Privacy Policy

Last updated: March 2026

Skrevo is a SaaS platform designed to assist recruiters with AI-powered CV screening and recruitment analysis. We are committed to ensuring transparency and compliance with applicable data protection laws, including the GDPR and UK GDPR.

1. Roles of the Parties (Controller / Processor)

For candidate data (e.g. CVs and job descriptions), the User acts as the data controller and Skrevo acts as a data processor. For account, billing, and technical data, Skrevo acts as the data controller. Skrevo processes personal data only on documented instructions from the User, unless required otherwise by applicable law.

2. Scope of Processing

Skrevo processes textual data submitted by users, including job descriptions and candidate CVs, solely for the purpose of generating automated screening insights.

3. Nature of Data Processing

- Data is processed transiently in real time
- Data is not stored beyond what is necessary for processing, short-term caching, and system reliability. Any temporary storage is limited in duration and strictly controlled.
- No profiling or behavioral tracking of candidates is performed.

Data may be temporarily stored in volatile memory or short-lived system components strictly necessary for processing.

4. AI Processing and Sub-processors

Skrevo uses external AI providers (e.g. OpenAI) as sub-processors to generate analysis results. Skrevo reserves the right to add or replace sub-processors where necessary for service delivery. Where required by law, Users will be notified of material changes. All sub-processors are contractually bound to process data only for the purposes of providing the service and in accordance with applicable data protection laws. Skrevo does not use submitted data to train its own AI models or any third-party AI models. Users may object to newly added sub-processors where required by applicable law.

When using AI providers such as OpenAI, submitted data (including CV content and job descriptions) may be transmitted to these providers for processing in order to generate analysis results.

5. Caching and Performance Optimization

To ensure performance and scalability, Skrevo uses temporary caching mechanisms, including in-memory and Redis-based caching.

- Cached data may include hashed or transformed representations
- Cache entries are time-limited (TTL-based)
- Personal data is not stored long-term as part of the system design.

6. Technical Logging

Skrevo maintains limited logs for security and system integrity purposes, which may include:

- IP address
- Request metadata
- System diagnostics

Logs are not used for tracking, profiling, or marketing. Logs are minimized and access is restricted to authorized personnel only.

7. Background Processing (Workers)

Certain operations are processed asynchronously (e.g. via queue systems such as BullMQ). Data in these processes is handled transiently and is not persistently stored.

8. Usage Monitoring

Skrevo tracks system usage (e.g. token consumption and operational costs):

- Linked to user accounts
- Does not include CV content
- Used only for internal operational and billing purposes.

9. Legal Basis for Processing

Processing is carried out based on one or more of the following:

- performance of a contract (Art. 6(1)(b) GDPR)
- legitimate interest (Art. 6(1)(f) GDPR), including service improvement, security, and system reliability
- compliance with legal obligations, where applicable.

10. International Data Transfers

Data may be processed outside the EEA. Where this occurs, appropriate safeguards are implemented in accordance with Article 46 GDPR (e.g. Standard Contractual Clauses). When using AI providers such as OpenAI, submitted data (e.g. CV content and job descriptions) may be transmitted to these providers for processing. Such providers act as data processors and are contractually bound to handle data in accordance with applicable data protection laws.

11. Data Retention

- Submitted CVs and job descriptions are not persistently stored
- Cached data is automatically deleted after short retention periods
- Logs are retained only as necessary for security and operational purposes.

Upon termination of the service, personal data is deleted or rendered inaccessible, unless retention is required by applicable law.

12. No Tracking or Analytics

- No tracking cookies are used
- No third-party analytics tools are used
- No behavioral profiling is performed.

13. Data Subject Rights

Due to the nature of the service, Skrevo does not maintain persistent records of submitted CV data. However, where identification is possible, Skrevo will support the User in fulfilling data subject rights requests. Data subjects may exercise their rights through the data controller (the User). Requests may also be directed to Skrevo, and reasonable assistance will be provided where possible. Skrevo will assist the User in fulfilling data subject rights requests where technically feasible and required under Article 28 GDPR. Skrevo will make available information reasonably necessary to demonstrate compliance with applicable data protection obligations.

14. Data Breach

In the event of a personal data breach, Skrevo will:

- take appropriate technical and organizational measures to mitigate the impact
- notify affected Users without undue delay where required by law
- cooperate with Users to support any required regulatory notifications.

15. Security Measures

Skrevo implements appropriate technical and organizational measures, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing. Persons authorized to process personal data are subject to confidentiality obligations.

16. Special Categories of Personal Data

Users should not submit special categories of personal data (as defined under Article 9 GDPR) unless they have a valid legal basis to do so.

17. User Responsibility

Users are responsible for ensuring they have a lawful basis for processing any personal data submitted to Skrevo and for complying with applicable data protection laws.

18. Automated Processing Disclaimer

Skrevo provides AI-generated outputs for informational purposes only and does not perform automated decision-making within the meaning of Article 22 GDPR. The User is responsible for human review of all outputs and must not rely solely on AI-generated results for decision-making.

19. Updates

This Privacy Policy may be updated to reflect changes in legal, technical, or operational requirements.

20. Contact

For any privacy-related inquiries, please contact us:

Data Controller: SKREVO
Email: privacy@skrevo.com