Privacy policy
Last updated: 22 June 2026
What we store
When you create an account we store your email, a session token, and (if you sign in with Google) your name. When you save a CV or a job, we store the text encrypted at rest with a per-user key. When you generate a tailored CV, we store the resulting JSON encrypted in the same way.
What we do not store
We do not log CV bodies, job descriptions, contact details, or generated content beyond what is necessary to deliver the service. Server logs contain only event names, timings, error categories, and source domains. Backups follow the same redaction rules.
How AI uses your data
To generate a tailored CV, we transmit the relevant CV text and job description to a third-party AI sub-processor (Anthropic) via an encrypted API connection. The processed result is then validated and stored under your account. Personal data is encrypted in transit (TLS) and at rest. Anthropic does not train on API request content per their usage policies.
Sub-processors
We use the following third-party sub-processors to operate the service:
| Sub-processor | Purpose |
|---|---|
| Anthropic | AI processing — CV tailoring and structured output generation |
| Cloudflare | Hosting, CDN, database (D1), object storage (R2), and serverless compute |
| Stripe | Payment processing and billing management |
| Resend | Transactional email (magic links, receipts, notifications) |
| OAuth sign-in only, when you choose it |
Your controls
- Delete any CV, job, or generated run from your dashboard. Deletion cascades through linked exports.
- Export everything as a JSON file from Settings → Your data.
- Delete your account from Settings → Danger zone. Account deletion removes every row and every storage object linked to your user.
Data retention
Paid accounts: data is stored until you delete the item or the account. Generated PDF exports automatically expire from object storage after 30 days unless re-pinned. Stripe billing records are retained for accounting and legal compliance. Server logs are retained for up to 90 days.
GDPR — rights of data subjects
If you are located in the European Economic Area or United Kingdom, we process your personal data on the following lawful bases: consent (where you have opted in) and contract performance (to provide the service you signed up for). You have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — request deletion of your personal data ("right to be forgotten").
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Restriction — ask us to restrict processing in certain circumstances.
- Supervisory authority — lodge a complaint with your local data protection authority (e.g., the ICO in the UK, or your EU member-state authority).
To exercise any of these rights, email [email protected]. We will respond within 30 days.
CCPA / CPRA — California residents
If you are a California resident, you have the right to know what personal information we collect, request deletion of your personal information, opt out of any sale of personal information (we do not sell personal information), and not be discriminated against for exercising these rights. To submit a request, email [email protected].
Contact
Questions or requests: [email protected].