Recruiter Platform — Privacy Policy

1. Data Controller

Resumelyn, operated by an independent developer based in the Netherlands. Contact: hello@resumelyn.com. As an EU-based operator, Resumelyn fully complies with GDPR (Regulation (EU) 2016/679).

2. Data We Collect from Recruiters

When you register and use the Platform as a Recruiter, we collect:

• Account data: company name, contact name, email address, and password (hashed).
• Billing data: transaction references from our payment processor. We do not store payment card data.
• Usage data: search queries performed, profiles viewed, CVs downloaded, session data for security purposes.
• Communication data: emails exchanged with our support team.

3. Legal Basis for Processing (GDPR Art. 6)

4. Joint Controller Arrangement (Candidate Data)

As described in the Terms of Service (Section 3), Resumelyn and the Recruiter act as joint controllers under GDPR Art. 26 for candidate personal data accessed through the Platform. This means:

• Resumelyn is responsible for: obtaining and documenting candidate consent for Talent Pool inclusion, maintaining the candidate database, and processing deletion requests from candidates.
• The Recruiter is responsible for: lawful use of downloaded data, secure storage, timely deletion after hiring processes conclude, and compliance with GDPR in their own jurisdiction.

Resumelyn maintains records of the joint controller arrangement and will provide documentation upon request by a data protection authority.

5. Data Retention

Recruiter account data is retained while the account is active and deleted within 30 days of a confirmed account deletion request. Usage logs are retained for 12 months. Billing records are retained for 7 years as required by Dutch tax law.

6. Sub-processors

The following third parties process Recruiter data on our behalf:

• Supabase: Database and authentication. Recruiter account data and usage logs are stored here with Row Level Security enforced.
• DodoPayments: Payment processing. Billing references only. No account or usage data is shared.
• Resend: Transactional emails. Email address only.

All sub-processors are contractually bound to GDPR-compliant data handling. Where sub-processors operate outside the EEA, transfers are covered by Standard Contractual Clauses approved by the European Commission.

7. Your Rights as a Data Subject

As a Recruiter, you have the following rights under GDPR. Submit requests to hello@resumelyn.com. We will respond within 30 days.

• Right to access: Request a copy of all data we hold about your account.
• Right to rectification: Request correction of inaccurate account data.
• Right to erasure: Request deletion of your account and associated data, subject to legal retention obligations.
• Right to data portability: Receive your account data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interest.

8. Right to Lodge a Complaint

If you believe your data is being processed in violation of GDPR, you may lodge a complaint with the Dutch Data Protection Authority: Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl

9. Security

We implement Row Level Security via Supabase to ensure Recruiter accounts can only access their own usage data. All data is transmitted over encrypted HTTPS. Passwords are cryptographically hashed and are never readable by our team.

10. Changes to This Policy

For material changes that affect how Recruiter data is processed, we will notify you by email at least 14 days before the change takes effect. Continued use of the Platform after receiving notice constitutes acceptance of the updated policy.

11. Contact

For privacy-related questions or to exercise your rights: hello@resumelyn.com