Privacy Policy.
How we collect, use, and protect your personal data. Last updated: 10 April 2026.
1. Who we are
myjob.mt (“we”, “us”, “our”) operates the website at myjob.mt (“the Site”). We are the data controllerfor the personal data we process through the Site, within the meaning of Article 4(7) of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and Malta's Data Protection Act (Cap. 586).
For any questions about this Privacy Policy or your personal data, contact us at hello@myjob.mt.
2. What we do
myjob.mt is a job listing bulletin boardfor employment opportunities in Malta and Gozo. Recruiters sign up, pay €49, and publish a job listing that stays live for 30 days. Each listing contains either a link to the employer's own website where candidates can apply, or a contact email address that registered users can reveal to send a CV directly to the recruiter.
We do not collect CVs, resumes, or job applications. We do not process or store candidate applications. We do not facilitate, intermediate, or participate in the hiring process in any way. When a candidate clicks an external application link, they leave our Site. When a candidate reveals a recruiter's email address and sends a CV, that communication happens entirely outside our platform. We have no involvement in, and no responsibility for, what happens after that point.
3. What personal data we collect
We collect a very limited amount of personal data — only what is strictly necessary to operate the Site. Here is everything we collect:
3.1 Account data (via Google sign-in)
The only way to create an account on myjob.mt is through Google OAuth. When you sign in with Google, we receive and store the following from your Google account:
- Your name
- Your email address
- Your profile picture (if available)
We also store your account role (user, recruiter, moderator, or admin), whether your email is verified, account creation date, and — if you purchase a listing — your Stripe customer ID.
We do not store your Google password. Google handles authentication entirely on its side.
3.2 Session data
When you log in, we create a session record that includes a session token, your IP address, your browser user agent string, and the session expiry time. This is necessary to keep you logged in and to protect against unauthorised access.
3.3 Job listing data
When a Recruiter posts a job listing, we collect the information they enter in the listing form: company name, job title, job description, location, salary information, and either an application URL or a contact email address. This content is published publicly on the Site.
3.4 Payment data
Payments are processed entirely by Stripe. We never collect, see, or store your full card number, CVV, or complete card details. Stripe returns to us only limited information: the last 4 digits of your card, card brand, billing country, transaction amount, and payment status. We also store a Stripe customer ID linked to your account for transaction reference.
3.5 Newsletter data
If you subscribe to our newsletter, we collect your email address. You can unsubscribe at any time using the link in every newsletter.
3.6 Analytics data
We use Vercel Analytics, which is a cookieless, privacy-friendly analytics service. It does not use cookies, does not track individual users across sessions, and does not collect personally identifiable information. Vercel Analytics provides us with aggregate data only, such as page views, visitor counts, and referral sources. No consent is required because no cookies or personal data are involved.
That is everything we collect. We do not collect CVs, resumes, identity documents, dates of birth, phone numbers, physical addresses, or any other personal data beyond what is listed above.
4. Why we process your data and our legal basis
Under GDPR Article 6, we must have a lawful basis for every processing activity. Here is each purpose and the legal basis we rely on:
| Purpose | Data used | Legal basis |
|---|---|---|
| Creating and managing your account | Name, email, profile picture (from Google) | Contract performance — Art. 6(1)(b) |
| Maintaining your login session | Session token, IP address, user agent | Contract performance — Art. 6(1)(b) |
| Publishing job listings | Listing content, company name, contact details | Contract performance — Art. 6(1)(b) |
| Processing payments via Stripe | Stripe customer ID, payment metadata | Contract performance — Art. 6(1)(b) |
| Retaining invoices and financial records | Payment records, Stripe transaction data | Legal obligation — Art. 6(1)(c) (Malta Income Tax Management Act, Cap. 372) |
| Sending newsletters | Email address | Consent — Art. 6(1)(a) |
| Fraud prevention and Site security | IP address, session data, account status | Legitimate interests — Art. 6(1)(f) |
| Enforcing our Terms (bans, moderation) | Account status, ban reason | Legitimate interests — Art. 6(1)(f) |
| Responding to legal claims or regulatory requests | Any relevant data | Legal obligation — Art. 6(1)(c) |
Where we rely on legitimate interests, our interests are in operating and securing the Site and enforcing our Terms. We have assessed that this does not override your rights and freedoms given the minimal data involved. You can object at any time (see Section 8).
5. Who we share your data with
We share personal data only with the following, and only to the extent necessary:
5.1 Stripe (payment processor)
Stripe Payments Europe, Limited (Ireland) processes payments on our behalf. Stripe also acts as an independent data controller for its own fraud prevention and regulatory compliance purposes. See Stripe's Privacy Policy.
5.2 Vercel (hosting)
Vercel Inc. (United States) hosts the Site and processes data on our behalf under its Data Processing Addendum. Vercel Analytics is cookieless and does not process personal data. See Vercel's Privacy Policy.
5.3 Google (authentication)
Google Ireland Limited provides sign-in via Google OAuth. Google acts as an independent data controller for the authentication process. We receive your name, email, and profile picture from Google. We do not send any additional data to Google. See Google's Privacy Policy.
5.4 Public visibility
Job listing content (company name, job title, description, location, salary) is published publicly and may be indexed by search engines. Recruiter contact email addresses within listings are visible only to users who are logged in.
5.5 Legal and regulatory
We may disclose personal data to law enforcement, courts, regulators, or other authorities where required by applicable law or legal process.
