TrueFitCV.ai Privacy Policy

1. Who we are

TrueFitCV.ai is a software service that helps employers, recruitment agencies, and HR or recruitment technology partners process job requirements and candidate information, including by extracting signals, normalising language, and generating candidate scores, rankings, and related recruitment workflow outputs.

For the purposes of UK data protection law, TrueFitCV.ai may act either as a controller or as a processor, depending on the type of data and the context in which it is processed.

When we handle website, marketing, account administration, billing, support, and service-security data for our own business purposes, we act as a controller.

When we handle candidate and recruitment data through our product on behalf of a customer, we generally act as a processor and our customer is the controller.

In some support, compliance, and security situations, we may process limited personal data for our own legitimate interests as a controller.

Controller contact details: [Insert legal entity name, registered address, and contact email].

2. Scope of this Privacy Policy

This Privacy Policy applies to personal data processed by TrueFitCV.ai in connection with:

our website and demo request or contact forms;

our sales, onboarding, contracting, account management, and billing processes;

our product and related support services;

our recruitment-data processing activities carried out on behalf of customers; and

our security, logging, and compliance processes.

This Privacy Policy does not replace our customers’ own privacy notices. Where a customer uses TrueFitCV.ai to process candidate data for recruitment purposes, that customer is usually responsible for providing the relevant privacy information to candidates and other data subjects.

3. Personal data we collect and process

A. Website, sales, and business contact data

name, work email address, company name, telephone number, and job title;

details you provide in enquiries, demo requests, or other correspondence;

marketing preferences and records of communications;

website usage data, device data, and analytics information where used.

B. Customer account and service administration data

account holder and authorised user names, business email addresses, and login details;

workspace configuration data and administrative settings;

billing contacts, invoice data, payment status, and contract records;

support tickets, correspondence, and implementation notes.

C. Recruitment data processed on behalf of customers

candidate CVs, résumés, application materials, and profile information;

employment history, education, skills, qualifications, salary expectations, and role preferences;

job descriptions, hiring criteria, vacancy settings, and workflow metadata;

candidate scores, rankings, matching outputs, fit indicators, and related evidence or explanatory signals generated through the service;

records imported from ATS, CRM, job board, or other HR and recruitment technology integrations.

We do not intend in the early phase of the business to collect special category data or criminal offence data as a core part of the service. Customers should avoid submitting such data unless clearly necessary, lawful, and expressly agreed.

D. Technical, security, and usage data

IP address, browser type, device information, and access timestamps;

authentication logs, user activity logs, permission changes, and audit records;

system events, diagnostics, error logs, and security monitoring data.

4. How we receive personal data

We may receive personal data:

directly from you, for example when you contact us, request a demo, sign up for an account, or communicate with support;

from our customers, who upload or connect candidate and job data to the service;

from Partner Platforms such as ATS, CRM, job boards, and other HR or recruitment technology platforms where a customer enables an integration or a partner relationship permits that flow;

from cookies, analytics, and similar technologies, where used.

5. How we use personal data

A. Where TrueFitCV.ai acts as controller

to host, import, store, organise, normalise, analyse, score, rank, and return candidate and job data on behalf of customers;

to support customer recruitment workflows and integrations with Partner Platforms;

to provide support, troubleshooting, and technical maintenance requested by customers;

to carry out deletion, export, or other processing actions under customer instructions.

6. Lawful bases where we act as controller

Where we act as controller, we rely on one or more of the following lawful bases under UK GDPR:

Legitimate interests: to run and improve our business, manage customer and prospect relationships, secure the service, prevent fraud and misuse, and support our operations, where those interests are not overridden by your rights and interests.

Contract: where processing is necessary to take steps before entering into a contract or to perform a contract with you or your organisation.

Legal obligation: where processing is necessary to comply with applicable law, regulatory requirements, tax obligations, or lawful requests from authorities.

Consent: where consent is required, for example for certain analytics or marketing activities, we will rely on consent and you may withdraw it at any time.

7. Recruitment data processed for customers

Where we process candidate and recruitment data on behalf of a customer, that customer is usually the controller and is responsible for determining the purpose of processing, the lawful basis, candidate-facing privacy notices, and retention decisions.

In that context, TrueFitCV.ai generally acts only on the customer’s documented instructions, subject to applicable law and our Data Processing Agreement.

If a candidate or other individual contacts us directly about recruitment data we process on behalf of a customer, we may direct that request to the relevant customer and provide reasonable assistance to the customer as processor.

