Data Compliance

Last updated: May 31, 2026

Cravid Labs LLC is the operator of Fursa (usefursa.com). Cravid Labs LLC is a Wyoming limited liability company with its principal place of business at 30 N Gould St, Ste R, Sheridan, WY 82801, United States.

Cravid Labs LLC is committed to handling personal data lawfully, transparently, and securely. This Data Compliance page supplements our Privacy Policy with jurisdiction-specific disclosures, security commitments, breach notification procedures, and a list of third-party sub-processors we engage to deliver the Fursa Service.

1. GDPR — European Union & UK

If you are located in the European Economic Area (“EEA”) or the United Kingdom, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and its UK equivalent apply to our processing of your personal data.

1.1 Lawful Bases for Processing

We rely on the following lawful bases under GDPR Article 6:

  • Contract performance (Article 6(1)(b)): Processing necessary to provide the Service you signed up for — including account creation, resume parsing, job matching, and application submission.
  • Legitimate interests (Article 6(1)(f)): Analytics and product improvement, fraud prevention, and service security, where these interests are not overridden by your rights. We have conducted a legitimate interests assessment and concluded that these activities are proportionate.
  • Legal obligation (Article 6(1)(c)): Where we are required to process data to comply with applicable laws or respond to lawful requests from public authorities.
  • Consent (Article 6(1)(a)): For any optional processing (e.g., marketing emails) where consent is the only appropriate basis. You may withdraw consent at any time.

1.2 Data Subject Rights

Under the GDPR, you have the right to access, rectify, erase, restrict, and port your personal data, as well as the right to object to certain processing. To exercise these rights, contact us at legal@usefursa.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or the relevant EU data protection authority).

1.3 International Data Transfers

Fursa is operated from the United States. When personal data is transferred from the EEA or UK to our servers or sub-processors located in the United States or other third countries, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (and, for UK transfers, the UK International Data Transfer Addendum) as the transfer mechanism. A copy of the applicable SCCs is available on request by contacting legal@usefursa.com.

1.4 Data Processing Agreement (DPA)

If you are a business customer processing personal data through the Service and require a Data Processing Agreement to comply with GDPR Article 28, please contact us at legal@usefursa.com and we will provide one upon request.

2. CCPA — California Residents

If you are a California resident, the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) (“CCPA/CPRA”) grants you specific rights regarding your personal information.

2.1 Your California Rights

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions (e.g., completing a transaction, legal obligations).
  • Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale or Sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising. There is no opt-out required, but you may contact us if you have concerns.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

2.2 Submitting a California Request

To submit a verifiable consumer request under the CCPA, contact us at legal@usefursa.com with the subject line “California Privacy Rights Request.” We will respond within 45 days. We may need to verify your identity before processing your request.

2.3 Categories of Personal Information Collected (Past 12 Months)

  • Identifiers (name, email address, IP address)
  • Professional or employment-related information (resume content, work history, job preferences)
  • Education information (degrees, certifications)
  • Internet or other electronic network activity information (usage logs, page visits)
  • Inferences drawn from the above to create a profile (job match scores)

3. Data Security

Cravid Labs implements industry-standard technical and organizational security measures to protect your personal data from unauthorized access, disclosure, alteration, and destruction.

3.1 Encryption

  • In transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS enforced on all endpoints).
  • At rest: Personal data stored in our database (Supabase PostgreSQL) is encrypted at rest using AES-256 encryption.
  • Passwords: User passwords are hashed using bcrypt with a suitable cost factor before storage; plaintext passwords are never stored.

3.2 Access Controls

  • Access to production systems is restricted to authorized Cravid Labs personnel on a need-to-know basis.
  • Database access is controlled through role-based permissions; no single engineer has unrestricted access to all production data.
  • Multi-factor authentication is required for all personnel with access to production infrastructure.

3.3 Ongoing Security Practices

  • Dependency vulnerability scanning on all production packages
  • Regular security reviews of authentication flows, API endpoints, and data access patterns
  • Automated alerting for anomalous access patterns or failed authentication attempts

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any vulnerabilities we discover or are notified of.

4. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Cravid Labs will:

  • Notify regulators: Where required by applicable law (including GDPR Article 33), notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. The notification will include the nature of the breach, categories and approximate number of individuals and records affected, likely consequences, and measures taken or proposed.
  • Notify affected users: Where the breach is likely to result in a high risk to the rights and freedoms of affected individuals (GDPR Article 34), or as otherwise required by applicable law, we will notify affected users promptly without undue delay. Notifications will be provided via email to the address on file.
  • Contain and remediate: Immediately take steps to contain the breach, assess its scope, and implement measures to prevent recurrence.

To report a suspected security vulnerability or data breach, contact us at legal@usefursa.com with the subject line “Security Incident.”

5. Sub-Processors

We engage the following third-party sub-processors to help provide the Service. Each sub-processor is subject to a data processing agreement or equivalent contractual protections, and processes personal data only as directed by us and for the purposes described below.

| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Anthropic, PBC | AI language model API — generates tailored resume content and cover letters from your career data and job descriptions | United States |
| Supabase, Inc. | Managed PostgreSQL database and authentication — stores user accounts, profile data, and application history | United States (AWS us-west-2) |
| Railway Corp. | Cloud hosting for the Fursa API — processes API requests including authentication and job application orchestration | United States |
| Vercel, Inc. | Cloud hosting and edge network for the Fursa web application — serves the front-end and handles server-side rendering | Global edge (primary: United States) |
| PostHog, Inc. | Product analytics — tracks feature usage events and page views to help us improve the product. Email addresses are omitted when privacy mode is enabled. | United States |
| Resend, Inc. | Transactional email delivery — sends account notifications, application status updates, and system alerts | United States |
| Stripe, Inc. | Payment processing and PCI-compliant card data handling. Receives billing email, name, and billing address for paid subscriptions. PCI DSS Level 1 certified. | United States |

We will update this sub-processor list when we add or remove sub-processors. Existing customers will receive notice of any new sub-processors at least 30 days in advance where required by applicable law.

6. Contact

For data compliance inquiries, requests, or concerns, contact Cravid Labs LLC at: legal@usefursa.com