geocoding for job locations. Receives location strings from public job postings, never any data about you.
All sub-processors operate inside the European Union or European Economic Area. There are no international transfers to third countries that would require Standard Contractual Clauses under Chapter V of the GDPR.
How long we keep your data
- Account data, saved jobs & tracker history: for as long as your account exists. When you delete your account, all of it — saved jobs, application events, custom jobs, watched searches, set-aside jobs, and your ghost-score signals — is erased.
- Feedback & company suggestions: kept while we act on them, and deleted along with your account if you close it.
- Waitlist email: held in Brevo until you are invited in or ask to be removed.
- Server access logs: up to 30 days, then rotated out.
- Backups: encrypted database backups are kept on a separate Hetzner Storage Box for up to 6 months on a rolling schedule. When you delete your account, your data is removed from the live database immediately and falls out of backup rotation within that window.
About the jobs on this site
The job postings on unspook are collected from companies' public career pages. We treat these postings as content about organisations, not about individuals. Where a posting accidentally contains personal data (for example, a named recruiter or hiring manager), we either drop the field at ingest time or, if you notice one we missed, will remove it on request.
If you are a named individual in a posting we display and want it removed, write to sam@unspook.com and we will take it down within a few working days.
Your rights
Under the GDPR you have the right to:
- Access: ask for a copy of the data we hold about you.
- Rectification: ask us to correct anything that's wrong.
- Erasure: delete your account, which removes your data from our live systems. Go to Settings → Account → Delete my account. This is immediate and cannot be undone.
- Portability: ask for your saved jobs and account data as a JSON file.
- Restriction & objection: ask us to pause processing, or object to processing based on legitimate interest.
- Withdraw consent: wherever we rely on consent (for example, future analytics if we ever introduce it), withdraw it without affecting earlier processing.
Email sam@unspook.com and we will respond within 30 days. There is no fee for any of the above unless a request is repetitive or manifestly unfounded.
Complaint to a supervisory authority
If you think we are handling your data unlawfully, you can file a complaint with the Danish Data Protection Agency (Datatilsynet) at datatilsynet.dk. If you live elsewhere in the EU/EEA, you can complain to the supervisory authority of your country of residence.
Cookies
unspook uses only strictly-necessary cookies for keeping you signed in. We do not use cookies for analytics, advertising, or behavioural tracking. See our cookie notice for the specifics.
Children
unspook is intended for adults looking for work and is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has signed up, contact us and we will delete the account.
Changes to this policy
We will update this page if we change what we collect, who processes it, or how long we keep it. The effective date at the top reflects the most recent change. Material changes that affect existing accounts will also be communicated by email.
Contact
Sam Vanspauwen
København, Denmark
sam@unspook.com