We process candidate CVs as a data processor under GDPR Art. 28. The controller is you, our customer. This page summarises our posture — the binding details live in our DPA.
You must have a lawful basis (typically Art. 6(1)(b) contract or 6(1)(f) legitimate interests) to send us a candidate's CV. We assume you do. If you can't show one, don't use the Service.
Processor only. We don't decide what to parse, when, or why. We follow your documented instructions through the API.
We only extract the sections you've enabled in Schema. File contents are wiped within 60 seconds of a successful parse. We don't train on customer data.
Default region is eu-west (London). Cross-border transfers use SCCs (2021/914 module 3) where applicable. Pin to UK/EU only on Scale.
We provide a DPIA template covering the typical CV-parsing use case. Email privacy@cvparser.io to request.
We commit to notifying you within 24 hours of confirming a breach. Includes scope, root cause, and remediation plan.