Privacy Policy

Last updated: February 14, 2026

1. Data Controller

PayProof SRL ("PayProof", "we", "us") is the data controller for personal data processed through the PayProof platform. We are registered in Romania and comply with the EU General Data Protection Regulation (GDPR) and Romanian data protection law. Contact: privacy@payproof.co.

2. Data We Collect

Account Data

Email address, phone number (optional), role (candidate/employer), company name (employers), preferred currency, authentication tokens. Legal basis: contract performance.

CV / Resume Data

Uploaded CV files, extracted text, AI-generated summaries (name, skills, experience, education, languages, domain). Legal basis: consent (you choose to upload).

Salary Data

Voluntarily submitted salary information including job title, company, salary amount, location, experience level. Displayed anonymously. Legal basis: consent.

Transaction Data

Wallet top-ups, fees paid, earnings, offer interactions, bid war participation. Payment card details are processed by Stripe and never stored on our servers. Legal basis: contract performance.

Communication Data

Messages between candidates and employers. Legal basis: contract performance (messaging is a core platform feature).

Technical Data

IP address, browser type, device information, access logs. Collected automatically for security and service operation. Legal basis: legitimate interest (security, abuse prevention).

3. How We Use Your Data

We use your data to: operate the platform and provide services; process CV uploads via AI for summarization and matching; match candidates with job listings; facilitate offers, bid wars, and messaging; process payments and manage wallet balances; send transactional emails (offer notifications, bid war updates, messages); prevent fraud and enforce our Terms of Service; improve our AI matching algorithms (aggregated, anonymized data only); and comply with legal obligations.

4. AI Processing

Your CV text is processed by third-party AI services (currently OpenAI and/or Anthropic) to generate structured summaries and match scores. We send only the CV text content — not your email, phone, or payment details. AI processing falls under GDPR Article 22 (automated decision-making). You have the right to request human review of any AI-generated assessment. AI outputs are used to assist, not to make final hiring decisions.

5. Data Sharing

With Employers (Candidate data)

Anonymized profile data (skills, domain, experience level, match score) is shared with Employers during matching. Full CV and contact details are only shared after the Employer pays to unlock them.

With Candidates (Employer data)

Company name and job details are shared after the Candidate unlocks the offer. Competing offer insights are anonymized (no company names revealed).

Service Providers

We share data with: Stripe (payments), Resend (transactional emails), Neon (database hosting), Vercel (frontend hosting), Cloudflare (file storage), and AI providers (OpenAI/Anthropic for CV processing). All providers are GDPR-compliant or operate under adequate safeguards.

6. Data Retention

Account data: retained while your account is active, deleted within 30 days of account deletion. CV data: retained while active, deleted upon request or account deletion. Salary submissions: retained indefinitely (anonymized; cannot be linked back to you after account deletion). Transaction records: retained for 7 years for financial compliance. Messages: retained for 1 year after account deletion, then permanently deleted. Technical logs: retained for 90 days.

7. Your Rights (GDPR)

Under GDPR, you have the right to: access your personal data (request a copy); rectify inaccurate data; erase your data ("right to be forgotten"); restrict processing in certain circumstances; receive your data in a structured format (data portability); object to processing based on legitimate interest; withdraw consent at any time (for consent-based processing); not be subject to solely automated decisions; and lodge a complaint with a supervisory authority (ANSPDCP in Romania). To exercise these rights, contact privacy@payproof.co or use the account deletion feature in Settings.

8. International Transfers

Your data may be transferred to and processed in the United States (by our service providers). These transfers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission, or by the EU-US Data Privacy Framework where applicable.

9. Security

We implement appropriate technical and organizational measures to protect your data, including: HTTPS/TLS encryption in transit, JWT-based authentication, role-based access controls, rate limiting, input validation, parameterized database queries (SQL injection prevention), security headers (Helmet), and Stripe PCI-DSS compliance for payment processing. Despite these measures, no system is 100% secure.

10. Cookies

PayProof primarily uses localStorage for authentication tokens (JWT). We do not use tracking cookies or third-party advertising cookies. Functional cookies may be used by our service providers (Stripe for payment processing). No cookie consent banner is required as we do not use non-essential cookies.

11. Children's Privacy

PayProof is not intended for users under 18. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.

12. Changes to This Policy

We will notify you of material changes via email at least 30 days before they take effect. The updated policy will be posted on this page with a new "Last updated" date.

13. Contact & DPO

Data Protection Officer: privacy@payproof.co. General inquiries: support@payproof.co. Supervisory authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), Bucharest, Romania.