Privacy Policy

CV-Transformer B.V., Nieuwe Erven 3, 5431 NV Cuijk, The Netherlands. Chamber of Commerce: 97295167. Email: privacy@cv-transformer.com

Last updated: 2026-02-16

1. Introduction

CV-Transformer B.V. (“CV-Transformer”, “we”, “us”, or “our”) processes personal data in accordance with:

  • The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); and

  • The UK GDPR, where applicable.

This Privacy Policy explains how we process personal data when:

  • You visit our website;

  • You use our services as a customer or authorized user;

  • Candidate personal data is processed within our platform on behalf of our customers.

Our services are intended for recruitment professionals and organizations. They are not directed to individuals under the age of 18.

If we become aware that personal data relating to a minor under the age of 18 has been processed in violation of applicable law, we will take appropriate steps to delete such data without undue delay.

2. Roles Under Data Protection Law

Depending on the context, CV-Transformer acts as either a Data Controller or a Data Processor.

2.1 Data Controller

We act as Data Controller for personal data relating to:

  • Customers

  • Authorized users

  • Website visitors

  • Billing and account management

  • Marketing and communications

2.2 Data Processor

We act as Data Processor for candidate personal data uploaded to and processed within the platform on behalf of our customers.

Where we act as Data Processor:

  • We process personal data only on documented instructions from the customer.

  • Processing is governed by a separate Data Processing Agreement (DPA).

  • The legal basis for processing candidate data is determined by the customer acting as Data Controller.

  • Customers are responsible for ensuring that candidate data is collected and uploaded lawfully, including where special categories of personal data are included.

As Data Processor, we process candidate personal data only on documented instructions from the customer and in accordance with Article 28 GDPR. We assist customers in fulfilling their obligations under Articles 28–36 GDPR where applicable, including data subject rights requests, security obligations, and data breach notifications.

3. Categories of Personal Data

3.1 Customer and User Data (Controller Processing)

We process the following categories of personal data:

  • Name

  • Email address

  • Account credentials

  • Profile information configured by the customer

  • Subscription and billing information

  • Communication records

  • Usage data and service logs

IP addresses and technical identifiers may be processed by our infrastructure providers for security, authentication, and operational logging purposes. We do not use IP addresses for profiling, marketing, or advertising.

3.2 Candidate Data (Processor Processing)

On behalf of our customers, we process personal data included in:

  • CVs and résumés

  • Cover letters

  • Supporting documents

  • AI-generated candidate profiles

  • Metadata related to uploaded documents

  • AI prompts and prompt history

AI prompts are stored together with the associated candidate record for as long as the candidate data is retained. This supports change tracking and transparency within the platform.

Candidate data may include:

  • Name

  • Contact details

  • Professional history

  • Education

  • Skills

  • Certifications

  • Other information included by the candidate or customer

Candidate data may include special categories of personal data where included by the customer or candidate. CV-Transformer does not require such data and processes it only under the instructions of the customer acting as Data Controller.

Candidate content may be accessed by authorized CV-Transformer personnel where a customer reports an issue and requests investigation or support. Access is logged and limited to what is necessary to resolve the reported issue.

We process only the personal data necessary for the purposes described in this Privacy Policy and apply data minimization principles in the design and operation of our platform.

We process personal data for the following purposes:

  • Providing access to the platform: Article 6(1)(b) – Performance of a contract

  • Account management and support: Article 6(1)(b)

  • Billing and tax compliance: Article 6(1)(c) – Legal obligation

  • Product updates and service communications: Article 6(1)(f) – Legitimate interest

  • Platform analytics (first-party): Article 6(1)(f) – Legitimate interest

  • Marketing communications (opt-in): Article 6(1)(a) – Consent

Where we rely on Article 6(1)(f) (legitimate interests), such interests include ensuring platform security, preventing fraud or misuse, maintaining service reliability, communicating service-related updates, and improving the performance and usability of our services. We have carried out balancing assessments and determined that these interests are not overridden by the rights and freedoms of affected individuals.

In conducting these assessments, we considered the reasonable expectations of users, the limited scope of data processed, and the safeguards implemented.

Where consent is relied upon for marketing communications, it can be withdrawn at any time via the account settings within the CV-Transformer platform.

5. AI Processing

CV-Transformer uses artificial intelligence tools to assist customers in transforming CVs and related materials into structured candidate profiles.

5.1 AI Model Selection

Customers may select from available AI models within the platform.

