Privacy Policy
Last updated: 1 June 2026
This Privacy Policy explains how GritScore ("we", "us", "our"), operated by Alexander Andronov, collects, uses, stores, and protects personal data when you use gritscore.xyz. GritScore is available globally.
We handle personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (which apply to us as a UK-based operator), and we respect applicable privacy rights of users in other jurisdictions, including California (CCPA/CPRA) and the EU (GDPR).
1. Who We Are and Our Role
Operator / data controller: Alexander Andronov, trading as GritScore Email: hello@gritscore.xyz Website: gritscore.xyz
Controller vs processor. When you upload a candidate's CV, you (the recruiter, founder, or hiring professional) are the data controller of that candidate's personal data — you decide why the candidate is being evaluated. GritScore acts as a data processor, processing the CV on your instructions to produce the report. GritScore is an independent controller only for your own account data, IP/operational data, and the running of the service.
2. What Personal Data We Process
Account data (about you, if you sign in)
| Data | Why we process it | Legal basis |
|---|---|---|
| Email address | To create and authenticate your account and let you access your reports | Performance of a contract |
| Authentication provider identifier | To sign you in via email magic link or Google | Performance of a contract |
| Basic Google profile data (name, email) | Only if you choose Google sign-in | Performance of a contract / Legitimate Interests |
You can use GritScore without an account; in that case no account data is collected.
Operational data (about you)
| Data | Why we process it | Legal basis |
|---|---|---|
| IP address | Rate limiting — we limit analysis requests per IP to prevent abuse | Legitimate Interests |
Candidate data (CV content you upload)
When you upload a candidate's CV, that CV contains personal data belonging to the candidate. To generate and re-serve your report, we store the following:
| Data | Why we process it | Legal basis |
|---|---|---|
| The uploaded CV file (PDF) | Generating the analysis and allowing re-download of your report | Processed on your instruction as controller; your basis is Legitimate Interests (recruitment evaluation — a recognised lawful purpose under UK GDPR Recital 47) |
| Extracted candidate details — name, email, phone, location, current job title, employment history, links, years of experience, education | Producing the structured analysis and letting you find a prior report | As above |
| The AI analysis result | Delivering and re-serving the report you requested | As above |
We store this data — it is not discarded immediately after analysis. See Section 4 for how long we keep it.
3. How We Use Your Data
We use personal data solely to provide the GritScore analysis service — to generate your report, store it for the retention period so you can re-download it, and operate the service securely. We do not:
- Use CV content or analysis results to train AI models.
- Sell, share, or broker personal data to third parties.
- Build profiles, run advertising, or track individuals across sessions.
4. Data Retention
We keep personal data only as long as needed for the purpose it was collected (the GDPR storage-limitation principle).
CV files, extracted candidate data, and analysis results: retained while needed to provide and re-serve your report, and deleted on request (see Section 8). As a small, early-stage service we do not yet operate automated retention windows; we keep this data minimal and remove it promptly when asked or when it is no longer needed. Account data: retained while your account is active; deleted when you ask us to close your account. IP addresses: processed ephemerally for rate limiting by our hosting infrastructure. Not stored by us in a queryable form.
5. Third Parties and Sub-Processors
To provide the GritScore service, we use the following sub-processors:
| Sub-processor | Role | Location | Privacy policy |
|---|---|---|---|
| Supabase | Database, file storage (CV files), and authentication | EU / United States (region-dependent) | supabase.com/privacy |
| Mistral AI | AI analysis (Mistral) — receives CV text | European Union | mistral.ai/privacy |
| Anthropic | AI analysis (Claude) — may receive CV text | United States | privacy.anthropic.com |
| Stripe | Payment processing — receives billing name, card details | United States | stripe.com/privacy |
| Vercel | Frontend hosting and CDN | United States | vercel.com/legal/privacy-policy |
| Railway | Backend hosting — processes IP addresses | United States | railway.app/legal/privacy |
Each sub-processor processes data under its own data processing agreement and only as needed to deliver its part of the service.
6. International Data Transfers
Some sub-processors operate outside the UK/EU. CV text may be sent to Mistral AI (European Union) and/or Anthropic (United States) for analysis; CV files and candidate data are stored with Supabase in its hosting region. Stripe, Vercel, and Railway operate from the United States.
Transfers outside the UK/EU are covered by the relevant sub-processor's Data Processing Agreement and appropriate safeguards (such as Standard Contractual Clauses). For current transfer details, see each sub-processor's privacy policy linked in Section 5.
7. Cookies and Browser Storage
GritScore does not use tracking cookies or analytics cookies.
We use the following browser storage for functional purposes only:
| Key | Storage | Purpose |
|---|---|---|
gritscore_theme | localStorage | Remembers your light/dark mode preference |
gritscore_result | sessionStorage | Holds your analysis result temporarily across the Stripe payment redirect. Cleared when the browser tab is closed. |
| Supabase auth session | localStorage | Keeps you signed in if you have an account. Set only when you log in. |
These are strictly functional — they enable the service to work correctly. No consent banner is required for strictly necessary storage.
8. Your Privacy Rights
UK and EU users (UK GDPR / EU GDPR)
You have the right to: access your personal data, request rectification, request erasure, restrict processing, request portability, and object to processing based on Legitimate Interests.
California users (CCPA/CPRA)
California residents have the right to know what personal information we collect, the right to access and delete it, the right to correct it, and the right to opt out of the sale or sharing of personal information. We do not sell or share personal information.
Candidates whose CV was uploaded
If a CV about you was uploaded to GritScore, you may contact us to exercise your rights. Because the uploading user is the controller of that data (Section 1), where GritScore acts as processor we will coordinate your request with, or forward it to, the relevant controller and assist them in responding.
Automated decision-making
GritScore output is a decision-support tool only. We do not make decisions producing legal or similarly significant effects about any individual on a solely automated basis — a human reviewer must apply their own judgement (UK GDPR / GDPR Article 22).
All users
To exercise any privacy right, email hello@gritscore.xyz. We will respond within 30 days.
9. Data Security and Breaches
Candidate and account data is held in a database that is locked down at the row level and accessible only through our backend using a privileged service key — the public/anonymous keys used by the website cannot read or write it. Data is encrypted in transit. In the event of a personal data breach that poses a risk to individuals, we will notify the relevant supervisory authority and any affected individuals as required by applicable law.
10. Right to Complain
UK users: You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/concerns, phone 0303 123 1113.
EU users: You may lodge a complaint with your local data protection authority.
California users: You may contact the California Privacy Protection Agency at cppa.ca.gov.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The current version is always available at gritscore.xyz/privacy. We will update the "Last updated" date at the top when changes are made.
12. Contact
Questions about this Privacy Policy? Email hello@gritscore.xyz.