CVFormatter (“CVFormatter”, “we”, “our”, or “us”) is committed to protecting personal data and maintaining the highest standards of privacy, confidentiality, and information security.
This Privacy Policy explains how personal data is collected, used, stored, protected, and disclosed when you access or use the CVFormatter website and software-as-a-service platform (collectively, the “Services”).
CVFormatter is built in accordance with privacy-by-design and security-by-default principles and is designed to support compliance with:
- the EU General Data Protection Regulation (GDPR),
- the UK GDPR,
- Australia's Privacy Act 1988 and the Australian Privacy Principles (APPs),
- Singapore's Personal Data Protection Act (PDPA),
- applicable United States data-protection and security laws, including the California Consumer Privacy Act (CCPA/CPRA), and
- other applicable data-protection and information-security regulations.
1. Data Controller & Company Information
CVFormatter is operated by Aimanack Company Limited, a company incorporated in Hong Kong.
- Role under GDPR:
  - CVFormatter acts as a data processor when processing CVs and candidate data on behalf of clients.
  - Clients (e.g. recruitment agencies, consultancies, organisations) act as the data controllers for candidate data they upload.
2. Scope of This Policy
This Privacy Policy applies to:
- https://www.cvformatter.co and its subdomains, and
- the CVFormatter application, APIs, and related services.
By using the Services, you confirm that you have read and understood this Privacy Policy.
3. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Client: An organisation or individual using CVFormatter.
- End User / Data Subject: A natural person whose personal data is included in uploaded CVs or related content.
- Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
4. Categories of Personal Data We Process
We collect and process only the minimum data necessary to provide the Services.
Account & Contact Data
- Name
- Email address
- Job title
- Company name
- Authentication credentials (stored securely in hashed or encrypted form)
Client-Uploaded Content
- CVs, resumes, and related documents
- Candidate employment, education, and skills information
- Optional anonymisation, formatting, or AI-assisted outputs requested by clients
Technical & Security Data
- IP address
- Device and browser information
- Access logs, audit logs, and security events
We do not intentionally collect special-category (sensitive) personal data unless clients choose to include such data within uploaded documents under their own responsibility.
5. Lawful Bases for Processing
Where GDPR, UK GDPR or US CCPA/CPRA applies, CVFormatter processes personal data on the following lawful bases:
- Performance of a contract – to deliver the Services requested by clients
- Legitimate interests – to operate, secure, and improve the platform
- Consent – where explicitly required (e.g. marketing communications)
6. Purpose Limitation
Personal data is processed strictly for the following purposes:
- Providing and operating the CVFormatter Services
- Formatting, anonymising, summarising, translating, or proofreading CVs as instructed by clients
- User authentication and account management
- Security monitoring, fraud prevention, and audit logging
- Compliance with legal and regulatory obligations
CVFormatter does not sell personal data, does not monetise uploaded CVs, and does not use client data for advertising, profiling, or any irrelevant purposes without the explicit and documented consent of clients.
7. Access Control, Confidentiality & Data Ownership
Strict Access Limitation
- Uploaded CVs and candidate data are accessible only to:
  - the client organisation that uploaded the data (via authorised users), and
  - a limited number of senior CVFormatter personnel, strictly where access is necessary for platform security, maintenance, or customer support.
- All internal access is:
  - role-based and least-privilege,
  - logged and auditable, and
  - subject to confidentiality and data-protection obligations.
No Third-Party Data Sharing
- CVFormatter does not grant access to uploaded CVs or candidate data to:
  - advertisers,
  - marketing partners,
  - data brokers, or
  - unrelated third parties.
No Data Transfer Without Client Instruction
- Uploaded CVs and candidate data are never transferred, disclosed, or shared outside the client's controlled environment without the explicit instruction or consent of the client.
Client Ownership
- Clients retain full ownership and control of all uploaded CVs and candidate data.
- CVFormatter acts solely as a data processor, processing data only on documented client instructions.
AI Processing Safeguards
- Client data is not used to train general or third-party AI models.
- AI-powered features operate only within the client's workspace and process data solely for the requested task.
8. Data Retention
- Personal data is retained only for as long as necessary to provide the Services or meet legal obligations.
- Clients may delete uploaded data at any time on CVFormatter's platform, and/or terminate the account at any time. After that, all relevant information will be permanently removed from CVFormatter's active systems and will no longer be accessible or recoverable by any party, subject only to legally required retention or backup obligations.
9. Security Measures
CVFormatter implements industry-standard technical and organisational safeguards, including:
- Encryption of data in transit (TLS) and at rest
- Secure cloud infrastructure with isolated environments
- Role-based access controls and internal approval processes
- Continuous monitoring, logging, and incident-response procedures
While no system can guarantee absolute security, we take reasonable and proportionate measures to protect personal data against unauthorised access, loss, or misuse.
In the event of a personal data breach, CVFormatter follows documented incident-response procedures and supports clients in meeting applicable regulatory notification obligations.
10. International Data Transfers
CVFormatter operates globally. Where personal data is stored or processed on servers located in a client's designated country (as specified by the client during registration), any cross-border data transfers occur only where required for service delivery, client instruction, or legally permissible operational purposes, and are safeguarded through:
- Standard Contractual Clauses (SCCs), and
- binding contractual data-protection and confidentiality obligations imposed on all service providers.
11. Use of Sub-Processors
We engage vetted third-party service providers (e.g. Google Cloud infrastructure, Stripe payment processing) strictly as data processors under written agreements imposing confidentiality, security, and data-protection obligations.
A list of sub-processors is available upon request.
12. Data Subject Rights
Where CVFormatter acts as a data processor, data subject requests are handled in coordination with the relevant client as data controller.
Where applicable, individuals have the right to:
- Access their personal data
- Rectify inaccurate data
- Request erasure (clients can execute this easily from their end)
- Restrict or object to processing
- Request data portability
- Lodge a complaint with a supervisory authority
Requests may be submitted using the contact details below. We respond within statutory time limits.
13. Cookies
We use essential cookies required for platform functionality and limited performance analytics.
Cookies do not contain personally identifiable information. Users may manage cookies through browser settings.
14. Children's Privacy
The Services are not intended for individuals under the age of 13, and we do not knowingly collect personal data from children.
15. Contact Us
Data protection enquiries may be directed to our designated privacy contact.
For privacy, data-protection, or security enquiries:
- 📧 Email: admin@cvformatter.co
- 🌐 Website: https://www.cvformatter.co/
Regulatory Statement
CVFormatter is built to support organisations operating in high-compliance environments, including the US, Canada, Australia, Asia, UK and EU public sector.
Our privacy and security practices are continuously reviewed to align with evolving regulatory expectations.