Our default model (Mistral Codestral) is configured not to use submitted data for training.

Where customers select AI models provided by third parties, CV-Transformer acts as Data Processor in facilitating the transfer of personal data to the selected provider. Such providers are engaged under appropriate contractual safeguards, including Standard Contractual Clauses where required. Customers remain responsible for determining whether the selected model aligns with their compliance obligations as Data Controller.

5.2 Data Usage and Training

CV-Transformer does not use customer or candidate data to train external AI models.

We do not use candidate content to train internal AI models.

5.3 Internal Service Improvement

We may use aggregated and de-identified statistical data, including usage metrics such as document counts and editing durations, to improve platform performance, reliability, usability, and service development. Such data does not identify customers, users, or candidates.

Organizations may enable a configurable setting within the platform to restrict our access to candidate content for service improvement purposes.

5.4 Automated Decision-Making

CV-Transformer does not evaluate, score, rank, or make automated decisions about candidates within the meaning of Article 22 GDPR.

The platform transforms and structures data but does not make hiring decisions.

If a customer selects an AI model hosted outside the European Economic Area (EEA) or UK, personal data may be transferred internationally (see Section 8).

6. Data Retention

6.1 Customer and User Data

Where a Service Agreement exists, personal data is retained for the duration of the agreement and deleted 30 days after termination, unless retention is required by law (e.g., tax obligations).

Users may request earlier deletion where legally permissible.

6.2 Candidate Data

Customers can configure their own retention period for candidate data. The default retention period is 90 days.

Upon expiry of the configured retention period, candidate data (including AI prompts and generated profiles) is deleted from active production systems and is no longer accessible in the platform.

6.3 Backups

Our database is backed up daily.

Backups are encrypted and retained for 7 days. After this period, backups are automatically overwritten.

Deleted data may remain in encrypted backups until the applicable backup retention period expires.

7. Subprocessors

We engage carefully selected subprocessors to provide our services. These include:

  • ConvertAPI: Word to PDF file conversion. Processes personal data solely for the purpose of providing the contracted service and does not retain such data beyond what is necessary to complete the processing request. Address: Lauksargio 111, Vilnius, LT-10105, Lithuania. Privacy Policy: https://www.convertapi.com/privacy-policy

  • DeepL: Text translation. Processes personal data solely for the purpose of providing the contracted service and does not retain such data beyond what is necessary to complete the processing request. Address: Maarweg 165, 50825 Cologne, Germany. Privacy Policy: https://www.deepl.com/en/privacy

  • Google Cloud: Translations and OCR. Processes personal data solely for the purpose of providing the contracted service and does not retain such data beyond what is necessary to complete the processing request. Address: 70 Sir John Rogerson’s Quay, Dublin 2, D02 R296, Ireland. Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice

  • Paddle: Payments and subscriptions. Address: The Academy, 42 Pearse Street, Dublin, D02 YX88, Ireland. Privacy Policy: https://www.paddle.com/legal/privacy

  • Resend: Sending transactional emails (password resets, invites) and campaigns. Email inbox per account. Using servers in Ireland. Stores data for 3 days. Address: 2261 Market Street, Suite / #5039, San Francisco, CA 94114, United States. Privacy Policy: https://resend.com/legal/privacy-policy

  • Supabase: Database, file storage, authentication. Using servers in Frankfurt. Address: 548 Market St, San Francisco, CA 94104, United States. Privacy Policy: https://supabase.com/privacy

  • Vercel: Digital infrastructure. Requests are routed through Vercel’s Edge network to servers located in Frankfurt, Germany. Address: 440 N Barranca Ave Suite 4133, Covina, CA 91723, United States. Privacy Policy: https://vercel.com/legal/privacy-policy

Where we act as Data Processor, subprocessors are engaged under written agreements in accordance with Article 28 GDPR.

An up-to-date list of subprocessors, including their locations and applicable transfer mechanisms, is available in our Data Processing Agreement.

8. International Data Transfers

Personal data may be transferred outside the EEA or UK where:

  • A subprocessor is located outside the EEA/UK; or

  • A customer selects an AI model hosted outside the EEA/UK.

In such cases, transfers are based on:

  • An adequacy decision by the European Commission or UK authorities;

  • Standard Contractual Clauses (SCCs); or

  • Participation in the EU-U.S. Data Privacy Framework or UK Extension, where applicable.

