Plain-English notice for job-seekers whose CV is processed by ProperFit Hire / Mermoid
Last updated: 6 May 2026
Version: 1.0
Published at: https://properfithire.co.uk/privacy/candidate
---
If a UK employer has uploaded your CV to ProperFit Hire to be ranked against a job they're recruiting for, this page tells you exactly what happens to your data, what your rights are, and how to contact us. We process your CV for a maximum of 7 days after the employer receives our report. We never sell your data, never share it with anyone except the employer who uploaded it, and we never use it to train AI. The scoring engine is deterministic (not machine-learning) so your data stays out of any training pipeline.
---
Brian Gillingham, t/a ProperFit Hire, Lincoln, LN2 2HL, United Kingdom.
ICO registration: ZA###### (number to follow within 7 working days of 6 May 2026).
Contact: dpo@properfithire.co.uk.
We are a Joint Data Controller with the employer who uploaded your CV — meaning we share responsibility for what happens to your data while it is in our system.
---
When an employer uploads your CV to us, we receive whatever you put on your CV. Typically that includes:
If your CV mentions:
We do not process:
---
Article 6(1)(f) UK GDPR — legitimate interests. Specifically: the employer's interest in efficient, defensible, less-biased shortlisting of candidates for an open role. We have completed a written balancing test (Legitimate Interests Assessment) confirming that this interest does not override your rights — available on request.
For special-category data on your CV (health/disability/criminal records), the additional lawful basis is Article 9(2)(b) UK GDPR and DPA 2018 Sch 1 Part 1 paragraph 1 — employment, social security, and social protection.
---
1. The Mermoid scoring engine ranks your CV against the job specification across 4 categories: Skills (35%), Experience (30%), Cultural Fit (20%), Motivational (15%) — plus retention prediction, sector compliance, and Right-to-Work classification.
2. We generate a written report explaining your rank with citations to specific passages of your CV.
3. We email the report to the employer.
4. The employer reviews the report and decides which candidates to contact.
5. We do not contact you directly unless you contact us first.
---
| Data | Retention |
|---|---|
| Your CV (the file) | **Deleted 7 days** after we send the employer the report |
| Job specification | **Deleted 7 days** after delivery |
| Audit-trail report (rank, scores, citations) | **18 months** for tribunal defensibility — unless you ask us to delete it sooner |
| Customer billing records (employer's records, not yours) | 6 years (HMRC requirement) |
| System logs (your IP address never appears here — we only get the employer's connection) | 90 days |
You can ask us to delete the audit trail before 18 months — we will, within 30 days of your request.
---
On a virtual machine in Switzerland — covered by the UK Adequacy Regulations 2021, so equivalent to UK protection. No transfers outside the UK/EEA/adequacy zone. The CV is processed in memory only and never sent to any third-party LLM API or AI training service.
---
Only the employer who uploaded it. Plus essential infrastructure providers (Microsoft Azure for hosting; Stripe for the employer's payment, who never receives your CV; Microsoft 365 for the email we send the employer). No advertisers, no analytics tools, no data brokers, no AI-training partners.
---
You have the following rights under UK GDPR. For all of them, email dpo@properfithire.co.uk. We respond within 30 days (typically same-day).
| Right | What it means | How to use |
|---|---|---|
| **Access (Art 15)** | A copy of all your data we hold + how it's been processed | Email us your name, the employer name (if known), and approximate date you applied |
| **Rectification (Art 16)** | Correct anything inaccurate | Tell us what's wrong and what's right |
| **Erasure (Art 17)** | Delete your data | Tell us your name and (if known) employer/date |
| **Restriction (Art 18)** | Pause processing while a dispute is resolved | Tell us why |
| **Data portability (Art 20)** | Get your data in a portable format | Tell us where you want it sent |
| **Object (Art 21)** | Stop us processing your data | Just tell us "I object" — we will stop within 30 days |
| **Complain to the ICO** | If you're not happy with how we've handled your request | https://ico.org.uk · 0303 123 1113 |
We cannot guarantee your CV won't already be in an existing audit trail — but we can guarantee it will not be processed again after you object.
---
The Mermoid engine produces a rank (a number) and a report (text with citations). The rank is decision-support, not a decision. Final hiring decisions are always made by a human — the employer's hiring manager — who reads our report and decides who to interview.
This means Article 22 UK GDPR (the right not to be subject to a solely automated decision) does not directly apply, but if you believe the employer has used our rank as if it were a decision (i.e. mechanically rejected you based on our score with no human review), you have the right to:
We will fully cooperate with both.
---
This notice is published at https://properfithire.co.uk/privacy/candidate. If you arrived here from an email purporting to be from us, type that URL into your browser directly to confirm. Our Companies House / sole-trader records are searchable on https://gov.uk and on the ICO register at https://ico.org.uk/ESDWebPages/Search.
---
We will update this notice if our processing changes. The "Last updated" date at the top tells you when it last changed. We do not email candidates when this notice is updated — please check back if you submitted a CV more than 6 months ago.
---
| Reason | Contact |
|---|---|
| All data-protection enquiries (SARs, erasure, complaints) | dpo@properfithire.co.uk |
| General | brian@properfithire.co.uk |
| Postal | Brian Gillingham, ProperFit Hire, Lincoln LN2 2HL, United Kingdom |