Privacy Policy (Processor Notice)
AI CV Scanner provides recruitment tooling to business customers. This Privacy Policy explains how AI CV Scanner processes information when you use the Service as a Customer and how we handle candidate CV data uploaded by Customers.
1. DATA CONTROLLER
For company account information (such as business email and company name), the Customer is typically the controller of its personnel/administrator data. The Customer’s name and contact details are those provided at registration and in the Customer’s account settings.
2. DATA PROCESSOR
For candidate CV data uploaded by the Customer into the Service, AI CV Scanner acts as a processor on behalf of the Customer under Article 28 GDPR.
3. WHAT DATA WE COLLECT
3.1 Company account data: email, password hash, company name, billing-related identifiers from Stripe (where applicable), and product usage metadata required to operate accounts, jobs, and credits.
3.2 CV data: files (PDF/DOCX) uploaded by the Customer, extracted text used to generate advisory scores, and resulting outputs (scores and reasoning snippets) stored as metadata for display.
4. PURPOSE
We process data to provide CV ranking analysis and to operate authentication, billing, security, and support for the Service.
5. LAWFUL BASIS
For candidate CV processing, the Customer, as controller, must identify the lawful basis (commonly legitimate interests under Article 6(1)(f) GDPR for recruitment, where applicable). AI CV Scanner processes such data on the Customer’s instructions as processor.
For AI CV Scanner’s own operational processing (such as security logs), AI CV Scanner relies on legitimate interests and, where required, other lawful bases consistent with GDPR.
6. SUB-PROCESSORS
We use OpenAI (API) for CV analysis, S3-compatible object storage (for example AWS S3 or Cloudflare R2) for encrypted CV file blobs, MongoDB Atlas for application metadata, and Stripe for payments. CV content is not sent to Stripe.
7. DATA RETENTION
7.1 Raw CV files are intended to be deleted within twenty-four (24) hours of upload in typical operation, and are removed after ranking completes as implemented.
7.2 Metadata may be retained until the Customer deletes jobs or deletes the account, subject to backups and legal obligations.
8. DATA SECURITY
We implement encryption, access controls, and tenant isolation (including partition-scoped data access patterns) designed to reduce unauthorized access risk.
9. DATA SUBJECT RIGHTS
Candidates should contact the Customer (employer or recruiting organization) to exercise GDPR rights. AI CV Scanner assists the Customer, as processor, in fulfilling requests where required.
10. INTERNATIONAL TRANSFERS
The Service supports EU-oriented deployment when Customers configure MongoDB Atlas, object storage, and OpenAI-related settings consistent with their transfer and residency requirements. Customers are responsible for their cloud and vendor configuration.
11. BREACH NOTIFICATION
If we become aware of a breach affecting Customer or candidate data processed on behalf of a Customer, we will notify the Customer without undue delay in line with our DPA commitments (including 72-hour notification where Article 33 GDPR applies and is relevant).
12. CONTACT
Contact details are published in the Service. For privacy inquiries relating to AI CV Scanner’s processing, email the address shown in-product.
This policy is a template for implementation. Legal review is recommended.