Privacy Policy
Updated: June 2, 2026
This Privacy Policy describes how Craftled, MB ("Craftled", "Bordfeed", "we", "us", "our") collects, uses, and protects personal data when you visit bordfeed.com, create an account, use the Bordfeed dashboard or Feeds API, or otherwise interact with our services.
Bordfeed is an API-first job-data platform owned and operated by Craftled. For the agreement governing your use of Bordfeed, see our Terms of Service. For details on cookies and similar technologies, see our Cookie Policy.
1. Who We Are
Bordfeed is operated by:
Craftled, MB Eduardo Andre 14-5, LT-02232 Vilnius, Lithuania Registration: 305722486 VAT: LT100015273316
For privacy inquiries, contact support@bordfeed.com.
Craftled acts as the data controller for personal data processed through Bordfeed. This includes both the account data of our customers and any limited personal data contained in the job and company records we collect from publicly accessible sources (see Section 4).
2. Scope
This policy covers two categories of data:
- Customer and visitor data — the account, billing, support, and usage data of people who sign up for or visit Bordfeed.
- Job and company data — the job postings and company information Bordfeed collects from public sources to power the platform, which may occasionally include limited personal data about third parties (for example, a named hiring contact in a posting).
3. Information We Collect
We collect the minimum information needed to operate Bordfeed and provide our services.
Information you provide directly
- Account registration: your email address, and (optionally) your name, when you sign up. If you sign in with Google, we receive your email address, name, and profile picture from Google.
- Organization data: organization name and the email addresses of team members you invite.
- Billing information: when you subscribe to a paid plan or purchase credits, Stripe collects and processes your name, billing address, and payment details. We do not store full card numbers on our servers; we retain only a Stripe customer reference, plan, and billing status.
- Feed and API configuration: the filters, delivery settings, and webhook endpoint URLs you configure for your feeds.
- Support correspondence: any information you include when you contact us.
Information collected automatically
- Usage and API data: requests to the Feeds API and dashboard, including the API key used, endpoints called, parameters, response codes, timestamps, and credit consumption, retained for billing, rate limiting, abuse prevention, and debugging.
- Server and access logs: IP address, user agent, request path, response code, and timestamp.
- Product analytics: aggregated, anonymized usage metrics via Umami, a privacy-first analytics tool that we self-host. Umami does not use cookies, does not collect personal data, anonymizes IP addresses, does not fingerprint your device, and does not track you across sessions or other websites. It records only metrics such as page views, referrers, browser, operating system, device type, and country-level geography.
- Error monitoring: when something breaks, Sentry captures diagnostic data (such as the error, browser, and a limited session replay) to help us fix it. We configure Sentry not to send default personally identifying information.
- Bot protection: when you submit certain forms (for example, sign-up), Cloudflare Turnstile may briefly assess your browser and IP to verify you are not a bot.
Information we do not collect
- We do not use advertising or cross-site tracking pixels, and we do not build advertising profiles.
- We do not sell or share personal information for cross-context behavioral advertising as defined under the CPRA.
- We do not collect Sensitive Personal Information as defined under the CPRA (such as precise geolocation, racial or ethnic origin, religious beliefs, biometric data, or health information).
4. Job and Company Data From Public Sources
Bordfeed's core function is to aggregate, enrich, and serve job-posting and company data. We collect this data from publicly accessible sources — primarily company career pages and applicant tracking systems — and use AI to structure and enrich it.
This data is overwhelmingly about companies and roles, not individuals. However, a job posting may occasionally contain limited personal data, such as the name or contact details of a hiring manager or recruiter named in the posting.
- Legal basis: we process this data on the basis of our legitimate interest in operating a job-data aggregation and search service that helps developers and businesses discover open roles, balanced against the rights and freedoms of any individuals named.
- Source: we collect only data that is already publicly accessible at its source; we do not bypass logins, paywalls, or technical access controls.
- Enrichment datasets: to enrich company records we also draw on third-party reference datasets, including People Data Labs, which provide attributes such as industry, company size, and location.
- Removal requests: if you are an individual whose personal data appears in a job or company record served by Bordfeed and you would like it corrected or removed, email support@bordfeed.com and we will action your request, subject to any legal retention obligations.
5. How We Use Information
We use the information we collect to:
- Provide the service: authenticate you, operate your organization and feeds, deliver feed results via the API and webhooks, and serve the dashboard.
- Process payments: manage subscriptions and credit purchases via Stripe, track credit balances, and issue receipts.
- Send service communications: transactional emails (sign-in, billing, security, webhook failures) and feed digest emails you have configured. Digest emails include a one-click unsubscribe link.
- Maintain and improve the platform: monitor performance, prevent abuse and fraud, debug errors, and understand aggregate usage.
- Communicate with you: respond to inquiries sent to support@bordfeed.com.
- Comply with legal obligations: maintain accounting records (7 years per EU tax law) and respond to lawful requests from authorities.
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you.
6. Legal Basis for Processing (GDPR)
We process personal data on the following legal bases under the EU and UK General Data Protection Regulations:
- Contract performance: creating and operating your account, organization, feeds, and billing.
- Consent: optional feed digest emails (you configure and can disable them at any time) and any optional cookies.
- Legitimate interest: securing the platform against abuse and fraud, debugging and improving the service, aggregating publicly available job and company data, and responding to your correspondence.
- Legal obligation: accounting and tax records.
