Privacy Policy
Version 2026-05-15 · Last updated · May 15, 2026
This Privacy Policy explains how Nicolas Dinh (“we”, “us”) collects, uses, stores, and protects your personal data when you use the Versio Cloud service. This policy does not apply to the source-available Versio Community Edition.
Scope. Versio serves three use cases:
- Individual Users — people who use the Service to manage their own personal CV. Versio is the controller of this data; this policy applies directly.
- Business Customers (consulting and professional-services firms) — manage CVs of their own employees and consultants to prepare client proposals.
- Recruitment Customers — manage CVs of external candidates they represent to third-party employers.
For Business Customers and Recruitment Customers, personal data uploaded by their authorised users is Processed by Versio as a processor on the Customer’s behalf under our Data Processing Agreement; the Customer’s own privacy notice governs that processing. Candidates, consultants, or employees wishing to exercise their rights should contact the Customer that uploaded their data.
In all cases, this policy applies to account, authentication, and billing data of anyone who logs in to the Service, and to visitors of versio-cv.com.
§ Section
1. Who We Are
Versio is operated by Nicolas Dinh, Genève, Switzerland.
Data Controller: Nicolas Dinh, Rue de Lausanne 29bis, 1201 Genève, Switzerland
contact@versio-cv.com
§ Section
2. Data We Collect
2.1 Account Data
| Data | Purpose | Required |
|---|---|---|
| Email address | Authentication, communications | Yes |
| Name | Display in the application | Yes |
| Password (hashed) | Authentication | Yes (unless OAuth) |
| Profile photo | Display in the application | No |
| 2FA secret | Account security | No |
| OAuth provider ID | Authentication via Google/LinkedIn | No |
| Newsletter opt-in flag | Optional marketing communications | No |
| Consent records (terms version, IP, user-agent, timestamp) | Proof of consent under Art. 7 GDPR | Yes (set at signup and on re-acceptance) |
2.2 CV Content (Customer-uploaded data)
CV Content is uploaded by Customers (consulting and recruitment firms) about their consultants, employees, or candidates. Versio acts as a processor for this data — the Customer is the controller and remains responsible for the lawful basis and notice to data subjects. Data managed:
- Personal details (name, job title, location, phone, email, website, summary)
- Work experience (company, role, dates, descriptions)
- Education (institution, degree, dates)
- Skills and skill categories
- Certifications, publications, languages
- Profile photos and CV version configurations
Photos. Profile photos are stored and rendered in CV exports. They are not sent to AI providers except (a) during CV import for automated headshot detection (a single image-classification call per candidate image) and (b) when text extraction fails on image-only PDFs, in which case rasterised pages may contain photos. In both cases the same no-training and 30-day retention terms apply (see Section 6.3).
2.3 Payment Data
We do not store payment card details. Payments are processed by Stripe. We store only Stripe customer ID, subscription ID, and billing status. See Stripe’s privacy policy.
2.4 Technical Data
| Data | Purpose |
|---|---|
| IP address | Security, abuse prevention |
| Browser type | Compatibility, debugging |
| Access timestamps | Security logs |
| Feature usage (anonymized) | Product improvement |
We do not use tracking cookies, advertising cookies, or third-party profiling. We use Cloudflare Turnstile to protect certain actions (e.g., registration, login) from automated abuse. Cloudflare may collect your IP address, browser type, and interaction data to distinguish humans from bots. See Cloudflare’s privacy policy.
§ Section
3. How We Use Your Data
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Providing the Service | Contract performance | Account data, CV Content |
| Processing payments | Contract performance | Payment references |
| AI-powered features | Contract + consent | CV Content (when AI is used) |
| Account security | Legitimate interest | Account & technical data |
| Service notifications | Contract performance | Email address |
| Abuse prevention | Legitimate interest | Technical data |
| Product improvement | Legitimate interest | Anonymized usage data |
| Legal compliance | Legal obligation | As required by law |
We do not use your data for advertising, selling to third parties, training AI models, or automated decision-making with legal effects.
§ Section
4. Where Your Data Is Stored
4.1 Primary Storage
Your data is stored on servers operated by Infomaniak Network SA in Switzerland (Geneva) — ISO 27001 and ISO 9001 certified. Your data does not leave Switzerland for primary storage.
4.2 AI Processing
When you use AI Features, relevant Content is transmitted to our AI provider. See Section 6 for details.
4.3 Payment & Email
Payments are processed by Stripe (US, with SCCs). Transactional emails are sent via our email provider with minimal content.
§ Section
5. Data Sharing and Sub-Processors
| Sub-Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Infomaniak Network SA | Database & file hosting | All Content | Switzerland |
| Infomaniak AI Tools | Vector embeddings (semantic search / matching) | Profile text | Switzerland |
| Anthropic, PBC | AI Features (import, generation, review, matching, ATS check, translation) | CV text, job descriptions; profile images only for headshot detection or image-only PDFs | US (DPF + SCCs via Anthropic Ireland Ltd) |
| Stripe, Inc. | Payment processing | Payment refs, email | US (DPF + SCCs) |
| Cloudflare, Inc. | Bot protection (Turnstile CAPTCHA) | IP address, browser metadata | Global (SCCs) |
| Resend / transactional email | Verification, password reset, notifications | Email address, message content | US / EU (SCCs) |
We maintain DPAs with all sub-processors. The full current list and the notification mechanism for changes are also available in our Data Processing Agreement (Annex II). We do not sell or trade your data.
