We (Storyblok GmbH, Peter-Behrens-Platz 2, 4020 Linz, Austria, a company registered in Austria, FN 479743 f) are committed to protecting and respecting your privacy. This Privacy Policy (together with any other documents referred to herein) sets out the basis on which personal data collected from you, or that you provide to us, will be processed by us in connection with our recruitment processes. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

Where you apply for a job opening posted by us, these Privacy Notice provisions will apply to our processing of your personal information in addition to our other Privacy Notice, which is available on our website under this link: https://www.storyblok.com/legal/privacy-policy

How to contact us

You can contact us at: Storyblok GmbH, Peter-Behrens-Platz 2, 4020 Linz, Austria.

If you have any questions or complaints in relation to the use of your personal data or this Privacy Policy, you can contact us via e-mail at: legal@storyblok.com

or under the address above.

Data we collect from you

We collect and process some or all of the following types of information from you:

1. Information that you provide during the job application process. This includes information provided through an online job site, via email, LinkedIn, in person at interviews, in your CV, covering letter and/or by any other method, including:

• Information about you & contact data (e.g. surname, form of address, email address, telephone number, street address, date of birth, citizenship).
• Qualification data (e.g. cover letter, CV, previous employment, professional qualifications and skills).
• Optional information, such as application photo, or other information that you provide to us in your application or upload.

2. Information collected or created by us during the recruitment process, including:

• Communications & correspondence between you and us.
• Interview notes, test scores, and/or a record of your progress through any hiring process that we may conduct.

3. Information obtained from publicly available sources, including information we may collect such as details of your employment and education history from business-related public sources available online (e.g. LinkedIn, other social media or similar).

How we use your data

Lawful basis for processing

We process your data based on the implementation of contractual or pre-contractual measures (Art. 6 para. 1 letter b GDPR) our legitimate interest in accordance with (Article 6 (1) lit f GDPR), your consent (Article 6 (1) lit a GDPR) or to fulfill legal obligations (Art.6 (1) lit c GDPR) a):

Contractual or pre-contractual measures

We process your data to find candidates to fill our job openings – so for the initiation of a potential contractual relationship with you.

Legitimate interests:

In certain cases, we process your data to protect our legitimate interests or that of third parties. Such legitimate interests are: ensuring IT security, the effective administration and management of the recruitment process, and/or to deal with disputes and accidents and take legal or other professional advice; to conduct data comparison with EU anti-terrorist lists in accordance with Regulations (EC) No. 2580/2001 and 881/2002 for the purpose of combating terrorism and/or within the framework of AEO certification (Authorised Economic Operator). As a company EU law obliges us to play our part in the fight against terrorism. No funds may be made available to persons and organizations on the terrorist lists (provision prohibition). We are also obliged to carry out this comparison for the AEO certificate as an authorized economic operator.

Legal obligations

As a company we are subject to various legal obligations. The processing of personal data may be necessary to fulfil these obligations, including:

• For the protection of legal retention periods (such as Section 15 (1) and (29) Equal Treatment Act (Gleichbehandlungsgesetz, GlBG);

• To comply with Storyblok's legal obligations such as Section 18 Austrian Employee Act (Angestelltengesetz, AngG) or Section 1157 Austrian Civil Code (Allgemenies Bürgerlichers Gesetzbuch, ABGB).

Your consent

If you have given us your consent to the collection, processing or transfer of certain personal data, then this consent forms the legal basis for the processing of this data. This applies to the following cases:

• Group-wide sharing of your application in case we do not hire you for the job opening you applied for, but see opportunities in other companies belonging to the group;

• Saving your application for a period of seven (7) months after the legal retention period in case we cannot consider you for the job opening you applied for, but maybe for other job openings in the future.

You can revoke your consent at any time by letter or e-mail, so that the processing of your data for the named purposes are no longer permitted from the time of receipt of your revocation. The lawfulness of the processing of your data until revocation remains unaffected by your revocation.

Purposes of processing

We use information held about you in the following ways:

• To consider your application in respect of a role for which you have applied or any other potential engagement within our organization or our subsidiaries and affiliates.

• To assess and make a decision about your suitability for a role

• To communicate with you in respect of the recruitment process.

• To communicate about your engagement with any of our suppliers or service providers, especially such as consultants, covered with a confidentiality agreement.

• To enhance any information that we receive from you with information obtained from third-party sources.

• To find appropriate candidates to fill our job openings.

Disclosure of your data

Your data will be processed mainly by our human resources department and the department responsible for the respective processing purpose. In some cases, however, other group companies or external bodies are also involved in the processing of your data. We share your personal information with the following third parties for the purposes of processing your application.

