Privacy Policy provides a highly sophisticated recruiting platform enabling fast and accurate matching between job seekers and professional recruiters or potential employers. Dealing with personal data is therefore Lionstep’s core activity and this is why to us personal data protection is an absolute priority. We are committed to observing the utmost protection of personal data and to keeping personal data strictly confidential as long as they are not processed for the purposes and within the scopes described in this lionstep privacy policy (hereinafter “PP”).

In case you have questions, remarks, criticism or you want to enforce your rights described in this PP, please contact our data protection officer specified at sec. 1.3.

1. Controller, Representative, Data Protection Officer

1.1 Controller

The owner of the website (hereinafter “Website”) and provider of the services delivered via the Website is:

Lionstep AG

Riesbachstrasse 59

8008 Zurich (Switzerland)


tel.:    +41 44 585 15 68

Lionstep collects and processes personal data through the Website to deliver its services as “Controller”.

1.2 Representative

The Controller has appointed the following entity as Representative of the European Union:

Alexander Mazzara

Riesbachstrasse 59

8008 Zürich (Switzerland)

1.3 Data Protection Officer

The Controller has furthermore appointed a data protection officer (hereinafter “DPO”) in charge of monitoring all processes involving personal data, including compliance with applicable legislation. The DPO is:

Alexander Mazzara

Riesbachstrasse 59

8008 Zürich (Switzerland)

Furthermore, as the Controller is established outside of the EU and EEA, the following Representative according to Art. 17 GDPR is designated:

Vittorio De Vecchi Lajolo
Rechtsanwalt, Datenschutzbeauftragter (TÜV)
Oranienburger Str. 23
10178 Berlin (Germany)

2. Data collected via the Website

2.1 Whenever an internet user navigates the Website, logfiles related to his/her visit shall be generated by Lionstep, without regard to the fact, whether or not said user has an account on Lionstep. Such logfiles contain standard data, i.e. queries on the database, and information about the rendered output.

2.2 Further personal data may be collected and processed on one of the legal grounds specified at sec. 4. In particular, whenever personal data are collected on the grounds of the performance of the contract closed between Lionstep and the Data Subject, please refer to Lionstep’s Terms and Conditions (T&C) for Customers, if applicable, to find out, which personal data might be involved.

3. Data Subjects

3.1 The services provided via the Website are available to natural persons looking for a job (hereinafter “Candidates”) and professional recruiters or potential employers (hereinafter “Customers”; Candidates and Customers jointly referred to as “Users”) interested in intermediating or hiring new employees or collaborators. Whenever personal data relating to Users are collected and processed, such Users are referred to as “Data Subjects”.

4. Legal basis

4.1 Unless otherwise specified, personal data relating to Users shall be collected and processed as required by the closing of the contract with the Data Subject and by the performance of such contract, as described in Lionstep’s Terms and Conditions (T&C). Failure to provide such personal data may therefore result in limited or complete unavailability of services, as described in Lionstep’s T&C.

4.2 Furthermore, the Controller’s may collect and process personal data on the grounds of its legitimate interests, such as the legitimate interest in

– advertising for the services offered

– adapting, developing and improving its services with respect to User preferences

– analysing Users’ preferences and Users’ online behaviour for own market research and business development purposes.

In particular, based on these grounds, Customers having previously purchased Lionstep’s Services against payment of a fee may receive promotional newsletters related to products and services similar to those already purchased, as long as they have not objected to receiving such newsletters.

4.3 Should any further personal data be deemed necessary by the Controller, including for the purpose of sending newsletters going beyond what described at the afore-going subsec., the Data Subject’s consent shall be collected.

5. Cookies       

5.1 Cookies in general

5.1.1 In order to make the navigation on the Website more attractive, the Controller implements cookies enabling certain functions. Cookies are small text files stored on the User’s terminal device. Some of these cookies are deleted from the device as soon as the browser session is terminated (“session cookies”). Other cookies persist on the User’s device enabling the Controller to identify it whenever it is used again to visit the Website (“permanent cookies”).

5.1.2 Users can set the preferences of their internet browser in such a way as to be informed each time a cookie is going to be placed on the device, or to have to consent on a case by case basis to the use of cookies, or to deny the use of cookies altogether.

5.1.3 Refusal to accept cookies may result in limitations or exclusions of single or all functionalities of the Website. Users can always delete the cookies placed on their devices manually.

5.2 First party cookies

5.2.1 We only adopt a session cookie allowing us to track the single User as long as he/she is logged in to our Website. Session cookies are deleted automatically after logout. If Users leave out Website without logging out, session cookies may subsist on their terminal devices. [vd2]

5.3 Third party cookies

5.3.1 Google Analytics is an analytics tool provided by Google Inc., placing a cookie file on the user’s terminal device. The information thus acquired is transferred to and saved on Google servers based in the USA. We adopt the “anonymised” version of Google Analytics: this means that users’ IP-addresses detected by Google Analytics are abridged within the European Union or the EEA. Only in exceptional cases may unabridged IP-addresses be transferred to the Google servers in the USA. Google uses such information to evaluate the use of our website, elaborate statistics and provide us further services related to the website. IP-addresses thus collected will not be shared with other Google data.