Where CV-Transformer engages subprocessors located outside the EEA or UK, we ensure that appropriate transfer safeguards are in place prior to any transfer. These safeguards may include the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Agreement (IDTA), or participation in an approved adequacy framework. Copies of relevant transfer safeguards may be requested via privacy@cv-transformer.com.

All CV-Transformer personnel are located within the EEA or UK. Personal data is not accessed outside these regions by our staff. Customers located outside the EEA/UK may access their own data from within their own jurisdiction. Any access by authorized personnel for support or operational purposes is strictly limited and governed by technical and contractual safeguards.

9. Cookies and Analytics

9.1 Non-Logged-In Visitors

We use a functional cookie to store language preferences. We do not use advertising or tracking cookies.

9.2 Logged-In Users

We use cookies and local storage for:

  • Session management

  • Authentication

  • User interface preferences

These are necessary for the functioning of the service.

9.3 Analytics

We use first-party analytics to measure service performance, usage trends, and aggregated usage comparisons across and within customer organizations. These analytics are used solely for service improvement and customer-provided functionality and are not used for advertising or cross-context behavioral tracking.

We may publish aggregated and anonymized usage statistics for informational purposes, such as global platform usage trends or average edit duration per candidate. These statistics do not identify individual customers, users, or candidates and do not include sensitive personal information.

10. Security Measures

We implement appropriate technical and organizational measures designed to protect personal data, including:

  • Encryption in transit (TLS)

  • Encryption at rest

  • Role-based access controls for users

  • Restricted internal access to production systems

  • Event logging of user and candidate-related actions

  • Secure backup procedures

  • Formal incident response procedures

  • Regular review of access rights

Access to candidate content by CV-Transformer personnel is limited to what is necessary for support, troubleshooting, or legal obligations.

We do not currently hold SOC 2 or ISO 27001 certifications. However, we continuously review and improve our security measures in line with industry best practices.

In the event of a personal data breach affecting data under our control, we will notify affected customers within 72 hours in accordance with applicable data protection law.

CV-Transformer maintains a documented incident response plan that defines procedures for identifying, containing, investigating, and remediating security incidents. Security incidents are assessed in accordance with GDPR Articles 33 and 34 where applicable.

Further details are available in our Data Processing Agreement.

11. Data Subject Rights

Where CV-Transformer acts as Data Controller, individuals have the right to:

  • Access their personal data

  • Rectify inaccurate data

  • Erase data

  • Restrict processing

  • Object to processing

  • Data portability

  • Withdraw consent (where applicable)

Requests may be submitted to privacy@cv-transformer.com. We respond within one month.

Individuals also have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Where we act as Data Processor, data subject requests should be directed to the relevant Data Controller (our customer).

We may request additional information to verify the identity of the requester before fulfilling a data subject request. In limited circumstances permitted by law, we may refuse or charge a reasonable fee for manifestly unfounded or excessive requests.

11.1 Additional Information for California Residents

California residents have certain rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CPRA), in addition to the rights described in Section 11, including the right to:

  • Opt out of the sale or sharing of personal information; and

  • Not be discriminated against for exercising privacy rights.

CV-Transformer does not sell or share personal information as defined under California law.

Requests may be submitted to privacy@cv-transformer.com. We will verify your identity before responding and will respond within the timeframe required by applicable law.

12. Data Sharing

We do not sell or share personal data as defined under applicable data protection laws.

We do not use personal data for advertising purposes.

We share personal data only:

  • With subprocessors necessary for service provision;

  • Where required by law; or

  • Where necessary to establish, exercise, or defend legal claims.

Where personal data is shared with subprocessors, such parties act solely as service providers and are contractually prohibited from retaining, using, or disclosing personal data for purposes other than providing services to CV-Transformer.

13. UK Presence

CV-Transformer B.V. is established in the Netherlands and operates globally. Where the UK GDPR applies, we comply with its requirements in the same manner as under the EU GDPR.

Individuals in the United Kingdom may lodge complaints with the UK Information Commissioner’s Office (ICO). Our primary supervisory authority within the EU is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

Where changes are material, we will notify customers and users via email or through the platform.

The updated version will always be available on our website with the revised “Last updated” date.

15. Contact

Our Data Protection Officer (DPO) is Wouter Raateland, who is also our technical co-founder. Despite his dual role, he handles all data protection matters independently and confidentially. He can be contacted directly at privacy@cv-transformer.com for any questions regarding data protection, compliance, or data subject rights.
