Privacy Policy

Introduction

This privacy policy aims to explain how the company Annotly SRL, headquartered in Str. Regele Ferdinand, Nr 27, Ap 5, 400110 Cluj Napoca, Romania, with unique registration code (Romanian: CUI) 44697377 (hereinafter AY) processes your personal data, in accordance with all relevant data protection laws and regulations, including the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”).

More specifically, through this document we want to inform you about the personal data that we collect from you or that you make available to us through Gransbe™ (https://www.gransbe.com) and how we process your personal data when you interact with us.

Please read this Privacy Policy carefully, together with any other privacy notice we may provide, so that you are fully informed of how and why we are using your data.

Who Are We?

Annotly SRL, headquartered in Str. Regele Ferdinand, Nr 27, Ap 5, 400110 Cluj Napoca, Romania, with unique registration code (Romanian: CUI) 44697377, is a company established and functioning in accordance with Romanian legislation; email: info@annotly.ro.

We offer you our services, as presented on our platform and in notifications through messenger apps, by means of which we make available to you the Gransbe™ application, an online application tracking system that evaluates your CVs.

To Whom Does This Privacy Policy Apply?

This privacy policy covers the processing of personal data of our users (customers) as well as our business partners.

How Do We Collect Your Data?

As a rule, we collect the personal data that you provide to us directly, by creating a user account on the Gransbe™ platform or while you communicate with our representatives. In some cases, personal data may be collected when you fill in forms requesting information about our services or through conversations on our messenger app services.

What Data Do We Collect About You?

Personal data, or personal information, means any information that relates to an identified or identifiable natural person or any information about an individual from which that person can be identified. Also, personal data that has been anonymized, encrypted or pseudonymized, but can be used to re-identify a person, remains personal data.

Processing personal data includes all the operations we can perform regarding the data, such as collecting, recording, storing, adjusting, organizing, using, disclosing, transferring and deleting them.

Our policy is to process data that is necessary to provide you with our services by means of the Gransbe™ application (including the conclusion of the contract). In general, in order to provide our services, we process the following types of personal data:
- Identification and contact data: first name, last name, phone number, email address, password and login data/username
- Billing address and details about payments from or to you and other details of services we provide you with.

Also, every time you visit www.gransbe.com, some data may be automatically transmitted to our server, such as:
- IP address of the internet connection (private or public depending on the network to which the device used to access the online store is connected);
- Date and time of access, information about how you use our website;
- The address of the page or file accessed;
- The address of the page or the identifier of the application that linked the user to our page;
- The name and version of the application used to access the website;
- Browser type and version;
- Name and version of the operating system;
- Geolocation information, if you have activated this feature on your device.

We will process your preferences in receiving marketing communications. With your consent, we will process your first name, last name, phone number and email address in order to send you newsletters or other commercial offers.

Purpose And Lawful Basis Of Processing Personal Data

| Purpose | Lawful Basis |
| --- | --- |
| Creating your account in order to become our customer | Your consent |
| Providing you with the services ordered as per the Contract concluded according to the Terms and Conditions, including processing the payments | Performance of the Contract; Comply with our legal obligations (such as keeping the accounting documents) |
| Administering our business, maintaining the functionality of our website and application | Our legitimate interests; Comply with our legal obligations |
| Surveys and customer feedback, marketing, analysis and communications. | Your consent; Our legitimate interests |

To Whom May We Disclose Your Personal Data?

As a rule, we will not disclose your personal information to any third party, unless required by law or when necessary to perform the contract with you and administer our business.

Your personal data may be disclosed, as follows:
- To business partners and subcontractors, for the purpose of performing our contracts;
- To service providers that offer technical support for IT matters (maintenance, software development etc.) and security;
- To external consultants (i.e. lawyers, accountants, auditors), when necessary, in order to carry out their activity.

Transferring Your Personal Data Abroad

When performing our activity, your personal data may be transferred abroad to countries of the European Union (“EU”) or the European Economic Area (“EEA”), in accordance with the GDPR provisions.

