Legal

GDPR and Data Protection

Last updated: May 2026

SwiftShortlist complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our database infrastructure is hosted in the EU (Frankfurt) to support cross-border data compliance.

1. Roles under GDPR

When you use SwiftShortlist to upload and analyse CVs, the legal roles are as follows:

- You (the recruiter or employer) are the Data Controller for candidate personal data contained in CVs you upload. You determine why and how that data is processed.
- SwiftShortlist acts as a Data Processor on your behalf. We process candidate data solely to provide the ranking and analysis service you have requested.
- Google (Gemini API) acts as a sub-processor for the purpose of AI analysis. Google does not retain or train on API data by default.

2. Legal basis for processing

SwiftShortlist processes recruiter account data on the basis of contract performance. We process candidate CV data on the basis of legitimate interests pursued by the controller (the recruiter conducting a hiring process). Recruiters are responsible for ensuring they have a valid legal basis for uploading candidate data and that their use of SwiftShortlist complies with applicable data protection law.

3. What data we process

We process the following personal data when you use the service:

- Account data: name, email address, organisation name.
- Candidate data (from CVs you upload): name, contact details, work history, education, skills, and any other information contained in the uploaded PDF.
- Usage data: actions taken within the application, timestamps, and browser metadata for security and analytics purposes.

4. Data retention

Account data is retained for as long as your account is active. You can delete your account at any time from the profile settings page. Candidate data (CV files and analysis results) is retained until you delete the associated job or candidate record, or until you delete your account. We do not retain CV data beyond your active subscription period after account deletion.

5. Your rights

Under UK GDPR you have the right to access, rectify, erase, restrict, or port your personal data. You also have the right to object to processing and to withdraw consent where processing is based on consent. To exercise any of these rights, contact us at privacy@swiftshortlist.com. We aim to respond within one calendar month. For complaints about our data handling, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

6. Automated decision-making and AI

SwiftShortlist uses AI to score and rank CVs against a job description. This is profiling, but it is decision support — not a solely automated decision under Article 22 UK GDPR. The AI ranks candidates and explains its reasoning. It does not hire or reject anyone. A human recruiter reviews the results and makes every hiring decision. Candidates have the right to be informed AI is used, to a meaningful explanation of the logic, to request human review, and to contest an outcome. As the data controller, the recruiter is responsible for honouring these rights and for keeping a human in the loop. SwiftShortlist must not be used to auto-reject candidates without human review.

7. International transfers

Our primary database and file storage is hosted in the EU (Frankfurt, Germany) via Supabase. AI processing is performed via the Google Gemini API, which may process data in the United States. Google is certified under applicable transfer mechanisms. Our application is hosted on Vercel with edge infrastructure globally. Standard Contractual Clauses (SCCs) govern any transfers of personal data outside the UK or EEA where required.

8. Data Processing Agreement

If you require a formal Data Processing Agreement (DPA) for your organisation's compliance needs, please contact us at enterprise@swiftshortlist.com. We will provide a signed DPA upon request.