SwiftShortlist

Privacy Policy

Effective date: May 20, 2026

Summary: We collect only what is necessary to provide the Service. We do not sell your data. Candidate CV data is processed solely to generate AI rankings and is never used for advertising or shared with third parties without your consent.

1. Who We Are

SwiftShortlist (“we”, “us”, “our”) operates the SwiftShortlist platform at swiftshortlist.com. We are the data controller for account and usage data. For candidate CV data you upload, you are the data controller and we act as your data processor.

Contact: privacy@swiftshortlist.com

2. Data We Collect

Account data: Name, email address, and password (hashed) when you create an account. If you sign in with Google, we receive your name and email from Google — we do not receive or store your Google password.

Usage data: Pages visited, features used, job postings created, number of CVs analysed, IP address, browser type, and session timestamps. Collected to improve the Service and for billing purposes.

Payment data: Billing information is collected and processed directly by Lemon Squeezy (our merchant of record). We store only your Lemon Squeezy customer ID and subscription status — we never store full card numbers.

Candidate CV data: When you upload CVs, they are processed by our AI to generate rankings. CV text is sent to our AI provider (Google) solely for analysis. We do not use candidate data for any purpose other than providing you with rankings.

Communications: If you contact us, we retain your messages to respond and improve support.

3. How We Use Google User Data

If you choose to sign in with Google, we use your Google account data as follows:

  • Email address: Used to create and identify your SwiftShortlist account and to send transactional emails (receipts, password resets, important service notices).
  • Name: Used to personalise your account interface.
  • Profile picture (if provided): Displayed in the account area only.

We do not:

  • Use Google user data for advertising or marketing purposes.
  • Share Google user data with third parties except as required to provide the Service (e.g. Supabase for authentication, Lemon Squeezy for billing).
  • Use Google user data to build profiles for purposes unrelated to the Service.
  • Store Google access tokens beyond what is necessary for authentication.

Our use of data received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.

4. Legal Basis for Processing (GDPR)

For users in the UK and EEA, our legal bases for processing personal data are:

  • Contract performance: Processing necessary to provide the Service you have subscribed to.
  • Legitimate interests: Service security, fraud prevention, product improvement, and analytics — where these are not overridden by your rights.
  • Consent: Marketing emails (where you have opted in). You may withdraw consent at any time.
  • Legal obligation: Retaining billing records as required by tax law.

5. Candidate Data — Your Responsibilities

When you upload candidate CVs, you are the data controller for that personal data. You are responsible for ensuring:

  • You have a lawful basis to process candidates' personal data.
  • Candidates have been informed their data may be processed using AI tools.
  • You comply with GDPR, UK GDPR, and any other applicable data protection law.
  • You respond to candidate data subject requests (access, erasure, portability).

To request deletion of candidate data from our systems, email privacy@swiftshortlist.com.

6. Data Sharing and Third Parties

We share data only with trusted sub-processors required to deliver the Service:

  • Supabase — Authentication, database hosting (EU region).
  • Lemon Squeezy — Payment processing (merchant of record). Governed by Lemon Squeezy's Privacy Policy.
  • Google — AI processing of CV and job description text to generate rankings.
  • Resend — Transactional email delivery.

We do not sell, rent, or share your personal data with advertisers or data brokers. We may disclose data if required by law or to protect our legal rights.

7. Data Retention

  • Account data: Retained while your account is active and for 30 days after deletion.
  • CV and job data: Retained while your account is active. Deleted within 30 days of account closure or on request.
  • Billing records: Retained for 7 years as required by UK tax law.
  • Usage logs: Retained for 12 months.

8. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • TLS encryption for all data in transit.
  • AES-256 encryption for data at rest.
  • Row-level security policies on all database tables.
  • Access controls limiting staff access to personal data on a need-to-know basis.
  • Regular security reviews and dependency updates.

In the event of a data breach affecting your rights and freedoms, we will notify you and relevant supervisory authorities within 72 hours as required by GDPR.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your personal data.
  • Portability: Receive your data in a structured, machine-readable format.
  • Restriction: Request that we limit processing of your data.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Withdraw marketing consent at any time.

To exercise any of these rights, email privacy@swiftshortlist.com, or delete your account directly from your profile settings. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

10. Automated Decision-Making and AI

SwiftShortlist uses AI to read CVs and produce a relevance score and ranking against a job description. This is a form of profiling. Importantly:

  • It is decision support, not an automated decision. The AI ranks and explains candidates; it does not hire, reject, or make any final decision. A human recruiter reviews the output and makes all hiring decisions.
  • The Service does not carry out solely automated decision-making that produces legal or similarly significant effects within the meaning of Article 22 UK GDPR.
  • Candidates have the right to be informed that AI is used, to obtain a meaningful explanation of the logic involved, to request human review, and to contest a decision. These requests are handled by the recruiter (the data controller for candidate data).

Recruiters using SwiftShortlist must keep a human in the loop and must not rely on AI scores as the sole basis for a rejection or hiring decision.

11. Notice for Job Applicants

If you are applying for a role and have submitted your CV through a SwiftShortlist application link, this section is for you.

  • Who controls your data: The employer or recruiter who advertised the role is the data controller. SwiftShortlist processes your data on their behalf.
  • What we process: The information in your application — name, contact details, location, LinkedIn, CV contents, and any cover letter.
  • Why: To let the hiring team assess your suitability, including an AI-generated score and ranking against the role's requirements (see section 10).
  • AI use: Your CV is analysed by AI to support — not replace — human review. A person makes the final decision.
  • Retention: Your data is kept by the recruiter for their hiring process and deleted in line with their retention policy or on request.
  • Your rights: You can ask for access, correction, deletion, human review of any AI assessment, and you may complain to the ICO. Direct these requests to the recruiter you applied to; if you cannot reach them, email privacy@swiftshortlist.com and we will help route your request.

12. Cookies

We use only strictly necessary cookies, for authentication and session management. We do not use advertising, tracking, or third-party analytics cookies, so no cookie consent banner is required under PECR. If this changes, we will request your consent first.

13. International Transfers

Your data may be processed in the United States by our sub-processors (Google, Lemon Squeezy, Resend). Where required, such transfers are covered by Standard Contractual Clauses or equivalent safeguards under UK GDPR.

14. Children

The Service is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 14 days before they take effect. The effective date at the top of this page will be updated accordingly.

16. Contact Us

For privacy-related questions, data subject requests, or to request our Data Processing Agreement:

privacy@swiftshortlist.com