Outside the EEA, we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.

For How Long Will We Use Your Personal Data?

For the purposes above-mentioned, we will process your personal data throughout the contractual relationship.
We will also process your data after the termination of the contractual relationship in order to fulfill our legal obligations (for example, within the legal deadlines, including those on accounting/fiscal aspects).
Last but not least, if you are still a user of the customer account, we will retain your personal data for as long as your account is active. If you become inactive, your data is retained for 90 days, after which it will be deleted from our systems.

We respect your rights as a customer to determine how your personal information is used. These rights include:

  1. Right to information: You have the right to obtain, free of charge, on request, information on the processing of your personal data
  2. Access to your personal data: You have the right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, you may access the personal data and the conditions under which they are processed, by making a request to that effect. We shall provide you with a copy of the personal data undergoing processing.
  3. Right to rectification: You have the right to obtain the correction of inaccurate data and complete any incomplete data.
  4. Right to erasure: You have the right to obtain erasure of personal data without undue delay in case: (a) the data is no longer required for the original purpose (and there is no new legal purpose), (b) the legal basis for the processing is the consent of the data subject, the data subject withdraws his consent and there is no other legal basis, (c) the data subject exercises his right to object and the controller has no legitimate reasons to continue processing, (d) the data has been processed unlawfully, (e) the deletion is necessary for compliance with EU or Romanian law; or (f) data has been collected in connection with information society services provided to children (if applicable), when specific consent requirements apply. We will not delete your personal data if we are required to comply with legal obligations to retain the data or if your personal data is necessary for us to establish, exercise or defend a right in court.
  5. The right to restriction of processing: You have the right to obtain from the controller restriction of processing where one of the following applies: (a) you contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data; (b) you consider the processing is unlawful and you do not want us to erase the personal data but request the restriction of their use instead; (c) if we no longer need your personal data for the purposes mentioned above, but they are required by you for the establishment, exercise or defense of legal claims; (d) you objected to the processing, for the period of time in which to verify whether the legitimate grounds of the data controller prevail over the rights of the data subject.
  6. Right to data portability: You have the right to receive the personal data concerning you, which you provided to a controller, in a structured, commonly used and machine-readable format and also the right to transmit those data to another controller if the processing is based on your consent or the performance of a contract and is performed by automatic means.
  7. Right to oppose: You have the right to object to processing of personal data on grounds relating to your particular situation, when the processing is based on a legitimate interest, as well as to oppose the processing of data for direct marketing purposes, including the creation of profiles.
  8. Automated individual decision-making, including profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
  9. The right to withdraw your consent: You have the right to withdraw your consent to the processing at any time, when the processing is based on the consent, without affecting the legality of the processing activities carried out up to that time.
  10. Right to file a complaint: You have the right to file a complaint with the Data Protection Authority (ANSPDCP) and the right to go to the competent courts in case of unlawful processing.

Security Of The Data

To ensure that your personal data is not subject to unauthorized access, unauthorized use of data, or destruction, loss or alteration of data, we use appropriate technical and organizational measures, taking all reasonable safeguards.
We work to protect you and Gransbe™ from unauthorized access, alteration, disclosure, or destruction of information we hold, including:
- We use encryption to keep your data private while in transit
- We review our information collection, storage, and processing practices, including physical security measures, to prevent unauthorized access to our systems
- We restrict access to personal information to Gransbe™ employees, contractors, and agents who need that information in order to process it. Anyone with this access is subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

Amending The Privacy Policy

From time to time, we may update or modify our Privacy Policy. In this case, such amendments will be made available on our platform, in the Privacy Policy section, and will be communicated to you by any means that ensures effective communication.

Use Of Cookies

The Gransbe™ platform uses so-called “cookies”. Cookies are small text files that are automatically generated by your browser (for example Safari, Chrome, or Internet Explorer) and are stored on your device (laptop, tablet, smartphone etc.) by the web server.

