Privacy Policy

Version 1.4.0
Last updated: March 1, 2026

Introduction

Tanova ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered recruitment platform, whether you are a recruitment professional, job seeker, or candidate.

1. Information We Collect

1.1 Information You Provide

We collect different information depending on how you use Tanova:

  • Account Information: Name, email address, company name (for recruiters), and job title when you create an account
  • CVs and Resumes: Candidate CVs uploaded for evaluation (includes personal information, work history, education, skills), either manually uploaded, submitted via public applications, or automatically synced via API integrations
  • Job Descriptions: Job postings and requirements you upload for candidate evaluation
  • Payment Information: Billing details processed securely through our payment provider
  • API Integrations: CVs may be uploaded automatically via authorized API keys from agency systems for efficient recruitment operations
  • Job Seeker Data (Registered Accounts): When you create a job seeker account, we additionally collect:
      • Target role and career preferences
      • CV library (multiple versions for different roles)
      • Evaluation history and match scores
      • Generated career materials (cover letters, interview prep, career insights)
      • LinkedIn profile data (if you use our LinkedIn optimization tool via OAuth - read-only access)
      • Candidate pool preferences (opt-in/opt-out status)
      • Credit balance, transaction history, and promotional offers accepted (trial credits, bonuses)
      • Purchase intent signals (when you attempt to purchase credits)
      • Subscription and billing information

1.2 Automatically Collected Information

  • Usage Data: How you interact with our platform, features used, and evaluation history
  • Device Information: IP address (hashed for privacy), browser type, operating system
  • Cookies: We use essential cookies for authentication and session management (Supabase auth). No tracking or advertising cookies.
  • Access Tokens: Temporary tokens to link anonymous evaluations to your account if you later sign up (enables "claim previous evaluations" feature)

2. How We Use Your Information

  • Provide Services: Process CV evaluations using AI, generate match scores, provide recruitment insights, and generate career materials (cover letters, interview prep)
  • CV Improvement Tracking: Compare multiple versions of your CV to track improvements over time and provide iteration insights
  • Credit Management: Track credit usage and eligibility for promotional offers to prevent abuse and ensure fair access
  • Purchase Intent Analysis: Analyze signals when users attempt to purchase credits to improve our pricing and product offerings
  • Improve Platform: Analyze usage patterns to enhance our AI models and user experience
  • Communication:
      • Transactional emails: Evaluation results, account security alerts, service updates (you cannot opt-out of these)
      • Marketing emails: Product updates, tips, promotions (opt-in only, you can unsubscribe anytime)
  • Security: Detect fraud, prevent abuse, and enforce our terms of service
  • Legal Compliance: Comply with applicable laws and regulations

3. Your Consent

We obtain your explicit consent before processing your personal data with AI:

3.1 Free CV Checker

Before using our free CV evaluation tool, you must:

  • Explicitly consent to AI processing of your CV and job description
  • Acknowledge that data will be automatically deleted after 30 days
  • Understand that we use Anthropic's Claude AI for evaluation
  • You can withdraw consent by requesting immediate deletion at privacy@tanova.com

3.2 Job Seeker Accounts

When you create a job seeker account to access advanced features:

  • You consent to storing your CVs, evaluations, and career materials
  • Your data is automatically deleted after 30 days (see Section 11.3 for details)
  • You can export all your data at any time from your account settings
  • You can delete your account and all data immediately via account settings
  • Claim Previous Evaluations: When you sign up, you can claim anonymous evaluations you created before registration. This links your email to previously anonymous data.
  • CV Synthesis: We can combine multiple CV versions using AI to create tailored CVs for specific roles. This uses the same AI processing (Anthropic Claude) as evaluations.
  • Candidate Pool (Optional): You may opt-in to make your profile visible to recruiters in our talent pool. You can opt-out at any time.
  • Career Tools: We use AI to generate cover letters, interview prep, and career insights based on your CV and preferences
  • LinkedIn Optimization: If you connect your LinkedIn account (via OAuth), we access your profile data (read-only) to provide optimization suggestions. We do not post to LinkedIn without your explicit permission. You can disconnect at any time.

