PRIVACY POLICY

1. Introduction

This privacy policy is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”) in order to describe the methods by which CVing S.r.l. with Sole Shareholder, having its registered office at Via Tortona, 33 – 20144 Milan (MI), Tax Code 02297530442, VAT No. 04681350270, REA MI – 2515112, Definitive Authorization ANPAL No. 0000142 of 28/11/2023 (“CVing” or the “Company”), processes the personal data of natural persons who interact with its digital services.

CVing is an Employment Agency authorized to carry out personnel search and selection activities, providing companies and candidates with a digital platform for managing recruitment processes.

This privacy policy applies to all subjects who interact with the website www.cving.com, the related platform and any connected subdomains or applications (for example recruiters.cving.com), hereinafter jointly referred to as the “Services”, regardless of their category of membership (collectively, the “Users”). 

In particular, this privacy policy applies to:

• Candidates: natural persons who register for the Services in order to create a personal profile, upload their curriculum vitae or other materials, apply for job offers, participate in selection processes or use the functionalities made available by CVing, including within the scope of personnel search and selection activities.
• Information Requesters: Users, including unregistered Users, who contact CVing through the website, contact forms, e-mail address or other official channels, in order to obtain assistance, information on the Services, the Company’s activities or promotional initiatives.
• Corporate Users (companies): natural persons acting in the name and on behalf of companies, entities or organizations that are customers or potential customers of CVing, who interact with the Company within the framework of commercial or pre-contractual relationships, including for the use of the Services offered through the Platform.
  This category includes company representatives, delegates, professional contacts and other persons authorized by customer or prospect companies to communicate with CVing for contractual, administrative, commercial or personnel search and selection purposes.
• Recruiters: natural persons appointed by customer companies (Corporate Users) to use the platform for managing recruitment processes, consulting Candidates’ professional profiles and communicating with Candidates.
  Recruiters’ access to the platform takes place exclusively upon authorization and account creation by CVing, following the execution of a contract between CVing and the relevant customer company and the transmission of the names of the persons to be enabled for access.
• Unregistered Users: natural persons who browse the website or interact with the Services without registering or logging in, for example to consult informational content, events or service pages.

Users, whether registered or not, are invited to review the Cookie Policy, which forms an integral part of this privacy policy, for further details on cookies and consent preferences.

2. Data Controller and Data Protection Officer (DPO)

The Data Controller of the personal data of Users who use the Services is CVing S.r.l., which can be contacted at the e-mail address privacy@cving.com.

With regard to Candidates’ data, where Users apply for a specific position, the data controller for the specific application is the company to which the application is addressed, whose privacy policy will be available in the manner indicated by such company, while CVing acts as a data processor. In certain cases, however, CVing also acts as a data controller with reference to specific job offers, when it directly conducts personnel search and selection activities in its capacity as an authorized Employment Agency (Definitive Authorization ANPAL No. 0000142 of 28/11/2023).

CVing has appointed a Data Protection Officer (DPO), who can be contacted at: dpo@cving.com.

3. Purposes and Legal Bases of the Processing

3.1 Registration for and Use of the Services by Candidates
Candidates’ personal data are processed in order to allow the creation and management of the account, completion of the professional profile, application for job offers, participation in interviews and tests and, in general, the use of the Services (including personnel search and selection).

The legal basis for the processing is the performance of pre-contractual or contractual measures requested by the data subject (Article 6(1)(b) GDPR).

The provision of data is necessary in order to access the Services; failure to provide such data will make it impossible to use the Services.

Any data belonging to special categories (e.g. membership of protected categories pursuant to Law No. 68/1999) are processed pursuant to Article 9(2)(b) GDPR and only if relevant to the selection purposes; any data relating to criminal convictions and offences pursuant to Article 10 of Regulation (EU) 2016/679 may be processed only where required by law.