You may withdraw consent at any time by disabling digest emails in your dashboard, using the unsubscribe link in any digest email, or emailing support@bordfeed.com.
7. Third-Party Processors
We use the following service providers to operate Bordfeed. Each is bound by a data processing agreement (DPA) and processes data only on our instructions.
- Vercel Inc. — Web hosting, edge CDN, serverless functions, and cron jobs. United States / EU (Frankfurt).
- Neon — Primary PostgreSQL database. EU.
- Cloudflare, Inc. — Object storage (R2), background processing workers, and bot protection (Turnstile). Global / EU.
- Resend — Transactional and feed digest email delivery. United States.
- Stripe, Inc. — Payment processing for subscriptions and credit purchases. United States / Ireland (EU customers).
- OpenAI — AI enrichment of job and company data (no customer account data is sent for enrichment). United States.
- Anthropic — AI enrichment and AI-assisted features using Claude models (no customer account data is sent for enrichment). United States.
- Google LLC — Optional Google sign-in (OAuth) for account authentication. United States.
- Sentry (Functional Software, Inc.) — Error monitoring and diagnostics. United States.
- Apify — Collection of publicly available job-posting data (no customer account data). EU / United States.
- Logo.dev — Company logo delivery via CDN (receives company domain names to render logos). United States.
- Umami (self-hosted) — Cookie-free product analytics, hosted on our own infrastructure. Analytics data is not shared with a third party. EU.
Where data is transferred outside the European Economic Area (EEA) or UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, the EU-US Data Privacy Framework, or other equivalent safeguards.
8. Cookies and Similar Technologies
Bordfeed is designed to be lightweight on tracking. We use only strictly necessary cookies (for example, to keep you signed in and to protect against bots) and store some preferences (such as your light/dark theme) locally in your browser. Our analytics (self-hosted Umami) are cookie-free. We do not use advertising or cross-site tracking cookies. For full details, see our Cookie Policy.
9. Data Sharing
We do not sell personal data. We share data only with:
- The third-party processors listed in Section 7, bound by DPAs.
- Law enforcement or regulators when required by a valid legal request.
- Successors in the event of a merger, acquisition, or sale of assets, with notice to affected users where required by law.
Note that when you configure a webhook, feed results are delivered to the endpoint URL you specify. You are responsible for the security and handling of data at that endpoint.
10. Data Retention
- Account data — Retained for the life of your account, then deleted or anonymized within 90 days of account closure, subject to legal retention requirements.
- Billing and payment records — 7 years, per Lithuanian / EU tax law.
- API and usage logs — Up to 12 months, for billing, security, and abuse prevention.
- Server and access logs — 30 days.
- Error and diagnostic data (Sentry) — Up to 90 days.
- Job and company data — Retained while relevant to the platform; closed or stale job records are expired and removed on a rolling basis.
11. Your Rights
Under the GDPR, UK GDPR, and CPRA, you have the right to:
- Access: request a copy of the personal data we hold about you.
- Rectify: correct inaccurate personal data.
- Erase ("right to be forgotten"): request deletion of your personal data, subject to legal retention requirements.
- Restrict processing: ask us to limit how we use your data.
- Object to processing: object to processing based on legitimate interest, including personal data appearing in job records.
- Data portability: receive your data in a structured, machine-readable format.
- Withdraw consent: at any time, for any consent-based processing.
- Lodge a complaint: with your local data protection authority. In Lithuania, this is the State Data Protection Inspectorate (VDAI). In the UK, this is the Information Commissioner's Office (ICO).
California residents (CPRA)
If you are a California resident, you additionally have the right to know what personal information we collect, use, and share; to request deletion; to opt out of any "sale" or "sharing" of personal information (we do not sell or share personal information for cross-context behavioral advertising); and to non-discrimination for exercising your rights. We honor Global Privacy Control (GPC) signals as a valid opt-out request under the CPRA. We do not currently respond to traditional Do Not Track (DNT) browser signals.
To exercise any right, email support@bordfeed.com. We will respond within 30 days (GDPR) or 45 days (CPRA), and may request reasonable verification of your identity.
12. International Data Transfers
Some of our processors are located outside the EEA and UK (notably in the United States). Where this occurs, we rely on European Commission Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework, or other lawful transfer mechanisms.
13. Children's Privacy
Bordfeed is a developer tool not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact support@bordfeed.com and we will delete it.
14. Security
We protect personal data using:
- TLS encryption in transit for all connections to Bordfeed.
- Database encryption at rest (Neon Postgres) and encrypted object storage (Cloudflare R2).
- API keys that are hashed at rest; we never store them in plaintext.
- Optional two-factor authentication (2FA) on your account.
- Access controls limiting administrative access to authorized personnel.
- Bot protection on public forms (Cloudflare Turnstile).
- Regular dependency updates and vulnerability monitoring.
No internet transmission or storage system is completely secure. We cannot guarantee absolute security, but we apply reasonable measures consistent with industry practice. If you discover a security issue, please report it to support@bordfeed.com.
15. Changes to This Policy
We may update this Privacy Policy from time to time. The "Updated" date at the top reflects the most recent revision. Material changes will be communicated by email or via a notice in the Bordfeed dashboard. Continued use of Bordfeed after the effective date of an updated policy constitutes acceptance of the changes.
16. Contact
For privacy questions, data requests, or to exercise your rights: support@bordfeed.com
Bordfeed is owned and operated by Craftled, MB.