Privacy Policy

Last updated: February 2026

1. Introduction

CV Score ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our AI-powered CV evaluation service at cvscore.net ("the Service").

This policy applies to all users worldwide. Depending on your location, you may have additional rights under local privacy laws such as the UK GDPR, EU GDPR, California Consumer Privacy Act (CCPA/CPRA), Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, Singapore's PDPA, and South Africa's POPIA. We address these jurisdiction-specific rights in dedicated sections below.

This policy is effective as of the date shown above and applies to all information collected through the Service.

2. Data Controller

The data controller responsible for your personal information is:

CV Score

United Kingdom

privacy@cvscore.net

For users in the European Economic Area (EEA), our EU representative under GDPR Article 27 is:

German Business Entity (EU Representative)

Germany

eu-representative@cvscore.net

3. Information We Collect

We collect different types of information depending on how you use the Service:

Account Information

When you create an account, we collect:

  • Email address (required for account creation and authentication)
  • Authentication credentials (password hash or OAuth tokens from Google)
  • Account creation date and login history

CV Documents

When you upload a CV for evaluation:

  • Your CV file (PDF format, up to 10MB and 10 pages)
  • Extracted text content from your CV
  • File metadata (filename, size, upload timestamp)

Important: Your CV documents are stored securely in our systems until you choose to delete them. You can delete individual evaluations or your entire account at any time, which permanently removes all associated CV data. We do NOT delete CVs immediately after processing.

Evaluation Results

For each CV evaluation, we store:

  • Overall score and category scores
  • Detailed feedback and recommendations
  • Evaluation prompt version used (for reproducibility)
  • Timestamp of evaluation

Payment Information

For Pro tier users, payment processing is handled by our third-party payment processor, Polar. We store:

  • Email address associated with payment
  • Transaction reference and amount
  • Payment status and date

We do NOT receive or store your credit card number, CVV, or full payment card details. These are processed directly by Polar in accordance with PCI DSS standards.

Technical and Usage Data

We automatically collect:

  • Browser type and version
  • Device information
  • IP address (for rate limiting and security)
  • Session cookies for authentication
  • Error logs (without personal content)

4. How We Collect Information

Directly from you: When you create an account, upload a CV, make a purchase, or contact us.

Automatically: Through essential cookies and server logs when you use the Service.

From third parties: From Google if you use Google OAuth sign-in (we receive only your email and basic profile information).

5. Purposes and Legal Basis for Processing

We process your personal information for the following purposes and legal bases:

Purpose | Description | Legal Basis
Provide the Service | To evaluate your CV and deliver results | Performance of contract (GDPR Article 6(1)(b))
Account management | To create, maintain, and secure your account | Performance of contract
Payment processing | To process Pro tier purchases and maintain payment records | Performance of contract; legal obligation for tax records
Service improvement | To analyze usage patterns and improve the Service | Legitimate interest in improving our services
Security | To prevent fraud, abuse, and maintain service integrity | Legitimate interest in security
Legal compliance | To comply with applicable laws and respond to legal requests | Legal obligation
Communication | To respond to your inquiries and provide support | Legitimate interest; performance of contract

We do NOT use your CV data for advertising, profiling, training AI models, or any purpose beyond delivering and improving the requested service.

6. Automated Decision-Making and AI Processing

CV Score uses artificial intelligence to evaluate your CV. This section explains how automated processing works and your rights regarding it.

How AI Evaluation Works

When you submit a CV for evaluation:

  1. Your CV text is extracted from the uploaded PDF document
  2. The extracted text is sent to OpenAI's GPT-4o model for analysis
  3. The AI evaluates your CV against objective document quality criteria
  4. Results are returned to you with scores and recommendations

No identifying information is sent to OpenAI. Only the CV text content is transmitted; your name, email, account ID, and other identifiers are NOT included in the AI processing request.

What the AI Evaluates

The AI assesses document quality across these categories:

  • Structure and organization
  • Clarity and readability
  • Completeness of information
  • Professional presentation
  • Grammar and language quality

Important Limitations

  • Not a hiring tool: CV Score is designed for self-assessment by job seekers. It is NOT designed for employer screening, automated hiring decisions, or HR recruitment purposes.
  • No employment guarantees: A high score does not guarantee interviews or job offers. A low score does not mean you are unqualified.
  • Document quality only: The evaluation assesses document presentation, not your qualifications, experience, or suitability for any role.
  • No legal or career advice: Results are informational only and do not constitute professional advice.