In certain sections of the Services, access may also be obtained through social login, i.e. using the credentials of an account associated with a third-party platform (for example Google).
The use of social login implies acceptance of the privacy policy of the relevant social network, which acts as an independent data controller for the data thus acquired.

3.2 Access to and Use of the Services by Corporate Users and Recruiters
CVing processes the personal data of Corporate Users and Recruiters for purposes related to the management of pre-contractual and/or contractual relationships and to the use of the platform.

In particular, data are processed in order to:

• manage commercial relationships and send informational and promotional communications relating to CVing’s services, in compliance with the principle of lawfulness and within the limits of any consent given and any contract executed;
• enable the performance of the technical, organizational and operational activities necessary for the provision of the Services provided for in the contract entered into between CVing and the customer company;
• allow access to and use of the reserved area for Recruiters available at recruiters.cving.com, managing the personal credentials created by CVing;
• manage communications and technical support with company contacts, ensuring the proper functioning of the platform.

Recruiters’ access to the platform does not take place autonomously: personal credentials are generated by CVing following execution of the contract with the relevant customer company, which identifies the persons authorized to use the Services.

• The legal bases for the processing are:
  the performance of the contract entered into with the customer company or the adoption of pre-contractual measures (Article 6(1)(b) GDPR);
• CVing’s legitimate interest in maintaining commercial relationships and promoting its services (Article 6(1)(f) GDPR), limited to already acquired professional contacts and subject to the right to object, including by contacting privacy@cving.com;
• and, for the sending of personalized promotional communications, the data subject’s consent (Article 6(1)(a) GDPR).

The provision of personal data is necessary in order to manage the Service.
Failure to provide such data will result in the impossibility of activating or using the account or managing the contractual relationship with the relevant company.

3.3 Management of Users’ Support, Contact or Information Requests
CVing processes the personal data of individuals who contact the Company through the website, contact forms, e-mail address or other official channels (such as Customer Support) solely for the purpose of managing assistance or information requests relating to the Services offered, CVing’s institutional or promotional activities, and for providing responses to the communications received.

The data voluntarily provided by the User (such as name, e-mail address, telephone number or message content) are used exclusively to handle the request and for purposes strictly related thereto.

The legal bases for the processing are:

• the performance of pre-contractual measures or a request of the data subject (Article 6(1)(b) GDPR), where the contact is made to receive assistance, obtain information on a CVing Service or initiate a contractual relationship;
• CVing’s legitimate interest in ensuring proper management of communications and providing responses to requests received (Article 6(1)(f) GDPR), subject to the right to object, including by contacting privacy@cving.com.

Only with the User’s express consent may the data also be used for sending informational or promotional communications regarding CVing’s Services (Article 6(1)(a) GDPR).

The provision of data is optional but necessary in order to receive a response; failure to provide such data will make it impossible for CVing to provide the requested assistance or information.

3.4 Sending of Informational, Functional and Promotional Communications
CVing may process Users’ personal data for communication and update purposes relating to its Services and related activities.

In particular:

• functional or technical communications concern the operation of the website/platform, account management, provision of requested Services, technical maintenance or system security. Such communications are necessary for the performance of the contract or the provision of the requested Service, and the legal basis is Article 6(1)(b) GDPR;
• informational or promotional communications (e.g. newsletters) are optional and concern updates, initiatives, job offers, events or news relating to CVing’s Services or selected partners, possibly personalized based on the User’s profile. In this case, the legal basis is the data subject’s consent pursuant to Article 6(1)(a) GDPR and, where applicable, Article 130(4) of Legislative Decree No. 196/2003.

Any consent given may be withdrawn at any time by clicking on the unsubscribe link (“Unsubscribe” or “Unsubscribe Preferences”) included in each communication, or by writing to privacy@cving.com.

Failure to give consent does not affect the use of the main Services, but results in the impossibility of receiving updates or promotional communications at the contact details provided by the User.

