Privacy Policy

1. What personal data we process

We process personal data that you actively provide (for example when filling in your CV) and data that we passively collect when you interact with the Service (such as device and usage data). We only process data that is necessary to deliver the Service you have requested or that you have clearly made available to us for processing.

Depending on how you use Cvida, we may process the following categories of personal data:

• Identification and contact data: first name, last name, email address, phone number, postal address, country, date of birth, photograph (profile picture);

• Account data: account ID, hashed password, language preference, role/permissions, account status, registration date, login timestamps;

• CV content: any information you enter into your CVs and cover letters, such as work experience, education, skills, languages, hobbies, references, certificates, projects and any free-text descriptions you write;

• Payment data: billing name and address, country, the last four digits of your card, card brand, payment status, invoice references and transaction identifiers. Full card numbers are processed directly by our payment provider and never stored on our servers;

• Technical data: IP address, browser type and version, operating system, device identifiers, referrer URL, pages visited, session duration, error logs and similar telemetry;

• Communication data: any messages or feedback you send us through the Service or by email.

2. Purposes and legal grounds for processing

We process your personal data only for clearly defined purposes and on a valid legal ground under Article 6 GDPR. The main purposes are:

• To create and maintain your Cvida account, build your CV(s) and let you preview, edit and download them. Legal ground: performance of a contract (Art. 6(1)(b) GDPR).

• To process your payments, manage subscriptions, issue invoices and prevent fraudulent transactions. Legal ground: performance of a contract and compliance with our legal obligations (Art. 6(1)(b) and (c) GDPR).

• To send you transactional emails related to your account, your subscription, your payments or your CVs (for example registration confirmation, password reset, payment receipts, renewal notices). Legal ground: performance of a contract (Art. 6(1)(b) GDPR).

• To send you optional reminder emails if you started a CV but did not finish it, and other service-related notifications. Legal ground: our legitimate interest in helping users complete their CV (Art. 6(1)(f) GDPR), or your consent where required (Art. 6(1)(a) GDPR).

• To secure the Service, prevent abuse, detect and mitigate attacks, and maintain logs for debugging and audit. Legal ground: our legitimate interest in protecting the Service (Art. 6(1)(f) GDPR).

• To improve the Service, analyse usage in an aggregated manner and develop new features. Legal ground: our legitimate interest in improving our product (Art. 6(1)(f) GDPR).

• To comply with our legal obligations, including accounting, fiscal and consumer-protection obligations under Romanian and EU law. Legal ground: compliance with a legal obligation (Art. 6(1)(c) GDPR).

• To handle requests, complaints or legal claims. Legal ground: legitimate interest and/or compliance with a legal obligation.

3. Account creation and CV building

When you start building your first CV on Cvida, an account is created for you automatically so that your work can be saved. From that moment, the personal data you enter into the editor (your name, contact details, work history, etc.) is stored against your account.

You can log in to your account at any time using the email address and password you provided. We store your CV content so that you do not have to re-enter it each time, so we can deliver the contracted Service to you and so we can make your CVs available to you again when you return.

4. Sharing with third parties (sub-processors)

We do not sell your personal data. We only share it with third parties where this is necessary to deliver the Service, to comply with the law, or where you have asked us to do so. Where third parties process personal data on our behalf, we sign a data-processing agreement with them as required by Article 28 GDPR.

Categories of third parties we currently rely on:

• Payment processing: Stripe Inc. and its affiliates handle card payments and subscription billing. Stripe acts as an independent controller for the purposes of fraud prevention and as our processor for the rest. See stripe.com/privacy for details.

• Hosting and infrastructure: our application, databases and backups are hosted by reputable cloud-infrastructure providers operating within the European Union or under appropriate safeguards.

• Transactional email delivery: a specialised email provider is used to send you account, payment and CV-related emails.

• Optional integrations you trigger yourself, such as importing data from LinkedIn or any other source you connect.

We may also disclose personal data to competent authorities in the case of suspected fraud, abuse, security incidents, or where we are legally required to do so.

