Privacy Policy

ENZROSSI SOFTWARE SOLUTIONS LTDA. ("EnzRossi," "we," "us," or "our") operates the Vetted talent platform ("Platform"). This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use the Platform.

We are the data controller for the personal data processed through the Platform, as defined in the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, "LGPD," Lei nº 13.709/2018) and, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").

This policy applies to candidates, company representatives, referral partners, and anyone else whose personal data we process through the Platform. By creating an account or using the Platform, you confirm you have read and understood this policy.

Data Controller

• Legal name: ENZROSSI SOFTWARE SOLUTIONS LTDA.
• CNPJ: 54.763.387/0001-67
• Registered address: Av. Bento Munhoz da Rocha Netto, 632, Salas 201 e 204, Ed. Torre Norte SLJ 2, Zona Industrial, CEP 87.030-010, Maringá-PR, Brazil
• Website: enzrossi.com

Data Protection Officer (Encarregado, LGPD Art. 41)

• Name: Matheus Georges Helal
• Email: privacidade@enzrossi.com

Our DPO handles all questions, requests, and complaints related to personal data. Please use the privacy address above rather than general support when exercising your rights or reporting a privacy concern.

Scope and territoriality. EnzRossi is established in Brazil and processes data primarily under the LGPD. We do not have an establishment, branch, or representative in the European Union. When EU residents apply through the Platform, we process their data in line with GDPR requirements as a non-EU controller and you may contact our DPO directly for any GDPR-related requests. We will appoint an EU Article 27 representative if our activities targeting EU residents become regular and systematic.

From Candidates:

• Identity information: full name, email address, country, city, nationality, preferred timezone
• Optional profile picture (avatar) uploaded by you
• Professional information: skills, years of experience, seniority level, availability, languages spoken
• Application materials: CV/résumé (PDF), written answers, video responses (intro video and per-question recordings)
• Compensation preferences: salary expectations and preferred contract types (never shared with clients)
• Behavioral assessment results: self-rating answers, situational judgment responses, computed dimension scores, and profile classification
• AI follow-up answers: short responses to AI-generated questions about gaps between your CV and a specific role (see Section 4 below)
• Referral information: referral code used and referred-by relationship
• Account credentials: email address (passwordless — we use magic links and one-time codes via Supabase Auth)

From Company Contacts:

• Contact name and company name provided during onboarding
• Email address used for portal access and communications
• Portal interaction data (candidate views, stage updates)

From Referral Partners:

• Full name, email address, referral code
• Referral activity: referred candidates, conversion events, earnings history

Automatically collected:

• Authentication session data (tokens, last sign-in)
• Device and browser information for security purposes
• With your consent only, analytics events from Google Analytics 4 (page views, navigation, conversion actions) and Sentry Session Replay (a recording of your browser interactions that helps us debug crashes). Neither of these load until you accept analytics in the cookie banner — see Section 10.

We use the data we collect to:

• Create and manage your account and authenticate your identity
• Evaluate candidate profiles for placement in client positions
• Match candidates with relevant open positions using AI-assisted tools (see Section 6)
• Communicate with you about your application status, pipeline updates, or platform changes
• Process and track referral rewards
• Generate internal analytics to improve matching quality
• Enforce our Terms & Conditions and comply with legal obligations
• Detect and prevent fraud, abuse, or unauthorized access

Under the LGPD (Art. 7) and the GDPR (Art. 6), we must have a valid legal basis for each processing activity. The table below maps the activities we run on the Platform to the basis we rely on.

When we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. When we rely on legitimate interest, you can object and we will reassess the balance between our interests and your rights.

We use AI services (currently Anthropic Claude) and deterministic algorithms at specific points in the candidate experience. This section is your disclosure under LGPD Art. 20 (right to review of automated decisions) and GDPR Art. 22 (automated individual decision-making, including profiling).

