Zyverno

Confidentiality Charter

Last updated: February 2026

At Zyverno.app, we take your privacy seriously and are committed to processing your personal data responsibly, securely, and transparently.

For UK Users: We comply with all applicable UK data protection and privacy laws, including:

  • UK GDPR (as incorporated into domestic law)
  • The Data Protection Act 2018
  • The Privacy and Electronic Communications Regulations 2003 (“PECR”)
  • Applicable UK employment and equality legislation

For EU / EEA Users: We adhere to EU data protection laws, including:

  • EU GDPR (Regulation (EU) 2016/679)
  • Applicable EU employment and equality legislation

Your data is handled with the highest standards of security, and we only use it to provide and improve our services.

For users outside the UK and EU/EEA: We apply the same high standards of data protection to all users worldwide. Where your local data protection laws provide additional rights, we will honour them. For region-specific enquiries, contact privacy@zyverno.app.

1. Controller Identity

This Confidentiality Charter is issued by:

  • Company name: Zyverno Limited
  • Legal form: Private limited company
  • Company No: 16987963
  • Registered: England and Wales
  • Email: privacy@zyverno.app
  • Platform: Zyverno (zyverno.app)

2. Privacy Contact

For all questions related to personal data processing: privacy@zyverno.app

Zyverno Limited has not yet appointed a formal DPO. A DPO will be appointed if and when required by applicable regulations.

UK Compliance

  • UK GDPR — as incorporated into domestic law via the European Union (Withdrawal) Act 2018
  • Data Protection Act 2018
  • PECR — Privacy and Electronic Communications Regulations 2003
  • Applicable UK employment and equality legislation

EU / EEA Compliance

  • EU GDPR — Regulation (EU) 2016/679
  • EU AI Act — Regulation (EU) 2024/1689
  • ePrivacy Directive — Directive 2002/58/EC
  • Applicable EU employment and equality legislation

4. Controller vs Processor Roles

As Data Processor

When a Customer uses Zyverno for recruitment, the Customer is the Controller and Zyverno Limited is the Processor. Processing is done solely on Customer instructions per a DPA available upon request.

As Data Controller

Zyverno Limited is Controller for: user account data, operational data (analytics, performance, billing), and website visitor data.

5. Categories of Personal Data

Candidate Data (Processor)

  • Identity: name, date of birth, nationality
  • Contact: email, phone, address
  • Professional: CV, experience, education, skills
  • Recruitment: application status, interview notes, screening scores, pipeline stage
  • Communication: emails, SMS, invitations
  • AI-generated: screening transcripts, AI assessments, Lina AI scores

User Data (Controller & Processor)

  • Account: name, email, organisational role
  • Authentication: OTP tokens (not stored after verification), session tokens
  • Activity logs: login history, platform actions

Technical Data

  • IP address, browser type/version, OS, device type
  • Pages visited, features used, timestamps

6. Data Sources (Art. 14 GDPR)

  • Directly from data subjects: applications via public widget, user registration
  • From Customers: CV uploads, manual entries, bulk imports
  • Public application widget: embedded forms on Customer websites
  • Automated: technical data collected during platform use

7. Purposes & Legal Bases

| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing the ATS platform | Contract (Art. 6(1)(b)) |
| AI screening & candidate assessment | Legitimate interest (Art. 6(1)(f)) with human oversight |
| Email/SMS communication | Contract / Legitimate interest (Art. 6(1)(b)/(f)) |
| Platform analytics | Legitimate interest (Art. 6(1)(f)) |
| Security & fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
| Billing & invoicing | Contract (Art. 6(1)(b)) |

8. Data Sharing & Recipients

Customer (Controller)

Candidate data is accessible to the Customer and its authorised Users via role-based access control.

Sub-Processors

| Sub-Processor | Location | Purpose |
|---|---|---|
| OpenAI | US (EU API endpoint) | AI screening, CV parsing (CV text is anonymised before transmission — email, phone, and address are redacted). API data retained up to 30 days for abuse monitoring per OpenAI DPA. |
| Resend | US | Transactional email |
| Telnyx | US | SMS messaging |
| Scaleway | France (EU) | Object storage, file hosting |
| Stripe | US (EU entity) | Payment processing, subscription billing |
| Deepgram | US | Speech-to-text |
| ElevenLabs | US | Text-to-speech |
| Inngest | US | Background job orchestration |

No sale of data: Zyverno Limited does not sell, rent, or trade personal data.