5. Cookies and similar technologies

We use a limited number of cookies and similar technologies (such as localStorage) on www.cvida.io. These fall into three categories:

• Strictly necessary cookies / storage - required to log you in, keep your session, remember your language and theme preferences, and provide core functionality. These cannot be switched off without breaking the Service.

• Functional cookies - used to remember non-essential preferences that improve your experience.

• Analytics cookies - where used, they help us understand, in an aggregated and anonymised way, how visitors interact with the Service so we can improve it. Where applicable laws require consent for such cookies, they are only set after you have given consent.

• Anonymised aggregate measurement - regardless of your cookie choice, we record anonymised, cookieless signals (such as page-view counts, language and approximate region) so we can measure overall traffic to the Service. These signals do not contain cookies or identifiers and cannot be linked back to you. The legal ground is our legitimate interest in measuring traffic to operate and improve the Service (Art. 6(1)(f) GDPR).

You can block or delete cookies through your browser settings at any time. Note that doing so may disable parts of the Service that rely on essential cookies (for example you may no longer be able to stay logged in).

6. Retention periods

We keep your personal data only for as long as is necessary to achieve the purposes set out in this Privacy Policy, or for as long as we are required to keep it by law.

As a guideline:

• Account and CV data - kept for as long as your account is active and for a reasonable period afterwards in case you reactivate it. Inactive accounts may be deleted automatically after a prolonged period of inactivity, after prior notice to you where required by law.

• Payment and invoicing data - retained for the period required by Romanian fiscal and accounting law (typically 10 years for invoicing records).

• Server logs and security data - retained for a limited period, sufficient for debugging, security and audit purposes.

• Communications you send us - retained for as long as needed to answer your request and to keep a record of it for legitimate-interest purposes.

You can request the deletion of your personal data at any time, subject to the legal obligations described above (see Article 8 below).

7. Security

We take appropriate technical and organisational security measures to protect your personal data against unauthorised access, accidental loss, alteration or disclosure. These measures include, among others, encrypted connections (HTTPS/TLS), password hashing, access controls, network segmentation, monitoring and regular backups.

We require third parties who process personal data on our behalf to apply equivalent security measures.

No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in a high risk to your rights and freedoms, we will notify you in accordance with Article 34 GDPR.

8. Your rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access - to receive confirmation of whether we process personal data about you, and a copy of that data;

• Right to rectification - to have inaccurate or incomplete data corrected;

• Right to erasure - to have your personal data deleted in the cases provided by law;

• Right to restrict processing - to limit how we process your data in specific situations;

• Right to data portability - to receive your personal data in a structured, commonly used, machine-readable format;

• Right to object - including the right to object to processing based on legitimate interest;

• Right to withdraw consent - where processing is based on your consent, at any time and without affecting the lawfulness of processing carried out before withdrawal;

• Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects you.

To exercise these rights, please contact us through the support channels listed on www.cvida.io. So that we can be sure we do not modify or delete data belonging to someone else, please clearly identify yourself in your request.

9. International transfers

We aim to host and process your personal data within the European Economic Area (EEA). Where personal data is transferred outside the EEA (for example to a sub-processor located in another country), we ensure that an appropriate safeguard is in place, such as an adequacy decision of the European Commission or the use of Standard Contractual Clauses adopted by the Commission.

10. Children

Cvida is not directed at children. We do not knowingly collect personal data from children under the age of 16 without parental consent. If you believe that we have inadvertently collected such data, please contact us so we can delete it.

11. Third-party websites

This Privacy Policy does not apply to third-party websites that are linked from www.cvida.io or that you reach by following a link from the Service. We cannot guarantee that those third parties handle your personal data in a reliable or secure manner. We recommend that you read the privacy statement of any third-party website before using it.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes in our Service, our sub-processors or the applicable legislation. The most current version is always available on www.cvida.io. Where the change is material, we will notify you in advance through the Service or by email.

13. Filing a complaint

If you believe that we are not handling your personal data correctly, please contact us first so we can address your concerns.

You also have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal - ANSPDCP). More information about the procedure can be found at www.dataprotection.ro.