1. Company Information & Data Protection Roles

CVFormatter is operated by Aimanack Company Limited, a company incorporated in Hong Kong.

Roles under GDPR and Similar Laws

• Clients (e.g. recruitment agencies, consultancies, or organisations) act as Data Controllers with respect to personal data they upload or submit to the Services.
• CVFormatter acts as a Data Processor, processing personal data solely on documented instructions from Clients and in accordance with this Privacy Policy, our Terms & Conditions, and our Security & Data Processing Overview.

CVFormatter does not determine the purposes for which Clients process candidate data.

2. Scope of This Privacy Policy

This Privacy Policy applies to:

• https://www.cvformatter.co and its subdomains; and
• the CVFormatter application, APIs, and related services.

By using the Services, you confirm that you have read and understood this Privacy Policy.

3. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person.
• Client: An organisation or individual using the CVFormatter Services.
• End User / Data Subject: A natural person whose personal data appears in uploaded CVs or related content.
• Processing: Any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.

4. Categories of Personal Data We Process

CVFormatter processes only the data necessary to provide and operate the Services.

Account & Contact Data

• Name
• Work email address
• Job title
• Company name
• Authentication credentials (stored securely in hashed or encrypted form)

Client-Uploaded Content

• CVs, resumes, and recruitment-related documents
• Candidate employment, education, skills, and professional information
• Outputs generated at the Client's request (e.g. formatted, anonymised, summarised, or translated CVs)

Technical & Security Data

• IP address
• Device and browser information
• Access logs, audit logs, and security events

CVFormatter does not intentionally collect special-category (sensitive) personal data, unless Clients choose to include such data within uploaded documents under their own responsibility.

5. Lawful Bases for Processing

Where applicable under GDPR, UK GDPR, or similar laws, CVFormatter processes personal data on the following lawful bases:

• Performance of a contract – to provide the Services requested by Clients
• Legitimate interests – to operate, secure, and improve the platform
• Consent – where explicitly required (e.g. marketing communications)

6. Purpose Limitation

Personal data is processed strictly for the following purposes:

• Providing and operating the CVFormatter Services
• Formatting, anonymising, summarising, translating, or proofreading CVs as instructed by Clients
• User authentication and account management
• Platform security, fraud prevention, monitoring, and audit logging
• Compliance with legal and regulatory obligations

CVFormatter does not:

• sell personal data,
• monetise uploaded CVs,
• use client data for advertising, profiling, or unrelated purposes without explicit client instruction.

7. Access Control, Confidentiality & Data Ownership

Access Limitation

Client-uploaded data is accessible only to:

• authorised users within the Client's organisation; and
• a limited number of authorised CVFormatter personnel, strictly where necessary for service delivery, security, maintenance, or customer support.

All internal access is:

• role-based and least-privilege,
• logged and auditable, and
• subject to confidentiality and data-protection obligations.

No Unauthorised Data Sharing

CVFormatter does not share client data with advertisers, data brokers, or unrelated third parties.

Client data is disclosed only to vetted sub-processors or authorised personnel where required to provide the Services, and always under contractual confidentiality and data-protection obligations.

Data Ownership

Clients retain full ownership and control of all uploaded data. CVFormatter acts solely as a data processor.

AI Processing Safeguards

• Client data is not used to train general or third-party AI models.
• AI-powered features operate only within the Client's workspace and process data solely for the requested task.

Client data is processed only on documented instructions and accessed solely by authorised personnel for service delivery, support, maintenance, or security purposes.

8. Data Retention & Deletion

Personal data is processed for as long as the Client maintains an active account and retains data within the platform.

Clients may delete CVs, documents, or accounts at any time through the platform. Deleted data is removed from active systems promptly and removed from backups in accordance with our backup retention schedule, after which it is no longer recoverable, unless retention is required by law.

9. Security Measures & Incident Response

CVFormatter implements reasonable and proportionate technical and organisational measures, including:

• encryption of data in transit (TLS) and at rest;
• secure cloud infrastructure with isolated environments;
• role-based access controls;
• continuous monitoring, logging, and incident-response procedures.

While no system can guarantee absolute security, CVFormatter takes appropriate measures to protect personal data against unauthorised access, loss, or misuse.

In the event of a personal data breach affecting Client data, CVFormatter will notify the Client without undue delay and support compliance with applicable regulatory notification obligations.

10. International Data Transfers

CVFormatter does not transfer or provide routine access to client personal data to Hong Kong.

The platform is operated by a globally distributed team, and access to production data is restricted to authorised personnel located outside Hong Kong, solely for service delivery, maintenance, and support purposes.

Where international data access or processing outside the EU/EEA may occur, CVFormatter applies appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs – 2021/914/EU, Module Two).

CVFormatter does not voluntarily disclose client data to government authorities. As of the date of this Policy, CVFormatter has not received requests from public authorities for access to client data.

11. Sub-Processors

CVFormatter uses reputable infrastructure and service providers to operate the platform, including but not limited to:

• Amazon Web Services (AWS)
• Microsoft Azure
• Vercel
• Google Cloud (optional AI and translation features)
• SendGrid
• MongoDB Atlas

All sub-processors are bound by contractual obligations consistent with GDPR standards. A current list of sub-processors is available upon request.

12. Data Subject Rights

Where CVFormatter acts as a data processor, data subject requests are handled in coordination with the relevant Client as data controller.

Where applicable, individuals may have the right to:

• access their personal data;
• rectify inaccurate data;
• request erasure;
• restrict or object to processing;
• request data portability; and
• lodge a complaint with a supervisory authority.

Requests may be submitted using the contact details below. We respond within applicable statutory time limits.

13. Cookies

CVFormatter uses essential cookies required for platform functionality and limited performance analytics.

Cookies do not contain personally identifiable information. Users may manage cookies through browser settings.

14. Children's Privacy

The Services are not intended for individuals under the age of 13. CVFormatter does not knowingly collect personal data from children.

15. Contact Us

For privacy, data-protection, or security-related enquiries, please contact:

📧 Email: admin@cvformatter.co