Privacy Policy
Effective date: March 16, 2026 · Last updated: March 16, 2026
This Privacy Policy explains how CVTuner ("we", "us", "our", or the "Company") collects, uses, discloses, and safeguards your personal data when you use our website and services (collectively, the "Service"). This policy applies to all users worldwide and specifically addresses the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and other applicable data protection legislation.
By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
1. Data Controller
CVTuner is the data controller responsible for your personal data. For questions about this policy or to exercise your data protection rights, contact our Data Protection contact at: privacy@cvtuner.com.
2. Personal Data We Collect
2.1 Data You Provide Directly
| Category | Data Elements | Purpose |
|---|---|---|
| Account Data | Email address, display name, authentication provider (Google OAuth or email/password) | Account creation, authentication, communication |
| Career Vault Data | Full name, professional title, location, professional summary, work history, education, skills, certifications, languages, career goals, writing style preferences | CV tailoring, cover letter generation, match scoring |
| Job Matching Data | Job descriptions, job posting URLs, match scores, tailored resume and cover letter content | Resume tailoring, ATS optimization, match analysis |
| Payment Data | Payment provider customer ID, subscription ID, subscription status, billing period. We do not store credit card numbers, CVV, or bank account details. | Subscription management, billing |
| Feedback Data | Feedback type, message content | Service improvement |
2.2 Data Collected Automatically
We use essential cookies for authentication session management and a functional cookie to store your language preference. We do not use analytics, advertising, or tracking cookies. We do not collect IP addresses, device fingerprints, or browsing behavior for profiling purposes.
3. Legal Basis for Processing (GDPR Article 6)
| Processing Activity | Legal Basis |
|---|---|
| Providing the CV tailoring service | Performance of a contract (Art. 6(1)(b)) |
| Processing career data via AI providers | Performance of a contract (Art. 6(1)(b)) with explicit consent at signup (Art. 6(1)(a)) |
| Processing payments | Performance of a contract (Art. 6(1)(b)) |
| Essential cookies for authentication | Legitimate interest (Art. 6(1)(f)) — necessary for service functionality |
| Service improvement via feedback | Legitimate interest (Art. 6(1)(f)) |
| Transactional emails | Performance of a contract (Art. 6(1)(b)) |
4. Third-Party Data Processors (Sub-Processors)
We engage the following third-party processors to deliver the Service. Each processor operates under a Data Processing Agreement (DPA) that ensures GDPR-compliant handling of your personal data.
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, row-level security | All account and career data | US / EU (configurable) |
| OpenAI / Google (Gemini) | AI-powered resume extraction, tailoring, cover letter generation | Resume content, job descriptions (not used for model training per provider DPAs) | US |
| Stripe / Polar | Payment processing, subscription management | Email, payment method (handled directly by processor) | US / EU |
| Vercel Inc. | Application hosting, edge network | HTTP request metadata (no persistent PII storage) | Global CDN |
5. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) and the United Kingdom, including the United States. Where such transfers occur, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V, including:
- EU-US Data Privacy Framework certification (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all sub-processors
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion |
| Career Vault data | Until account deletion (cascade delete) |
| Match results & tailored CVs | Until account deletion (cascade delete) |
| Subscription records | Until account deletion (cascade delete) |
| Feedback | Until account deletion (cascade delete) |
| AI processing logs (third-party) | Per provider retention policy (typically 30 days) |
When you delete your account, all data in our database is permanently and irreversibly deleted through cascading foreign key constraints. This process is immediate and cannot be undone.
7. Your Data Protection Rights
Under the GDPR and applicable data protection laws, you have the following rights regarding your personal data. You can exercise most of these rights directly from your Profile settings.
| Right | Description | How to Exercise |
|---|---|---|
| Right of Access (Art. 15) | Obtain a copy of all personal data we hold about you | Profile → Export My Data |
| Right to Rectification (Art. 16) | Correct inaccurate or incomplete personal data | Edit directly in My Resume or Career Vault |
| Right to Erasure (Art. 17) | Request permanent deletion of all your personal data | Profile → Delete Account |
| Right to Data Portability (Art. 20) | Receive your data in a structured, machine-readable format (JSON) | Profile → Export My Data |
| Right to Restrict Processing (Art. 18) | Request limitation of processing in certain circumstances | Contact privacy@cvtuner.com |
| Right to Object (Art. 21) | Object to processing based on legitimate interest | Contact privacy@cvtuner.com |
| Right to Withdraw Consent (Art. 7(3)) | Withdraw consent at any time without affecting prior processing | Delete your account or contact us |
We will respond to all data protection requests within 30 days. If we need additional time, we will inform you within the initial 30-day period.
8. Data Security Measures
We implement appropriate technical and organizational measures to protect your personal data:
- Encryption in transit: all data is transmitted over TLS 1.2+ (HTTPS)
- Encryption at rest: database encryption provided by Supabase infrastructure
- Access control: Row Level Security (RLS) ensures users can only access their own data
- Authentication: secure session management via Supabase Auth with support for OAuth 2.0
- Secret management: API keys and credentials stored as server-side environment variables, never exposed to client-side code
- Principle of least privilege: service role keys are used only in server-side webhook handlers
9. Cookies and Local Storage
| Name | Type | Purpose | Duration |
|---|---|---|---|
| sb-*-auth-token | Essential | Supabase authentication session | Session / 1 year |
| cvtuner_locale | Functional | Stores your preferred language | 1 year |
| cvtuner_consent | Essential | Records your cookie consent choice | 1 year |
| theme | Functional | Stores your theme preference (localStorage) | Persistent |
We do not use any advertising, analytics, or third-party tracking cookies. All cookies used are strictly necessary for the operation of the Service or to remember your preferences.
10. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at privacy@cvtuner.com.
11. California Residents (CCPA)
If you are a California resident, you have additional rights under the CCPA:
- Right to know what personal information we collect, use, and disclose
- Right to delete your personal information
- Right to opt out of the sale of personal information — we do not sell your personal data
- Right to non-discrimination for exercising your privacy rights
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. For significant changes that affect how we process your data, we will provide notice via email or an in-app notification. Your continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact & Supervisory Authority
For any questions, concerns, or requests related to this Privacy Policy or your personal data:
CVTuner — Data Protection
Email: privacy@cvtuner.com
You have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. A list of EU data protection authorities is available at edpb.europa.eu.
© 2026 CVTuner. All rights reserved.