Crosshire
CR Crosshire

Privacy Policy

Effective: 2026-05-20

1. Who we are

Crosshire is operated by Darshan Singh, a sole proprietor based in the European Union. Contact: darshansingh@crosshire.ch. We are the data controller for personal data processed across the Crosshire surfaces listed below.

This policy is the master privacy notice for Crosshire as a parent brand. It covers four distinct surfaces, each with its own data shape:

  • Consulting — the parent site at crosshire.ch.
  • Blogs — the journal at blogs.crosshire.ch.
  • Learn — the courses surface at learn.crosshire.ch.
  • FitScore — the CV ↔ JD matching product at fitscore.crosshire.ch.

2. What each surface collects

2.1 Consulting (crosshire.ch)

  • Contact-form submissions: name, email, message content.
  • Essential cookies (session, CSRF, cookie-consent state).
  • Aggregated, cookieless analytics via Plausible.

2.2 Blogs (blogs.crosshire.ch)

  • No account, no login. No personal data collected by default.
  • Aggregated, cookieless analytics via Plausible.
  • Optional cookie-consent state (a single first-party cookie) when the banner is shown.

2.3 Learn (learn.crosshire.ch)

  • Optional email address if you sign up for course updates. No account is required to read content today.
  • Aggregated, cookieless analytics via Plausible.
  • Local-storage progress markers (kept on your device, not transmitted unless you sign in to sync).

2.4 FitScore (fitscore.crosshire.ch)

  • Email address (magic-link authentication).
  • CV content — the file you upload, plus the structured profile we parse from it (work history, education, skills, languages, location).
  • Job descriptions you paste or upload.
  • Match results, Summaries, and Crosshire Scores generated by our AI pipeline.
  • Sensitive fields contained in CVs: parsed work history, language fluency, and location may be considered sensitive depending on your jurisdiction; we treat them as personal data under GDPR.
  • Technical data: IP address, browser type, pages visited, timestamps (Plausible — cookieless).

3. Legal basis (GDPR Article 6)

  • Consulting contact form — pre-contractual measures at the data subject's request (Art 6(1)(b)) and legitimate interest in responding to inquiries (Art 6(1)(f)).
  • Blogs — legitimate interest in operating the site (Art 6(1)(f)); consent for any non-essential cookie (Art 6(1)(a)).
  • Learn email signup — consent (Art 6(1)(a)).
  • FitScore — contract performance for matching, account auth, and Summary delivery (Art 6(1)(b)); legitimate interest for anonymized quality improvement (Art 6(1)(f)); consent where we ask for it explicitly.

4. Retention

  • Consulting contact emails — 12 months from last interaction, unless an engagement is opened (then per the statement-of-work retention clause).
  • Blogs analytics — 13 months (Plausible default), aggregated.
  • Learn email list — until you unsubscribe (one-click link in every email).
  • FitScore CVs and JDs — kept until you delete them or close your account. Deletion is immediate and cascades across matches, Summaries, and embeddings within 30 days of the request.
  • FitScore account email — retained while the account is active; deleted within 30 days of account closure.
  • Aggregated, anonymized usage metrics — retained indefinitely; they do not identify you.

5. Sub-processors

We rely on a small list of vetted sub-processors. Each is engaged under a data-processing agreement and only handles data necessary for its function.

  • Anthropic — LLM inference for FitScore CV / JD parsers, the matcher, and Learn content generation. US-based. anthropic.com/legal/privacy
  • Vercel — application hosting and edge delivery for all four surfaces. US-based with EU regions. vercel.com/legal/privacy-policy
  • Postgres host — managed Postgres database for FitScore accounts, CVs, JDs, and matches. EU region.
  • Infomaniak — transactional and magic-link email delivery. Swiss-hosted, GDPR-compliant. infomaniak.com
  • Plausible Analytics — privacy-friendly, cookieless analytics for all four surfaces. EU-hosted. plausible.io/privacy

We do not sell, rent, or trade your personal data. We do not share data with advertisers.

6. International transfers

Anthropic is established in the United States. Transfers of CV / JD / match data to Anthropic rely on the EU-US Data Privacy Framework (DPF) certification and Standard Contractual Clauses (SCCs) approved by the European Commission as a complementary safeguard. Vercel is also US-based with EU regions; we use EU regions where the service supports it and rely on SCCs otherwise. Transfers are limited to the duration of each request and the processors' own retention policies, surfaced in the linked privacy notices above.

7. Job descriptions and CVs (FitScore)

JDs and CVs you submit to FitScore are processed by Anthropic to generate your Summary. The content remains yours: we do not share it with the company whose JD you submitted, we do not establish any business relationship with that company on the basis of your submission, and we do not contact the original JD author. If your employer or a third party originally authored the JD, you remain responsible for ensuring you have the right to submit the content for screening purposes. See the FitScore EULA and our Terms for the full clauses.

8. Your rights (GDPR Articles 15–22)

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — request deletion of your personal data where there is no overriding legal basis to retain it.
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction — ask us to restrict processing while a dispute is resolved.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, you can withdraw it at any time.
  • Lodge a complaint — with your national supervisory authority.

To exercise any of these rights, email darshansingh@crosshire.ch. We respond within 30 days.

9. Automated decision-making

FitScore uses automated processing — large language models — to generate fit scores and Summary outputs. This constitutes automated processing under GDPR Article 22. FitScore is a decision-support tool: outputs are advisory and probabilistic, built to help you decide quickly whether a match is worth a conversation. They are intended to inform your own decision-making, not to replace it. You retain the right to obtain human review, contest a result, and request the principal factors behind it by emailing darshansingh@crosshire.ch.

10. Security

HTTPS in transit, encrypted storage at rest where the underlying provider supports it, access controls limited to the operator, and rate-limiting on public endpoints. We keep dependencies patched and the sub-processor list short to reduce attack surface. No system is perfectly secure; if you spot a vulnerability, report it to darshansingh@crosshire.ch.

11. Children

None of the Crosshire surfaces are directed at children under 16. FitScore is for adult job-seekers and recruiters only. If you believe a child under 16 has provided personal data through any Crosshire surface, contact darshansingh@crosshire.ch and we will delete it.

12. Changes to this policy

We may update this policy from time to time. Material changes will be highlighted on this page with a new effective date. Continued use of any Crosshire surface after the effective date constitutes acceptance of the revised policy. Older versions are available on request.

13. Contact

Data controller: Darshan Singh, sole proprietor, EU.
Email: darshansingh@crosshire.ch

A list of EU national supervisory authorities is available at edpb.europa.eu/about-edpb/about-edpb/members_en.

This document is an operator-drafted policy for transparency. Consult a lawyer for legally binding interpretation in your jurisdiction.