Privacy & Cookies Policy
HRGuru
EU · Republic of Moldova · Ukraine · United States
Effective: 2 June 2026 · Version 1.0
WEBSITE DOCUMENT — Publish at hrguru.io/privacy · Available in EN, RO, UK, RU
1. Who We Are
HRGuru ('we', 'us', 'our') is an AI-powered recruitment platform operated by HRGuru SRL, registered in Republic of Moldova, registration number [NUMBER]. Our registered address is [ADDRESS]. Data protection contact: privacy@hrguru.io.
This Policy applies to: visitors to hrguru.io; Company users (HR professionals, recruiters); Candidate users (job seekers); candidates whose CVs are processed on behalf of B2B clients.
Jurisdiction: We apply the strictest applicable standard across EU GDPR, Moldova Law 195/2024, Ukraine Law 2297-VI, and US state privacy laws (CCPA/CPRA for California residents). See jurisdiction-specific rights in Section 7.
2. Data We Collect
2.1 Company Users (HR / Recruiters)
| Data | Legal Basis | Purpose | Retention |
|---|---|---|---|
| Name, work email, phone | Contract (GDPR Art.6(1)(b)) | Account management | Contract + 2 years |
| Login logs, IP address | Legitimate interest (Art.6(1)(f)) | Security, fraud prevention | 12 months |
| Billing details | Contract + legal obligation | Payment processing, tax law | 7 years |
| Company profile | Contract | Platform customisation | Contract + 30 days |
| Support communications | Contract | Customer support | 3 years |
2.2 Candidates (Direct Users)
| Data | Legal Basis | Purpose | Retention |
|---|---|---|---|
| Name, email, phone, location | Contract / Consent | CV Builder, applications | Until account deletion |
| CV content (work history, skills) | Contract | CV storage and AI improvement | Until deletion + 30 days |
| Job applications, stage history | Contract | Application tracking | 2 years |
| Usage analytics | Consent (cookie) | Product improvement | 13 months |
2.3 Candidates Processed for B2B Clients
When our B2B clients upload CVs or receive applications, the hiring company is the Data Controller. HRGuru processes candidate data as Data Processor per Art. 28 GDPR. We process: CV text for AI scoring; AI-generated scores and analysis; stage history and recruiter notes; extracted metadata (name, email, phone, LinkedIn).
We do NOT process: biometric data, photos, video, protected characteristics (race, religion, disability, etc.). Our AI is designed to evaluate skills and experience only.
3. How Our AI Works — Transparency Notice
HRGuru's CV scoring system is classified as a HIGH-RISK AI system under EU AI Act Annex III (employment decision support). We are committed to transparency.
What the AI does
Parses CV text and extracts experience, skills, and qualifications
Compares candidate profile against predefined role standards
Generates a score (0-100), seniority classification, and human-readable explanation
Flags candidates requiring additional human review ('Controversial' flag when evaluator spread >30pts)
What the AI does NOT do
Make final hiring decisions — all decisions require human review by the hiring company
Use demographic data — race, gender, age, disability, religion are never input to scoring
Learn from or store candidate data for model training (API processing only)
Generate binding employment assessments without human oversight
Your rights regarding automated processing
Right to be informed: this policy provides required AI transparency (EU AI Act Art. 13, GDPR Art. 22)
Right to human review: contact the hiring company to request human-only review of your application
Right to explanation: request rationale for AI score from the hiring company or privacy@hrguru.io
Right to object (EU/EEA/UK): object to automated processing under GDPR Art. 21
NYC candidates: HRGuru is an Automated Employment Decision Tool (AEDT) subject to NYC Local Law 144. Hiring companies using HRGuru for NYC candidates must conduct annual bias audits and provide notice.