Where AI and algorithmic processing happen

• CV parsing. When you upload your CV, the file is sent to Anthropic Claude to extract structured fields (name, email, skills, work history, education, seniority). We use the parsed output to pre-fill your profile so you do not have to retype it. You review and can correct every field before submitting.
• Position gap analysis. When you apply to a specific role, we compare your parsed CV against the requirements and ask Claude to generate up to three short follow-up questions about gaps it spots. Your answers are stored on your draft and, on submission, saved alongside your candidate record so the team reviewing your application can see them. These answers are never shared with client companies unless they appear in your profile content.
• Match recommendations. When our team puts your profile in front of a client for a specific role, Claude drafts a short recommendation (summary, strengths, attention points). Our team reviews and edits the draft before the client sees it. The client only ever sees the human-approved version.
• Behavioral scoring (deterministic, not AI). The behavioral assessment is scored by our own code, not by AI. No AI service sees your assessment answers. The score produces eight 0-100 dimension scores and one of four profile classifications (self-aware, modest, overconfident, spot-blind) using a fixed formula.
• Match scoring (deterministic, not AI). When ranking candidates against a role, we compute a 0-100 match score from three signals: skills coverage, seniority fit, and behavioral fit against the dimensions the team prioritized for that role. The formula is fixed and the same for every candidate.

Significance and consequences (LGPD Art. 20 / GDPR Art. 22)

• None of these signals make a final decision about you on their own. Approval, resubmission, and rejection at every stage are made by a person on our internal review team, not by an automated system. Behavioral classifications and match scores inform which roles you are considered for and the order in which our team reviews profiles, but a human is always in the loop before any outcome that affects you.
• You have the right to request a review of any automated processing tied to your profile, including the behavioral classification and match scores. We will explain the logic, the inputs we used, and the outcome, and a human reviewer will re-evaluate if you ask us to.
• You can request a copy of any AI-generated content tied to your profile, or ask us to re-run a step (for example, after you update your CV).

How AI providers handle your data

• Anthropic processes your data on our behalf under a data processing agreement. Anthropic operates a zero-retention policy for API inputs and outputs on the tier we use, meaning your CV and answers are not retained by Anthropic for training or beyond the time needed to return a response.
• We do not allow AI providers to use your data for their own model training or for any purpose other than returning the response we ask for.

To exercise any of the rights described in this section, contact our DPO at privacidade@enzrossi.com.

We do not sell your personal data. We share data only in the circumstances described below.

With client companies (controllers in their own right)

A privacy-limited view of your profile is shared with client companies you have been matched with, through a secure client portal. The portal only exposes your candidate code (e.g. VTD-XXXXX), seniority, skills, languages, intro video, behavioral profile, and the human-approved match recommendation. Your name, email, phone, LinkedIn, city, salary expectations, and current employer are never shown to clients until you accept an offer. Work history is shown with company names replaced by "Confidential company." Once a client receives that view, they become an independent controller for the data they retain inside their own hiring systems and they are bound by our Terms to use it only for legitimate hiring evaluation.

Service providers (operators / processors)

The following providers process personal data on our behalf under data processing agreements. Each provider is contractually bound to act only on our instructions and to apply security measures appropriate to the data we entrust to them.

• Supabase, Inc. (United States) — managed Postgres database, authentication, and private file storage (CVs, intro videos, per-question videos, profile pictures).
• Vercel, Inc. (United States) — application hosting, server-side rendering, and edge delivery for the Platform.
• Anthropic, PBC (United States) — AI services for CV parsing, position-gap questions, and match recommendation drafting (see Section 6). Zero-retention API tier; no training on your data.
• Resend, Inc. (United States) — transactional email delivery (account, application status, reminders, interview invites).
• Google LLC (United States) — Google Calendar and Google Meet for interview scheduling when an interview is booked. We only access the calendar of the interviewer who connected their account; we do not read candidate calendars.
• Google LLC — Google Analytics 4 (United States) — audience analytics (page views, navigation, conversion events). Loaded only after you accept analytics in the cookie banner. We enable IP anonymisation and do not enable advertising features, ad personalisation, or Google Signals.
• Google LLC — Search Console (United States) — aggregated reporting on how our public pages appear in Google Search results. Search Console reads our public content; it does not set cookies on your browser and does not need consent.
• Functional Software, Inc. (Sentry) (United States) — crash and error reporting (always on, legitimate interest) and Session Replay (loaded only after you accept analytics in the cookie banner). Session Replay records the actions you take in your browser to help us reproduce bugs; we mask all input fields by default.

A current list of our sub-processors lives at /subprocessors. We update it whenever a sub-processor is added, removed, or replaced.

Legal compliance

If required by law, court order, or governmental authority, we may disclose personal data to comply with applicable regulations. We push back on overbroad requests where we have grounds to do so.

Salary expectations, internal ratings, team notes, your CV file, and our internal scoring details are never shared with clients, candidates, or referral partners.

