GDPR Compliance — Ceevee Recruitment Platform
Last updated: April 27, 2026
Ceevee, operated by Correct Context sp. z o.o., is committed to protecting personal data in full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Polish Act on Personal Data Protection. This page summarizes how our platform meets GDPR requirements and clarifies the responsibilities of each party.
1. Our Role Under GDPR
Ceevee operates in two capacities depending on the type of data:
- Data Controller — for account data (employer name, email, password) and usage data (analytics, logs, IP addresses). We determine the purposes and means of processing this data.
- Data Processor — for all candidate personal data uploaded by employers. We process this data solely on the employer's documented instructions and exclusively for the purpose of providing the Service, in accordance with Article 28 GDPR.
2. The Employer's Role
The employer (organization using Ceevee) is the data controller for candidate data. This means the employer bears primary GDPR responsibility for:
- Establishing a lawful basis for collecting and processing candidate personal data
- Providing candidates with privacy notices that describe the processing, including the use of AI tools
- Responding to data subject access requests (DSARs) within 30 days
- Conducting Data Protection Impact Assessments (DPIA) where required
- Ensuring data minimization — only uploading data relevant to recruitment
- Defining and enforcing data retention periods
- Not uploading special category data (Art. 9) without explicit consent and a legal basis
- Complying with employment law, anti-discrimination law, and GDPR in their jurisdiction
3. GDPR Principles We Follow
Lawfulness, Fairness, and Transparency (Art. 5(1)(a))
We process data based on clear legal grounds (contract, legitimate interest, legal obligation, or consent) and maintain transparent policies.
Purpose Limitation (Art. 5(1)(b))
Candidate data is processed exclusively for recruitment purposes as instructed by the employer. We never use candidate data for our own marketing, analytics, or AI training.
Data Minimization (Art. 5(1)(c))
We collect only the data necessary to provide the Service. Our platform encourages employers to collect only what is relevant for recruitment.
Accuracy (Art. 5(1)(d))
Employers can update and correct candidate information at any time through the platform. AI-generated data is clearly labeled as such.
Storage Limitation (Art. 5(1)(e))
We retain candidate data only as long as the employer's account is active. Data is deleted within 30 days of account termination or upon employer request.
Integrity and Confidentiality (Art. 5(1)(f))
We implement encryption, access controls, audit logging, and row-level security to protect all data.
4. Data Subject Rights
GDPR grants data subjects (candidates and employers) the following rights:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Right not to be subject to automated decisions (Art. 22)
For employers: Contact us at duke.vu@correctcontext.com to exercise your rights regarding account data.
For candidates: Contact the employer who collected your data. If you contact us directly, we will forward your request to the employer and assist them in responding.
5. AI and Automated Processing
Ceevee uses AI for CV scanning, skill extraction, and candidate assessments. Important safeguards:
- AI outputs are recommendations only — not automated decisions under Art. 22 GDPR
- The employer must apply human review before any hiring decision
- We do not use candidate data to train AI models
- Our AI provider (Anthropic) is bound by a data processing agreement prohibiting model training on customer data
6. Technical and Organizational Measures
In accordance with Art. 32 GDPR, we implement:
- Encryption in transit — TLS 1.2+ for all connections
- Encryption at rest — AES-256 database encryption
- Access controls — Row-level security (RLS) policies isolating data between organizations
- Authentication security — bcrypt password hashing, MFA for production systems
- Audit logging — Security-relevant events are logged and monitored
- Infrastructure security — Regular patching, dependency updates, and security reviews
- Data center location — EU-based hosting where possible
7. Data Breach Notification
In accordance with Articles 33 and 34 GDPR:
- We will notify the employer (data controller) within 48 hours of becoming aware of a breach affecting candidate data
- The employer is responsible for notifying the supervisory authority (within 72 hours) and affected data subjects where required
- For breaches of account data where we are the controller, we will notify the supervisory authority and affected users directly
8. International Data Transfers
Some sub-processors operate in the United States. We ensure adequate safeguards through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The EU-US Data Privacy Framework, where applicable
- Data processing agreements with all sub-processors
9. Sub-processors
We use the following sub-processors, each bound by a data processing agreement:
- Supabase (US/EU) — Database, authentication, file storage
- Vercel (US/EU) — Application hosting and CDN
- Anthropic (US) — AI processing for CV scanning and assessments
- Resend (US) — Transactional email delivery
10. Data Processing Agreement
A formal Data Processing Agreement (DPA) compliant with Article 28 GDPR is available and can be reviewed on our DPA page. By creating an account and using the Service, the employer agrees to the terms of this DPA. Enterprise customers may negotiate custom DPA terms.
11. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority. In Poland, this is:
- Prezes Urzędu Ochrony Danych Osobowych (UODO)
- ul. Stawki 2, 00-193 Warsaw, Poland
- uodo.gov.pl
12. Contact
For GDPR-related questions or requests:
- Email: duke.vu@correctcontext.com
- Address: Correct Context sp. z o.o., ul. Joachima Lelewela 27, 85-652 Bydgoszcz, Poland