Your Right to Human Review

Under GDPR Article 22 and similar laws, you have the right to request human review of automated decisions that significantly affect you. While CV Score evaluations are advisory (not legally binding decisions), we respect your rights:

  • You may request human review of any evaluation by contacting support@cvscore.net
  • You may express your point of view and contest the evaluation
  • We will respond to human review requests within 30 days

AI Model Training

Your CV data is NOT used to train AI models. OpenAI's API does not use API inputs for training purposes by default, and we have opted out of any such programs. Your CV remains confidential.

7. Data Sharing

We share your information only in the following limited circumstances:

Service Providers (Subprocessors): We use carefully selected third-party services to operate CV Score. See Section 8 for details.

Legal Requirements: We may disclose information if required by law, court order, or government request.

Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred. You will be notified of any such change.

We do NOT sell your personal information. We do not rent, trade, or share your data with third parties for their marketing purposes.

8. Subprocessors

We use the following third-party service providers to operate CV Score:

Subprocessor | Purpose | Data Processed | Location
OpenAI, LLC | AI-powered CV analysis | CV text content only (no user identifiers) | United States
Supabase, Inc. | Authentication, database, and file storage | Account data, CV documents, evaluation results | United States (AWS infrastructure)
Polar | Payment processing | Email, payment transaction details | To be confirmed

For a complete and current list of subprocessors, please see our Subprocessor List.

We will notify you of any material changes to our subprocessors by updating this policy and the subprocessor list.

9. International Data Transfers

Your data may be transferred to and processed in countries outside your jurisdiction, including the United States.

Transfer Safeguards

We protect international transfers through:

  • Standard Contractual Clauses (SCCs): We have agreements with our US-based processors incorporating EU-approved SCCs.
  • UK International Data Transfer Agreement (IDTA): For UK data transfers, we use the UK IDTA addendum to SCCs.
  • Adequacy decisions: Where applicable, we rely on adequacy decisions recognizing adequate protection in the recipient country.

UK-EU Transfers

The UK has been granted adequacy status by the European Commission (renewed December 2025, valid until December 2031). Data flows between the UK and EEA require no additional safeguards.

10. Data Retention

We retain your information for as long as necessary to provide the Service and comply with legal obligations:

Data Type | Retention Period | Notes
Account Information | Until you delete your account | You can delete your account at any time through the app settings
CV Documents | Until you delete the evaluation or your account | Not deleted automatically; you control when to remove
Evaluation Results | Until you delete the evaluation or your account | Stored to allow you to review past evaluations
Payment Records | 7 years from transaction | Required for tax and legal compliance
Technical Logs | 30 days | For security monitoring and debugging

When you delete data or your account, we permanently remove all associated information from our systems, including CV files from storage. Some data may persist in encrypted backups for up to 30 days before permanent deletion.

11. Your Privacy Rights (All Users)

Regardless of your location, you have the following rights:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion of your personal information
  • Data portability: Receive your data in a machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at privacy@cvscore.net. We will respond within 30 days (or sooner where required by law).

12. Additional Rights for EEA Users (GDPR)

If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to restriction: Request restriction of processing in certain circumstances
  • Right to complain: Lodge a complaint with your local data protection authority
  • Right to human review: Request human intervention for automated decisions (see Section 6)
  • Right to an explanation: Understand the logic involved in automated processing

You may lodge a complaint with your local supervisory authority. Our lead supervisory authority for EU matters is the German Federal Commissioner for Data Protection and Freedom of Information (BfDI), contactable through our EU representative.

We will respond to GDPR requests within 30 days. This period may be extended by two further months where necessary, taking into account the complexity of the request.

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Categories of Personal Information

In the past 12 months, we have collected:

  • Identifiers: Email address, IP address, account identifiers
  • Professional information: CV/resume content
  • Commercial information: Purchase history, payment records
  • Internet activity: Browsing history on our site, interactions with the Service

Your California Rights

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell or share your information)
  • Right to Limit Use of Sensitive PI: Limit use of sensitive personal information (we only use it for providing the Service)
  • Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights

Automated Decision-Making Technology (ADMT)

Our CV evaluation service uses automated processing. Under CPRA regulations:

  • You have the right to information about how the AI evaluation works (see Section 6)
  • You may request human review of any evaluation
  • You may opt out of automated processing by not using the Service

To protect your privacy, we may need to verify your identity before responding to CCPA requests. We will use the email address associated with your account for verification.

To exercise your California privacy rights, email privacy@cvscore.net with the subject "CCPA Request" or call [phone number to be added]. We will respond within 45 days.

You may designate an authorized agent to make a request on your behalf. We may require verification of the agent's authorization.

14. UK Privacy Rights (UK GDPR)

If you are located in the United Kingdom, you have rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018:

Your rights are substantially similar to those under EU GDPR (Section 12), including rights of access, rectification, erasure, restriction, portability, objection, and automated decision-making.