3.3 Job Applications

When applying to public job postings:

  • You consent to the recruiting agency processing your CV
  • The agency uses Tanova's AI (powered by Anthropic Claude) for evaluation
  • Your data is subject to both the agency's and Tanova's privacy policies
  • Data is automatically deleted after 30 days unless the agency converts you to a candidate

3.4 Agency Users

When agencies upload candidate CVs:

  • The agency confirms they have obtained candidate consent
  • The agency is responsible for informing candidates about AI processing
  • Tanova processes data on behalf of the agency as a data processor

3.5 Automated CV Processing via API

Recruitment agencies may use our API integration to automatically sync CVs from their systems. When CVs are submitted via API:

  • Legal Basis: CVs are processed under the agency's legitimate interest in efficient recruitment operations (GDPR Article 6(1)(f))
  • Standard Protections: All standard data retention periods and candidate rights apply
  • Security: API access is secured with encrypted keys and monitored for security
  • Agency Responsibility: The uploading agency is responsible for informing candidates about automated processing and ensuring they have a lawful basis for data transfer
  • Compliance: Agencies using API integrations must follow our CV Sync GDPR Guide for compliance requirements

4. AI Processing & Third-Party Services

We use Anthropic's Claude AI to evaluate CVs against job requirements. When you upload a CV or job description:

4.1 Anthropic Claude AI

  • The content is sent to Anthropic's API for AI analysis
  • Data Processing Agreement: Anthropic processes data on our behalf under a Data Processing Agreement (DPA) that ensures GDPR compliance
  • No Training on Your Data: Anthropic does not train AI models on your data per their commercial terms and Trust & Safety commitments
  • International Transfers: Data transfers to Anthropic (US-based) are protected by Standard Contractual Clauses (SCCs) approved by the European Commission
  • Security: Anthropic maintains SOC 2 Type 2 certification and industry-leading security practices
  • Learn More: Anthropic Trust Center and Privacy Policy

4.2 Other Third Parties

  • Amazon S3 (Singapore): Secure storage of CV files (encrypted at rest and in transit)
  • Supabase (Singapore): Authentication and user management
  • Railway (Singapore): PostgreSQL database hosting
  • Umami Analytics: Privacy-first, self-hosted analytics (no cookies, GDPR-compliant)
  • We do not share candidate personal information with other third parties for marketing

4.3 Automated Decision Making

Our AI evaluations involve automated processing. Under GDPR Article 22, you have the following rights:

  • For Job Seekers: AI provides advisory feedback only - you decide how to use the insights and recommendations
  • For Recruiters: AI scores are recommendations, not final hiring decisions - human review and judgment are required
  • No Solely Automated Decisions: No hiring or career decisions are made solely by automated means without human involvement
  • Right to Object: You can object to automated processing or request human review by contacting privacy@tanova.com
  • Transparency: Our AI evaluation criteria are explained in our 7D Framework documentation

5. Data Storage & Security

5.1 Data Location

  • Primary Infrastructure: Singapore (Asia-Pacific region) - Database (Railway), Authentication (Supabase), File Storage (Amazon S3)
  • AI Processing: United States (Anthropic Claude API)
  • For Job Seekers: When you use our service, your CV data is transferred to the United States for AI processing (Anthropic). These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission and Anthropic's Data Processing Agreement.
  • For Recruiters: Candidate data you upload is similarly transferred to the US for AI evaluation, protected by the same safeguards.
  • Data Transfers: All data transfers between regions are encrypted in transit (TLS 1.3) and protected by Standard Contractual Clauses (SCCs) for GDPR compliance
  • No EU Storage: We do not currently operate infrastructure in the European Union

5.2 Security Measures

  • Encryption: All data encrypted at rest and in transit using industry-standard protocols (TLS 1.3, AES-256)
  • API Authentication: Third-party integrations secured with encrypted API keys and access controls
  • Key Management: API keys are monitored for usage, can be revoked instantly, and support optional expiration dates
  • Free CV Tool: Personal data in public evaluations automatically deleted after 30 days (see Section 10 for details on anonymization)
  • Recruiter Accounts: You control your data and can delete evaluations at any time
  • IP Addresses: Stored as SHA-256 hashes for rate limiting (not reversible to original IP)
  • Access Controls: Only authorized personnel can access stored data
  • Anonymized Data: Stored separately from personal data with no identifiable information

6. Data Sharing & Disclosure

We do not sell your personal information. We may share data only in these cases:

  • With Your Consent: When you explicitly authorize sharing (e.g., sharing evaluation links, opting into candidate pool)
  • Candidate Pool: If you opt-in as a job seeker, your profile (CV, skills, experience) may be visible to registered recruiters searching our talent pool
  • Service Providers: Anthropic (AI processing), hosting providers, payment processors
  • Legal Requirements: When required by law, court order, or government request
  • Business Transfers: In case of merger, acquisition, or sale of assets

7. Your Rights

Depending on your location, you may have the following rights:

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate or incomplete information
  • Deletion: Request deletion of your data (subject to legal obligations)
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to processing of your personal data
  • Withdraw Consent: Withdraw consent for data processing at any time

To exercise these rights, contact us at privacy@tanova.com

8. GDPR Compliance (EU Users)

If you are in the European Economic Area (EEA), we process your data based on:

  • Contractual Necessity: To provide our recruitment services
  • Legitimate Interest: To improve our platform and prevent fraud
  • Consent: Where you have explicitly agreed (e.g., marketing emails)
  • Legal Obligation: To comply with applicable laws

9. Cookies & Tracking

We use cookies for:

  • Essential Cookies: Authentication, session management, security
  • Analytics: Understanding how users interact with our platform (aggregated data only)

You can control cookies through your browser settings, but disabling essential cookies may affect platform functionality.

