Privacy Policy

Last updated: 2026-04-20

1. Introduction

This Privacy Policy explains how Medicalware S.r.l. ("Shortli", "we", "us") collects, uses, shares, and protects personal data when you use our recruiting SaaS platform. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR - EU Regulation 2016/679) and applicable Italian data protection laws.

2. Data Controller

The Data Controller is:

Medicalware S.r.l.
Via della Ricerca Scientifica, Rome, Italy
VAT: IT12651051000
Email: info@medicalware.it

For Candidate Data uploaded by Users, the User is the Data Controller and Shortli acts as Data Processor.

3. Data Collected

We collect and process the following categories of personal data:

- Account Data: name, email address, profile picture (obtained via Google or Microsoft OAuth).
- Candidate Data (uploaded by Users): full name, email, phone number, date of birth, location, LinkedIn/GitHub URLs, work experience, skills, education, languages, salary information, availability, work preferences, and full CV text.
- Billing Data: fiscal entity type, business name or personal name, VAT number, tax ID (codice fiscale), SDI code, PEC email, billing address. Payment card details are processed exclusively by Stripe and never stored on our servers.
- Usage Data: API operations performed, AI model usage (tokens consumed), search queries, email sending logs (recipient, subject, timestamp, status), activity history on candidates.
- Technical Data: IP address, browser type, device information collected automatically during access to the Service.

4. Legal Basis for Processing

We process personal data based on the following legal grounds:

- Contract performance (Art. 6(1)(b) GDPR): processing necessary to provide the Service, manage your account, process payments, and fulfill our contractual obligations.
- Legitimate interest (Art. 6(1)(f) GDPR): improving the Service, preventing fraud, ensuring security, and sending service-related communications.
- Legal obligation (Art. 6(1)(c) GDPR): compliance with tax, accounting, and invoicing requirements under Italian law.
- Consent (Art. 6(1)(a) GDPR): where specifically required, such as for optional email permissions via OAuth.

5. Purposes of Processing

We process personal data for the following purposes:

- Providing and maintaining the Service
- User authentication and account management
- CV analysis using artificial intelligence (metadata extraction, skill identification, candidate matching)
- Generating semantic embeddings for candidate search functionality
- Sending emails on behalf of Users to candidates
- Processing payments and managing subscriptions
- Generating and submitting electronic invoices (Italian SDI system)
- Sending system notifications (trial reminders, billing alerts, team invitations)
- Monitoring service usage and enforcing plan limits
- Improving and developing new features

6. Third-Party Data Processors

We share personal data with the following third-party processors, each bound by data processing agreements:

- Anthropic, LLC (USA): CV text analysis, candidate ranking, and natural language processing via Claude AI models.
- Google Cloud Platform (USA): secure storage of uploaded CV files; authentication via Google OAuth; email sending via Gmail API.
- Microsoft Corporation (USA/EU): authentication via Azure AD; email sending via Microsoft Graph API.
- Stripe, Inc. (USA): payment processing and subscription management. Stripe is PCI-DSS certified.
- Resend, Inc. (USA): delivery of system transactional emails.
- FattureInCloud / TeamSystem (Italy): electronic invoice generation and SDI submission.
- Hugging Face, Inc. (USA): generation of text embedding vectors for semantic search.
- MongoDB, Inc. (USA/EU): database hosting via MongoDB Atlas.

7. International Data Transfers

Some of our third-party processors are located in the United States. For these transfers, we rely on:

- EU Standard Contractual Clauses (SCCs) approved by the European Commission
- The processor's certification under recognized frameworks
- Supplementary technical and organizational measures to ensure adequate protection

You may request a copy of the applicable transfer safeguards by contacting us at info@medicalware.it.

8. Data Retention

- Active account data: retained for the duration of your active account and Subscription.
- Deleted data: when you delete items (CVs, shortlists, job descriptions, clients), they are moved to a trash folder. Data remains in the trash until you permanently delete it manually. Once permanently deleted, data is removed from our systems and cannot be recovered.
- Billing records: retained for 10 years as required by Italian tax law.
- Usage logs: retained for 24 months for service improvement and dispute resolution.

Upon account deletion, all associated personal data is permanently removed, except where retention is required by law.

9. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

- Right of access: obtain confirmation of whether your data is being processed and receive a copy.
- Right to rectification: correct inaccurate or incomplete data.
- Right to erasure: request deletion of your personal data when it is no longer necessary for the purposes collected.
- Right to data portability: receive your data in a structured, machine-readable format.
- Right to restriction: request limitation of processing in certain circumstances.
- Right to object: object to processing based on legitimate interest.
- Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
- Right to lodge a complaint: file a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) at www.garanteprivacy.it.

To exercise your rights, contact us at info@medicalware.it. We will respond within 30 days.

10. Cookies

Shortli uses only essential cookies required for the Service to function:

- Session cookie (next-auth.session-token): maintains your authenticated session. This is a technical cookie strictly necessary for the Service.
- Locale cookie (NEXT_LOCALE): stores your language preference (English or Italian).

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. No consent banner is required as we only use strictly necessary cookies.

11. Security Measures

We implement appropriate technical and organizational measures to protect personal data, including:

- Encryption of data in transit (TLS/HTTPS)
- OAuth-based authentication (no passwords stored)
- JWT token-based sessions with expiration and refresh rotation
- Access controls and organization-level data isolation
- Signed webhook verification for payment processing
- Regular security monitoring
- Principle of least privilege for service accounts

12. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through a notice within the Service at least 30 days before taking effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

14. Contact

For any questions or requests regarding this Privacy Policy or your personal data, contact us at:

Medicalware S.r.l.
Via della Ricerca Scientifica, Rome, Italy
VAT: IT12651051000
Email: info@medicalware.it