UUniformCV← Back to home
⚠️ DRAFT — pending legal review and company details finalization. This document is a template. Placeholders (e.g. company address, tax IDs) will be replaced once the final corporate identity and legal review are in place.

UniformCV · Legal

Privacy Policy

How UniformCV collects, uses and protects personal data under the GDPR.

Effective date: 3 June 2026 · Version 1.0.0

1. Data controller

For personal data relating to Institution account holders, the data controller is Digifox s.r.o., registered seat Trávníky 322/7, 691 52 Kostice, company identification number 23894865 (not a VAT payer).

For personal data submitted by applicants through an Institution's template, the Institution is the controller and UniformCV acts as its processor under Article 28 GDPR. This policy therefore describes both layers of processing.

You can reach our privacy team at privacy@uniformcv.com.

2. What personal data we collect

2.1 Institution accounts

  • identity data: name of the institution, contact person;
  • contact data: work email, optional billing address;
  • account data: hashed password (bcrypt), Supabase user ID, locale, plan tier;
  • payment data: transaction ID, last four digits of card, currency and amount (full card numbers are held by our payment provider, not by us);
  • usage data: login timestamps, templates created, submissions received, downloads generated.

2.2 Applicants

  • identity data: name, optional photograph, date of birth if the Institution's template asks for it;
  • contact data: email, phone, residential address if the template asks for it;
  • CV content: education, work experience, languages, projects, skills and any additional custom questions defined by the Institution;
  • technical data: a hashed IP address (SHA-256 with a rotating salt), timestamp and a honeypot/time-trap signal used solely for abuse prevention;
  • consent record: text hash of the consent statement the applicant accepted, together with timestamp.

3. Legal basis (GDPR Art. 6)

Processing activityLegal basis
Providing the Service to the InstitutionArt. 6(1)(b) — performance of a contract
Billing, accounting and tax recordsArt. 6(1)(c) — legal obligation
Applicant CV processing on behalf of the InstitutionArt. 6(1)(a) — consent, captured with textHash + timestamp
Abuse prevention and platform securityArt. 6(1)(f) — legitimate interest
Service improvement (aggregate usage metrics only)Art. 6(1)(f) — legitimate interest

4. Retention

  • Institution accounts: kept while your account is active. If the account is inactive for 24 months we notify you and delete the account unless you reactivate it.
  • Applicant submissions: retained for 12 months from submission, unless the Institution sets a shorter period or the applicant asks for erasure.
  • Billing records: kept for 10 years as required by Czech accounting and tax law.
  • Generated PDF CVs: cached in private Supabase Storage for the same window as the underlying submission.
  • Hashed IPs and rate-limit counters: rolling 30-day window.

5. Sub-processors

We use a small, vetted set of sub-processors. Each is bound by a written data-processing agreement and EU hosting where available.

ProviderPurposeLocation
SupabasePostgres database, authentication, object storageEU (Frankfurt)
VercelApplication hosting and CDNEU (Frankfurt) with global edge caching
ResendTransactional email (account, submissions, support)EU
ThePay.czPayment processing (EUR and CZK)Czech Republic
Sharp / file-typeServer-side image validation, EXIF stripping and resizing (runs inside UniformCV, no external transfer)In-process

6. International transfers

Personal data is stored and processed within the European Union. Where a sub-processor uses global edge caching (e.g. Vercel for static assets), no personal data is stored at those edge locations; only public marketing assets are served from them.

7. Your rights

Under the GDPR you have the right to:

  • access the personal data we hold about you (Art. 15);
  • rectify inaccurate data (Art. 16);
  • request erasure of your data where one of the Art. 17 grounds applies;
  • restrict or object to processing (Art. 18, 21);
  • receive your data in a portable format (Art. 20);
  • withdraw consent at any time without affecting past processing.

Institution users can exercise most of these rights directly from their dashboard. Applicants should contact the Institution they applied to first, because the Institution is the controller of the submission. You may also write to us at privacy@uniformcv.com and we will route the request appropriately.

8. Cookies and similar technologies

We use a minimal set of cookies:

  • Authentication cookies set by Supabase to keep your session active (strictly necessary).
  • Locale preference to remember whether you prefer English or Czech (functional).

We do not run third-party analytics, advertising or tracking pixels at this time. If we introduce analytics in the future we will update this policy and add a consent banner.

9. Right to lodge a complaint

If you believe our processing infringes the GDPR you may lodge a complaint with the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů): https://www.uoou.cz. EU residents may also contact the supervisory authority in their country of residence.

10. Contact

Privacy questions and data-subject requests: privacy@uniformcv.com.