Legal

Privacy Policy

Last updated: 1 January 2026

CV Matcher is built for recruitment agencies. We take the privacy of your candidate data seriously. This policy explains clearly what we collect, why, and how it is protected.

1. Who we are

CV Matcher ("we", "our", "us") operates the platform available at cvmatcher.work. We provide AI-powered CV screening software to recruitment agencies and individual recruiters.

For questions about this policy, contact us at: [email protected]

2. What data we collect

We collect the following categories of data:

Account data: Your name, email address, company name, and password (stored as a one-way hash) when you register.
Job description data: Job descriptions you upload or import to use for candidate matching.
CV data: CVs and resumes you upload for screening. This includes candidate names, contact details, employment history, skills, and qualifications contained within those documents.
Usage data: Log data including IP addresses, browser type, pages visited, and timestamps — collected automatically for security and performance monitoring.
Payment data: If you subscribe to a paid plan, payment is processed by our third-party payment provider (Stripe). We do not store your card details.

3. How we use your data

We use your data only for the following purposes:

Providing the CV matching and screening service you signed up for
Authenticating your account and maintaining session security
Processing your subscription payments via Stripe
Sending transactional emails (account confirmation, password reset)
Monitoring for security incidents and preventing abuse
Improving the platform based on aggregated, anonymised usage patterns

We do not sell your data. We do not use candidate CV data to train AI models. We do not share your data with third parties for marketing purposes.

4. Data isolation and security

Each agency account operates in a completely isolated data environment. Your uploaded CVs and job descriptions are never accessible to or shared with any other agency or user on the platform.

We apply the following security measures:

All data is encrypted in transit using TLS 1.2 or higher
Stored files and database records are encrypted at rest
Passwords are stored as one-way cryptographic hashes (bcrypt) — we cannot recover your password
Access to production systems is restricted to authorised personnel only
Session tokens are HTTP-only and protected against CSRF attacks

5. Candidate data — your responsibilities

When you upload CVs to CV Matcher, you are the data controller for the personal data of those candidates. This means:

You are responsible for ensuring you have a lawful basis to process each candidate's personal data
You should only upload CVs of candidates who have applied for roles or given consent for their details to be processed
You are responsible for responding to any data subject requests from candidates regarding their personal data

CV Matcher acts as a data processor on your behalf for candidate data. We process it only to provide the screening service and do not use it for any other purpose.

6. Data retention

Uploaded CVs: Retained for as long as your account is active. You can delete individual CVs at any time from your dashboard.
Job descriptions: Retained for as long as your account is active. You can delete them at any time.
Account data: Retained until you request account deletion.
Usage logs: Retained for up to 90 days for security monitoring, then deleted.

To request full account and data deletion, email [email protected]. We will action deletion requests within 30 days.

7. Third-party services

We use the following third-party services to operate the platform:

Stripe — payment processing. Stripe Privacy Policy
Umami Analytics — privacy-preserving, cookieless website analytics. No personal data or cross-site tracking.

We do not use Google Analytics, Facebook Pixel, or any advertising trackers.

8. Cookies

We use a single session cookie to keep you logged in. This cookie contains no personal information — only an encrypted session identifier. It is deleted when you log out or after 7 days of inactivity.

We do not use advertising cookies, tracking cookies, or third-party cookies.

9. Your rights

Depending on your location, you may have the following rights regarding your personal data:

Right to access — request a copy of the personal data we hold about you
Right to correction — request that inaccurate data be corrected
Right to deletion — request that your account and data be deleted
Right to restriction — request that we limit processing of your data
Right to portability — request your data in a machine-readable format
Right to object — object to processing based on legitimate interests

To exercise any of these rights, contact [email protected]. We will respond within 30 days.

10. Changes to this policy

We may update this privacy policy from time to time. We will notify you of material changes by email or by displaying a notice on the platform. The "last updated" date at the top of this page reflects the most recent revision.

11. Contact

For any privacy-related questions or concerns: [email protected]