Legal
Privacy notice
Last updated: 5 May 2026
Plain-English summary. I'm Brian Gillingham, a
UK-based recruitment consultant. I receive job specs and CVs from
clients, score them with my Mermoid platform, and return a
ranked, citation-backed report within 24 hours. CVs and job specs
are deleted 7 days after delivery; audit reports kept 18 months
for tribunal defensibility unless you ask me to delete sooner.
I never sell your data; the only third parties that see any of it
are the sub-processors listed in section 6.
1. Who is the data controller?
Brian Gillingham, t/a ProperFit Hire, Lincoln, LN2 2HL, United
Kingdom. ICO registration: ZC140339 at the time of writing;
enquiries to brian@properfithire.co.uk.
2. What data is processed?
- Customer data (name, email, company, billing details)
when you sign up or place an order.
- Candidate data (CV contents, including names,
contact details, employment history, qualifications, right-to-work
(RTW) status, Disclosure and Barring Service (DBS) references) when
uploaded by a customer for cohort scoring.
- Job specification data (role, salary,
requirements) provided by the customer.
- System logs (IP address, request timestamps)
retained for security purposes for 90 days.
3. Lawful basis (UK GDPR)
- Customer data: Article 6(1)(b) — performance
of contract.
- Candidate data: Article 6(1)(f) — legitimate
interests of the customer in conducting recruitment; Article 6(1)(b)
(steps taken at the data subject's request prior to entering into a
contract) applies once a candidate enters a hiring process. The
candidate retains all UK GDPR rights, including the right to object
(Art. 21).
- Special-category data (health): Article 9(2)(b), together with
Schedule 1 Part 1 paragraph 1 of the Data Protection Act 2018
(employment, social security and social protection).
- Criminal-offence data (DBS-related): Article 10 UK GDPR and
section 10 of the Data Protection Act 2018, relying on the same
Schedule 1 Part 1 paragraph 1 condition.
4. Retention
- CVs + job specs: deleted 7 days after report delivery.
- Audit reports + scoring metadata: 18 months
(long enough to cover the window in which a typical
employment-tribunal claim about a recruitment decision can be
brought and defended), unless you ask me to delete sooner.
- Customer billing records: 6 years (HMRC tax-record requirement).
- System logs: 90 days, then automatically purged.
5. Where data is stored
Mermoid runs on a virtual machine in Microsoft Azure's Switzerland
North region. Switzerland is covered by the UK adequacy regulations,
so storing data there needs no additional transfer safeguard.
Persistent storage of CV contents and account data lives only on this
VM's disk and is never copied to any other cloud provider.
The scoring engine (cohort ranking, retention prediction,
skills compliance) is fully deterministic and runs on the VM only —
no LLM inference touches the scoring path.
Generative features — cover-letter writing, CV-line AI
rewrites, structured-CV extraction at /me/profile-setup, STAR
writeups, interview-prep packs and the candidate chatbot — DO send
text to LLM providers (see Sub-processors below). For each LLM call:
- Only the specific text you act on is sent (a CV line, the JD, your CV) —
never your full account or other candidates' data.
- Calls go through each provider's API tier, whose standard
contract excludes training on customer prompts (see each provider's
Data Processing Addendum).
- No CV is sent to an LLM without you triggering an action that
explicitly asks for one (clicking "Generate cover letter",
"AI rewrite this line", "Extract structured profile", etc.).
- You can audit which actions hit which LLM by checking
/admin/connectors/health (admin only).
6. Sub-processors
Full transparent list. Each section says what data the sub-processor
sees, and why we use them.
- Microsoft Azure — VM hosting (Switzerland North).
Sees: everything, but only at rest on the VM disk.
- Stripe — payment processing.
Sees: name, email, billing address, payment method. Never CV content.
- Microsoft 365 (Exchange/Outlook) — outbound email
delivery. Sees: email recipient + body of the messages we send you.
- Cloudflare — DNS + privacy-first analytics
(no cookies, no fingerprinting). Sees: HTTP request metadata only.
- LLM providers (used only for generative features above):
- Cerebras — primary cascade. UK/EU API region.
- Groq — fallback. US, no training on API tier.
- GitHub Models — fallback. Subject to GitHub's
Acceptable Use; no training on prompts.
- Anthropic — fallback. UK/EU residency available;
no training under standard API contract.
- OpenAI — fallback. EU residency; no training
on API tier (zero-retention available on request).
- Mistral / Google Gemini / Azure OpenAI — final
fallbacks if all above are rate-limited. Each has equivalent
no-training-on-API guarantees.
You can request that we exclude any specific provider from your
account's cascade by emailing
dpo@properfithire.co.uk.
- DocuSeal — e-signature for adjustments-passport
consent and employment offer letters. Used only when you click
a "Sign" button. Sees: the document being signed and your
signature.
- Reed.co.uk — read-only job-board API used by
/me/jobs. Sees: search keywords + your sector. Never your CV.
- Companies House — UK government registry,
read-only employer lookup. Public-data only, no PII shared.
- Postcodes.io — open-source postcode geocoding API built on ONS
open data (not a government service), no auth required. We pass only
postcodes for commute calculations.
No analytics that track individuals. No advertising trackers.
No data brokers. We commit to listing every new sub-processor
here within 14 days of adoption.
7. Your rights
Under UK GDPR you can exercise the rights of access, rectification,
erasure, restriction, portability, and objection. To exercise any
of these, email me. I respond within one month, the UK GDPR deadline
(typically same-day).
You also have the right to complain to the
UK Information Commissioner's Office.
8. Automated decision-making
Mermoid's scoring is decision-support, not solely automated
decision-making. Final hiring decisions are always made by
a human (the customer's hiring manager). Per the ICO's April 2026
guidance, a human who merely "rubber stamps" the AI ranking does not
stop it being solely automated decision-making under Article 22; my
reports are therefore designed to support meaningful human review,
with citations and signal evidence so the reviewer can substantively
challenge any rank position.
9. Candidate-specific notice
If you are a candidate whose CV has been processed: contact me
directly to request access, correction, or erasure. I will respond
within one month. I do not contact candidates directly without my
customer's authorisation.