Privacy Policy

SeeVee — Privacy Policy

Last updated: March 25, 2026

This policy supplements the aperAI Privacy Policy with details specific to the SeeVee platform.

1. Who We Are

SeeVee is operated by aperAI OÜ, a company based in Estonia, European Union.

  • Registered address: Narva mnt 5, 10117 Tallinn, Estonia
  • Data protection contact: hello@aperai.eu
  • Website: https://aperai.eu

Under the General Data Protection Regulation (GDPR), aperAI is the data controller for account and usage data. For CV data uploaded by organizations, aperAI acts as a data processor on behalf of the organization (the data controller), which determines the purposes and means of processing its employees' or candidates' personal data.

2. What Data We Collect

2.1 Account Data

When you sign in, we receive basic profile information from your identity provider:

  • Name and email address
  • Profile picture URL (if provided by the identity provider)
  • OAuth provider identifier (an opaque ID from Google, Apple, or Microsoft)

We do not receive or store your password. Authentication is handled entirely by your identity provider.

2.2 CV Data

Organizations upload CV/resume documents (typically PDFs) containing personal data of job candidates or employees. This may include:

  • Full name, date of birth, contact details
  • Work history, education, skills, certifications
  • Photographs (if present in the uploaded document)
  • Any other information the candidate included in their CV

After AI processing, this data is stored as structured JSON.

2.3 Usage Data

We collect minimal technical data necessary to operate the service:

  • Audit logs: timestamped records of who accessed or modified what data, stored in a tamper-evident hash-chained log
  • Session data: a short-lived JWT token (24-hour expiry) to maintain your authenticated session
  • Error logs: technical error information for debugging (no personal data beyond user ID)

2.4 What We Do Not Collect

  • We do not use tracking cookies, analytics scripts, or advertising pixels.
  • We do not collect device fingerprints or behavioral data.
  • We do not purchase or obtain personal data from third-party data brokers.

3. Why We Collect It (Legal Bases)

Under the GDPR, we process personal data on the following legal bases:

Data Legal Basis Explanation
Account data (name, email) Contract performance (Art. 6(1)(b)) Necessary to provide you with the SeeVee service you signed up for.
CV data Legitimate interest of the data controller (Art. 6(1)(f)) / Consent Your organization (the data controller) determines the legal basis for uploading candidate data. aperAI processes it on their behalf under a data processing agreement.
Audit logs Legal obligation (Art. 6(1)(c)) and Legitimate interest (Art. 6(1)(f)) Required for GDPR accountability and to maintain data security.
Session cookies Contract performance (Art. 6(1)(b)) Strictly necessary to keep you logged in while using the service.

4. How We Process Your Data

4.1 AI Processing

When a CV is uploaded, it is sent to Google Vertex AI (Gemini models) for extraction, validation, and structuring. Specifically:

  • The PDF content is sent to Google's API for text extraction and structuring into JSON.
  • AI may also be used for CV curation (correcting inconsistencies), tailoring CVs for specific job descriptions, and design assistance.
  • Google does not retain your data beyond the duration of the API call (Zero Data Retention). Processing occurs under Google Cloud's enterprise Data Processing Agreement, which strictly prohibits Google from using your personal data for training its foundational models or any other purpose.

4.2 Encryption

  • All CV data is encrypted at rest using AES-256-GCM.
  • The encryption key is stored securely in an industry-standard external secrets management service, and is never stored directly on the application server.
  • Data is encrypted in transit using TLS 1.2 or higher.

4.3 Multi-Tenant Isolation

Each organization operates in a logically isolated workspace. Strict access controls enforced at the application level ensure that one organization cannot access another organization's data.

4.4 Team Galleries

Organizations can create shareable gallery links to present CVs to their clients. These galleries support optional anonymization, which strips personally identifiable information (names, contact details, photographs) from CVs before sharing.

