Home/Privacy Policy

Privacy Policy

Version: 1.0 — Effective April 2026

Data Controller: Ai Consulting (operating the Karrify platform at cvmatch.norabot.ai)

Contact: privacy@cvmatch.norabot.ai

Legal framework: GDPR (EU) 2016/679

Danish law: Databeskyttelsesloven, Act No. 289 of 8 March 2024

Supervisory authority: Datatilsynet (dt.dk)

1. Introduction and Controller Identity

Ai Consulting ("we", "us"), the operating entity of the Karrify platform, is the data controller responsible for personal data processed on this platform. We are committed to protecting your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and the Danish Data Protection Act (Databeskyttelsesloven, Act No. 289 of 8 March 2024).

For data matters: privacy@cvmatch.norabot.ai — we respond within 30 days (GDPR requirement).

2. Data We Collect and Why (GDPR Art. 13/14)

Account Registration Data

Data
Full name, email address, password (hashed)
Why
Create and manage your account
Legal basis
Contract performance (GDPR Art. 6(1)(b))
Retention
Duration of account + 30 days after deletion

Professional Profile Data

Data
CV content, work history, education, skills, career preferences, profile photo, languages
Why
Provide CV building and job matching services
Legal basis
Contract performance (GDPR Art. 6(1)(b))
Retention
Duration of account + 30 days after deletion

Job Application Data

Data
Applications submitted, cover letters, status, employer responses
Why
Facilitate job applications and tracking
Legal basis
Contract performance (GDPR Art. 6(1)(b))
Retention
2 years after application

AI Processing Data

Data
CV content and profile data processed for AI suggestions and job match scores
Why
Provide AI-powered features you request
Legal basis
Contract performance + your explicit request for AI features (GDPR Art. 6(1)(b))
Important
We do NOT use your data to train AI models without your explicit separate consent.

Technical and Usage Data

Data
IP address, browser type, pages visited, feature usage, session duration
Why
Platform security, fraud prevention, performance
Legal basis
Legitimate interest (GDPR Art. 6(1)(f))
Retention
90 days for logs, 1 year for aggregated analytics

Consent Records

Data
Cookie consent, marketing consent, terms acceptance with timestamp
Why
Demonstrate compliance (GDPR accountability principle)
Legal basis
Legal obligation (GDPR Art. 6(1)(c))
Retention
3 years

3. Special Category Data

Karrify does not intentionally collect special category data (GDPR Art. 9) such as health data, racial/ethnic origin, political opinions, or religious beliefs.

If your CV voluntarily includes such information, you provide it voluntarily and we process it only on the basis of your explicit consent by submitting it.

We recommend not including sensitive personal information in your CV unless professionally necessary for your specific field.

4. AI Processing and Automated Decisions

Karrify uses AI for: CV improvement suggestions, job match score calculation, skill gap analysis, and content generation assistance.

GDPR Art. 22 rights: Our AI systems produce advisory scores and suggestions that support your decisions — they do not make binding automated decisions with legal or similarly significant effects on you or employers.

You have the right to request human review of any AI output. Contact: support@cvmatch.norabot.ai

EU AI Act: Our job matching AI may qualify as a high-risk system under EU AI Act Annex III (employment/recruitment). We are implementing compliance measures aligned with the phased obligations through 2026.

5. Data Sharing

We share data ONLY in these circumstances:

With employers

ONLY when you actively apply to a job or explicitly enable profile visibility for employers. You control this through Settings → Profile Visibility.

With infrastructure providers

Hetzner (server hosting, Germany, EU) — under a Data Processing Agreement per GDPR Art. 28. These providers process data only per our instructions.

With payment processors (when enabled)

Stripe Inc. — under their GDPR-compliant terms and our DPA. Only payment data, not CV content.

When legally required

If required by Danish courts, Datatilsynet, or law enforcement with valid legal authority.

We will NEVER:

  • Sell your personal data to any third party
  • Share data with advertisers or marketing brokers
  • Use your CV to train AI models without consent
  • Transfer data outside EU/EEA without adequate protection

6. Data Storage and Security

Location: EU-based servers (Hetzner, Germany). No transfers outside EU/EEA.

Security measures we implement:

  • HTTPS/TLS encryption for all data in transit
  • Encrypted storage for sensitive data at rest
  • bcrypt password hashing (we cannot see passwords)
  • httpOnly secure cookies for authentication
  • Regular security updates and monitoring
  • Strict access controls — minimal staff access
  • Automated database backups (7-day retention)

Data breach procedure:

If we experience a personal data breach, we will: (a) notify Datatilsynet within 72 hours if risk to your rights exists (GDPR Art. 33); (b) notify affected users without undue delay if high risk exists (GDPR Art. 34); (c) document all breaches internally (GDPR Art. 33(5)). Security concerns: privacy@cvmatch.norabot.ai

7. Your Rights Under GDPR

15

Right of Access

Request a copy of all personal data we hold about you.

How: Settings → Privacy & Data → Export My Data, or email privacy@cvmatch.norabot.ai

16

Right to Rectification

Correct inaccurate or incomplete data.

How: Edit your profile directly, or contact us.

17

Right to Erasure — "Right to be Forgotten"

Delete your account and all personal data. Note: some data may be retained where we have legal obligation.

How: Settings → Privacy & Data → Delete Account (data deleted within 30 days)

20

Right to Data Portability

Receive your data in a structured, commonly used, machine-readable format.

How: Settings → Privacy & Data → Export My Data (machine-readable JSON)

21

Right to Object

Object to processing based on legitimate interest (e.g., analytics). We will stop unless compelling legitimate grounds override your interests.

How: Email privacy@cvmatch.norabot.ai

22

Right re Automated Decisions

Request human review of AI-generated outputs that significantly affect you.

How: Contact support@cvmatch.norabot.ai

Response time: within 30 days. Complex requests may take up to 3 months with notice. Exercising rights is FREE of charge.

8. Cookies

See full Cookie Policy.

Essential cookies (required for login/security) cannot be disabled. Functional and analytics cookies require your consent and are managed via the cookie banner or Settings → Privacy → Cookie Preferences.

9. Marketing Communications

We send marketing emails only with your explicit opt-in consent at registration or later. Every marketing email includes an unsubscribe link. We comply with the Danish Marketing Practices Act (Markedsføringsloven).

10. Children

Karrify is not directed at persons under 16. If you believe a person under 16 has registered, contact privacy@cvmatch.norabot.ai for deletion.

11. Changes to This Policy

We will notify you of material changes by email or platform notice at least 30 days before they take effect. This policy is dated and versioned. Previous versions available on request.

12. Complaints and Supervisory Authority

Contact us first: privacy@cvmatch.norabot.ai

Datatilsynet (Danish Data Protection Agency)

Carl Jacobsens Vej 35, 2500 Valby, Denmark

dt.dk·+45 33 19 32 00

EU residents may also contact their local supervisory authority under GDPR Art. 77.

Terms & ConditionsCookie Policyprivacy@cvmatch.norabot.ai