Cookies enable us to enhance our service quality and allow us, for example, to optimize the use of our Services for you so that we can better tailor our Services to your needs and display them in the most efficient way on your device. We use so-called “session cookies”, which allow us to recognize that you have already visited certain pages on our platform. These cookies will be deleted when you leave our platform and log out.

In case you do not log out when leaving our platform, the session cookies will be deleted after 30 days. The data generated by these cookies is necessary for the above stated purposes and we will only make use of the data strictly in accordance with the applicable laws and regulations and any contractual terms.

The majority of browsers automatically accept cookies. However, you can prevent the storage of cookies by selecting the appropriate settings on your browser software to change the preferences to reject cookies or always to be notified when you receive a cookie, before it would be stored.

Please note that disabling cookies may limit the functionality of our platform and may also limit or prevent the use of our services.

Use Of Analysis And Tracking Tools (Matomo)

  1. Purpose of the processing

Matomo is used to analyse the behaviour of website visitors to identify potential pitfalls: not-found pages, search engine indexing issues, which contents are the most appreciated… Once the data is processed (number of visitors reaching a not-found page, viewing only one page…), Matomo generates reports for website owners to take action, for example changing the layout of the pages, publishing some fresh content, etc.

Matomo is processing the following personal data:

  • Cookies
  • IP address
  • User ID
  • Custom Dimensions
  • Custom Variables
  • Location of the user

And also:

  • Date and time
  • Title of the page being viewed
  • URL of the page being viewed
  • URL of the page that was viewed prior to the current page
  • Screen resolution
  • Time in local timezone
  • Link clicks to an outside domain
  • Pages generation time
  • Country, region, city
  • Main Language of the browser
  • User Agent of the browser
  • Session recording, mouse events (movements, content forms and clicks)
  • A/B Tests

The processing of personal data with Matomo is based on legitimate interests.

  2. The legitimate interests

Processing your personal data such as cookies is helping us identify what is working and what is not on our website. For example, it helps us identify if the way we are communicating is engaging or not and how we can organize the structure of the website better. Our team is benefiting from the processing of your personal data, and they are directly acting on the website. By processing your personal data, you can profit from a website which is getting better and better.

Without the data, we would not be able to provide you the service we are currently offering to you. Your data will be used only to improve the user experience on our website and help you find the information you are looking for.

  3. Recipient of the personal data

The personal data received through Matomo are sent to:

  • Our company.
  • Our service provider: InnoCraft, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand

  4. Details of transfers to third country and safeguards

Matomo data is hosted in Germany.

  5. Retention period or criteria used to determine the retention period

We keep the personal data captured within Matomo for a period of 12 months.

  6. The existence of each of the data subject’s rights

As Matomo is processing personal data on legitimate interests, you can exercise the following rights:

  • Right of access: you can ask us at any time to access your personal data.
  • Right to erasure: you can ask us at any time to delete all the personal data we are processing about you.
  • Right to object: you can object to the tracking of your personal data by using the following opt-out feature:

  7. The right to lodge a complaint with a supervisory authority

If you think that the way we process your personal data with Matomo analytics is infringing the law, you have the right to lodge a complaint with a supervisory authority.

  8. Whether the provision of personal data is part of a statutory or contractual requirement or obligation, and possible consequences of failing to provide the personal data

If you wish us to not process any personal data with Matomo, you can opt-out from it at any time. There will be no consequences at all regarding the use of our website.

  9. The existence of automated decision-making, including profiling and information about how decisions are made, the significance and the consequences

Matomo is not doing any profiling.

Use Of Google Login And User Data

Google offers a secure and convenient authentication service called “Log in with Google,” which allows users to sign into third-party applications using their Google account credentials. By leveraging Google’s OAuth 2.0 protocol, this feature provides a fast and secure way to access apps without needing to create new login details. It also helps enhance security by utilizing Google’s infrastructure, which includes features like multi-factor authentication and encrypted communication, to protect users’ data during the login process. Our application uses “Log in with Google” solely for authentication purposes, ensuring a streamlined and secure login experience.

