Privacy Policy

This policy explains how Lister Energy AS processes personal data in the CV Builder, what your rights are under the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act, and how to exercise those rights.

1. Who we are

Lister Energy AS is the data controller for all personal data processed in the CV Builder. You can reach us at privacy@listerenergy.no. The supervisory authority for data protection in Norway is Datatilsynet (datatilsynet.no).

2. What data we collect

When you use the CV Builder we collect:

• Identity & contact: full name, preferred name, email, phone, date of birth, nationality, country and city.
• Professional information: headline, key qualifications, years of experience, disciplines, languages, preferred work locations, availability.
• Work history: employer, role, project, dates, description.
• Education & certifications: institution, degree, field of study, issuer, issue and expiry dates, certificate numbers, descriptions.
• References: name, company, role, phone, email, years of work together, notes.
• Uploaded files: CVs, certificates, diplomas, reference letters, and your profile photo.
• Account data: login email, password hash (managed by Supabase Auth), and session information.
• Activity data: last login, last edit, and an internal audit log of who changed what (you, or an administrator at Lister Energy).
• Optional social links you choose to add (LinkedIn, GitHub, website, etc).

3. Why we process your data, and the legal basis

• Maintain your CV for internal use (employees and contractors working with Lister Energy). Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
• Share your CV with clients when Lister Energy is tendering for work or proposing resources. Legal basis: legitimate interest (Art. 6(1)(f)).
• Keep your CV on file for future opportunities after a project ends. Legal basis: legitimate interest or consent (for extended retention — you can toggle this on your profile and withdraw it at any time).
• Authenticate and secure your account. Legal basis: legitimate interest.
• Comply with legal obligations (accounting, tax, labour law). Legal basis: legal obligation (Art. 6(1)(c)).

4. Who we share your data with

Clients: when Lister Energy is bidding for a project, we may share your CV with the prospective client. At an administrator’s discretion the CV can be shared with or without personalia (name, photo, contact details) and with or without references. You can see the history of who we’ve shared your CV with in your profile.

Data processors we rely on (all under a data processing agreement that meets GDPR requirements):

• Supabase — database, authentication, and file storage, hosted within the EU.
• Resend — transactional email for CV sharing and account-related notifications (e.g. deletion confirmations).
• Vercel — web hosting of the application.

We do not sell your personal data. We do not use it for marketing, and we do not share it with parties other than those listed above.

5. How long we keep it

• Active accounts: for as long as your account is active and you remain associated with Lister Energy.
• Inactive accounts: if your account has had no activity for 24 months we may notify you and delete or anonymise it.
• Extended retention: you can opt in to let us keep your CV on file for future opportunities. Toggle it on the Privacy section of your profile; you can withdraw at any time.
• Deleted accounts: when you or an administrator request deletion, your profile is immediately flagged and hidden from the system. After a 30-day grace period — during which you can cancel the deletion — all personal data and uploaded files are permanently removed, including your authentication record.

6. Your rights

Under GDPR you have the right to:

1. Access — see what data we hold about you. Use the “Download my data” button on your profile.
2. Rectification — correct inaccurate data by editing it directly on your profile.
3. Erasure — delete your account using the “Delete my account” section of your profile.
4. Portability — receive your data in a machine-readable format. The export ZIP includes a JSON file with every row we hold about you.
5. Restriction and objection — limit or object to processing based on legitimate interest.
6. Withdraw consent — where we rely on consent (e.g. extended retention), you can withdraw at any time.
7. Complaint — lodge a complaint with Datatilsynet.

For any right that isn’t already available as a button in the app, email privacy@listerenergy.no. We will respond within 30 days.

7. Security

We use industry-standard security measures: encrypted connections (HTTPS/TLS), encrypted storage at rest, role-based access control, row-level security on the database, audit logging of administrative changes, and regular reviews.

8. Cookies

The CV Builder uses only strictly necessary cookies for session management and authentication. We do not use tracking cookies, advertising cookies, or third-party analytics.

9. Changes to this policy

When we make a material change to this policy we bump the version number and ask you to re-accept the new version on your next login. Minor clarifications (typos, small wording fixes) do not trigger a re-acceptance — but the version number and effective date at the top of this page always reflect the current document.

10. Contact

For any questions about this policy or how your personal data is handled, email privacy@listerenergy.no.