3.5 Enabling Navigation and Managing the Website (Browsing Data, Technical Logs, Cookies and Other Trackers)
During navigation of the Services, the IT systems and software procedures acquire certain personal data whose transmission is implicit in the use of Internet communication protocols (e.g. IP addresses, device identifiers, URI/URL of requested resources, request times, size of response files, numerical code indicating the status of the server response, parameters relating to the operating system and the User’s IT environment). Such information is processed solely for the purpose of ensuring the operation, security and maintenance of the Services, as well as for obtaining aggregated statistics on the use of the Services.

The legal basis is the Data Controller’s legitimate interest (Article 6(1)(f) GDPR).

CVing Services also use technical cookies (necessary for operation, security and provision of the Services) and, subject to consent, cookies and similar technologies for statistical/analytical and marketing/profiling purposes, including third-party cookies. Consent preferences are managed through the dedicated banner/panel (CMP) and may be modified at any time by the User.

Details on cookies and consent preferences are governed by the Cookie Policy.

3.6 Security and Investigations
CVing will process Users’ data in order to investigate any violations of the terms of use of the Services and where investigations are necessary for security purposes and the protection of Users. The legal basis for the processing is Article 6(1)(f) of Regulation (EU) 2016/679, namely CVing’s legitimate interest in preventing abuse or fraud in the use of the Services offered.

3.7 Legal Obligations / Authorities’ Orders / Protection of Rights
CVing will also process Users’ personal data in order to comply with specific legal provisions and may be required to transmit such personal data to third parties where required by law, by an order of a judicial authority or in the context of judicial proceedings, for the purpose of protecting the rights of Users, CVing or third parties. Where deemed appropriate in good faith, CVing undertakes to inform Users of requests for disclosure of their data, unless prohibited by law or by an authority order. The legal basis for the processing is Article 6(1)(c) of Regulation (EU) 2016/679.

4. Processing Methods and Use of Automated Technologies

The processing of personal data is carried out using electronic, IT and, where necessary, paper-based tools, in compliance with the principles of lawfulness, fairness, transparency, proportionality and security set forth in Regulation (EU) 2016/679 (GDPR).

Communications between the User’s browser and CVing’s systems take place via secure protocols (e.g. TLS/HTTPS), and technical and organizational measures are adopted to prevent unauthorized access and data loss.

CVing adopts appropriate technical and organizational measures pursuant to Article 32 GDPR, aimed at ensuring the confidentiality, integrity and availability of data, as well as preventing unauthorized access, loss or improper use of the processed information.

Processing is carried out mainly through computerized systems and automated procedures, with appropriate levels of human oversight and logic strictly related to the stated purposes.

Processing operations may include collection, recording, organization, storage, consultation, processing, non-automated profiling, extraction and use of data, always in compliance with the principles of data minimization and storage limitation.

CVing may also use artificial intelligence and machine learning technologies to support and optimize:

• personnel search and selection activities;
• personalization and improvement of the User experience on the website/platform;
• management and analysis of applications and professional profiles;
• provision of informational, communication and technical support services.

Such systems operate in compliance with the principles of transparency, fairness and explainability, and are designed not to result in automated decision-making processes producing legal effects or significantly affecting the data subject pursuant to Article 22 GDPR.

Any automated assessment or selection is always subject to human supervision, and final decisions remain entrusted to qualified personnel.

CVing also carries out periodic checks on the reliability, accuracy and non-discrimination of the algorithms used, adopting appropriate measures to reduce the risk of errors, bias or distortions in the results generated by the technologies employed.

5. Data Retention Period

Personal data are retained for a period proportionate to the purposes for which they were collected and processed, in compliance with the principles of storage limitation and data minimization pursuant to Article 5(1)(e) GDPR.

