You are being redirected to Discord. If not redirected automatically, click here.

PurpleBox Privacy Policy and Cookie Policy

Effective Date: 16th November 2025.

This Privacy Policy and Cookie Policy (collectively, the "Policy") describe how we collect, use, disclose, and safeguard personal data when you access or use PurpleBox, including the website, employer tools, candidate features, and associated online services (the "Services").

We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Belgian data protection legislation. This Policy provides a comprehensive explanation of our data processing practices.

1. Data Controller

Handshake acts as the Data Controller with respect to the personal data processed through the Services.

Contact details:

Handshake (PurpleBox)

Rue César Frank 60, 1050 Brussels, Belgium

Email: hello@purplebox.co

2. Scope of This Policy

This Policy applies to:

  • individuals creating candidate accounts or profiles;
  • individuals applying for job opportunities through our platform;
  • representatives of employers posting job listings or accessing candidate data;
  • visitors accessing or interacting with the PurpleBox website.

The Services are not intended for individuals under 16 years of age, and we do not knowingly collect personal data relating to such individuals.

3. Categories of Personal Data Processed

We process the following categories of personal data. These categories reflect the nature of our Services and are designed to remain accurate as the platform evolves.

3.1 Personal data you provide directly

Candidate-related personal data

  • Identity data: first name, last name.
  • Contact data: email address, location details.
  • Professional data: headline, role information, certifications, years of experience, preferred engagement type, preferred collaboration mode.
  • CV/resume data: any information you include in uploaded documents.
  • Availability indicators: whether you elect to make your profile available to employers.

Employer-related personal data

  • Company data: company name, website, logo, locations, size, industries, languages spoken.
  • Representative data: name and contact information of employer representatives creating accounts.
  • Professional details: partner level, certifications, years implementing Odoo, average project size, geographic focus.
  • Billing data: VAT number, billing address, country, and subscription or transaction history.

3.2 Data collected automatically

When accessing the Services, we may process:

  • IP address;
  • browser type and version;
  • device information, operating system, screen resolution;
  • time zone and approximate geolocation;
  • interactions on the website, including pages viewed and clicks;
  • cookie-derived data and analytics data.

3.3 Data obtained from third parties

We may receive certain personal data from third parties, including:

  • analytics data from Google Analytics;
  • payment confirmation data from Stripe;
  • limited metadata from JBoard subprocessors relating to hosting or system performance.

We do not process special categories of personal data or data relating to criminal convictions.

4. Methods of Data Collection

We collect personal data through:

  • forms completed by candidates and employers;
  • uploaded files such as CVs;
  • account creation and subscription purchase processes;
  • automated technologies such as cookies and analytics tools;
  • payment processors handling subscription transactions;
  • direct communication with us.

5. Purposes of Processing and Legal Bases

We process personal data only where permitted under GDPR.

5.1 Performance of a Contract (Article 6(1)(b) GDPR)

Processing necessary to:

  • create and manage accounts;
  • enable job postings and candidate profiles;
  • facilitate employer access to the candidate database;
  • process and administer subscription payments;
  • provide customer support and essential communications.

5.2 Legitimate Interests (Article 6(1)(f) GDPR)

Processing necessary for:

  • ensuring platform security and fraud prevention;
  • analysing and improving the Services;
  • maintaining technical functionality and performance.

We always balance these interests with your fundamental rights and freedoms.

5.3 Legal Obligations (Article 6(1)(c) GDPR)

Processing necessary to comply with obligations relating to:

  • tax and accounting record retention;
  • regulatory compliance and lawful requests by authorities.

5.4 Consent (Article 6(1)(a) GDPR)

Processing based on your consent includes:

  • marketing and newsletter communications;
  • non-essential cookies (including future advertising cookies).

You may withdraw consent at any time without affecting the lawfulness of prior processing.

6. Marketing Communications

Where you subscribe to our newsletter or promotional communications, you provide consent for such communications. You may withdraw consent at any time by:

  • selecting the "unsubscribe" option within any communication; or
  • contacting us at hello@purplebox.co.

We do not share personal data with third parties for their own marketing activities.

7. Disclosure of Personal Data

We disclose personal data only as necessary and in accordance with this Policy.

7.1 Subprocessors and Service Providers

The PurpleBox platform is hosted and operated through JBoard, which relies on the following subprocessors:

  • Amazon Web Services (AWS) – hosting and infrastructure;
  • Stripe – payment processing;
  • Google Analytics / GA4 – analytics services;
  • Mailgun – transactional email;
  • Google Workspace – file storage (where relevant);
  • Crisp – customer support (if enabled).

A full and updated list of subprocessors is maintained by JBoard.

7.2 Employers Accessing Candidate Data

Employers with eligible subscription plans may access candidate profiles where candidates have elected to make such profiles visible. Employers act as independent data controllers when processing candidate data and must comply with all applicable data protection obligations.

7.3 Legal and Regulatory Disclosures

We may disclose personal data to comply with legal obligations, enforce our terms, or respond to lawful requests from competent authorities.

7.4 Business Transfers

In the event of a merger, acquisition, restructuring, or transfer of the PurpleBox platform, personal data may be transferred to the acquiring entity under continued protection consistent with this Policy.

8. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), we rely on appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs);
  • adequacy decisions issued by the European Commission;
  • additional contractual, organizational, and technical measures.

You may obtain further information by contacting us.

