GDPR Compliance
Last updated: March 12, 2026
1. Data Controller Identity
The data controller for personal data collected through account registration, billing, and dashboard use is:
- Name: Code Wizard
- Legal form: Sole trader, Poland
- Email: privacy@resume-mapper.dev
- Service: resume-mapper.dev
2. Dual Role: Controller and Processor
As Data Controller
Resume Mapper acts as an independent data controller for: Customer account data (name, email, organisation name), authentication identifiers, billing status, usage counters, and API Key records. We determine the purposes and means of processing this data.
As Data Processor
Resume Mapper acts as a data processor on behalf of its Customers for all Candidate personal data contained in CV files submitted for parsing. Our Customers are the data controllers for this processing. This data processor role is governed by Section 8 of our Terms of Service, which constitutes a Data Processing Agreement (DPA) in accordance with Article 28 GDPR.
3. Legal Bases for Processing
We process personal data on the following legal bases under Article 6 GDPR:
Art. 6(1)(b) — Contractual necessity
- Providing and operating the Service.
- Managing accounts, API Keys, and Subscriptions.
- Delivering parse results and webhook transmissions.
Art. 6(1)(c) — Legal obligation
- Retaining invoices and transaction records for 5 years (Polish Accounting Act).
- Responding to requests from supervisory authorities.
Art. 6(1)(f) — Legitimate interest
- Fraud prevention and abuse detection.
- Rate limiting for platform security.
- Aggregated, anonymised service analytics.
4. Categories of Personal Data and Purposes
Customer account data
- Data: name, email, organisation name, authentication identifiers.
- Purpose: account creation, authentication, support communication.
- Retention: active account duration + 90 days.
Billing data
- Data: Stripe Customer ID, Subscription ID, plan tier, payment status.
- Purpose: billing management, invoice compliance.
- Retention: 5 years (legal obligation).
Usage and parse history
- Data: parse count, file name, file type, file size, timestamp, success flag.
- Purpose: quota enforcement, debugging, service improvement.
- Retention: 90 days.
Candidate data (processor role)
- Data: CV file content (name, email, phone, employment history, education, skills, etc.).
- Purpose: AI-powered structured data extraction on instruction of Customer.
- Retention: NOT retained. CV files discarded in-memory; Parsed Data not stored.
5. Sub-processors
We engage the following sub-processors. All sub-processors are bound by Data Processing Agreements and are required to implement equivalent data protection standards:
- OpenAI, L.L.C. (USA) — AI extraction (GPT-4o-mini, GPT-4o). Transfer basis: Standard Contractual Clauses (2021/914/EU). Policy: openai.com/policies/privacy-policy
- Google LLC / Firebase (USA) — Authentication and database. Transfer basis: Standard Contractual Clauses. Policy: firebase.google.com/support/privacy
- Stripe, Inc. (USA) — Payment processing. Transfer basis: Standard Contractual Clauses / Stripe DPA. Policy: stripe.com/privacy
- Vercel, Inc. (USA) — Hosting and edge delivery. Transfer basis: Standard Contractual Clauses. Policy: vercel.com/legal/privacy-policy
6. International Transfers
All four sub-processors are based in the United States, which is a third country for GDPR purposes. Transfers are made on the basis of Standard Contractual Clauses (Module 2: Controller-to-Processor and Module 3: Processor-to-Processor) as adopted by European Commission Decision 2021/914/EU of 4 June 2021. We have conducted Transfer Impact Assessments for each sub-processor. Copies of relevant SCC documentation are available upon written request to privacy@resume-mapper.dev.
7. Data Subject Rights and How to Exercise Them
Under Articles 15–22 GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): Obtain confirmation of whether we process your data and receive a copy.
- Right to rectification (Art. 16): Have inaccurate or incomplete data corrected.
- Right to erasure (Art. 17): Request deletion of your data, subject to legal retention obligations.
- Right to restriction (Art. 18): Request that processing is restricted in certain circumstances.
- Right to portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests.
- Right not to be subject to automated decision-making (Art. 22): We do not make solely automated decisions with significant legal effects on individuals.
8. Supervisory Authority
You have the right to lodge a complaint with the competent supervisory authority. The lead supervisory authority for Resume Mapper is:
- Name: President of the Personal Data Protection Office (UODO)
- Address: ul. Stawki 2, 00-193 Warsaw, Poland
- Website: uodo.gov.pl
- Email: kancelaria@uodo.gov.pl
- Phone: +48 22 531 03 00
If you are located in another EU/EEA member state, you may also lodge a complaint with your local supervisory authority.