1. Data Collection and Usage

Our application uses Google OAuth for user authentication. When you log in using your Google account, we collect and store the following information from your Google account:

  • Email Address: This is collected to identify your account for login purposes and to personalize your experience within the app.

We do not collect any other information from your Google account beyond the email address.

2. Data Storage and Retention

The email address and authentication tokens associated with your Google login are stored securely on our servers. These are retained to facilitate future logins and to provide you continuous access to your account without needing to log in each time.

  • Data Retention: We store this data until you choose to delete your account. Upon account deletion, all related data, including your email address and authentication tokens, will be permanently removed from our systems.

3. Data Sharing

We do not share your Google login data, including your email address or authentication tokens, with any third parties. Your data is used solely for login authentication and internal purposes related to account management.

4. Security Measures

We implement the following security measures to protect your data:

  • Encryption in Transit: All data transferred between our app and servers, including login tokens and email addresses, is encrypted using HTTPS (SSL/TLS), ensuring that it remains secure during transmission.
  • Access Control: Access to user data is strictly limited to authorized personnel who require it to maintain and operate the system. We take all reasonable steps to ensure that your data remains protected from unauthorized access.

5. Use of Analytics (Matomo)

In addition to Google login data, we collect anonymized usage data through Matomo, an open-source analytics platform, to better understand how users interact with our app. This data helps us improve the app’s functionality and user experience. The data collected by Matomo is not linked to your Google account or email address.

You can choose to opt out of analytics tracking at any time by adjusting your privacy settings.

6. Your Rights

You have the right to:

  • Access or Update your Google account data used for login.
  • Delete Your Account and all associated data, including your email address and authentication tokens, from our systems.

Document Storage (AWS S3)

Amazon S3 (Simple Storage Service) is a cloud-based storage service provided by Amazon Web Services (AWS). It offers scalable, secure, and durable storage for data such as files, documents, and backups. With Amazon S3, data is stored across multiple facilities, ensuring high availability and redundancy. Our application uses S3 to store user-uploaded files, such as CVs, with robust encryption both in transit and at rest, ensuring your data is securely stored and easily accessible when needed.

1. Document Upload and Storage

When users upload documents (e.g., CVs) to our application, these files are stored securely in an Amazon S3 bucket hosted by Amazon Web Services (AWS). The documents you upload may contain personally identifiable information, such as your name, contact details, and other personal data included in your CV.

2. Data Retention and User Control

Documents uploaded to our platform are stored as long as the user requires them. Users have full control over their documents and can:

  • Upload new documents.
  • Overwrite existing documents.
  • Delete documents at any time.

When a document is deleted by the user, it is permanently removed from our servers and cannot be recovered.

3. Data Security

We take the following measures to ensure the security and privacy of the documents stored in our system:

  • Encryption at Rest: All documents stored in our AWS S3 bucket are encrypted using industry-standard encryption methods to ensure they remain protected while stored.
  • Restricted Access: Access to documents stored in the S3 bucket is restricted to authorized personnel only. This access is strictly limited to personnel who need it to maintain and operate the system, and is governed by internal access control policies.
  • Encryption in Transit: All data transferred between the app, the user, and the S3 bucket (such as when uploading or downloading documents) is encrypted using HTTPS (SSL/TLS) to prevent unauthorized interception.

4. Third-Party Sharing

We do not share or provide access to the documents stored in our AWS S3 bucket with any third parties. Your documents are only accessible through our platform and under the control of authorized personnel as described above.

5. Your Rights

You have the right to:

  • Upload and Update your documents at any time.
  • Delete your documents permanently from our systems, which will result in their permanent removal from our AWS S3 storage.

We encourage users to regularly review and manage the documents they store in the system to ensure their personal information remains up-to-date and securely managed.

Hosting and Data Processing (Contabo)

Contabo is a cloud and VPS hosting provider known for offering reliable and affordable server solutions. Our application’s servers are hosted by Contabo, which operates data centers in Germany. These data centers are equipped with high-performance infrastructure and adhere to stringent European data protection standards, ensuring the security and privacy of your personal data.

