Privacy Policy

CVtailor is operated by [Legal company name], [Company registration number if applicable]. For privacy requests, contact [Privacy contact email].

This Privacy Policy is a product/legal draft for an early/private-beta service and is not formal legal advice.

Account data: email address, password hash, name if provided, authentication data, session data, and account settings.

Profile and CV data: employment history, education, skills, certifications, projects, languages, professional summaries, and other profile information you provide.

Job data: job descriptions and role information pasted or uploaded by you.

Generated data: job-fit analysis, tailored CV drafts, cover letter drafts, profile quality guidance, and application history.

Payment and subscription data: handled by Stripe, including subscription status, customer identifiers, and payment records needed to manage billing.

Transactional email data: email delivery information if Resend is configured for password reset, verification, or account emails.

Technical and diagnostic data: logs, IP address if captured by hosting or security systems, browser or device data, rate-limit and security events, cookies, local storage, session data, and privacy-scrubbed error monitoring events.

Essential cookies and session storage are used for login, security, and account sessions. Optional analytics is loaded only after you consent, and you can change cookie preferences from the footer.

Contract necessity: to create accounts, authenticate users, store profiles, analyze CV/profile and job description data, generate tailored outputs, save application history, and manage subscriptions.

Legitimate interest: to protect the service, prevent abuse, apply rate limits, diagnose errors, prevent fraud, improve reliability, and maintain service security.

Consent: where optional analytics, cookies, or similar optional features are used.

Legal obligation: where accounting, tax, payment, or compliance records must be retained.

CV/profile text and job description text may be sent to OpenAI or an OpenAI-compatible AI provider to generate analysis, drafts, and profile guidance.

Do not upload information that you do not want processed by AI providers.

AI provider processing is handled according to the provider's applicable terms and data processing arrangements.

[Confirm whether zero data retention or similar API data controls are enabled in the AI provider account.]

Vercel - hosting, deployment, and infrastructure.

Neon/PostgreSQL - database hosting if configured.

OpenAI or OpenAI-compatible AI provider - AI processing of CV/profile and job description text.

Stripe - payment and subscription processing.

Resend - transactional email if configured.

Sentry - error monitoring. Sentry is configured to scrub or avoid CV content, job description text, profile content, email addresses, tokens, secrets, and raw request bodies before error data is sent.

Some providers may process data outside the EU/EEA, including in the United States. Where required, transfers are handled using appropriate safeguards such as Standard Contractual Clauses or equivalent legal mechanisms.

Account, profile, and CV data is retained while your account is active.

Application history is retained until you delete entries or request account deletion.

When an account deletion request is received, account, profile, CV, and application data will be deleted or anonymised within 30 days unless retention is required by law.

Payment and accounting records may be retained for the period required by applicable accounting and tax law.

Operational and security logs are retained only for limited periods needed for security, debugging, and abuse prevention. [Operational log retention period to be confirmed before public launch.]

Depending on your location and applicable law, you may have rights to access, rectify, erase, restrict, port, or object to processing of your personal data.

Where processing is based on consent, you may withdraw that consent.

You may also complain to the Swedish Authority for Privacy Protection (IMY).

To request deletion or export of your data, contact [Privacy contact email]. Requests are normally processed within 30 days.

Self-service deletion may not be available during private beta.

We use reasonable technical and organisational measures, including authentication, password hashing, access controls, rate limiting, error monitoring with privacy scrubbing, and secure hosting practices.

No internet service can guarantee absolute security.

The service is not intended for children or minors.

This policy may be updated as the service changes. The effective date will be changed when material updates are made.

[Effective date]