In particular:

• Candidates: data are retained for the entire duration of the account registration and for a maximum period of 48 months from the last interaction with the Services, in order to enable the management of potential new professional opportunities or profile updates. After this period, data will be deleted or anonymized, unless further retention is necessary for the establishment or defense of legal claims or to comply with legal obligations.
• Recruiters and Corporate Users: data are retained for the duration of the contract entered into between CVing and the customer company and thereafter for a maximum period of 10 years from termination of the relationship, in compliance with civil, tax and accounting obligations, as well as for the protection of the Company’s rights.
• Information Requesters: data are retained for the time necessary to manage and respond to the request and, in any case, no longer than 12 months from receipt of the request, unless further relationships or subsequent contacts exist.
• Data used for marketing or newsletter purposes: retained until withdrawal of consent by the data subject or, in the absence of withdrawal, for a maximum period of 24 months from the last meaningful contact with CVing.
• Cookies and tracking preferences: retention periods for cookies (technical, analytical, profiling) and consent preferences are indicated in the Cookie Policy and in the consent management panel (CMP).

At the end of the above retention periods, data will be deleted, anonymized or securely archived with restricted access, where necessary for legal obligations or defense purposes.

6. Data Recipients and International Transfers

Users’ personal data may be disclosed, within the limits strictly relevant to the purposes indicated above, to the following categories of recipients:

• customer companies or partners of CVing or belonging to the same corporate group of which CVing is part, where necessary for the management of applications, performance of the contract or personnel search and selection activities;
• providers of technical, IT and management services, including hosting providers, system maintenance providers, communication management providers, cloud platforms or technical support and digital marketing services, duly appointed, where applicable, as data processors pursuant to Article 28 GDPR; 
• professional consultants, collaborators and external parties assisting CVing for administrative, accounting, legal or internal control purposes, always subject to specific confidentiality agreements and processing instructions;
• public authorities or supervisory bodies, where required by law or by orders of judicial or administrative authorities.

Personal data are stored within technological infrastructures located in the territory of the European Union.

Where, for technical or organizational reasons, transfers to third countries are necessary, CVing ensures that such transfers take place exclusively to countries subject to an adequacy decision by the European Commission pursuant to Article 45 GDPR, or on the basis of the execution of Standard Contractual Clauses adopted by the European Commission pursuant to Article 46 GDPR, or other appropriate safeguards to protect data subjects’ rights.

In any case, CVing ensures that external providers adopt technical and organizational measures suitable to guarantee a level of data protection no lower than that required by the GDPR.

7. Data Subjects’ Rights

At any time, pursuant to Articles 15–22 GDPR and depending on the type of processing carried out, it is possible to exercise the right to:

• obtain confirmation as to whether or not personal data concerning you exist;
• obtain information on the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom personal data have been or will be disclosed and, where possible, the retention period;
• obtain rectification and erasure of the data;
• obtain restriction of processing;
• obtain data portability, i.e. receive the data from CVing in a structured, commonly used and machine-readable format and transmit them to another data controller without hindrance;
• object to processing, including processing for direct marketing purposes;
• withdraw consent to the processing of the data provided;
• object to automated decision-making processes relating to natural persons, including profiling;
• lodge a complaint with the Data Protection Authority or another competent supervisory authority.

These rights may be exercised by sending a written request to CVing at the e-mail address privacy@cving.com.

8. Final Provisions

This document is drafted in the Italian language and may be translated and made available by CVing, for explanatory purposes only, also in one or more foreign languages. The only version having legal validity is the Italian version. Therefore, in the event of any discrepancies, inconsistencies, or conflicts between the Italian version and any foreign-language translation of this document, the provisions of the Italian version shall prevail in all cases.

https://media.cving.com/privacy-policy/ 

9. Updates

CVing may amend this privacy policy at any time to adapt it to regulatory changes or modifications to its services.
Updated versions will be published on the website and made available through the platform, indicating the date of the last update; in the event of significant changes, Users will be informed through other communication channels.

Last update: 06.02.2026

This document replaces any previously available specific privacy policies, which may be requested by writing to privacy@cving.com.