External Services Providers:

We may share your personal data with the following external service providers (data processors) where necessary, including:

Application Management:

Greenhouse (Greenhouse Software Inc. 8 West Street, 11th Floor, New York, NY 10011 USA, Website: https://www.greenhouse.com/; Privacy Policy: https://www.greenhouse.com/uk/privacy-policy)

Digital Signatures:

DocuSign (DocuSign Inc., 221 Main St. Suite 1550 San Francisco California 94105, USA; Website: https://www.docusign.com/; Privacy Policy: https://www.docusign.com/privacy/)

Email, cloud storage, communication, video conferencing

Google Workspace (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; Website: https://workspace.google.com/; Privacy Policy: https://policies.google.com/privacy?hl=en-US)

Video conferencing

Zoom (Zoom Video Communications, Inc., 55 Almaden Blvd, 6th Floor, San Jose, CA, USA; Website: https://zoom.us/; Privacy Policy: https://explore.zoom.us/en/privacy/)

Other external data recipients

We may share your data with other external third parties as required, based on our legitimate interests (e.g. auditors, pension and employee benefit funds, insurance providers, (tax) consultants, legal representatives), and on a case-by-case basis with credit reference agencies, background check and online test providers or other third parties involved in the fulfilment of the contract with you and third parties otherwise involved in the recruitment or employment relationship, (e.g. travel agencies, online booking portals, telecommunications service providers, IT infrastructure operators, etc.).

All our commissioned data processors only process data on our behalf and on the basis of our instructions for providing the services for which they are engaged.

Storyblok group companies

We may share personal data within our group, with our affiliates and associated companies for the purposes of administration, accounting, reporting purposes and reviewing / furthering / facilitating your job application.

Public bodies and authorities

Where required, we may also share your data with the following public bodies or authorities such as: regulators and competent authorities, employment agencies, financial authorities, social insurance carriers, health insurance companies, chambers of commerce, and investigation authorities.

How we secure your data

We take appropriate measures to ensure that all personal data is kept secure including appropriate security measures to prevent personal data from being accidentally lost or used or accessed in an unauthorized way. We limit access to your personal data to those who have a genuine organizational need to know it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a data security breach where we are legally required to do so.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted through any online means, therefore any transmission remains at your own risk.

How long do we keep your data?

We only store data for as long as it is needed to fulfil its specific purpose.

Legal basis of the contractual relationship

Applicant data is deleted after seven months at the latest after your application is rejected and you are not hired into an employment relationship, unless you have given separate consent to keep your data on file for a longer period.

In case we hire you, we will continue holding your data for the term of your employment and any applicable legal retention periods.

Legal basis of consent:

If you have given your consent to retain records for a longer period of time (in the applicant pool), we will store your data for the period for which you have granted your consent.

Legal requirements:

Data may be stored for longer than specified if required to assert our legal rights or defend against legal claims.

Withdrawing your application

If you like to withdraw your application before completing the application process, i.e. delete your data and your account, the stored data will be blocked for the duration of the ongoing application process and deleted permanently seven months after the conclusion of the application process. You can ask for such deletion of your candidate profile and your application documents by contacting us at any time under the address above.

Your rights in connection with the processing of your data

Your rights

Every data subject has the right of access under Article 15 GDPR, the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, the right to object under Article 21 GDPR and the right to data portability under Article 20 GDPR.

• Right to object

Pursuant to Art. 21 para. 1 GDPR, you have the right to object at any time to the processing of personal data concerning you on the basis of Art. 6 para.1 lit. e GDPR (data processing in the public interest) or Article 6 para.1 lit. f GDPR (data processing to protect a legitimate interest), this also applies to profiling based on this provision. In the event of your objection, we will no longer process your personal data unless we can prove compelling grounds for processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

• Revocation of consent

You can revoke your consent to the processing of your personal data at any time. Please note that the revocation is only valid for the future. For any revocation of consent, please contact us using the contact details provided above.

• Right to information

You may request information as to whether we have stored personal data about you. If you wish, we will inform you of the data concerned, the purposes for which the data is processed, to whom this data is disclosed, how long the data is stored and what further rights you are entitled to with regard to this data.

• Deletion or correcting of your data

You have the right to have your data corrected or deleted. If there is no reason for further storage, we will delete your data, otherwise we will restrict processing.

• Providing your data

You may also request that we provide all personal information that you have provided to us in a structured, current and machine-readable format either to you or to a person or company of your choice.

• Complaint

In addition, there is a right to lodge a complaint to the responsible data protection supervisory authority (Art. 77 GDPR). The supervisory authority in Austria is the Austrian Data Protection Authority (https://www.data-protection-authority.gv.at/) which may be contacted at dsb@dsb.gv.at.

Assertion of your rights

We hope that we can resolve any query or concern you raise about our use of your information.

If you would like to exercise any of those rights, please:

• contact us using our contact details above,

• let us have enough information to identify you,

• let us have proof of your identity and address, and

• let us know the information to which your request relates

We will process your enquiries immediately and in accordance with legal requirements and inform you of the measures we have taken.

Is there an obligation to provide your data?

In order to take part in the recruitment process, you must provide us with the personal data that is necessary to carry out the recruitment process or that we are required to collect by law. If you do not provide us with this information, we will not be able to consider you for a job opening.

Is there automated decision-making/profiling?

You are not subject to any automated decisions that have legal effect on you or that significantly affect you in a similar way. We also do not perform any profiling measures.

Changes to this policy

If the purpose or manner of processing your personal data changes significantly, we will update this information in time and inform you about the changes.