Resmind AI

Privacy Policy & Data Protection

Our commitment to GDPR compliance and protecting your privacy rights

Introduction

This privacy policy explains how Resmind AI processes, stores, and protects candidate data when you use our CV screening and recruitment platform. We are committed to GDPR compliance and protecting the privacy rights of all data subjects.

What We Do & Why We Process Data

How We Process Your Data

CV Analysis:

We convert PDF CVs into structured data, extracting information like contact details, work experience, education, skills, and qualifications to enable efficient screening and matching.

Job Requirement Analysis:

We analyze job descriptions to understand role requirements, company details, required qualifications, and preferred skills.

Intelligent Matching:

We use AI technology to match candidate profiles with job requirements, providing relevance scores from 0-10. Your specific hiring preferences enhance matching accuracy when provided.

Interview Scheduling:

We facilitate interview coordination between recruiters and candidates through calendar integrations and scheduling platforms.

Our Processing Commitments

  • We process data only as instructed through platform features - no hidden processing
  • Personal data is removed from CVs before any processing outside the EU (for AI matching)
  • We do not use candidate data to train our own AI models
  • Original CVs with full personal data remain stored only within EU boundaries
  • Application logs are scrubbed of all personal information for security

Legal Basis for Processing

Legitimate Interest

We process candidate data based on our legitimate interest in operating an effective recruitment platform, matching candidates with opportunities, and maintaining service quality and security. We have assessed that these interests do not override your fundamental rights, and you have the right to object to this processing.

Contract Performance

Processing is necessary to perform our services contract with recruiters and to fairly evaluate candidate applications as part of the recruitment process.

Where Your Data is Stored & Processed

Application Hosting Infrastructure

Platform Provider:

Our application runs on Scalingo, a European Platform-as-a-Service provider based in France. Scalingo provides the infrastructure that delivers the Resmind AI platform to users.

Location & Compliance:

The application is hosted exclusively in EU data centers (Paris-Pantin and Magny-les-Hameaux, France) through OUTSCALE's infrastructure, ensuring full GDPR compliance and data sovereignty.

Infrastructure Certifications:
  • ISO 27001:2013 certified for information security management
  • HDS certified for hosting health data in France
  • SecNumCloud qualified infrastructure
  • Comprehensive GDPR Data Processing Agreement (DPA)

EU Data Storage Infrastructure

Primary Storage (AWS EU)

  • Original CVs and Job Descriptions: Complete document files
  • Structured Data: Processed information from documents
  • Matching Analysis: AI-generated compatibility scores
  • Recruiter Preferences: Questionnaire responses and requirements

Database (Supabase EU)

  • User Profiles: With encrypted tokens
  • Job & CV Metadata: Upload tracking and status
  • Interview Records: Scheduling and status data
  • Audit Logs: Data processing and deletion records

Limited Non-EU Processing

When: Only for AI-powered CV-to-job matching analysis
What: CV content with all personal identifiers removed (name, email, phone, address, LinkedIn profiles). Only skills, experience, and qualifications are processed.
Why: To provide intelligent matching scores and analysis using advanced AI technology
Safeguards: Data is automatically anonymized before transmission. Original personal data never leaves EU boundaries.

GDPR-Compliant Processing

EU-Based Document Parsing:

All CV and job description parsing is performed within EU regions using GDPR-compliant cloud infrastructure and EU-hosted AI services.

Privacy-First Processing:

Document analysis and data extraction happen entirely within European boundaries, ensuring full compliance with EU data protection regulations.

How Your Platform Works

Step-by-Step Process:

Upload job descriptions → Complete requirements assessment → Upload CVs → View matched results. Each step is tracked with real-time progress updates.

Secure Upload System:

Files are uploaded directly to secure cloud storage using temporary, signed URLs. No files pass through our application servers.

Background Processing:

Document parsing and AI matching happen automatically in the background. You receive notifications when processing is complete.

Dashboard Interface:

Access all your data through a secure, personalized dashboard. Only you can see your uploaded documents and results.

Third-Party Service Integrations

Microsoft Graph API

Required for sending interview invitations via email through Microsoft's Graph API. When you click "Schedule Interview" on candidate profiles, we use your Microsoft account to send professional email invitations to candidates.

Calendly API

Optional integration configured in Profile Settings that enables candidate self-scheduling. When connected, we include your Calendly scheduling links in interview invitation emails, allowing candidates to book their own interview slots.

Security & Protection Measures

Encryption at Rest & in Transit

  • HTTPS encryption for all data transmission
  • AWS S3 server-side encryption (default)
  • Supabase EU region encryption
  • pgcrypto encryption for sensitive tokens in database
  • HMAC-based request signing for API security

Access Control & Authentication

  • Row-level security (RLS) policies in database
  • JWT-based authentication with secure cookies
  • Multi-Factor Authentication (MFA) support for enhanced account security
  • Principle of least privilege for all access
  • Tenant isolation - users can only access their own data

Data Protection

  • Signed URLs for secure file access (no direct S3 exposure)
  • Personal data scrubbed from all application logs
  • Email addresses and names masked in logs
  • Tokens automatically redacted from logs
  • Automatic data anonymization before non-EU processing

Infrastructure Security

  • HTTPS everywhere with security headers
  • CORS headers for API security
  • Secure authentication headers
  • AWS STS role-based access with temporary credentials
  • Separate IAM roles for different operations

Advanced Security Features

Token Security:

  • All API tokens encrypted using AES-128
  • Microsoft Graph tokens with automatic refresh
  • Calendly API keys encrypted in database
  • Decryption only for authorized users via secure views

Data Retention & Automated Deletion

Automated Data Retention System

Fixed Retention Period

All candidate data is automatically deleted after 90 days from upload, ensuring consistent data protection across all users.

Automated Deletion Process

Our automated system identifies and deletes expired data daily, ensuring compliance with our 90-day retention policy.

Manual Controls

Delete individual CVs, entire job descriptions, or complete user accounts immediately through your dashboard controls.

Comprehensive Audit Trail

Every deletion is logged with detailed audit records including timestamps, affected files, and processing details.

Candidate Rights & Data Subject Requests

Under GDPR, candidates have the following rights regarding their personal data:

  • Access: View and download all your personal data including CV content, job matching results, and interview records in PDF and JSON formats through your dashboard
  • Erasure: Delete individual CVs, entire job descriptions, or your complete account with immediate removal from all systems
  • Data Portability: Export your structured data in machine-readable JSON format for transfer to other services
  • Rectification: Request correction of inaccurate personal data (implementation in progress)

How to Exercise Your Rights

Most rights can be exercised directly through your dashboard.

Note: All data is automatically deleted after 90 days, ensuring consistent data protection.

Contact Information

For any questions about this privacy policy, data processing, or to exercise your rights, please contact us:

Policy Updates

This privacy policy may be updated to reflect changes in our practices or legal requirements. We will notify users of any material changes through the platform and maintain previous versions for reference. Last updated: 7/5/2025.