Privacy notice
Last updated: 5 May 2026
Plain-English summary. I'm Brian Gillingham, a
UK-based recruitment consultant. I receive job specs and CVs from
clients, score them with my Mermoid platform, and return a
ranked, citation-backed report within 24 hours. CVs and job specs
are deleted 7 days after delivery; audit reports are kept for 18 months
for tribunal defensibility unless you ask me to delete sooner.
I never sell or share your data with third parties.
1. Who is the data controller?
Brian Gillingham, t/a ProperFit Hire, Lincoln, LN2 2HL, United
Kingdom. ICO registration is in process at the time of writing;
enquiries to brian@properfithire.co.uk.
2. What data is processed?
- Customer data (name, email, company, billing details)
when you sign up or place an order.
- Candidate data (CV contents, including names,
contact details, employment history, qualifications, RTW status,
DBS references) when uploaded by a customer for cohort scoring.
- Job specification data (role, salary,
requirements) provided by the customer.
- System logs (IP address, request timestamps)
retained for security purposes for 90 days.
3. Lawful basis (UK GDPR)
- Customer data: Article 6(1)(b) — performance
of contract.
- Candidate data: Article 6(1)(f) — legitimate
interests of the customer in conducting recruitment, with
Article 6(1)(b) flowdown when a candidate enters a hiring
process. The candidate retains all UK GDPR rights including
the right to object (Art. 21).
- Special-category data (health, criminal-record-related
DBS data): Article 9(2)(b) and Schedule 1 Part 1 paragraph 1
of the Data Protection Act 2018 — employment, social
security, and social protection.
4. Retention
- CVs + job specs: deleted 7 days after report delivery.
- Audit reports + scoring metadata: 18 months
(the limitation period for typical employment-tribunal claims),
unless you ask me to delete sooner.
- Customer billing records: 6 years (HMRC tax-record requirement).
- System logs: 90 days, then automatically purged.
5. Where data is stored
Mermoid runs on a virtual machine in a European data-residency region
(Switzerland North, EU-equivalent under the UK adequacy regulations
for Switzerland). CV contents are processed in-memory only and never
sent to third-party LLM APIs, SaaS embedders, or other processors.
The scoring pipeline is fully deterministic, which means the model
cannot retain or train on your data.
6. Sub-processors
A short, transparent list:
- Microsoft Azure — VM hosting (Swiss data centre).
- Stripe — payment processing only;
receives transaction details, NOT candidate data.
- Outlook / Microsoft 365 — for the email I
send you with the delivered report.
No other sub-processors. No analytics. No advertising trackers.
7. Your rights
Under UK GDPR you can exercise the rights of access, rectification,
erasure, restriction, portability, and objection. To exercise any
of these, email me. I respond within 30 days (typically same-day).
You also have the right to complain to the
UK Information Commissioner's Office.
8. Automated decision-making
Mermoid's scoring is decision-support, not solely automated
decision-making. Final hiring decisions are always made by
a human (the customer's hiring manager). Per the ICO's April 2026
guidance, where a human merely "rubber stamps" the AI ranking, that
becomes ADM under Article 22; my reports are designed to support
meaningful human review with citations and signal evidence so the
human can substantively challenge any rank position.
9. Candidate-specific notice
If you are a candidate whose CV has been processed: contact me
directly to request access, correction, or erasure. I will respond
within 30 days. I do not contact candidates directly without my
customer's authorisation.