Privacy Policy
Effective date: 4 September 2025
Last updated: 4 September 2025
This Privacy Policy explains how Nafite B.V. (“Resumaro”, “we”, “us”, “our”) collects, uses, discloses, and protects personal data when you use our websites, apps, APIs and services (collectively, the “Service”).
Controller: Nafite B.V., Standaardruiter 9, 3905 PT Veenendaal, The Netherlands.
KvK: 76060217 • VAT: NL860493222B01
Contact: hello@resumaro.com
Resumaro is a B2B service. For most candidate data that our customers manage in the Service, the customer is the Controller and Resumaro acts as Processor. For our own account, billing, security, product analytics and marketing data, Resumaro is the Controller.
1. What we process
1.1 Account & billing data (Controller)
Identity & contact: name, business email, role, company, address.
Account data: login identifiers, plan, preferences, support history.
Billing: payer details, invoices, payment confirmations (via Stripe; we don’t store full card numbers).
Product telemetry: feature usage events, timestamps, device/ browser info, IP, approximate location, crash logs.
1.2 Candidate & CV data (Processor)
CV content: personal details provided by you or the candidate (e.g., work history, education, skills, languages, summaries, profile photo), and files you upload.
Parsed data: structured fields extracted via Textkernel from PDFs/DOCX.
Edits & versions: change history, visibility flags, translations, AI improvements you apply.
Sharing: secure, time-limited candidate edit links (no login required by default).
Exports: generated PDF/DOCX files (including anonymized versions if you enable that option).
1.3 Integrations & API
Connectors: systems you choose to connect (e.g., ATS/CRM). We process and transmit data you instruct us to sync.
API/Webhooks: payloads you send to our endpoints and event notifications we deliver.
2. Sources
Directly from you and your authorized users (manual input, uploads, API calls).
From candidates who use secure edit links you share with them.
From files you upload for parsing (Textkernel).
From your configured integrations (ATS/CRM) and our product telemetry.
3. Purposes & legal bases
As Controller
Provide the Service & support (Art. 6(1)(b) GDPR – contract; Art. 6(1)(f) – legitimate interests).
Security & abuse prevention: authentication, logging, fraud prevention, incident response (Art. 6(1)(f)).
Billing & compliance: invoicing, tax and accounting records (Art. 6(1)(c) – legal obligation).
Product improvement & analytics: aggregated usage metrics, troubleshooting, UX research (Art. 6(1)(f)).
Marketing communications: with consent where required; you can opt out anytime (Art. 6(1)(a) or 6(1)(f)).
As Processor (on your documented instructions)
Recruitment enablement: create/import/edit CVs, AI enhancements, translations, exports, sharing, integrations to your ATS/CRM (Art. 28 GDPR).
You remain responsible for your lawful basis to process candidate data in Resumaro (e.g., consent, contract, legitimate interests).
4. AI features
We use reputable AI providers (e.g., OpenAI API) to enhance text, correct grammar, and translate content you select.
Content is transmitted securely to the provider and returned to your session.
We do not sell Customer Data. We contractually require that providers do not train public models on your Customer Data (unless you explicitly opt in with that provider).
AI output may be inaccurate or biased; your users must review before use.
We do not conduct solely automated decision-making producing legal or similarly significant effects.
5. Sharing & sub-processors
We share personal data only with:
Infrastructure & product: Google Cloud / Firebase (hosting, storage, auth, analytics).
Parsing: Textkernel B.V. (EU resume parser).
AI: OpenAI (text generation/correction/translation).
Payments: Stripe (subscription billing).
Email delivery: SendGrid or equivalent (transactional email).
Customer-configured destinations: the ATS/CRM and tools you connect (e.g., Workday, Greenhouse, Lever, SmartRecruiters, iCIMS, Bullhorn, Teamtailor, Recruitee, Salesforce, BambooHR, etc.).
Professional services: auditors, legal counsel (as necessary and under confidentiality).
We maintain a current list of sub-processors in our DPA or documentation and will notify you of material changes as required.
6. International transfers
Some providers are located outside the EEA/UK. Where we transfer personal data internationally, we rely on adequacy decisions (where available) or Standard Contractual Clauses (SCCs) and implement supplementary safeguards. Details are in our DPA and sub-processor list.
7. Retention
Account & billing records: typically 7 years (Dutch tax law).
Support & ticketing: up to 24 months after closure.
Security logs: typically 12 months (longer for investigations).
Backups: normally 30–90 days rolling.
Candidate/CV data: retained as long as your account remains active or until you delete it or instruct us to delete it.
Candidate edit links: time-limited by default; you control expiry and revocation.
We may retain data longer where required by law, to resolve disputes, or enforce agreements.
8. Security
We implement appropriate technical and organizational measures, including:
Encryption in transit and at rest;
Role-based access controls and least privilege;
Multi-factor authentication for privileged access;
Secure development practices, logging and monitoring;
Regular backups and disaster recovery procedures;
Audit trail and version history within the app;
Anonymized export option you can enable for CVs.
No system is 100% secure. If we identify a breach impacting your data, we will notify you without undue delay as required by law.
9. Your rights (EU/EEA & UK)
Subject to conditions and your role (Controller vs Processor), you may have the right to:
Access your personal data;
Rectify inaccurate data;
Erase data (“right to be forgotten”);
Restrict or object to processing;
Portability (machine-readable copy);
Withdraw consent where processing is based on consent.
When we act as Processor, please send requests to your organization (the Controller). We will assist the Controller as required by the DPA.
Contact for rights requests: hello@resumaro.com
We aim to respond within 30 days. You can also lodge a complaint with your local authority; in the Netherlands: Autoriteit Persoonsgegevens (www.autoriteitpersoonsgegevens.nl).
10. Cookies & similar technologies
We use essential cookies to run the Service and (with consent, where required) analytics/marketing cookies to improve performance and measure usage. For details, see our Cookie Notice. You can change preferences in our consent banner at any time. Not consenting may affect certain features.
11. Children
Our Service is not directed to children under 16. We do not knowingly process children’s data. If you believe a child has provided personal data, contact us to delete it.
12. Data Processing Addendum (DPA)
For Customer Data where we act as Processor, our DPA (incorporated by reference into our Terms) governs processing instructions, confidentiality, sub-processors, international transfers (SCCs), security, assistance with data subject rights, and deletion/return of data at end of service.
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified in-app or by email. The updated Policy takes effect on publication unless otherwise stated.
14. Contact
Nafite B.V. (Resumaro)
Standaardruiter 9, 3905 PT Veenendaal, The Netherlands
Email: hello@resumaro.com