8. Automated processing, scores, and rankings

Our service may generate candidate scores, rankings, summaries, or related outputs using rules-based and automated methods, including natural language and matching techniques. In early versions of the product, this may involve raw scoring and supporting evidence or references to content extracted from CVs or job requirements.

Customers remain responsible for deciding how to use those outputs in their recruitment process, for applying appropriate human review, and for ensuring that their use of the service is lawful, fair, and non-discriminatory.

TrueFitCV.ai does not intend that raw scores alone should determine outcomes where additional safeguards or human involvement are required by law.

9. Sharing personal data

We may share personal data with:

our hosting and infrastructure providers, including Microsoft Azure;

service providers that support email delivery, analytics, error monitoring, customer support, security, and similar operational functions, where used;

Partner Platforms where enabled by the customer or required for the service workflow;

professional advisers, auditors, insurers, or potential investors or acquirers under appropriate confidentiality protections;

courts, regulators, law enforcement, or other third parties where required by law or necessary to establish, exercise, or defend legal claims.

We do not sell personal data or candidate data. We do not use customer-supplied candidate data to build or commercialise an independent or shared talent pool in the current scope of the service.

10. International transfers

Our intention for the early phase of the business is to host and process data in the UK and/or Europe. If personal data is transferred outside the UK, we will put in place appropriate safeguards required by UK data protection law, such as the UK International Data Transfer Agreement, the UK Addendum to the EU standard contractual clauses, adequacy regulations, or another lawful transfer mechanism, as applicable.

11. Data retention

We keep personal data only for as long as necessary for the purposes for which it was collected and processed, taking into account legal, regulatory, contractual, operational, and security requirements.

Website and sales enquiry data: typically up to 12 months from the last meaningful interaction, unless a longer period is justified.

Customer account, contract, and billing data: retained for the term of the relationship and for an appropriate period afterwards for legal, tax, accounting, and dispute-management purposes.

Customer recruitment data in the service: retained in accordance with customer instructions, service settings, contract terms, and any applicable deletion workflow.

Backups and security logs: retained for limited periods consistent with business continuity, accountability, and security requirements.

Customers should decide and document appropriate retention periods for candidate data in their role as controller. While some customers may prefer to retain historic candidate records for ongoing recruitment knowledge, retention should still be justified, proportionate, and compliant with applicable law.

12. Security

We use reasonable and appropriate technical and organisational measures designed to protect personal data. These measures may include role-based access controls, authentication controls, encryption in transit and at rest, network and infrastructure protections, logging and monitoring, backup processes, and incident response procedures.

Our early infrastructure is intended to be hosted on Microsoft Azure using enterprise-grade security controls appropriate for the service and its stage of development.

13. Your rights

Where TrueFitCV.ai acts as controller, individuals may have rights under UK data protection law, subject to applicable conditions and exemptions, including rights to:

request access to personal data;

request rectification of inaccurate personal data;

request erasure in certain circumstances;

request restriction of processing in certain circumstances;

object to processing based on legitimate interests;

request portability where applicable;

withdraw consent where processing is based on consent;

complain to the UK Information Commissioner’s Office.

Where we act as processor for candidate data, requests should usually be directed to the relevant customer, such as the employer, recruitment agency, or platform partner acting as controller. We will assist the controller where required under our contract and applicable law.

14. How to contact us or make a complaint

If you have questions about this Privacy Policy or wish to exercise your rights where TrueFitCV.ai acts as controller, please contact: [Insert privacy contact email and postal address].

You also have the right to lodge a complaint with the Information Commissioner’s Office if you believe your personal data has been handled unlawfully or unfairly.

15. Cookies and analytics

We may use cookies, analytics tools, and similar technologies on our website and in our product. A separate Cookie Policy may be published later. In the meantime, relevant information about analytics and similar technologies should be reflected in our website notices and consent mechanisms, where applicable.

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our services, processing activities, legal requirements, or operational practices. The latest version will be made available on our website and will state the effective date.

Summary for review

This draft clearly separates TrueFitCV.ai’s controller activities from its processor activities.

It keeps customer-supplied recruitment data within the customer-controlled recruitment scope and does not authorise candidate-pool reuse or sale.

It leaves international transfers outside the early operational scope but preserves lawful transfer wording if that changes later.

It gives the designer a public-facing privacy document that can sit on the website now and be refined by counsel before go-live.