1. Data Storage and Processing

Our frontend application, API, and database are hosted on servers provided by Contabo. The following types of personal data are stored and processed on these servers:

  • User Credentials: We store user email addresses and passwords. Passwords are hashed using a secure salted hashing algorithm to ensure the confidentiality of your login information.
  • CV Information: When you upload a CV, the extracted data (such as names, contact information, work experience, etc.) is stored in our database.
  • Logs: We store system logs related to user activities and API interactions for operational purposes and to improve our services.

The uploaded files (such as CVs) are temporarily stored in memory and transferred to an Amazon S3 bucket on AWS for long-term storage.

2. Data Retention

We retain your personal data and other associated information for as long as you need it:

  • Active Users: Personal data, including credentials and CV information, is retained for the duration of your use of our service.
  • Inactive Users: If you become inactive, your data is retained for 90 days, after which it will be deleted from our systems.
  • Account Deletion: If you delete your account, all your personal data, including any parsed CV information and login credentials, will be permanently deleted from our database and systems.

3. Data Security

We implement robust security measures to protect the data stored and processed on Contabo servers:

  • Password Hashing: All passwords are securely hashed using a salted hashing algorithm to ensure your credentials are protected.
  • Access Control: Access to your personal data is strictly limited to authorized personnel within our organization. We follow strict internal policies to ensure data privacy and security.
  • Encryption in Transit: Data transmitted between the frontend, API, and other parts of the system is encrypted using HTTPS (SSL/TLS) to protect it from unauthorized interception during transfer.

4. Third-Party Sharing

We do not share the personal data stored on Contabo servers with any third parties. Access to this data is restricted solely to internal personnel responsible for maintaining and operating the system.

5. No Data Backups

Please note that we do not currently maintain separate backups of the data stored on Contabo servers. In the event of a system failure, we may not be able to restore data unless it is currently available within the system.

6. Your Rights

You have the right to:

  • Access, Update, or Delete your data at any time. If you delete your account, all associated personal data will be permanently removed from our systems in accordance with our data retention policy.

CV Analysis Via OpenAI

To enhance our services and improve job-matching accuracy, we use OpenAI’s technology to analyze the CVs uploaded by users. Here’s how we handle and protect this data in relation to OpenAI’s services:

1. Data Sent to OpenAI

When you upload a CV to our platform, we transmit the entire CV content to OpenAI for analysis. This analysis helps us evaluate and improve the alignment between your qualifications and job requirements.

2. Data Processing and Retention by OpenAI

OpenAI may securely retain data (including CV content) sent via the API for up to 30 days to identify potential misuse and ensure the security of their platform. OpenAI does not use this data to improve their models, and data retention is strictly limited to abuse detection purposes only.

3. Data Security

We use encryption in transit to protect your data while it is transferred to and from OpenAI, ensuring it is safeguarded from unauthorized access during transmission.

By using our platform to upload your CV, you acknowledge and agree that your CV data will be analyzed by a third party (OpenAI) as part of our service to improve job-matching functionality. If you do not wish for your data to be processed by OpenAI, please refrain from using this feature or contact us directly for alternatives.

Communication Via Email

When users contact us via email, their messages are handled and stored through Google Workspace, which includes Gmail. This means that your emails and any personal information contained in them (such as your email address and message content) are processed and stored on Google’s servers. Google Workspace adheres to strict security standards, including encryption in transit and at rest, ensuring your communications with us are kept secure.

We use these emails to respond to your inquiries, support requests, or other communications. We do not share your email content with third parties unless required to do so for legal or operational purposes.

Privacy Policy Location And Availability

This privacy policy is available on our verified domain at www.gransbe.com/privacy-policy. It is also accessible from the app’s home page and linked directly to the OAuth consent screen on the Google Cloud Console to comply with Google’s User Data Policy.

Contact

You may contact us in respect to any issue or concern regarding the Privacy Policy by email: contact@annotly.com.

This privacy policy was last updated on the 24th of October 2024.