Privacy Policy
Effective date: 4 September 2025
Last updated: 17 December 2025
This Privacy Policy explains how Nafite B.V. (“Resumaro”, “we”, “us”, “our”) collects, uses, discloses, and protects personal data when you use our websites, apps, APIs and services (collectively, the “Service”).
Controller: Nafite B.V., Standaardruiter 9, 3905 PT Veenendaal, The Netherlands.
KvK: 76060217 • VAT: NL860493222B01
Contact: hello@resumaro.com
Resumaro is a B2B service. For most candidate data that our customers manage in the Service, the customer is the Controller and Resumaro acts as Processor. For our own account, billing, security, product analytics and marketing data, Resumaro is the Controller.
We process personal data in accordance with GDPR principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
1. What we process
1.1 Account and billing data (Controller)
Identity and contact: name, business email, role, company, address.
Account data: login identifiers, plan, preferences, support history, credit usage (AI credits, export credits).
Billing: payer details, invoices, payment confirmations (via Stripe; we don’t store full card numbers), purchase history for export credits and custom templates.
Product telemetry: feature usage events, timestamps, device/browser info, IP, approximate location, crash logs.
1.2 Candidate and CV data (Processor)
CV content: personal details provided by you or the candidate (e.g., work history, education, skills, languages, summaries, profile photo), and files you upload.
Edits and versions: change history, visibility flags, translations, AI improvements you apply.
Sharing: secure, time-limited candidate edit links (no login required by default).
Exports: generated PDF/DOCX files (including anonymized versions if you enable that option).
1.3 Integrations and API
Connectors: systems you choose to connect (e.g., ATS/CRM). We process and transmit data you instruct us to sync.
API/Webhooks: payloads you send to our endpoints and event notifications we deliver.
2. Sources
Directly from you and your authorized users (manual input, uploads, API calls).
From candidates who use secure edit links you share with them.
From your configured integrations (ATS/CRM) and our product telemetry.
3. Purposes and legal bases
3.1 As Controller
Provide the Service and support: Art. 6(1)(b) GDPR (contract) and Art. 6(1)(f) (legitimate interests).
Security and abuse prevention: authentication, logging, fraud prevention, incident response – Art. 6(1)(f) (legitimate interests).
Billing and compliance: invoicing, tax and accounting records – Art. 6(1)(c) (legal obligation).
Product improvement and analytics: aggregated usage metrics, troubleshooting, UX research – Art. 6(1)(f) (legitimate interests).
Marketing communications: with consent where required; you can opt out anytime – Art. 6(1)(a) (consent) or 6(1)(f) (legitimate interests).
3.2 As Processor (on your documented instructions)
Recruitment enablement: create/import/edit CVs, AI enhancements, translations, exports, sharing, integrations to your ATS/CRM – Art. 28 GDPR.
You remain responsible for your lawful basis to process candidate data in Resumaro (e.g., consent, contract, legitimate interests).
4. AI features
We use reputable AI providers (e.g., OpenAI API) to enhance text, correct grammar, and translate content you select. Content is transmitted securely to the provider and returned to your session.
Data protection: We do not sell Customer Data. We have configured our AI providers (including OpenAI) to not use Customer Data for training or model improvement. Customer Data is used solely for processing your requests and is not shared with third parties or used to train AI models.
Accuracy: AI output may be inaccurate or biased; your users must review before use.
Automated decisions: We do not conduct solely automated decision-making producing legal or similarly significant effects.
5. Sharing and sub-processors
We share personal data only with the following categories of sub-processors:
Infrastructure and product: Google Cloud / Firebase (hosting, storage, authentication, analytics).
AI services: OpenAI (text generation, correction, translation). We have configured OpenAI to not use your data for training or model improvement.
Document conversion: Microsoft Graph API (temporary processing for PDF conversion only; files are deleted immediately after conversion and are not stored).
Job search: JSearch API (we only send job search queries such as job titles and locations; no personal candidate data is transmitted).
Payments: Stripe (subscription billing).
Email delivery: SendGrid or equivalent (transactional email).
Customer-configured destinations: the ATS/CRM and tools you connect (e.g., Workday, Greenhouse, Lever, SmartRecruiters, iCIMS, Bullhorn, Teamtailor, Recruitee, Salesforce, BambooHR, etc.).
Professional services: auditors, legal counsel (as necessary and under confidentiality).
We maintain a current list of sub-processors in our DPA or documentation and will notify you of material changes as required.
