Skip to main content
cvee logo
Legal

Privacy Policy

Last updated: 16 March 2026

1. Introduction

cvee ("we", "our", or "us") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use our website and services (collectively, the "Service").

This policy is designed to comply with the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable data protection laws.

2. Data Controller

cvee is the data controller responsible for your personal data. If you have any questions about this Privacy Policy or our data practices, you can contact our Data Protection Officer at:

Email: [email protected]

3. What Data We Collect

We collect the following categories of personal data:

  • Account Information: Name, email address, and password (hashed) when you create an account. If you sign in via Google OAuth, we receive your name, email, and profile picture from Google.
  • CV Data: All information you enter into your CVs, including personal details (name, phone, location, job title), employment history, education, skills, languages, and certifications.
  • Payment Information: When you subscribe to our Pro plan, payment is processed by Stripe. We do not store your full credit card number. We receive only a tokenised reference, your billing email, and transaction details from Stripe.
  • Usage Data: Information about how you use the Service, including pages visited, features used, and session duration. This data is collected only if you consent to analytics cookies.
  • Technical Data: IP address, browser type and version, operating system, and device information for security and troubleshooting purposes.

4. How We Use Your Data

  • Providing the Service: To create, store, and export your CVs. This is necessary for the performance of our contract with you.
  • AI-Powered Suggestions: CV content you submit for AI suggestions is sent to our AI providers (Google Gemini, OpenAI, xAI Grok) for processing. Data sent to these providers is used solely to generate suggestions and is not used for model training.
  • Payment Processing: To process your subscription payments through Stripe.
  • Account Management: To manage your account, authenticate your sessions, and communicate with you about your account.
  • Service Improvement: To analyse usage patterns and improve our Service (only with your analytics consent).
  • Security: To detect and prevent fraud, abuse, and security incidents.

5. Legal Basis for Processing (GDPR Article 6)

  • Contract Performance (Art. 6(1)(b)): Processing your account and CV data is necessary for providing the Service you requested.
  • Consent (Art. 6(1)(a)): Analytics and marketing cookies are only used with your explicit consent, which you can withdraw at any time.
  • Legitimate Interest (Art. 6(1)(f)): We process technical data for security purposes and fraud prevention, which constitutes our legitimate interest.
  • Legal Obligation (Art. 6(1)(c)): We may process data to comply with legal obligations such as tax and accounting requirements.

6. Data Storage and Security

Your data is stored in a PostgreSQL database hosted within the European Union. We implement the following security measures:

  • All passwords are hashed using bcrypt with a cost factor of 12.
  • Data is encrypted in transit using TLS 1.2 or higher.
  • Database connections are encrypted and access is restricted.
  • Regular security audits and dependency vulnerability scanning.
  • Rate limiting and abuse prevention on all API endpoints.

7. Third-Party Services

We share data with the following third parties:

  • Stripe (Payment processing) — Stripe acts as a data processor for payment transactions. Stripe's privacy policy: stripe.com/privacy
  • Google (OAuth authentication) — If you choose to sign in with Google, we receive limited profile information. Google's privacy policy: policies.google.com/privacy
  • AI Providers (AI suggestions) — CV content submitted for AI suggestions is processed by Google Gemini, OpenAI, and xAI Grok APIs. None of these providers use API data for model training. Privacy policies: Google, OpenAI, xAI

8. International Data Transfers

Your data is primarily stored within the European Union. When data is transferred to third-party services located outside the EU (such as our AI providers and Stripe), we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or the service's participation in an adequacy framework.

9. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): You can request a copy of all personal data we hold about you. You can export your data from your account settings or via our API.
  • Right to Rectification (Art. 16): You can update or correct your personal data at any time through your account settings and CV editor.
  • Right to Erasure (Art. 17): You can request the deletion of your account and all associated data. This can be done through your account settings or by contacting us.
  • Right to Data Portability (Art. 20): You can export all your data (profile and CVs) in a structured, machine-readable JSON format via your account settings or our API.
  • Right to Restrict Processing (Art. 18): You can request that we limit the processing of your data in certain circumstances.
  • Right to Object (Art. 21): You can object to processing based on legitimate interests.
  • Right to Withdraw Consent (Art. 7): Where we rely on consent (e.g., analytics cookies), you can withdraw your consent at any time by adjusting your cookie settings.

To exercise any of these rights, contact us at [email protected] or use the data export and deletion features in your account settings. We will respond to your request within 30 days.

10. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, all personal data and CVs are permanently deleted within 30 days. We may retain anonymised, aggregated data for analytical purposes. Payment records are retained as required by tax regulations (typically 7 years).

11. Cookie Policy

We use the following types of cookies:

  • Essential Cookies: Required for authentication, session management, and security. These cannot be disabled.
  • Analytics Cookies: Help us understand how visitors use our Service. Only activated with your consent.
  • Marketing Cookies: Used for advertising purposes. Only activated with your consent.

You can manage your cookie preferences at any time through the cookie settings banner or by clearing your browser cookies and revisiting the site.

12. Children's Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting a notice on our website or sending you an email. The "Last updated" date at the top of this policy indicates when it was last revised.

14. Right to Lodge a Complaint

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with your local supervisory authority (Data Protection Authority) in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

15. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

← Back to cvee