9. Data Security

We implement technical and organizational measures designed to safeguard personal data, including:

  • encryption and secure transmission protocols;
  • strict access controls and authentication procedures;
  • storage within hardened hosting environments (via AWS and JBoard);
  • regular monitoring for unusual activity.

While we take reasonable steps to protect personal data, no system can guarantee full security.

10. Data Retention

Personal data is retained only for as long as necessary for the purposes for which it was collected, subject to legal or regulatory requirements.

Retention periods include:

  • Candidate accounts: retained until deletion and up to 24 months of inactivity;
  • Employer accounts: retained for the duration of the account’s existence;
  • Billing and invoicing data: retained for 7 years in accordance with legal obligations;
  • Job posts: archived after 12 months;
  • Analytics data: retained for 12–24 months;
  • Backups: typically retained for 30–90 days.

Where data is no longer required, it is securely deleted or irreversibly anonymized.

11. Your Rights Under GDPR

You have the following rights regarding your personal data:

  • Right of access – obtain confirmation and a copy of your personal data.
  • Right to rectification – correct inaccuracies.
  • Right to erasure – request deletion in certain circumstances.
  • Right to restrict processing – limit processing where permitted by law.
  • Right to object – object to processing based on legitimate interests or for direct marketing.
  • Right to data portability – receive your data in a structured, machine-readable format.
  • Right to withdraw consent – withdraw consent where processing is based on consent.

Requests may be submitted to hello@purplebox.co.

You also have the right to lodge a complaint with the Belgian Data Protection Authority (GBA). We encourage you to contact us first to address any concerns.

12. Third-Party Links

The Services may contain links to external websites or applicant tracking systems. We do not control and are not responsible for the privacy practices of such third parties. We encourage you to review their privacy policies before providing personal data.

13. Changes to This Policy

We may update or amend this Policy from time to time. The "Effective Date" will be updated accordingly. Material changes may be communicated via email or through notices on our website.

Continued use of the Services following publication of changes constitutes acceptance of the updated Policy.

14. Cookie Policy

This Cookie Policy explains how Handshake ("we", "us", "our") uses cookies and similar technologies on the PurpleBox website (the "Website"). It forms an integral part of the PurpleBox Privacy Policy.

We use cookies to ensure the proper functioning of the Website, to analyse usage, to enhance user experience, and, in the future, to support advertising and retargeting activities.

14.1 What Are Cookies?

Cookies are small data files that are placed on your device when you access the Website. Cookies may contain a unique identifier and may store or retrieve information about your browsing activity.

Cookies may be:

  • Session cookies, which expire once you close your browser; or
  • Persistent cookies, which remain on your device for a defined period.

Cookies may also be:

  • First-party cookies, set directly by us; or
  • Third-party cookies, set by third parties providing integrated services.

We may also use similar technologies, such as:

  • web beacons and pixel tags, which monitor Website usage; and
  • local storage technologies that perform functions similar to cookies.

14.2 Types of Cookies We Use

We use the following categories of cookies:

(a) Strictly Necessary Cookies

These cookies are essential for the Website to function. They enable:

  • secure access to your account;
  • subscription and payment processes;
  • essential platform functionality.

These cookies cannot be disabled.

(b) Functional Cookies

These cookies enable the Website to remember preferences, such as:

  • language settings;
  • region and display preferences;
  • user selections during browsing sessions.

(c) Analytical and Performance Cookies

These cookies help us understand how users interact with the Website. We currently use:

  • Google Analytics 4 (GA4), which collects aggregated data relating to usage patterns, page views, and user flows.

At present, analytics cookies may load automatically. A full cookie consent mechanism will be introduced in the near future, after which analytics cookies will only load upon obtaining user consent.

(d) Advertising and Targeting Cookies (Future Use)

In future, we may deploy advertising cookies for purposes such as:

  • measuring campaign performance;
  • enabling retargeting across platforms (e.g., Google Ads, Meta, LinkedIn);
  • understanding which external ads brought you to the Website.

These cookies will only be activated with your explicit consent once a cookie banner is implemented.

14.3 Why We Use Cookies

We use cookies to:

  • ensure the operational integrity and security of the Website;
  • manage session functionality;
  • remember user preferences and improve usability;
  • analyse Website traffic and performance (GA4);
  • monitor and detect irregular behaviour and prevent fraud;
  • enable future advertising and retargeting capabilities.

14.4 Managing Cookies

You may control or disable cookies through your browser settings. Most browsers allow you to:

  • block all cookies;
  • delete existing cookies;
  • receive alerts before cookies are stored.

If you disable cookies, certain features of the Website may not function properly or may become inaccessible.

For additional guidance, you may consult:

http://www.allaboutcookies.org or http://www.youronlinechoices.eu.

Please note:

  • Disabling browser cookies may not affect technologies such as local storage or flash cookies.
  • Third-party advertising cookies can often be controlled only through third-party tools.

14.5 Future Consent Mechanism

We will implement a cookie consent banner to:

  • obtain explicit consent before placing non-essential cookies;
  • allow users to manage preferences for analytics, functional, and advertising cookies;
  • provide transparency regarding third-party cookie usage.

Once implemented, certain cookies (including GA4 and all advertising cookies) will only load after consent is provided.

14.6 Changes to This Cookie Policy

We may update this Cookie Policy periodically to reflect technological changes, legal requirements, or enhancements to the Website. Updates will be posted on this page with a revised Effective Date.