9. SMS Communications

When candidates provide their phone number during a job application processed through our platform, they may receive SMS messages from the recruiting company. These messages are limited to interview invitations and reminders related to the application process.

Data Collected

We store the candidate’s phone number, SMS delivery status, and opt-out preferences. We do not share phone numbers with third parties beyond the SMS delivery provider (Telnyx).

Opt-Out Rights

Candidates can opt out of SMS communications at any time by replying STOP to any message received. Once opted out, no further SMS messages will be sent to that number. To resume messages, reply START. For assistance, reply HELP.

Customer Obligations

Customers using our platform are responsible for obtaining proper consent from candidates before enabling SMS communications. Customers must comply with all applicable telecommunications regulations, including the Telephone Consumer Protection Act (TCPA) in the United States and equivalent regulations in other jurisdictions.

10. International Transfers

EU storage: all primary infrastructure on Scaleway servers in France. Non-EU sub-processor transfers are safeguarded by Standard Contractual Clauses (SCCs) and supplementary technical measures.

11. Data Retention

| Data Category | Retention Period |
|---|---|
| Candidate data | Subscription duration + 30-day export window |
| Screening sessions & AI assessments | Subscription duration, then deleted |
| Soft-deleted records | 30 days recoverable, then purged |
| User accounts | Subscription duration + 30 days |
| OpenAI API data (anonymised CV text, screening conversations) | Up to 30 days (OpenAI abuse monitoring), then automatically deleted |
| Security/access logs | 12 months |
| Billing/invoice records | 7 years (UK and EU legal requirements) |

12. Data Subject Rights (Art. 15–22 GDPR)

  • Access (Art. 15): obtain confirmation and copy of your data
  • Rectification (Art. 16): correct inaccurate data
  • Erasure (Art. 17): request deletion (“right to be forgotten”)
  • Restriction (Art. 18): restrict processing
  • Portability (Art. 20): receive data in machine-readable format
  • Object (Art. 21): object to legitimate-interest processing
  • Automated decisions (Art. 22): not be subject to solely automated decisions with legal effects
  • Withdraw consent: at any time where consent is the basis
  • Lodge complaint: with a supervisory authority (Section 16)

For Candidates: contact the Customer (employer) first. If unresolved, contact privacy@zyverno.app.

Response time: 30 days, extendable by 60 days for complex requests.

13. Automated Decision-Making & AI (Art. 22 + EU AI Act)

Lina AI — Screening Assistant

  • Advisory only: all AI scores and assessments are advisory. No hiring decision is made by AI alone.
  • Human oversight: a qualified recruiter must review before any candidate-affecting decision.
  • Right to explanation: Candidates may request how their assessment was produced.
  • Bias monitoring: Zyverno Limited monitors for bias related to protected characteristics.
  • High-risk classification: AI in recruitment is high-risk under the EU AI Act. Zyverno Limited maintains appropriate risk management and transparency.
  • Data minimisation: CV text is anonymised (email, phone, and address redacted) before being sent to AI sub-processors for parsing. Only the candidate’s name and professional content are transmitted. OpenAI retains API data for up to 30 days for abuse monitoring under its Data Processing Addendum, after which it is automatically deleted. Zero data retention is requested on all API calls.
  • Vision extraction (scanned PDFs): When text extraction fails for scanned or image-based CVs, document page images may be sent to the AI sub-processor for optical analysis. These images may contain visible personal information (name, photo, address). Vision extraction is used only as a last resort when standard text extraction yields insufficient content.

14. Security Measures

  • Encryption in transit: TLS for all data transmission
  • Encryption at rest: server and object storage encryption
  • RBAC: role-based access control
  • Tenant isolation: logical data separation at application level
  • OTP auth: passwordless authentication
  • Breach notification: supervisory authority within 72 hours; affected individuals without undue delay

15. Cookies & Tracking

Only essential cookies: session cookies and security cookies (CSRF). No third-party analytics or advertising cookies. localStorage is used for theme preference only (stays on device).

16. Changes to This Charter

Material changes are communicated at least 30 days in advance via email and platform notice. The updated effective date is shown at the top.

17. Supervisory Authorities

ICO — Information Commissioner’s Office (United Kingdom)

  • Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
  • www.ico.org.uk
  • Tel: 0303 123 1113

CNIL (France)

  • 3 Place de Fontenoy, 75007 Paris, France
  • www.cnil.fr

Data subjects may also lodge a complaint with the supervisory authority in their country of residence.

18. Effective Date

This Confidentiality Charter is effective as of February 2026.