Most of our service providers process data outside Brazil, primarily in the United States and the European Union. The LGPD (Art. 33 to 36) and the GDPR (Chapter V) require specific safeguards for those transfers. Here is how we cover them:

You can ask our DPO at privacidade@enzrossi.com for a copy of any specific transfer mechanism (for example, the relevant SCCs) we rely on for your data.

We retain personal data only as long as we need it for the purpose we collected it for, plus any period required by law. The table below sets out the retention period for each major category of data we hold.

Self-service deletion. You can delete your account from Settings → Danger zone. Deletion is immediate and irreversible. We do not hold a grace window. We send a confirmation email after the wipe so you have a paper trail of what we removed.

Manual deletion requests. If you cannot reach Settings (for example, while a rejection cooldown is active), email our DPO at privacidade@enzrossi.com. We will process your request within 15 days under the LGPD (Art. 19) and within 30 days under the GDPR (Art. 12), subject only to legal obligations that require us to retain specific records.

We split cookies into two categories: strictly necessary (always on — the product would break without them) and analytics & product improvement (off by default; loaded only after you accept them in the banner that appears on your first visit). We do not use advertising cookies, tracking pixels, fingerprinting, or cross-site identifiers.

You can change your decision at any time using the "Manage cookies" link in the footer of every page. Withdrawing consent does not affect the lawfulness of processing carried out while consent was active.

Strictly necessary cookies

Analytics & product improvement (opt-in)

These cookies and scripts only load after you click Accept all on the banner or toggle Analytics on in the customize sheet. If you reject or never decide, none of the items below are loaded or set.

Always-on observability (no cookies set). Even when you reject analytics, we run Sentry error and performance reporting in the background so we can detect crashes. This piece does not set cookies on your browser, does not record your screen, and only sends an event when something goes wrong. We rely on legitimate interest for this (LGPD Art. 7, IX; GDPR Art. 6(1)(f)).

Google Search Console. We use Search Console to see how our public pages perform in Google Search. Verification is done via a meta tag on the site; Search Console reads our pages directly and does not set cookies on your browser.

Local storage and session storage. We store a handful of UI helpers in the browser (referral attribution, a one-time toast key, the cookie consent decision above, and a once-per-session portal-view dedupe marker). None of these leave your device.

Disabling strictly necessary cookies will break sign-in, application drafts, and portal access. We do not have a way to run the service without them. Rejecting analytics has no effect on your access to any feature.

We implement industry-standard security measures to protect your personal data:

• Authentication is passwordless and managed via Supabase Auth. Sign-in uses a one-time 6-digit code and a magic link sent to your email; there is no password stored anywhere.
• All data is encrypted in transit using TLS.
• Row-Level Security (RLS) policies enforce strict data access controls at the database level. Each user type can only access data relevant to their role.
• Files (CVs, intro videos, per-question videos, profile pictures) are stored in private buckets. Access requires a short-lived signed URL.
• Internal ratings, salary expectations, your CV file, and team notes are restricted to authenticated internal team members only.
• Client portal access tokens are non-guessable UUIDs with optional expiry and can be revoked at any time.
• Google Calendar OAuth tokens (used for interview scheduling) are encrypted at rest with AES-256-GCM.

While we take reasonable steps to protect your data, no system is completely secure. Keep access to your sign-in inbox safe, and contact us immediately if you suspect unauthorized access to your account.

Under the LGPD (Art. 18) and the GDPR (Articles 12 to 23), you have the rights listed below. They apply regardless of whether you reached us through Brazil or another country, and they are free to exercise.

• Confirmation and access. Confirm whether we process your personal data and request a copy of it.
• Correction. Request correction of inaccurate, incomplete, or outdated data. Most fields can be edited directly from your dashboard.
• Anonymization, blocking, or deletion. Request that we anonymize, block, or delete unnecessary, excessive, or unlawfully processed data.
• Erasure. Request the deletion of personal data processed with your consent. You can also delete your entire account from Settings → Danger zone.
• Portability. Receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
• Information about sharing. Receive information about the public and private bodies with which we have shared your data.
• Information about consent. Receive information about the option to refuse consent and the consequences of that refusal.
• Withdraw consent. Withdraw any consent you gave us at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Marketing preference toggles in Settings flip consent off immediately.
• Object to processing. Object to processing based on our legitimate interest, including profiling. We will stop unless we can show overriding grounds.
• Restriction of processing. Ask us to restrict processing in specific circumstances, for example while we verify a correction request.
• Review of automated decisions. Request human review of any automated decision or profiling that affects you, as described in Section 6.
• Lodge a complaint. Lodge a complaint with the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados, ANPD) at gov.br/anpd. If you live in the European Union or the United Kingdom, you can lodge a complaint with your local data protection authority. We always prefer to hear from you first so we can try to resolve the issue directly.

