Proovus

Privacy Policy

Last updated: March 7, 2026

1. Introduction

Proovus ("we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use the Proovus platform, including our website, applications, and services (collectively, the "Platform").

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Platform.

2. Data Controller

Proovus is the data controller responsible for your personal data processed through the Platform. For any questions or requests regarding your data, you may contact us using the details provided in Section 15.

3. Data We Collect

3.1 Information You Provide Directly

Account & Profile Data (Individuals)

  • First name and last name
  • Email address
  • Date of birth (optional)
  • Gender pronouns (optional)
  • Phone number (optional)
  • Profile picture
  • Geographic location (city, country)
  • Personal website and portfolio links
  • External professional profile links (e.g., LinkedIn, Indeed, Malt, Upwork, Bluesky)
  • Personal interests and hobbies (optional)
  • Languages spoken and proficiency levels

Professional Experience Data

  • Job titles, roles, and positions held
  • Company names, addresses, and registration details
  • Employment start and end dates
  • Key achievements, tasks, and project descriptions
  • Hard skills and soft skills
  • Indirect skills
  • Educational background, degrees, and certifications
  • Reference letters and supporting documents
  • Manager names and email addresses (for validation purposes)

Enterprise Account Data (Organizations)

  • Legal entity name and type
  • Business registration number (D-U-N-S)
  • Tax identification number
  • Country and city of incorporation
  • Company email domain and website
  • Head office address
  • Industry classification and staff size
  • Company logo and description
  • Certificate of existence or proof documents (optional)
  • Administrator profiles (name, email, job title)

3.2 Information Collected Automatically

  • Device Information: Browser type and version, operating system, device type, and screen resolution.
  • Usage Data: Pages visited, features used, time spent on the Platform, click patterns, and navigation paths.
  • Log Data: IP address, access timestamps, referring URLs, and error logs.
  • Cookies and Similar Technologies: As described in Section 10.

3.3 Blockchain Data

When an experience is validated and anchored on the Arbitrum blockchain (an Ethereum Layer 2 network), the following data is recorded on-chain:

  • A cryptographic hash (digest) of the validated experience data
  • Transaction hash and timestamp
  • Blockchain wallet address used for the transaction

Important: Only cryptographic hashes are stored on-chain — not your personal information in readable form. However, blockchain records are public and permanent. See Section 7 for details on how this affects your data rights.

4. How We Use Your Data

We process your personal data for the following purposes:

PurposeLegal Basis (GDPR)
Providing and operating the PlatformPerformance of contract
Creating and managing your accountPerformance of contract
Processing experience validationsPerformance of contract
Anchoring validated experiences on the blockchainExplicit consent
Generating AI-assisted CV/Resume and importing experiences via AI extractionPerformance of contract
Skills mapping, analytics dashboards, and competency comparisonPerformance of contract
Processing payments and billingPerformance of contract
Sending service-related notifications and emailsPerformance of contract / Legitimate interest
Improving the Platform and developing new featuresLegitimate interest
Ensuring Platform security and preventing fraudLegitimate interest
Complying with legal obligationsLegal obligation
Enabling public profile visibility (when opted in)Consent

5. Who We Share Your Data With

We may share your personal data with the following categories of recipients:

5.1 Organizations and Managers

When you submit an experience for validation, the relevant Organization and designated Manager(s) will receive the experience data necessary to perform the validation. This includes your name, role details, achievements, skills, and any supporting documents you attach.

5.2 Public Profile Viewers

If you choose to make your profile public, the information you include in your public profile will be accessible to anyone. You control which information is visible through your profile visibility settings.

5.3 Blockchain Network

Cryptographic hashes of validated experiences are published on the Ethereum public blockchain and are accessible to anyone. These hashes do not contain personal information in readable form.

5.4 Service Providers (Sub-processors)

We share data with the following trusted third-party service providers who assist us in operating the Platform:

  • Hetzner (Germany) — Cloud hosting and server infrastructure
  • Cloudflare (USA, with EU data processing) — CDN, DDoS protection, DNS, and web application firewall
  • Keycloak (self-hosted on Hetzner) — Authentication and identity management
  • Infisical (USA) — Secrets management for secure configuration
  • Stripe (USA, with EU data processing) — Payment processing and subscription management
  • Lettermint (France) — Transactional email delivery
  • Mistral AI (France) — AI-powered features including CV/Resume generation and skills analysis
  • Arbitrum (decentralized network) — Blockchain anchoring of validated experience proofs
  • Sentry (USA) — Error tracking and application monitoring
  • Grafana Cloud (USA) — Infrastructure metrics and log aggregation

These providers are contractually bound to process your data only on our behalf and in accordance with our instructions and applicable data protection laws. For providers based outside the EU/EEA, appropriate safeguards (Standard Contractual Clauses) are in place.

5.5 Legal Requirements

We may disclose your data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Proovus, our users, or the public.

5.6 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your data may be transferred as part of the transaction. We will notify you of any such transfer and any changes to this Privacy Policy.

We do not sell your personal data to third parties.

6. International Data Transfers

Proovus operates globally. Your data may be transferred to, stored, and processed in countries other than your country of residence, including countries that may have different data protection standards.

When we transfer personal data internationally, we ensure appropriate safeguards are in place:

  • EU/EEA: Transfers to countries without an adequacy decision are protected by Standard Contractual Clauses (SCCs) approved by the European Commission.
  • UK: Transfers are protected by the International Data Transfer Agreement (IDTA) or UK addendum to EU SCCs.
  • Other jurisdictions: We apply equivalent safeguards as required by applicable local laws.

