Privacy Policy and Personal Data Protection (GDPR)

§ 1. Subject Matter and Purpose of the Document

1. This Privacy Policy sets out rigorous rules for the processing, protection, and retention of personal data of users of the ATS Buster platform (hereinafter: “Service”).
2. The priority of the Service is to ensure the maximum level of data security, in particular the content of recruitment documents (CVs, cover letters), which by their nature contain sensitive information.
3. Data processing is carried out in strict compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).

§ 2. Definitions

1. Personal Data – any information relating to an identified or identifiable natural person, including data contained in uploaded PDF files and e-mail addresses.
2. Processing – operations performed on personal data, such as collection, recording, storage, adaptation, modification, disclosure, and erasure.
3. Sub-processor – an external technology service provider that supports the operation of the Service.

§ 3. Security and Cryptography Standards

1. All connections are encrypted using the TLS/SSL protocol.
2. User passwords are hashed and are never stored in plaintext.
3. The system architecture implements the “Privacy by Design” principle.

§ 4. Scope and Purpose of Data Processing

The Service infrastructure processes data for the following purposes:

1. Document Optimization (AIaaS): Execution of the CV analysis service. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
2. Account Management: Profile support and authorization. Legal basis: Art. 6(1)(b) GDPR.
3. Billing and Compliance: Processing of payments and tax obligations. Legal basis: Art. 6(1)(c) GDPR.
4. Infrastructure Security: Monitoring logs and preventing abuse. Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
5. Marketing Communication: Sending information about news, updates, and Service offers to an e-mail address. Legal basis: Art. 6(1)(a) GDPR (voluntary consent of the User).

§ 5. Retention Policy and Hard Delete Mechanisms

1. Free Accounts: Permanent deletion of PDF files and database data within an absolute maximum of 24 hours (CRON processes).
2. Premium Accounts: Storage of documents for 30 days to enable iterative work, followed by automatic deletion.
3. Every user has the right to force a permanent deletion (Hard Delete) of their documents at any time from the control panel.

§ 6. Data Processing Topology (Sub-processors)

Data is processed in cooperation with: Google LLC (Gemini API), Supabase, Inc., Cloudflare, Inc. (R2), Vercel, Inc., Stripe, and Sentry (Functional Software, Inc. - error and performance monitoring). All entities guarantee protection standards compliant with EU requirements.

§ 7. Rights of the Data Subject

The user has the right to access their data, rectify it, erase it (“right to be forgotten”), restrict processing, data portability, and lodge a complaint with a supervisory authority.

§ 8. Identity of the Data Controller

1. The Data Controller is Wiktor Ciopciński, correspondence address: Księdza Juliana Chrościckiego 89D, 02-414 Warsaw, Poland.
2. Inquiries should be directed to the e-mail address: atsbusteradmin@gmail.com.

§ 9. Management of Marketing Consents

1. The consent to marketing communication referred to in § 4 point 5 is entirely voluntary and is not a condition for using the fundamental functionalities of the Service.
2. The user has full control over the granted consent. They may withdraw or re-grant it at any time using a dedicated switch (toggle) in the Account Settings section.
3. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

§ 10. Cookies and Changes to the Policy

1. The Service uses local storage mechanisms (Cookies, Local Storage) that are technically necessary.
2. We reserve the right to update this document in the event of legal or technological changes. The Polish version is legally binding.