How to exercise your rights. Email our Data Protection Officer at privacidade@enzrossi.com. We will respond within 15 days under the LGPD and within 30 days under the GDPR. If we need more time for a complex request, we will tell you why and confirm the new timeline.

If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, "CCPA"), gives you the rights set out in Section 12, plus the specific notices below.

Categories of personal information we collect

• Identifiers (name, email, phone, candidate code, IP address)
• Personal information categories listed in Cal. Civ. Code § 1798.80(e) (signature, employment history, education)
• Professional or employment-related information (CV, work history, skills, languages, salary expectations)
• Education information
• Internet or other electronic network activity (sign-in events, portal opens with hashed IPs)
• Inferences drawn from the categories above (behavioral profile classification, match scores), as described in Section 6
• Audio and visual information you upload yourself (intro videos, per-question videos, profile picture)

Sources of information. Directly from you (apply flow, Settings, profile edits), from referrers (when someone uses your referral link), and from our internal team (review notes and ratings). We do not buy candidate data from third-party data brokers.

Business purposes. The same purposes described in Section 4 (operate the Platform, evaluate and match candidates, comply with legal obligations, prevent fraud).

Disclosure for business purposes. We disclose personal information to the service providers listed in Section 7 strictly for the business purposes described here. Each provider is contractually bound under a service-provider agreement that prohibits using the data for any other purpose.

Sale or sharing of personal information. We do not sell personal information for monetary consideration and we do notshare personal information for cross-context behavioral advertising. There is nothing for you to opt out of in that respect, but you still have the right to send us a "Do Not Sell or Share My Personal Information" request and we will record that we received it.

Sensitive personal information. The CCPA treats some of the categories we collect (such as account credentials) as sensitive personal information. We use it strictly for the purposes set out in Cal. Civ. Code § 1798.121(a) and you can limit that use by contacting us.

Retention. We retain each category for the period set out in the table in Section 9.

How to exercise your rights. Email privacidade@enzrossi.com. You can have an authorized agent submit a request on your behalf if you give them written permission and they verify your identity to us. We will not discriminate against you for exercising any CCPA right.

The Platform is intended for professional use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors and we ask candidates to confirm they are at least 18 at signup. If you believe a minor has provided us with personal data, contact our DPO at privacidade@enzrossi.com and we will delete it without delay.

We maintain an internal incident response process to detect, contain, and assess any security incident affecting personal data.

• To you (data subjects). If we determine that a breach is likely to result in a high risk to your rights and freedoms (GDPR Art. 34) or a relevant risk under the LGPD (Art. 48), we will notify you directly without undue delay. The notice will describe the nature of the breach, the data categories involved, the likely consequences, the measures we have taken to contain it, and the contact details of our DPO.
• To regulators. We will notify the Brazilian National Data Protection Authority (ANPD) within a reasonable timeframe consistent with LGPD Art. 48 and, where the GDPR applies, the relevant EU supervisory authority within 72 hours of becoming aware of a notifiable breach.
• Records. We document every incident, the facts surrounding it, the data affected, the remedial action taken, and the rationale behind any decision not to notify externally.

You can report a suspected security issue to privacidade@enzrossi.com. We treat responsible disclosures seriously and we will keep you updated on our investigation.

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Your continued use of the Platform after changes take effect constitutes acceptance of the revised policy.

Privacy questions, requests, and complaints (DPO)

• Data Protection Officer: Matheus Georges Helal
• Email: privacidade@enzrossi.com

General questions about the Platform

• Email: contact@enzrossi.com
• Company: ENZROSSI SOFTWARE SOLUTIONS LTDA.
• CNPJ: 54.763.387/0001-67
• Address: Av. Bento Munhoz da Rocha Netto, 632, Salas 201 e 204, Ed. Torre Norte SLJ 2, Zona Industrial, CEP 87.030-010, Maringá-PR, Brazil
• Website: enzrossi.com