If you want to opt out from Google Analytics, please install the appropriate browser plugin available at

6. Recipients

6.1 In order to provide a more efficient and personalised service, Lionstep cooperates with various third parties, providing ancillary services. Third parties included in the following categories, may process Users’ personal data on the Controller’s behalf:

– CV-upload and application process managing tools, allowing for a more efficient categorising and filtering of personal profiles

– payment management tools, i.e. services intermediating major payment methods such as credit cards or bank transfers

– advertising, retargeting and tracking tools, allowing Lionstep to analyse Users’ online behaviour for statistical and marketing-related purposes, such as the provision of personalised services or special offers

– social media, allowing Users to log in to the Website through their social media account, including but not limited to Facebook, Twitter, LinkedIn or GitHub.

6.2 Moreover, in case Users qualify as Candidates, their personal data shall be transferred to Customers having published the job offerings that have been applied for. Such Customer may also act as professional recruiters and thereby transfer the applying Candidates’ personal data further to potential employers.

7. Storage period, transfer of personal data to Switzerland and to other countries

7.1 Storage period

7.1.1 Unless otherwise specified in this privacy policy or on the Website, personal data shall be stored by the Controller only for the period of time necessary to perform the contract with the Data Subject, including contracts closed with Candidates for the use of the Services available over the Website free of charge­. This means that all personal data uploaded to and/or published on the Website shall be stored as long as the contract with the Data Subject does not expire, is cancelled or otherwise ceases to be effective.

Whenever a User decides to terminate the contract closed with the Controller, the latter will irrevocably delete User’s personal data.

7.1.2 Unless otherwise specified in this privacy policy or on the Website, personal data related to a specific job application, such as online chat content, shall only be stored as long as the application process is running (maximum 6 months). After conclusion of the application process, all personal data exclusively relevant to the specific application shall be irrevocably deleted.

7.2 Transfer of personal data to Switzerland and to other countries

7.2.1 The Controller has its legal seat in Switzerland. Personal data are therefore collected and processed in Switzerland, pursuant to the European Commission’s adequacy decision no. 2000/518/EC.

7.2.3  Whenever Candidates actively apply for a job posting published by a Customer based outside of the EU, EEA or Switzerland, or anyway informing in its privacy policy that personal data will be transferred to third countries, their personal data shall be transferred to such third countries.

8. Profiling

8.1 In order to provide the services described in the T&C and in particular to allow an efficient matching between Candidates and Customers, the Controller organises personal data relating to such Data Subjects in profiles that can be viewed, researched and filtered according to all criteria relevant for the matching purposes, such as job qualifications or geographic areas of interest or activity (“profiling”).

8.2 No automated decision shall be taken on the grounds of such profiling. In particular, decisions to match single Candidates with single Customers shall always be made by human intervention, i.e. by the Controller or by Candidates and Customers themselves.

9. Rights of the Data Subject

9.1 Data Subjects have the right to request from the Controller access to and rectification or erasure of personal data or restriction of processing concerning the Data Subject or to object to processing as well as the right to data portability.

9.1.1 Right to access. The Data Subject has the right to obtain information as to which personal data is being processed by the Controller; how it is being processed; the purposes of processing; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; to whom personal data are communicated and whether personal data are transferred abroad. Data Subjects may request a copy of the data undergoing processing. For any further copies requested by the Data Subject, the Controller may charge a reasonable fee based on administrative costs.

9.1.2 Right to rectification. The Data Subject has the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

9.1.3 Right of erasure (“right to be forgotten”). The Data Subject has the right to request and obtain from the Controller the erasure of personal data concerning him or her without undue delay whenever

– the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed

– the Data Subject has withdrawn consent as described at sec. 8.2 and no other legal ground for processing applies

– the Data Subject exerts his/her right to object as described at sec. 8.1.5 and no other legal ground for processing applies

– personal data have been or are being processed unlawfully

– the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject

– the Data Subject is a child

Where the Controller has made the personal data public and is obliged pursuant to this sec. to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

9.1.4 Right to restrict the processing of personal data. The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:

– the accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data

– the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead

– the controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims

– the Data Subject has objected to processing pursuant to sec. 8.1.5 pending the verification whether the legitimate grounds of the controller override those of the data subject.

9.1.5 Right to object. The Data Subject has the right to object to any kind of processing of personal data carried out due to public interest, in the exercise of official authority vested in the Controller or for the purposes of the legitimate interests pursued by the Controller or by a third party, including profiling based on such grounds. Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

9.1.6 Right to data portability. The Data Subject shall have the right to request from the Controller the personal data concerning him or her in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where:

– the processing is based on consent or on the performance of a contract; and

– the processing is carried out by automated means.

Where technically feasible, the Data Subject may request from the Controller that personal data be transferred directly to another Controller. The right to data portability shall not affect the right to be forgotten as described at sec. 8.1.3.

9.2 Furthermore Data Subjects whose personal data are being processed on the grounds of their informed, specific and free consent have the right to withdraw such consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. To exert their right to withdraw consent, Users shall contact the Data Protection Officer at the details specified at sec. 1.3.

9.3 Users always have the right to lodge complaints with the competent supervisory data protection authorities, according to such authorities’ own procedure rules.

10. Closing provisions

10.1 Changes to this privacy policy may be required due to the progress of technology or changes in the Controller’s activities. The newest and applicable version of this privacy policy shall always be available on this Website and shall be evidenced appropriately when first published.

10.2 Changes to the privacy policy shall apply also to data processing of data already collected at the time the change takes place, as long as such data processing is based on grounds different from the Data Subject’s consent.

10.3 Whenever the processing of personal data is carried out on the grounds of the Data Subject’s consent, and such grounds are amended by a new version of this privacy policy, the consent shall be collected anew in the appropriate modalities.