10. Children's Privacy

Tanova is not intended for users under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

11. Data Retention & Anonymization

We retain your data for different periods depending on how you use Tanova:

11.1 Free CV Checker (No Account)

When you use our free CV checker without creating an account:

  • Personal Data Deletion: Your CV text, job description, candidate names, and all personally identifiable information (PII) are automatically deleted after 30 days
  • Anonymized Data Retention: We retain anonymized, aggregated data to improve our AI and service quality. This includes:
      • Evaluation scores (aggregate numbers only)
      • Feedback signals (thumbs up/down)
      • General job category (e.g., "Software Engineer", "Marketing Manager")
      • Experience level (e.g., "Junior", "Mid", "Senior")
      • Industry category (e.g., "Technology", "Healthcare")
  • Important: This anonymized data cannot be used to identify you or recreate your CV. It contains no names, contact information, or personal details.
  • Legal Basis: We process anonymized data under GDPR Article 6(1)(f) - Legitimate Business Interest for service improvement and AI training
  • Immediate Deletion: You can request immediate deletion of your evaluation at any time by contacting privacy@tanova.com

11.2 Registered Accounts (Recruitment Agencies)

  • Account Data: Retained while your account is active and you control your data
  • Candidate Evaluations: Agencies can configure data retention policies:
      • Keep Forever: Evaluation data retained indefinitely (default)
      • 90 Days: Automatic deletion after 90 days
      • 180 Days: Automatic deletion after 180 days
      • 365 Days: Automatic deletion after 365 days
  • Before Deletion: Evaluation data is anonymized (same process as Section 11.1) before deletion to preserve analytics
  • Manual Deletion: You can delete evaluations at any time through your dashboard
  • Account Deletion: All personal data permanently deleted within 90 days of account closure
  • Anonymized Analytics: Account activity may be aggregated (anonymously) for platform improvement

11.3 Job Seeker Accounts

When you create a job seeker account:

  • Personal Data Deletion: Your CVs, evaluations, career materials, and all personally identifiable information are automatically deleted after 30 days
  • Account Data: Your account profile (name, email) is retained while your account is active
  • Anonymized Data Retention: Evaluation scores and feedback are anonymized (same process as Section 11.1) before deletion
  • Manual Deletion: You can delete individual evaluations or CVs at any time through your dashboard
  • Export Your Data: Download all your data in JSON format at any time from Settings > Data & Privacy
  • Account Deletion: You can delete your entire account and all associated data immediately from Settings > Account. All personal data is permanently deleted within 90 days.
  • Candidate Pool: If you opt-in to the candidate pool:
      • Your profile remains visible to recruiters until you opt-out or delete your account
      • You can opt-out at any time, which immediately removes your profile from recruiter searches
      • Pool opt-out does not delete your account - only removes you from recruiter visibility
  • Subscription Data: Billing history retained for accounting purposes per legal requirements (typically 7 years)

11.4 Legal & Compliance

  • Legal Holds: Data may be retained longer if required by law, regulation, or legal proceedings
  • Fraud Prevention: Anonymized fraud detection data may be retained indefinitely

11.5 Why We Anonymize Instead of Deleting Everything

Anonymized data helps us:

  • Improve AI accuracy and evaluation quality for all users
  • Understand which features are most valuable
  • Identify and fix issues in our platform
  • Provide social proof ("Based on 10,000+ evaluations")
  • Your Privacy is Protected: Anonymized data is exempt from GDPR deletion requests because it cannot identify individuals

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on our platform. Continued use after changes constitutes acceptance of the updated policy.

13. Data Breach Notification

In the unlikely event of a data breach affecting your personal information:

  • Timely Notification: We will notify you within 72 hours of becoming aware of a breach that poses a risk to your rights and freedoms
  • What We'll Tell You: The notification will include the nature of the breach, categories of data affected, likely consequences, and measures we're taking to address it
  • Regulatory Notification: We will notify relevant supervisory authorities (e.g., data protection authorities) as required by GDPR Article 33
  • Our Commitment: We maintain robust security measures to minimize the risk of breaches (see Section 5.2)
  • Contact: If you suspect unauthorized access to your data, contact us immediately at privacy@tanova.com

14. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

  • Email: privacy@tanova.com
  • Support: support@tanova.com