5. Third-Party Processors

We use the following third-party services to operate SeeVee. Each processes data strictly on our behalf and under contractual obligations:

Processor Purpose Data Processed Location
Google Cloud (Vertex AI) AI-powered CV extraction and processing CV content (during API calls only; no retention) EU/Global endpoints
Google / Apple / Microsoft OAuth authentication Name, email, OAuth ID USA (with Standard Contractual Clauses)
Hetzner Online GmbH Application hosting (VPS) All application data (encrypted at rest) EU (Germany/Finland)
External KMS provider Encryption key management Encryption keys only (no CV data) EU

We do not sell, rent, or share personal data with any third party for marketing or advertising purposes.

6. Data Retention

Data Type Retention Period
CV data (JSON and source PDFs) Stored until manually deleted by the organization owner.
Account data Retained while the account is active. Deleted upon account deletion request.
Audit logs Retained for 12 months, then automatically purged.
Session tokens Expire automatically after 24 hours.
AI processing data Not retained by Google beyond the API call. Temporary processing artifacts on our servers are deleted upon job completion.

Organizations can delete individual CVs or their entire workspace at any time through the application interface.

7. Your Rights Under the GDPR

If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:

  • Right of access (Art. 15) — You can request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — You can request correction of inaccurate personal data.
  • Right to erasure (Art. 17) — You can request deletion of your personal data ("right to be forgotten").
  • Right to restriction (Art. 18) — You can request that we limit how we process your data.
  • Right to data portability (Art. 20) — You can request your data in a structured, machine-readable format (JSON).
  • Right to object (Art. 21) — You can object to processing based on legitimate interests.
  • Right to withdraw consent — Where processing is based on consent, you can withdraw it at any time.
  • Right to lodge a complaint — You can file a complaint with your local data protection authority.

For CV subjects (candidates whose CVs are uploaded): If your CV has been uploaded to SeeVee by a recruitment agency or employer, they are the data controller for your CV data. Please contact them directly to exercise your rights. If you are unable to reach them, you may contact us at hello@aperai.eu and we will assist in routing your request.

To exercise your rights as an account holder: Contact us at hello@aperai.eu. We will respond within 30 days.

8. Security Measures

We implement the following technical and organizational measures to protect your data:

  • Encryption at rest: AES-256-GCM
  • Encryption in transit: TLS 1.2+
  • Secrets management: The encryption key is stored in a secure external secrets manager, never directly on the application server
  • Container security: Application runs on a read-only filesystem, as a non-root user, with zero Linux capabilities
  • Audit logging: Tamper-evident hash-chained logs of all data access events
  • Multi-tenant isolation: Logical separation and strict application-level access controls between organizations
  • Admin access controls: Two-factor authentication (TOTP) and IP allowlisting required; no standing access to client data
  • Authentication: Delegated to enterprise identity providers (Google, Apple, Microsoft); no passwords stored

9. International Data Transfers

Your data is primarily stored and processed within the European Union:

  • Application hosting: Hetzner data centers in the EU (Germany/Finland)
  • AI processing: Google Vertex AI. While we target EU endpoints, some processing may occur on Google's global infrastructure. This is covered by Google Cloud's Data Processing Agreement and EU Standard Contractual Clauses (SCCs).
  • Authentication providers: Google, Apple, and Microsoft are US-based companies. Transfers are protected by Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.

All international transfers are safeguarded by appropriate legal mechanisms as required by Chapter V of the GDPR.

10. Cookies

SeeVee uses only strictly necessary cookies:

Cookie Purpose Duration
Session token (JWT) Maintains your authenticated session 24 hours

We do not use advertising or tracking cookies, third-party analytics cookies, or social media cookies or pixels. Because we use only strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive.

11. Children's Privacy

SeeVee is a business-to-business service designed for recruitment agencies and employers. It is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date and notify active account holders via email or an in-app notification.

13. Contact Information

aperAI OÜ
Narva mnt 5, 10117 Tallinn, Estonia

Data Protection Contact: hello@aperai.eu

For unresolved concerns, you have the right to lodge a complaint with your local data protection authority. In Estonia:

Andmekaitse Inspektsioon
(Estonian Data Protection Inspectorate)
Tatari 39, 10134 Tallinn, Estonia
https://www.aki.ee/