We do not sell your personal data. We do not share your data with advertisers or marketing platforms. We do not use your data for profiling or targeted advertising.
6. International data transfers
Some of our service providers are based in the United States. When your personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:
- Vercel and Stripe are certified under the EU-US Data Privacy Framework (DPF), recognised as adequate by the European Commission (adequacy decision of 10 July 2023). Both also maintain Standard Contractual Clauses (SCCs) as a supplementary safeguard.
- Google relies on the EU-US Data Privacy Framework and Standard Contractual Clauses.
If you would like more information about the safeguards in place, contact us at hello@myjob.mt.
7. How long we keep your data
We retain personal data only for as long as necessary. Here are our specific retention periods:
| Data | Retention | Reason |
|---|---|---|
| Active job listings | 30 days from publication (then deactivated) | Service duration |
| Expired job listings | 12 months after expiry, then deleted | Reference and dispute resolution |
| User accounts (active) | As long as your account exists | Contract performance |
| User accounts (inactive) | 24 months after last login, then we notify you or delete | Data minimisation |
| Session data | Until session expires or you log out | Authentication |
| Payment and invoice records | 9 years from transaction date | Malta Income Tax Management Act (Cap. 372) |
| Newsletter subscriptions | Until you unsubscribe | Consent-based |
| Ban records | Indefinitely while the ban is active | Legitimate interests (platform integrity) |
| Consent records | Duration of processing + 5 years | GDPR accountability (Art. 5(2)) |
When retention periods expire, data is permanently deleted or irreversibly anonymised.
8. Your rights
Under the GDPR, you have the following rights. Contact us at hello@myjob.mt to exercise any of them. We will respond within one month (extendable by two months for complex requests).
- Access (Art. 15) — Request a copy of all personal data we hold about you.
- Rectification (Art. 16) — Ask us to correct inaccurate or incomplete data.
- Erasure (Art. 17) — Ask us to delete your data. We will comply unless we have a legal obligation to keep it (for example, payment records required by tax law).
- Restriction (Art. 18) — Ask us to temporarily stop processing your data in certain circumstances.
- Data portability (Art. 20) — Request your data in a machine-readable format (JSON or CSV). This applies to data you provided to us that we process by automated means under consent or contract.
- Object (Art. 21) — Object to processing based on legitimate interests. For direct marketing (our newsletter), your right to object is absolute — we will stop immediately.
- Withdraw consent — Where we rely on consent (newsletter), you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.
9. Cookies
We use a minimal number of cookies, all of which are strictly necessary for the Site to function. We do not use any analytics cookies, marketing cookies, advertising cookies, or tracking cookies.
The cookies we use are:
- Session / authentication cookies — to keep you logged in after you sign in with Google. These are essential for the Site to work and expire when your session ends or you log out.
- Stripe cookies (
__stripe_mid,__stripe_sid) — set by Stripe during the payment process for fraud detection and payment security. These are classified as strictly necessary.
Because all our cookies are strictly necessary for the operation of the Site, no cookie consent banner is required under the ePrivacy Directive (Article 5(3)) or Malta's S.L. 586.01. We do not need your consent for these cookies.
Our analytics (Vercel Analytics) are completely cookieless and do not track individual users.
10. Newsletter
We send newsletters only to people who have explicitly opted in. We will never subscribe you automatically or as a condition of using the Site.
Every newsletter contains a clear unsubscribe link. Once you unsubscribe, we will stop sending within 48 hours. We may retain your email on a suppression list solely to ensure we do not contact you again.
This complies with Malta's S.L. 586.01, which requires prior explicit consent for electronic marketing.
11. Recruiter data responsibility
When a job listing includes a contact email address and a logged-in user reveals it, or when a listing links to an external website, any subsequent communication (including sending CVs or personal data) happens directly between the candidate and the recruiter, entirely outside our platform.
myjob.mt does not receive, store, process, or have access to any CVs, applications, or personal data exchanged between candidates and recruiters. The Recruiter (or the employer they represent) is the sole data controller for any personal data they receive from candidates.
Recruiters are solely responsible for complying with the GDPR and all applicable data protection laws regarding any candidate data they collect. We encourage candidates to review the privacy policy of any employer before sharing personal information.
12. Children
The Site is not intended for children. You must be at least 16 years old to create an account or use the Site. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, contact us at hello@myjob.mt.
13. Security
We implement appropriate technical and organisational measures to protect your personal data, including encrypted connections (HTTPS/TLS), secure authentication via Google OAuth, access controls, and regular review of our security practices.
No method of transmission over the internet is completely secure. While we strive to protect your data, we cannot guarantee absolute security.
14. Data breaches
If we experience a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Information and Data Protection Commissioner (IDPC) without undue delay and within 72 hours where feasible, as required by GDPR Article 33.
If the breach is likely to result in a high riskto you, we will also notify you directly without undue delay, as required by GDPR Article 34.
15. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will post a notice on the Site or email you at your registered address.
The “Last updated” date at the top indicates when the policy was last revised.
16. Your right to complain
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with Malta's supervisory authority:
Office of the Information and Data Protection Commissioner (IDPC)
Floor 2, Airways House, Triq Il-Kbira (High Street)
Tas-Sliema SLM 1549, Malta
Phone: +356 2328 7100
Email: idpc.info@idpc.org.mt
Website: https://idpc.org.mt
You also have the right to an effective judicial remedy through Malta's courts.
17. Contact
If you have any questions about this Privacy Policy or want to exercise your data rights, contact us at: