Legal
Privacy Policy
Last updated: [EFFECTIVE DATE]
1. Who We Are
Rekvo is operated by [COMPANY NAME] Limited, a company incorporated in England and Wales under company number [COMPANIES HOUSE REGISTRATION NUMBER], with its registered office at [REGISTERED ADDRESS, UK] ("Rekvo", "we", "us", "our").
Rekvo provides an AI-powered recruitment platform at rekvo.io that enables businesses to upload, organise, and evaluate candidate CVs, run AI-assisted candidate matching, and manage their hiring pipeline.
For data protection enquiries, contact us at: privacy@rekvo.io
We are registered with the UK Information Commissioner's Office (ICO) under registration number [ICO REGISTRATION NUMBER].
2. Scope of This Policy
This policy covers two distinct categories of personal data we handle:
Account Data — personal data belonging to our customers (recruiters, HR teams, hiring managers) who register and use Rekvo. For this data, Rekvo is the Data Controller.
Customer Data — personal data belonging to third-party candidates whose CVs and information are uploaded into Rekvo by our customers. For this data, the customer is the Data Controller and Rekvo is the Data Processor acting under the customer's instruction.
3. The Data We Collect
3.1 Account Data (about you as our customer)
When you register and use Rekvo, we collect:
- Identity data: first name, last name
- Contact data: work email address
- Organisation data: company name
- Account credentials: your password, stored as a one-way cryptographic hash — we never store your plaintext password
- Billing data: subscription plan, payment history. Card details are collected and stored exclusively by our payment processor, Stripe. We do not receive or store full card numbers.
- Usage data: features you use, AI match runs performed, CVs uploaded, jobs created, timestamps of activity
- Technical data: IP address, browser type, operating system, session identifiers
- Communications: emails or support messages you send us
3.2 Customer Data (candidate data you upload)
When you upload CVs and candidate information to Rekvo, that data is processed on your behalf. Candidate CVs typically contain names, email addresses, phone numbers, employment history, educational qualifications, skills, and any other information the candidate has included in their CV.
We do not solicit special category data (health information, ethnic origin, biometric data, etc.) about candidates. If such data appears in an uploaded CV, it is incidental and processed solely to provide the service.
4. Legal Bases for Processing Account Data
| Purpose | Legal Basis |
|---|---|
| Creating and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Providing the Rekvo service | Performance of a contract (Art. 6(1)(b)) |
| Processing payments | Performance of a contract (Art. 6(1)(b)) |
| Transactional emails | Performance of a contract (Art. 6(1)(b)) |
| Security, fraud prevention, platform improvement | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance (tax records, court orders) | Legal obligation (Art. 6(1)(c)) |
| Marketing communications (if opted in) | Consent (Art. 6(1)(a)) |
5. Customer Data — Our Role as Data Processor
When you upload candidate CVs to Rekvo, you are the Data Controller for that data. Rekvo acts as your Data Processor and processes candidate data only to provide the services described in our Terms of Service.
You are responsible for ensuring you have a lawful basis to upload and process candidate personal data, and that your privacy notices to candidates disclose that their data may be processed by AI-powered third-party service providers.
6. AI Processing — Important Disclosure
Rekvo uses artificial intelligence to power its core features. The following AI processing occurs:
- CV parsing: CV content is analysed by AI to extract structured information (name, skills, employment history, etc.)
- Candidate matching: Job descriptions and CV data are processed by AI to generate relevance scores
- Interview question generation: CV data and job descriptions are processed to generate tailored interview questions
- Job description generation: Text you provide is processed by AI to generate or expand job description content
- Candidate comparison: CV data for selected candidates is processed to generate a comparative analysis
AI Provider: These features are powered by Groq, Inc. (USA), using large language models (Llama series). Data submitted to Groq via API is used solely to generate responses and is not used by Groq to train their models.
Human oversight: All AI outputs on Rekvo are tools to assist human decision-making. No hiring decision is made automatically without human review. You remain responsible for all employment decisions made using our platform.
No training on your data: We do not use your Customer Data to train, fine-tune, or improve AI models.
7. Data Sharing and Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Groq, Inc. | AI inference — CV parsing, matching, question generation, JD generation, comparison | USA |
| Stripe, Inc. | Payment processing and subscription management | USA |
| Brevo (Sendinblue SAS) | Transactional email delivery (verification, password reset, team invites) | France (EU) |
| Google LLC | Website analytics (Google Analytics 4) — anonymised usage data only | USA |
We do not sell personal data to third parties. We do not share personal data with advertisers or data brokers.
8. International Data Transfers
Some sub-processors are located in the United States. We transfer personal data to the USA under UK International Data Transfer Agreements (IDTAs) and/or EU Standard Contractual Clauses (SCCs). You may request a copy of the relevant transfer safeguards by contacting privacy@rekvo.io.
9. Data Retention
| Data Category | Retention Period |
|---|---|
| Account Data (active account) | Duration of your account |
| Account Data (after deletion) | 30 days, then permanently deleted |
| Customer Data (candidate CVs) | Deleted when you delete the candidate or close your account |
| Billing and payment records | 7 years (UK tax law) |
| Security logs | 12 months |
| Support correspondence | 3 years |
10. Your Rights
Under UK GDPR and EU GDPR, you have the right to:
- Access — request a copy of your personal data
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your data. You can delete your account from Account Settings → Delete Account.
- Restriction — request we restrict processing in certain circumstances
- Portability — request a machine-readable copy of data you provided to us
- Object — object to processing based on legitimate interests or for direct marketing
- Withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact privacy@rekvo.io. We will respond within one month.
Candidates: If your CV was uploaded by a recruiter, your rights requests should be directed to that recruiter (the Data Controller). You may also contact us and we will forward your request appropriately.
11. Right to Complain
You may lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or call 0303 123 1113. EU residents may contact their local data protection authority.
We would appreciate the chance to address your concerns first — please email privacy@rekvo.io.
12. Security
We protect personal data using:
- Passwords stored as bcrypt hashes
- Authentication via JWT tokens in HttpOnly, Secure cookies (inaccessible to JavaScript)
- Encrypted connections (TLS/HTTPS) for all data in transit
- Full tenant data isolation — each customer's data is separated at the database schema level
In the event of a personal data breach likely to result in risk to your rights, we will notify the ICO within 72 hours and notify affected individuals without undue delay.
13. Cookies
We use essential authentication cookies and Google Analytics 4 cookies to understand how rekvo.io is used. IP addresses are anonymised before any data reaches Google. We do not use advertising or retargeting cookies. Full details, including how to opt out, are in our Cookie Policy.
14. Changes to This Policy
We may update this policy from time to time. When we make material changes, we will notify you by email and/or within the platform at least 14 days before changes take effect.
15. Contact Us
[COMPANY NAME] Limited
[REGISTERED ADDRESS]
England and Wales
Email: privacy@rekvo.io