§ Section
6. AI Features and Data Processing
6.1 When AI Processing Occurs
AI processing happens only when you actively use an AI Feature: CV import, AI generation, quality analysis, summary rewriting, ATS checking, candidate matching, or translation. If you don’t use these features, no Content is sent to AI providers.
6.2 What Data Is Sent
We send the minimum Content necessary — typically CV text, job descriptions, or version content.
We do not send profile photos, payment information, account credentials, or other users’ data (unless required for candidate matching within your Organization).
6.3 AI Provider: Anthropic (Claude API)
- No training on customer content
- 30-day retention for trust & safety, then permanent deletion
- US processing — transfers via Standard Contractual Clauses (Anthropic Ireland Ltd)
6.4 Your Control
AI is always user-initiated. You can use the Service without AI. You review all AI-generated content before accepting it. We may change AI providers while maintaining equivalent data protection standards.
6.5 Candidate Matcher (AI Act classification varies by use case)
The Candidate Matcher scores and ranks profiles against a job description using a three-stage pipeline: requirement extraction (LLM), semantic pre-filter (vector embeddings), and deep analysis (LLM). It produces a match score (1–10), matched/missing skills, and a recommendation.
The Matcher is available only to Business Customers and Recruitment Customers; it is not offered to Individual Users. Classification under the EU AI Act (Regulation 2024/1689) depends on the Customer’s use case:
- Business Customers (consulting / professional services) — matching their own employees / consultants for a client proposal. May fall within Annex III §4(b) (work allocation) if the result is used to allocate work to employees based on individual traits.
- Recruitment Customers — matching external candidates for presentation to third-party employers. Falls within Annex III §4(a) (recruitment and selection) — high-risk AI system.
Where the use case is high-risk, Versio is the provider and the Customer is the deployer. Provider commitments and deployer obligations are detailed in the Terms of Service (§6.5) and the DPA. Scores are advisory; the Service does not auto-shortlist, auto-reject, or auto-contact candidates.
Every Matcher run is logged (job description, candidate IDs, scores, model used, timestamp) and retained in the Customer’s account for audit. Customers may delete individual runs at any time.
§ Section
7. Data Retention
| Scenario | Retention Period |
|---|---|
| Active account | Retained while account is active |
| Deletion requested | 30-day grace period (cancellable), then permanently deleted |
| Cancelled subscription | Read-only; 30 days after billing period, then deleted |
| Inactive cancelled/expired account (12 months) | Email reminder; deleted 30 days after if no login. Active subscriptions not affected. |
| AI provider (Anthropic) | Deleted within 30 days of processing |
| Security logs | Up to 12 months |
| Billing records | Up to 10 years (Swiss law) |
§ Section
8. Your Rights
Under the Swiss FADP and EU GDPR (where applicable):
Access & Portability
Access all your data through the Service. Export in JSON, PDF, or Word format at any time.
Rectification & Deletion
Edit your data directly. Delete your account through settings — all Content is removed within 30 days.
Object & Restrict
Object to processing based on legitimate interest. Request restriction while disputes are resolved.
Withdraw Consent
Where processing is based on consent (e.g., AI Features), withdraw at any time by ceasing use of the feature.
Contact contact@versio-cv.com to exercise your rights. We respond within 30 days.
Complaints: Switzerland — FDPIC (edoeb.admin.ch). EU — your local supervisory authority.
§ Section
9. Data Security
- Encryption in transit (TLS/HTTPS) and at rest
- Hashed passwords (bcrypt) with optional two-factor authentication
- Role-based access control within Organizations
- ISO 27001 certified infrastructure (Infomaniak)
- 72-hour breach notification to users and authorities
§ Section
10. Cookies and Local Storage
We do not use tracking or advertising cookies. The Service uses only essential browser storage (authentication token and UI preferences in localStorage).
Cloudflare Turnstile may set a security cookie (cf_clearance) as part of its bot detection. This cookie is strictly necessary for security and does not track you across websites.
No cookie consent banner is required.
§ Section
11. Children’s Privacy
The Service is not intended for individuals under 16. We do not knowingly collect data from children.
§ Section
12. International Transfers
Primary data is stored in Switzerland (adequate protection per EU Commission). Transfers to the US (AI, payments) are governed by Standard Contractual Clauses and DPAs.
§ Section
13. Changes to This Policy
Material changes are notified at least 30 days in advance. During the beta period (as defined in our Terms of Service, Section 2.1), changes to this Privacy Policy require only 7 days’ notice. Previous versions available upon request.
§ Section
14. Contact
Nicolas Dinh
Rue de Lausanne 29bis
1201 Genève, Switzerland
contact@versio-cv.com