Privacy Notice

§1 Controller

Service: VetterPlaces (vetter.alveos.eu)
Operator: Ready-4-IT (brands/services: ready-4-it.com, alveos.eu, vetter.alveos.eu)
Websites: ready-4-it.com, alveos.eu
Privacy Contact: privacy@alveos.eu
Legal Contact: legal@vetter.alveos.eu

§2 Scope

This notice covers data processing in these platform features:

• account and access management
• candidate consent and exclusion preferences
• modular external data-source integrations (each source is opt-in, consent-gated, and can be revoked independently)
• forum source-link collection based on candidate-provided handles
• GitHub aggregate coding statistics
• GitHub repository metadata (commit timestamps, file-extension distribution, pull-request counts, issue counts) retrieved via the VetterStats GitHub App — read-only, no source code
• Gantt timeline visualization from candidate-provided structured data
• recruiter search, access logging, and export logging
• outbound delivery of consented tester or creator profile views to Unframed Bit where Vetter-side consent has been granted

§3 Data Categories

§3.1 Candidate data

• account id, display name, email, role/applicant type
• consent flags, consent version, consent timestamps
• exclusion list entries (blocked recruiter/company visibility)
• forum account handles submitted by candidate
• discovered source links (url, source type, timestamps)
• GitHub aggregate statistics (for example language/activity metrics)
• VetterStats repository metadata: commit timestamps, file-extension distribution, PR counts, issue counts (via GitHub App, read-only — no source code content)
• VetterStats snapshot and delivery log entries (vss_snapshots, vss_deliveries)
• Gantt structured timeline entries submitted by candidate
• outbound delivery logs for Unframed Bit API requests where Vetter-origin profile data is exposed (delivery timestamp, scope identifier)

§3.2 Recruiter and provider data

• account and organization profile data
• view-access and export activity logs
• project and campaign metadata

§3.3 Beta test access data

• Confidentiality agreement records per-project acceptance timestamp, IP address at acceptance, browser user agent, language of the agreement shown, and the set of clauses that were active. These records are legal evidence and are retained beyond account deletion (see §9).
• Access event log timestamp, IP address, browser user agent, and event type (download token issued, credential viewed, marketplace link opened). Anomaly flags are stored where access patterns indicate potential misuse.
• Developer credential confirmation when a developer issues test credentials, the confirmation timestamp and IP are stored as an accountability record.

§4 Purposes and Legal Bases

• Service delivery and account security
• Feature-specific candidate processing
• Beta test access accountability agreement acceptance records and access event logs are processed to fulfil legal accountability obligations, investigate misuse, and support legal defence in the event of disputes (GDPR Art. 6(1)(c), 6(1)(f)). Developer credential confirmation records serve the same purpose.
• Compliance and accountability logging
• Outbound delivery to Unframed Bit where a tester or creator has granted outbound delivery consent in Vetter, their Vetter-managed profile view may be sent to Unframed Bit as an authorized downstream recipient (GDPR Art. 6(1)(a), 6(1)(f)). Vetter remains the source system and consent authority for that delivered Vetter-origin data. Unframed Bit does not supply its local profile data back into Vetter.
• Developer portfolio statistics (VetterStats) where a developer has installed the VetterStats GitHub App and granted the required consent(s) for portfolio statistic generation, Vetter reads repository metadata (commit timestamps, file-extension counts, PR/issue counts) via the read-only GitHub App to produce portfolio statistics (GDPR Art. 6(1)(a) consent). No source code is accessed or stored.

§5 No Automated Candidate Decisions

VetterPlaces MVP does not perform fully automated legal or similarly significant candidate decisions. Recruiter acceptance/rejection remains a human decision.

§6 Data Visibility and Sharing

• Only authorized internal roles can access administrative data on a need-to-know basis.
• Recruiters see only data that is permitted by candidate consent and exclusion rules.
• Recruiters do not receive private source code from candidate repositories via statistics views.
• We do not sell personal data.
• Where a tester or creator has granted outbound delivery consent, Vetter may deliver their profile view to Unframed Bit as a downstream recipient. A separate Unframed Bit account is not required for this delivery. Vetter does not ingest or read data entered locally in Unframed Bit — the data supply is strictly one-way: Vetter → Unframed Bit.

§7 Third-Party Services

• GitHub API (for permitted profile/statistics processing)
• GitHub App (VetterStats, App ID 3110901, slug vetter-stats) — read-only access to repository contents, pull requests, and issues for portfolio statistics; no source code is transmitted or stored
• payment and communication services where applicable

Third-party processing is limited to service operation needs and governed by contractual safeguards.

§8 International Transfers

Default architecture is EU/EEA-hosted where possible. If non-EEA transfer is required for a specific integration, legal safeguards and transparency obligations apply before activation.

§9 Retention

Retention schedules are defined in internal policy and enforced by cleanup jobs and audit logs. The current baseline includes rolling retention for analytics snapshots and bounded retention for access logs. VetterStats repository snapshots (vss_snapshots) and delivery records (vss_deliveries) are purged when a developer unlinks the associated project or revokes the GitHub App installation.

§9.1 Beta test access records

• Confidentiality agreement records retained for the duration of the associated project plus a minimum of 3 years after project closure for legal evidence purposes. When a tester account is deleted, the tester_id field is set to NULL (the record itself is preserved). IP addresses in these records are pseudonymised after the retention period.
• Access event logs retained for 12 months. Rows flagged as suspicious (suspicious_flag = 1) may be retained beyond 12 months for fraud defence and legal compliance purposes.
• Test credentials encrypted credential data is deleted when a credential is revoked or expires. Accountability columns (developer confirmation timestamp, revocation timestamp and reason) are retained as part of the audit record.
• Your rights you may request a copy of your agreement acceptance records (GDPR Art. 15). Deletion requests (Art. 17) are honoured subject to the legal evidence retention obligation described above.

§10 Your GDPR Rights

• access (Art. 15)
• rectification (Art. 16)
• erasure (Art. 17), where legally applicable
• restriction (Art. 18)
• objection (Art. 21), where applicable
• portability (Art. 20), where applicable
• withdraw consent for consent-based processing at any time

§11 Security Measures

• role-based access controls
• session and transport security controls
• audit logging for sensitive actions
• data minimization and retention enforcement
• where OAuth2 tokens are stored, we apply encryption-at-rest controls at the application layer

§12 Contact and Complaints

Contact: privacy@alveos.eu
General contact: legal@vetter.alveos.eu
You may also contact your competent data protection authority.

§13 Changes to This Notice

We may update this notice as the product or legal requirements evolve. Material changes are versioned and announced in-product or by email where required.

Terms of Service | Legal Notice | Back to Home