GDPR Compliance

How we protect your data under EU regulations.

MVP / early-access notice. CV Cleaner Pro is in MVP stage. The safeguards below describe what we have implemented today; items still on the roadmap (formal DPIA, AI Act conformity, counter-signed sub-processor DPAs, incorporated legal entity, EU Representative) are called out explicitly so prospective customers can make an informed decision. Full status: compliance documentation.

Our Commitment

CV Cleaner Pro is fully committed to GDPR compliance. We process personal data lawfully, fairly, and transparently. We collect only what's necessary and protect it with industry-standard security measures.

Legal Basis for Processing

  • Contract performance — Processing CVs as part of service delivery
  • Legitimate interest — Improving detection algorithms, preventing fraud
  • Consent — Marketing communications (opt-in only)
  • Legal obligation — Tax records, regulatory compliance

Your Rights Under GDPR

Right to Access (Art. 15)
Request a copy of all personal data we hold about you.
Right to Rectification (Art. 16)
Correct any inaccurate or incomplete personal data.
Right to Erasure (Art. 17)
Request deletion of your personal data ("right to be forgotten").
Right to Restrict Processing (Art. 18)
Limit how we use your data while disputes are resolved.
Right to Data Portability (Art. 20)
Receive your data in a structured, machine-readable format.
Right to Object (Art. 21)
Object to processing based on legitimate interests.

Data Protection Measures

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Regular security audits and penetration testing
  • Strict access controls with role-based permissions
  • Automatic data deletion per retention schedules
  • Incident response procedures for data breaches

Data Retention

Data Type             Retention
Uploaded CV files     30 days
Processed outputs     30 days
Processing history    12 months
Account data          Until deletion
Payment records       7 years (legal)

Sub-Processors

Provider     Purpose                                   Location   Transfer Safeguard
Cloudflare   Compute, database (D1), storage (R2)      Global     Cloudflare's published DPA + SCCs
OpenRouter   LLM routing proxy → upstream providers    US         Provider's published terms; we request data_collection: deny on every call
Paddle       Payment processing                        UK / EU    UK-EU Adequacy
Google       Sign-In (OAuth)                           Global     Google's published OAuth terms

At MVP stage we rely on each provider's published DPA and SCC annexes — we have not yet executed counter-signed agreements with most Sub-Processors. Customers whose procurement requires a counter-signed DPA should contact privacy@cv-cleaner.pro before onboarding. We notify customers at least 30 days before adding or replacing a Sub-Processor.

EU AI Act

CV Cleaner Pro processes CVs for recruitment, which makes it a high-risk AI system under Annex III of Regulation (EU) 2024/1689 (the EU AI Act). Obligations for high-risk systems begin to apply on 2 August 2026, with full applicability on 2 August 2027.

At MVP stage we are not yet conformant with all the Chapter III obligations of the AI Act. The work on risk management, technical documentation, human oversight UX, bias testing, and AI-Database registration is on the roadmap and tracked publicly in our AI Act compliance document. Customers deploying us before 2 August 2026 should factor in their own Article 26 deployer obligations and contact us for the latest status.

DPIA Status

A Data Protection Impact Assessment is required under GDPR Article 35 for AI-driven CV processing. A working draft DPIA is published; the formal, signed version is on the roadmap and will be completed before we accept enterprise contracts.

Subject Access Request SLA

We respond to all requests under Art. 15-22 within 30 calendar days of receipt, in line with Art. 12(3). For complex or numerous requests this period may be extended by up to two further months, and we will notify you within the initial 30 days if so.

You can self-serve most rights from the Settings page — "Export My Data" produces a JSON of everything we hold, and "Delete Account" removes your account along with all stored files.

Data Breach Notification

In the event of a data breach affecting your personal data, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Articles 33 and 34. Our internal incident response procedure is documented and tested — see docs/gdpr/INCIDENT_RESPONSE.md in the source repository.

Privacy Contact

Single point of contact for all privacy matters: privacy@cv-cleaner.pro (general privacy) or gdpr@cv-cleaner.pro (SARs and authority enquiries).

At MVP stage we have not formally designated a Data Protection Officer under Article 37 GDPR — the privacy contact above is the founder. A DPO will be appointed if and when our processing meets the Article 37 thresholds or a customer contract requires it.

You have the right to lodge a complaint with your local data protection authority (e.g. CNIL, ICO, AEPD, BfDI, DPC) without contacting us first. Our lead Supervisory Authority will be confirmed once a legal entity and (if required) an EU Representative under Article 27 are in place.