Legal & Compliance Overview

1. Data Controller

Under Article 4(7) GDPR, the Data Controller is the natural person operating CVScouting in Romania.

Controller name: Drimbau Florentina

Contact channels: support@cvscouting.com, privacy@cvscouting.com, content@cvscouting.com, and noreply@cvscouting.com (automated messages only).

Controller Address (Required)

Controller correspondence address:
Oficiu Postal Calea Republicii nr.71, Bl.M4, Marghita, cod postal 415300.

1.1 Deployment context

CVScouting is operated on managed web infrastructure using a Node.js runtime. These implementation details do not change user rights, legal obligations, or data protection safeguards.

2. Data Protection by Design and by Default (Art. 25)

• No account requirement for core matching features.
• Resumes are processed temporarily and are not stored permanently.
• Temporary local result sessions with a hard 15-minute TTL and automatic cleanup every 60 seconds.
• No automatic resume forwarding to employers.

3. Data Minimization (Art. 5(1)(c))

We process only data required to provide requested functionality and protect service integrity. CVScouting does not create persistent personal profiles from resume content.

• Resume file and text: used for one-time rule-based matching and not retained as permanent records.
• Security data: limited technical metadata for abuse prevention and service integrity.
• Operational counters: stats-counter.json stores numeric counters only.
• Rate limiting: IP data is used in temporary local runtime storage for short security windows only.

4. Storage Limitation (Art. 5(1)(e))

• Resume files and extracted resume text: never stored.
• Match result session summaries: 15 minutes (temporary local server session store).
• sessionId in browser: session-only in sessionStorage.
• Resume Builder draft data: until user clears browser data (localStorage only).
• Rate-limit IP data: temporary local server storage with automatic cleanup.
• Raw server access logs: up to 2 months.
• GA4 analytics data: 2 months, only for consent-enabled analytics.
• Support email communications: retained only as long as necessary to resolve the inquiry.
• Provider internal infrastructure backups: 3-7 days (provider-managed, same US datacenter; not customer-accessible; not guaranteed).
• stats-counter.json: kept while operationally necessary, reviewed periodically, and deleted when no longer needed; numeric counters only.

5. Security Measures (Art. 32)

• Rate limiting and anti-abuse controls on forms and upload endpoints.
• File validation, MIME checks, and size restrictions.
• CNP detection checks with upload rejection on valid national ID patterns.
• No resume content logging and no request-body retention for resume text.
• No-store caching headers on sensitive endpoints.
• Operational monitoring and controlled infrastructure access.

6. No Automated Decision-Making with Legal Effect (Art. 22)

CVScouting provides informational, rule-based match suggestions. It does not make legal or similarly significant decisions about users. Hiring decisions remain exclusively with employers and source platforms.

7. International Transfer Safeguards (Art. 44+)

Hosting is in a US datacenter and analytics services may involve transfer outside the EEA. Where required, transfers are handled through GDPR-compliant mechanisms such as Standard Contractual Clauses, with supplementary safeguards including data minimization, consent-gated analytics, and limited technical data processing.

8. Legal basis under Art. 6

• Consent (Art. 6(1)(a)): used for resume upload confirmation and optional analytics. Analytics scripts load only after explicit consent and can be revoked.
• Legitimate interests (Art. 6(1)(f)): used for security, abuse prevention, and service integrity with minimization controls.

Consent status is stored in browser localStorage. No GA4 snippet is embedded in initial HTML.

9. Processors and Third-Party Service Providers

• Hosting provider: Namecheap (Stellar hosting plan, US datacenter).
• Analytics provider (if consent is given): Google LLC (Google Analytics 4).
• Email infrastructure: Zoho Mail (Zoho Corporation Pvt. Ltd.).

Processors receive limited technical data required for hosting, consented analytics measurement, and email delivery.

Email communications are processed via Zoho Mail infrastructure.

No processor receives stored resume content because resume files and extracted resume text are not persisted.

Where transfers outside the EEA occur, Standard Contractual Clauses (SCCs) or adequacy mechanisms apply.

10. Transparency and user rights

Full processing details, retention periods, legal bases, and rights are documented in the Privacy Policy. Users may request access, correction, erasure, and other rights under GDPR Articles 15-22.

Users may lodge a complaint with a supervisory authority.

Supervisory Authority:
Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP)
Romania
Website: https://www.dataprotection.ro