Privacy Policy
Effective date: March 16, 2026 · Last updated: March 21, 2026
Summary of Key Points
This summary highlights the key points of our privacy policy. For full details, read the corresponding section below.
- We collect personal information you provide (account data, career data, feedback) and minimal automatic data (essential cookies only).
- We do not process sensitive personal information.
- We do not collect information from third parties.
- We process your data to provide our CV tailoring service, manage your account, process payments, and improve the Service.
- We share data only with service providers under Data Processing Agreements (Supabase, OpenAI/Google, Stripe, Vercel, Resend).
- We do not sell your personal data to anyone.
- You can access, export, correct, or delete your data at any time from your profile settings.
- When you delete your account, all your data is permanently and immediately erased.
1. Introduction
This Privacy Policy explains how CVTuner ("we", "us", "our", or the "Company") collects, uses, discloses, and safeguards your personal data when you use our website and services (collectively, the "Service"). This policy applies to all users worldwide and specifically addresses the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and other applicable data protection legislation.
By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service. If you have questions or concerns, contact us at privacy@cvtuner.com.
2. Data Controller
CVTuner is the data controller responsible for your personal data. For questions about this policy or to exercise your data protection rights, reach our Data Protection contact at privacy@cvtuner.com.
3. Personal Data We Collect
3.1 Data You Provide Directly
We collect personal information that you voluntarily provide when you register, use the Service, submit feedback, or contact us.
| Category | Data Elements | Purpose |
|---|---|---|
| Account Data | Email address, display name, authentication provider (Google OAuth or email/password) | Account creation, authentication, communication |
| Career Vault Data | Full name, professional title, location, professional summary, work history, education, skills, certifications, languages, career goals, writing style preferences | CV tailoring, cover letter generation, match scoring |
| Job Matching Data | Job descriptions, job posting URLs, match scores, tailored resume and cover letter content | Resume tailoring, ATS optimization, match analysis |
| Payment Data | Payment provider customer ID, subscription ID, subscription status, billing period. We do not store credit card numbers, CVV, or bank account details. | Subscription management, billing |
| Feedback Data | Feedback type, message content | Service improvement |
3.2 Sensitive Personal Information
We do not process sensitive personal information (e.g., racial or ethnic origin, political opinions, religious beliefs, health data, biometric data).
3.3 Data Collected Automatically
We use essential cookies for authentication session management and a functional cookie to store your language preference. We do not use analytics, advertising, or tracking cookies. We do not collect IP addresses, device fingerprints, or browsing behavior for profiling purposes.
3.4 Information from Third Parties
We do not collect personal information from third parties. All data we process is provided directly by you.
4. How We Process Your Information
We process your personal information for the following purposes:
- To create and manage your account, including authentication
- To provide the CV tailoring, match scoring, and cover letter generation services
- To process your subscription and manage billing
- To send transactional emails (e.g., account-related notifications)
- To respond to your feedback and support inquiries
- To improve and maintain the security of the Service
We do not use your data for marketing, advertising, profiling, or automated decision-making.
5. Legal Basis for Processing (GDPR Article 6)
| Processing Activity | Legal Basis |
|---|---|
| Providing the CV tailoring service | Performance of a contract (Art. 6(1)(b)) |
| Processing career data via AI providers | Performance of a contract (Art. 6(1)(b)) with explicit consent at signup (Art. 6(1)(a)) |
| Processing payments | Performance of a contract (Art. 6(1)(b)) |
| Essential cookies for authentication | Legitimate interest (Art. 6(1)(f)) — necessary for service functionality |
| Service improvement via feedback | Legitimate interest (Art. 6(1)(f)) |
| Transactional and feedback emails | Performance of a contract (Art. 6(1)(b)) |
If you are located in Canada, we process your information based on your express or implied consent. You can withdraw your consent at any time by contacting us or deleting your account.
6. Third-Party Data Processors
We engage the following third-party processors to deliver the Service. Each processor operates under a Data Processing Agreement (DPA) that ensures GDPR-compliant handling of your personal data.
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, row-level security | All account and career data | US / EU (configurable) |
| OpenAI / Google (Gemini) | AI-powered resume extraction, tailoring, cover letter generation | Resume content, job descriptions (not used for model training per provider DPAs) | US |
| Stripe | Payment processing, subscription management | Email, payment method (handled directly by processor) | US / EU |
| Vercel Inc. | Application hosting, edge network | HTTP request metadata (no persistent PII storage) | Global CDN |
| Resend Inc. | Transactional email delivery (feedback notifications) | Email address, feedback content | US |
We do not share your personal data with any other third parties for marketing, advertising, or any purpose not listed above.
7. Social Logins
We offer the option to register and log in using your Google account. When you choose to do this, we receive your name, email address, and profile picture from Google. We use this information only for account creation and authentication. We do not access your Google contacts, calendar, or any other Google services.
We recommend reviewing Google's Privacy Policy to understand how they handle your data.
8. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) and the United Kingdom, including the United States. Where such transfers occur, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V, including:
- EU-US Data Privacy Framework certification (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all sub-processors
9. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion |
| Career Vault data | Until account deletion (cascade delete) |
| Match results & tailored CVs | Until account deletion (cascade delete) |
| Subscription records | Until account deletion (cascade delete) |
| Feedback | Until account deletion (cascade delete) |
| AI processing logs (third-party) | Per provider retention policy (typically 30 days) |
When you delete your account, all data in our database is permanently and irreversibly deleted through cascading foreign key constraints. This process is immediate and cannot be undone. When we have no ongoing legitimate business need to process your personal information, we will delete or anonymize it.
10. Data Security Measures
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption in transit: all data is transmitted over TLS 1.2+ (HTTPS)
- Encryption at rest: database encryption provided by Supabase infrastructure
- Access control: Row Level Security (RLS) ensures users can only access their own data
- Authentication: secure session management via Supabase Auth with support for OAuth 2.0
- Secret management: API keys and credentials stored as server-side environment variables, never exposed to client-side code
- Principle of least privilege: service role keys are used only in server-side webhook handlers
However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.
11. Cookies and Local Storage
| Name | Type | Purpose | Duration |
|---|---|---|---|
| sb-*-auth-token | Essential | Supabase authentication session | Session / 1 year |
| cvtuner_locale | Functional | Stores your preferred language | 1 year |
| cvtuner_consent | Essential | Records your cookie consent choice | 1 year |
| theme | Functional | Stores your theme preference (localStorage) | Persistent |
We do not use any advertising, analytics, or third-party tracking cookies. All cookies used are strictly necessary for the operation of the Service or to remember your preferences.
12. Your Data Protection Rights
Under the GDPR and applicable data protection laws, you have the following rights. You can exercise most of these directly from your Profile settings.
| Right | Description | How to Exercise |
|---|---|---|
| Right of Access (Art. 15) | Obtain a copy of all personal data we hold about you | Profile → Export My Data |
| Right to Rectification (Art. 16) | Correct inaccurate or incomplete personal data | Edit directly in My Resume or Career Vault |
| Right to Erasure (Art. 17) | Request permanent deletion of all your personal data | Profile → Delete Account |
| Right to Data Portability (Art. 20) | Receive your data in a structured, machine-readable format (JSON) | Profile → Export My Data |
| Right to Restrict Processing (Art. 18) | Request limitation of processing in certain circumstances | Contact privacy@cvtuner.com |
| Right to Object (Art. 21) | Object to processing based on legitimate interest | Contact privacy@cvtuner.com |
| Right to Withdraw Consent (Art. 7(3)) | Withdraw consent at any time without affecting prior processing | Delete your account or contact us |
We will respond to all data protection requests within 30 days. If we need additional time, we will inform you within the initial 30-day period.
13. Do-Not-Track Signals
Some web browsers include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference. No uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals. However, since we do not use any tracking, analytics, or advertising cookies, your browsing activity on our Service is not tracked regardless of your DNT setting.
14. United States Residents
If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, or Virginia, you may have specific rights under your state's data protection laws, including:
- Right to know what personal information we collect, use, and disclose
- Right to access your personal data
- Right to correct inaccuracies in your personal data
- Right to request deletion of your personal data
- Right to obtain a copy of your personal data
- Right to opt out of the sale of personal information — we do not sell your personal data
- Right to opt out of targeted advertising — we do not engage in targeted advertising
- Right to non-discrimination for exercising your privacy rights
To exercise these rights, contact us at privacy@cvtuner.com. We will verify your identity before processing your request. If we decline your request, you may appeal by emailing us, and we will respond in writing with our reasoning.
15. Other Regions
Australia and New Zealand
We collect and process your personal information under the obligations set by Australia's Privacy Act 1988 and New Zealand's Privacy Act 2020. You have the right to request access to or correction of your personal information at any time. If you believe we are unlawfully processing your personal information, you have the right to submit a complaint to the Office of the Australian Information Commissioner or the Office of New Zealand Privacy Commissioner.
Republic of South Africa
You have the right to request access to or correction of your personal information at any time. If you are unsatisfied with how we handle your complaint, you can contact the Information Regulator (South Africa) at enquiries@inforegulator.org.za.
16. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at privacy@cvtuner.com.
17. Changes to This Policy
We may update this Privacy Policy from time to time. The updated version will be indicated by a revised "Last updated" date at the top of this page. For significant changes that affect how we process your data, we will provide notice via email or an in-app notification. Your continued use of the Service after changes constitutes acceptance of the updated policy.
18. Contact & Supervisory Authority
For any questions, concerns, or requests related to this Privacy Policy or your personal data:
CVTuner — Data Protection
Email: privacy@cvtuner.com
You have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU data protection authorities is available at edpb.europa.eu.
© 2026 CVTuner. All rights reserved.