Additionally, blockchain data is inherently global — once a cryptographic hash is recorded on the Arbitrum network, it is replicated across nodes worldwide. This is a fundamental characteristic of public blockchain technology.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

7.1 Rights Under GDPR (EU/EEA/UK)

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data, subject to the blockchain limitation described below.
  • Right to Restriction of Processing: Request that we limit the processing of your data.
  • Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
  • Right to Lodge a Complaint: File a complaint with your local data protection authority.

7.2 Rights Under CCPA (California, USA)

  • Right to Know: Request information about the categories and specific pieces of personal data we collect, use, and disclose.
  • Right to Delete: Request deletion of your personal data.
  • Right to Opt-Out: Opt out of the sale of your personal data. Note: We do not sell personal data.
  • Right to Non-Discrimination: You will not be discriminated against for exercising your CCPA rights.

7.3 Rights Under LGPD (Brazil)

  • Confirmation of the existence of data processing
  • Access to your personal data
  • Correction of incomplete, inaccurate, or out-of-date data
  • Anonymization, blocking, or deletion of unnecessary or excessive data
  • Data portability
  • Information about public and private entities with which your data has been shared
  • Revocation of consent

7.4 Rights Under PIPEDA (Canada)

  • Access to your personal information held by us
  • Challenge the accuracy and completeness of your data and have it amended
  • Withdraw consent for certain processing activities

7.5 Other Jurisdictions

If you reside in a jurisdiction with data protection laws not specifically listed above, we will honor your rights as provided by your local applicable laws.

7.6 Blockchain Limitation on Erasure

Important Notice Regarding Blockchain Data

When you exercise your right to erasure, we will delete all personal data stored on our servers (off-chain data), including: your profile and personal information, all experiences and their details (skills, achievements, reference letters), uploaded documents and profile pictures, company links, notifications, and your account. For validated experiences, manager-side records referencing your data will be anonymized.

However, cryptographic hashes that have been recorded on the Arbitrum blockchain cannot be deleted or modified due to the immutable nature of blockchain technology. These hashes:

  • Do not contain personal information in human-readable form
  • Cannot be reverse-engineered to reconstruct your personal data
  • Will become effectively meaningless once the corresponding off-chain data is deleted

We design our system to minimize on-chain data exposure. This approach has been recognized as compatible with GDPR principles by leading data protection authorities when properly implemented.

To exercise any of your rights, please contact us using the details in Section 15. We will respond to your request within the timeframe required by applicable law (typically 30 days for GDPR, 45 days for CCPA).

8. Data Retention

We retain your personal data for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law.

Data CategoryRetention Period
Account and profile dataDuration of your account + 30 days after deletion request
Experience data (off-chain)Duration of your account + 30 days after deletion request
Validation records (off-chain)Duration of your account + 30 days after deletion request
Blockchain records (on-chain)Permanent (immutable)
Payment and billing recordsAs required by applicable tax and accounting laws (typically 5-10 years)
Log and usage data12 months
Support communications3 years after resolution

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: Data is encrypted in transit (TLS/SSL) and at rest.
  • Access Controls: Strict role-based access controls limit who can access personal data within our organization.
  • Authentication: Secure authentication via OAuth 2.0 / OpenID Connect protocols.
  • Monitoring: Continuous monitoring for security threats and unauthorized access attempts.
  • Incident Response: Established procedures for responding to data breaches, including notification to affected individuals and authorities as required by applicable law.

While we take every reasonable precaution, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

10. Cookies and Similar Technologies

We use cookies and similar technologies to operate and improve the Platform.

10.1 Types of Cookies We Use

  • Strictly Necessary Cookies: Essential for the Platform to function, including authentication session tokens and security cookies. These cannot be disabled.
  • Functional Cookies: Remember your preferences such as language settings and theme (light/dark mode).
  • Analytics Cookies: Help us understand how you use the Platform so we can improve the user experience. These are only placed with your consent where required by law.

10.2 Managing Cookies

You can manage your cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of the Platform. Most browsers allow you to:

  • View what cookies are stored and delete them individually
  • Block third-party cookies
  • Block cookies from specific sites
  • Block all cookies
  • Delete all cookies when you close your browser

11. Children's Privacy

The Platform is not intended for use by children under the age of 16 (or the minimum age required by applicable law in your jurisdiction). We do not knowingly collect personal data from children.

If we become aware that we have collected personal data from a child under the applicable minimum age without verified parental consent, we will take steps to delete that information promptly. If you believe we may have collected data from a child, please contact us immediately using the details in Section 15.

12. Third-Party Links and Services

The Platform may contain links to third-party websites and services, including but not limited to:

  • Arbitrum blockchain explorers (e.g., Arbiscan)
  • Professional networks (e.g., LinkedIn, Indeed, Malt, Upwork)
  • Social media platforms (e.g., Bluesky, Instagram)
  • Authentication providers

We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal data.

13. AI and Automated Processing

Proovus uses artificial intelligence for certain features, including CV/Resume generation, CV import from files and experience data extraction. When we use AI:

  • AI processes your experience data to generate professional CV/Resume, extract experiences from uploaded files (PDF, DOCX) and produce summaries.
  • No automated decisions with legal or significant effects are made solely by AI without human review.
  • You retain full control over AI-generated output and can review, edit, or reject it before use.
  • AI-processed data is subject to the same security and privacy protections as all other data on the Platform.

Under applicable laws (e.g., GDPR Article 22), you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects concerning you.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:

  • We will update the "Last updated" date at the top of this page.
  • We will notify you via email or a prominent notice on the Platform where required by applicable law.
  • For significant changes affecting your rights, we may request renewed consent where required.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Proovus — Data Protection

Email: privacy@proovus.com

General Contact: contact@proovus.com

Website: proovus.com

If you are located in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.