Privacy Policy
Last updated: March 26, 2026
We built TDW to be the platform we'd want to use. That means no selling your data, no ad targeting, no dark patterns. Only two cookies — both strictly necessary. You control when companies see your identity. This document explains exactly what we collect and why.
The Dream Work ("we", "us", "our") operates the platform at thedream.work — a job matching service connecting software engineers with technology companies. For data protection purposes, we are the data controller.
Candidates: Name, email address, professional headline, years of experience, technology skills, salary expectations, work type preference, region, work history, and education — all provided during profile setup. We also store your application history and match scores computed from your profile.
Companies: Company name, website, industry, size, description, and the email address of the account owner. We store job listings you create and your billing history (payment metadata only — card details are held by Stripe).
All users: Login credentials (email + hashed password), session data, and activity logs for security and fraud prevention.
We use your data to operate the matching service, present relevant job opportunities to candidates, present relevant applicants to companies, process payments, send transactional emails (verification, password reset, connection notifications), and maintain platform security.
We do not sell your data to third parties. We do not use your data for advertising.
Candidate profiles are anonymous to companies until both parties mutually agree to connect. A company sees only your professional headline and match score until you accept a connection request. Upon accepting, your name and email address are shared with that company so they can contact you directly. You control this by accepting or declining connection requests.
We process your data on the following legal bases: contract performance (to provide the service you signed up for); legitimate interests (platform security, fraud prevention, abuse detection); legal obligation (tax and billing records); and consent where specifically requested.
We use the following sub-processors: Hetzner (server infrastructure, EU-based); Stripe (payment processing); Resend (transactional email delivery). Each processes only the data necessary for their function.
Active account data is retained while your account exists. If you delete your account, your profile and application history are soft-deleted and no longer accessible. Billing records may be retained for up to 7 years for legal and tax compliance. Activity logs are retained for 90 days.
Under GDPR and applicable law, you have the right to: access your data (use the Export feature in account settings); correct inaccurate data (edit your profile); delete your account and associated data (available in account settings); withdraw consent where processing is consent-based; and lodge a complaint with your local data protection authority.
We use two strictly necessary cookies. No tracking, advertising, or analytics cookies are used.
session_id — stores your login session on the server. Set when you visit the site, deleted when you close your browser (or after 12 hours of inactivity). Required for authentication and form submissions.
_nosurf — a CSRF protection token that prevents cross-site request forgery attacks. Set alongside the session cookie and deleted at the same time.
Both cookies are HttpOnly (not accessible by JavaScript), transmitted over HTTPS only, and scoped to this domain. Because they are strictly necessary for the platform to function, no consent banner is required under the ePrivacy Directive.
We apply technical controls including HTTPS-only access, HSTS, secure session cookies, CSRF protection, password hashing, rate limiting, and audit logging. No system is completely risk-free and we cannot guarantee absolute security.
For privacy questions or data requests, email privacy@thedream.work.