1. Who we are
CeeVeeMatch ("we", "us", "our") operates the CeeVeeMatch service — an AI-powered CV/resume screening platform for recruiters and hiring teams. This Privacy Policy explains how we handle personal data when you use our website, sign up for an account, or upload CVs for screening.
Data controller: The recruiter / hiring organization that uploads CVs is the "data controller" for those CVs under GDPR and the equivalent role under PDPA. CeeVeeMatch acts as the data processor — we process CV data on instructions from our customer. The terms of that processing relationship are set out in our Data Processing Agreement (DPA).
2. What data we collect
2.1 Account data (from you, our customer)
- Name, work email, organization name, job role
- Authentication credentials (passwords are stored hashed, never plaintext)
- Billing details (collected and processed by Stripe — we never see card numbers)
- Usage logs (login time, IP address, browser type)
2.2 Candidate CV data (from CVs you upload)
- Candidate name, contact details, work history, education, skills
- The original CV file (PDF/DOCX/TXT)
- AI-extracted structured fields and match scores
- A semantic embedding (vector representation) of the CV body, with PII (email/phone/URLs) redacted before storage
3. How we use your data
- To run the screening service — parse uploaded CVs, generate match scores against your job descriptions, surface shortlists.
- To bill you — process payments via Stripe under Stripe's own privacy terms.
- To improve our AI — we use aggregated, de-identified usage signals (e.g. score distributions) to calibrate our models. We do NOT train AI models on the raw text of your CVs.
- To comply with the law — respond to lawful requests, enforce our Terms, prevent fraud.
4. Legal bases (GDPR)
For users in the EEA, we rely on:
- Contract (Art. 6(1)(b)) — to provide the service you've signed up for.
- Legitimate interest (Art. 6(1)(f)) — for security logging and product analytics, balanced against your privacy rights.
- Legal obligation (Art. 6(1)(c)) — to retain billing records as required by tax law.
For candidate CVs, the data controller is our customer (the recruiter). They are responsible for the lawful basis to process candidate data, typically the candidate's consent or the controller's legitimate interest in hiring.
5. Who we share data with
We share personal data with the following service providers, each bound by a data processing agreement:
- Supabase (auth, database) — US/EU regions
- Cloudflare R2 (encrypted CV file storage) — global
- Vercel (web hosting, CDN) — US/EU regions
- OpenAI (AI parsing + scoring) — US. CVs are sent PII-redacted where possible. OpenAI does not train on API inputs.
- Stripe (payments) — global
- Sentry (error monitoring) — US/EU. PII is scrubbed before sending.
We do not sell personal data. We do not share data with advertising networks.
6. International transfers
Because some of our providers are based in the United States, your data may be transferred outside the EEA, UK, or Thailand. We rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and (for PDPA) the data subject's consent or our cross-border transfer mechanism under Section 28 PDPA.
7. How long we keep data
- Account data: retained for as long as your account is active, plus 12 months after closure for audit and tax purposes.
- CV data: retained for as long as the associated job description is active. When a JD is deleted, CVs are soft-deleted immediately and hard-deleted from our systems and from R2 storage within 30 days.
- Billing records: retained for 7 years per applicable tax law.
- Audit logs: retained for 24 months for security monitoring.
8. Your rights
Depending on where you are, you have some or all of the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure ("right to be forgotten") — ask us to delete your account and all associated personal data.
- Restriction / objection — ask us to stop processing your data in certain ways.
- Portability — receive your data in a machine-readable format.
- Withdraw consent — where we rely on consent, you can withdraw it at any time.
To exercise these rights, email privacy@ceeveematch.com. We'll respond within 30 days. Candidates whose CVs were uploaded by a recruiter should contact that recruiter directly (they are the data controller); we will support them on request.
9. Security
We protect personal data with the controls described in our DPA, including encryption at rest (AES-256) and in transit (TLS 1.3), org-scoped access controls, PII redaction in logs and AI embeddings, and an append-only audit log of access to CV data.
10. Cookies
We use a small number of cookies strictly necessary for the service to function (authentication, CSRF). We do not use advertising or tracking cookies. See our Terms of Service for more details.
11. Children
The service is intended for B2B use by HR professionals. We do not knowingly collect personal data of children under 16. If you believe a candidate CV uploaded to our service includes data of a child, please contact us and we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app banner at least 14 days before they take effect.
13. Contact
Privacy questions: privacy@ceeveematch.com
General questions: hello@ceeveematch.com