6. International transfers
Some providers are located outside the EEA/UK. Where we transfer personal data internationally, we rely on adequacy decisions (where available) or Standard Contractual Clauses (SCCs) and implement supplementary safeguards. Details are in our DPA and sub-processor list.
7. Retention
Account and billing records: typically 7 years (Dutch tax law).
Support and ticketing: up to 24 months after closure.
Security logs: typically 12 months (longer for investigations).
Backups: normally 30-90 days rolling.
Candidate/CV data: retained as long as your account remains active or until you delete it or instruct us to delete it.
Candidate edit links: time-limited by default; you control expiry and revocation.
We may retain data longer where required by law, to resolve disputes, or enforce agreements.
8. Security
We implement appropriate technical and organizational measures, including:
Encryption in transit and at rest
Role-based access controls and least privilege
Multi-factor authentication for privileged access
Secure development practices, logging and monitoring
Regular backups and disaster recovery procedures
Audit trail and version history within the app
Anonymized export option you can enable for CVs
No system is 100% secure. If we identify a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, as required by GDPR Articles 33 and 34.
9. Your rights (EU/EEA and UK)
Subject to conditions and your role (Controller vs Processor), you may have the right to:
Access your personal data (Art. 15 GDPR): Request a copy of personal data we hold about you.
Rectify inaccurate data (Art. 16 GDPR): Request correction of inaccurate or incomplete data.
Erase data (Art. 17 GDPR, right to be forgotten): Request deletion of your personal data, subject to legal obligations.
Restrict processing (Art. 18 GDPR): Request limitation of how we process your data.
Data portability (Art. 20 GDPR): Receive your data in a structured, commonly used, machine-readable format (e.g., JSON, CSV) and transmit it to another controller.
Object to processing (Art. 21 GDPR): Object to processing based on legitimate interests or for direct marketing purposes.
Withdraw consent (Art. 7 GDPR): Where processing is based on consent, withdraw it at any time without affecting the lawfulness of processing before withdrawal.
How to exercise your rights: Send a written request to hello@resumaro.com with sufficient information to identify you and specify the right(s) you wish to exercise. We may request additional information to verify your identity.
When we act as Processor: Please send data subject requests to your organization (the Controller). We will assist the Controller as required by the DPA and within the timeframes specified therein.
Response time: We aim to respond to your request within one month (30 days) of receipt. This may be extended by two months for complex requests, in which case we will inform you within one month and explain why.
No charge: Exercising your rights is generally free of charge. We may charge a reasonable fee if requests are manifestly unfounded or excessive, particularly if repetitive.
Right to lodge a complaint: You have the right to lodge a complaint with your local supervisory authority if you believe we have not handled your personal data in accordance with GDPR. In the Netherlands: Autoriteit Persoonsgegevens (www.autoriteitpersoonsgegevens.nl).
10. Cookies and similar technologies
We use essential cookies to run the Service and (with consent, where required) analytics/marketing cookies to improve performance and measure usage. For details, see our Cookie Notice. You can change preferences in our consent banner at any time. Not consenting may affect certain features.
11. Children and special categories of data
Our Service is not directed to children under 16. We do not knowingly process children’s data. If you believe a child has provided personal data, contact us to delete it immediately.
Special categories of personal data: If you process special categories of personal data (e.g., health data, biometric data, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, sexual orientation) through our Service, you must ensure you have a valid lawful basis under GDPR Article 9 and any applicable national law. We process such data only on your documented instructions as Processor.
12. Data Processing Addendum (DPA) and Records of Processing
For Customer Data where we act as Processor, our DPA (incorporated by reference into our Terms) governs processing instructions, confidentiality, sub-processors, international transfers (SCCs), security, assistance with data subject rights, and deletion/return of data at end of service.
We maintain records of processing activities as required by GDPR Article 30, documenting the purposes of processing, categories of data subjects and personal data, recipients, transfers, retention periods, and security measures.
Privacy by design and default: We implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose is processed, and that data is not made accessible to an indefinite number of persons without your intervention.
13. Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational, legal, or regulatory reasons. Material changes will be notified in-app or by email at least 30 days before they take effect. The updated Policy takes effect on publication unless otherwise stated. Continued use of the Service after changes constitutes acceptance of the updated Policy.
14. Contact and Data Protection Inquiries
For privacy-related inquiries, data subject requests, or to exercise your rights:
Nafite B.V. (Resumaro)
Standaardruiter 9, 3905 PT Veenendaal, The Netherlands
Email: hello@resumaro.com
Subject line: “Privacy Request” or “Data Subject Request”
For general inquiries: hello@resumaro.com