4. Data Retention
| Data Type | Default Retention | Configurable? | Deletion Method |
|---|---|---|---|
| Candidate CVs (B2B) | 365 days from upload | Yes (30–730 days) | Auto-deleted from storage; score anonymised |
| AI scores and analysis | Same as CV | Yes | Anonymised; aggregate data retained |
| Audit logs | 3 years | No | Permanently deleted |
| Consents | Consent period + 5 years | No | Permanently deleted |
| Company accounts | Contract + 2 years | No | Permanently deleted on request |
| Backups | 30 days rolling | No | Auto-purged from backup cycle |
5. International Data Transfers
Our infrastructure is in the EU (Frankfurt, Germany). Sub-processors outside the EU/EEA use Standard Contractual Clauses (SCCs):
| Sub-processor | Country | Purpose | Safeguard |
|---|---|---|---|
| Supabase | EU Frankfurt | Database, storage, auth | EU data residency — no transfer |
| OpenAI | USA | AI CV scoring (API only) | SCCs; no CV training per API terms |
| Vercel | USA/EU | App hosting | EU region primary; SCCs for US |
| Resend | USA | Email delivery | SCCs; email content only, no CVs |
| Upstash Redis | EU West | Queue | EU region; transient data only |
| Sentry | USA/EU | Error monitoring | Anonymised errors; no CV content |
6. Cookies
| Category | Examples | Can opt out? |
|---|---|---|
| Essential — required for service | Session, CSRF, auth tokens | No |
| Functional — language, preferences | NEXT_LOCALE, theme preference | Yes |
| Analytics — privacy-friendly | Plausible Analytics (no cross-site tracking) | Yes |
| Marketing — none currently | — | N/A |
We do not use Google Analytics, Facebook Pixel, or behavioural advertising cookies. We honour the Global Privacy Control (GPC) signal for California residents.
7. Your Rights
| Right | EU/EEA/UK | Moldova | Ukraine | California (CCPA) | How to Exercise |
|---|---|---|---|---|---|
| Right to know / access | ✅ Art.15 | ✅ | ✅ 30 days | ✅ | |
| Right to rectification | ✅ Art.16 | ✅ | ✅ | ✅ Correct inaccuracies | Account or email |
| Right to erasure | ✅ Art.17 | ✅ | ✅ | ✅ Right to delete | Account or email |
| Right to portability | ✅ Art.20 | ✅ | ❌ | ✅ Data portability | |
| Right to object (AI) | ✅ Art.21-22 | ✅ | ⚠️ Partial | ✅ Opt-out ADMT | Contact hiring company |
| Do Not Sell/Share (CA) | N/A | N/A | N/A | ✅ CCPA/CPRA | privacy@hrguru.io or footer link |
| Right to complain | ✅ National DPA | ✅ CNPDCP | ✅ Ukomdatazakhyst | ✅ California AG / CPPA | See Section 9 |
Response time: 30 days (extendable to 90 days for complex requests with notice). We do not charge a fee for first requests.
8. California Residents — CCPA / CPRA
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to Know: request disclosure of personal information collected, used, shared, or sold
Right to Delete: request deletion of personal information we collected from you
Right to Correct: request correction of inaccurate personal information
Right to Opt-Out of Sale/Sharing: we do not sell or share personal data for cross-context behavioural advertising
Right to Limit Use of Sensitive Personal Information: contact privacy@hrguru.io
Right to Non-Discrimination: we will not discriminate against you for exercising your rights
To submit a CCPA request, email privacy@hrguru.io with subject 'CCPA Request'. We will verify your identity before processing. Response within 45 days.
Do Not Sell: HRGuru does not sell personal information. We do not share personal information for cross-context behavioural advertising purposes.
9. Supervisory Authorities
| Jurisdiction | Authority | Contact |
|---|---|---|
| EU | Your national DPA (via edpb.europa.eu) | edpb.europa.eu/about-edpb/board/members_en |
| Moldova | CNPDCP — National Centre for Personal Data Protection | datepersonale.md · +373 22 820 801 |
| Ukraine | Ukomdatazakhyst — Commissioner for Human Rights | ombudsman.gov.ua |
| California | California Privacy Protection Agency (CPPA) | cppa.ca.gov |
| All US | FTC — Federal Trade Commission | ftc.gov/contact |
10. Contact and Updates
Data Controller: HRGuru SRL · privacy@hrguru.io · [ADDRESS]
DPO (if appointed): [NAME] · dpo@hrguru.io
We will notify you of material changes to this Policy via email (for registered users) and by posting an updated version at hrguru.io/privacy with a new effective date.
WEBSITE NOTE: This document should be available in EN, RO, UK, RU. The English version is authoritative in case of conflict between translations.