You may lodge complaints with the Information Commissioner's Office (ICO) at ico.org.uk. As we are a UK-based data controller, the ICO is our primary supervisory authority.

Note: The UK Data (Use and Access) Act 2025 introduced certain modifications to UK data protection law. We will update this policy as implementing guidance is issued.

15. Other Jurisdiction-Specific Rights

Brazil (LGPD)

Brazilian residents have rights under the Lei Geral de Proteção de Dados, including access, correction, anonymization, portability, and deletion. You may file complaints with the ANPD (National Data Protection Authority).

Canada (PIPEDA)

Canadian residents have rights under the Personal Information Protection and Electronic Documents Act to access and correct personal information. Complaints may be filed with the Office of the Privacy Commissioner of Canada.

Australia (Privacy Act)

Australian residents have rights under the Privacy Act 1988 to access and correct personal information. Complaints may be filed with the Office of the Australian Information Commissioner (OAIC).

Singapore (PDPA)

Singapore residents have rights under the Personal Data Protection Act to access and correct personal data. Complaints may be filed with the Personal Data Protection Commission.

South Africa (POPIA)

South African residents have rights under the Protection of Personal Information Act to access, correct, and delete personal information. Complaints may be filed with the Information Regulator.

For jurisdiction-specific requests, please contact privacy@cvscore.net indicating your location.

16. Cookies and Tracking

We use minimal cookies essential for the Service to function:

Essential Cookies We Use

  • Authentication token (supabase-auth-token): Keeps you logged in to your account. Strictly necessary for the Service to function.

What We Do NOT Use

  • Analytics cookies (no Google Analytics, no tracking pixels)
  • Advertising cookies (no targeted ads, no remarketing)
  • Third-party tracking cookies
  • Social media tracking widgets

Third-Party Cookies

If you sign in with Google OAuth, Google may set cookies on their domains. These are governed by Google's privacy policy, not ours.

You can manage cookies through your browser settings. Disabling essential cookies may prevent you from using certain features of the Service.

For more details, see our Cookie Policy.

17. Security

We implement appropriate technical and organizational measures to protect your personal information:

  • Encrypted data transmission using TLS 1.3
  • Encrypted data storage at rest
  • Row-level security isolating user data in the database
  • Rate limiting to prevent abuse
  • Regular security assessments
  • Access controls limiting employee access to personal data
  • Secure authentication with password hashing and OAuth support

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

If you discover a security vulnerability, please report it responsibly to security@cvscore.net.

18. Children's Privacy

CV Score is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16.

If we become aware that we have collected personal information from a child under 16, we will delete it promptly. If you believe we may have collected information from a child under 16, please contact us at privacy@cvscore.net.

19. Data Breach Notification

In the event of a personal data breach:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach (where required under GDPR/UK GDPR)
  • We will notify affected individuals without undue delay if the breach is likely to result in high risk to their rights and freedoms
  • We will document all breaches and our response
  • We maintain incident response procedures to detect, investigate, and address breaches promptly

If you believe your data may have been compromised, contact us immediately at security@cvscore.net.

20. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on this page with a new effective date
  • Sending an email to registered users for significant changes
  • Displaying a prominent notice on the Service

We encourage you to review this policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.

For material changes affecting your rights or how we use your data, we will provide at least 30 days' notice before the changes take effect.

21. Contact Us

For privacy-related questions, requests, or concerns, contact us at:

Privacy inquiries

privacy@cvscore.net

Data subject requests

privacy@cvscore.net (Include "Data Subject Request" in the subject line)

Security issues

security@cvscore.net

General support

support@cvscore.net

Postal address

CV Score, United Kingdom

We aim to respond to all inquiries within 5 business days and to complete data subject requests within 30 days.

22. Data Protection Officer

For matters related to data protection compliance, you may contact our Data Protection Officer at:

dpo@cvscore.net

The DPO is responsible for overseeing our data protection strategy and ensuring compliance with applicable privacy laws.

Privacy Questions

Common questions about data handling and privacy.

Is my CV stored after evaluation?

Yes. Your CV is stored securely in your account until you choose to delete it. You can delete individual evaluations or your entire account at any time, which permanently removes all associated CV data. We do not delete CVs automatically after processing—this allows you to review past evaluations and track your progress.

How does AI evaluate my CV?

We use OpenAI's GPT-4o model to analyze your CV text against objective document quality criteria including structure, clarity, completeness, and professional presentation. Only the text content of your CV is sent to OpenAI—no identifying information like your name, email, or account details is included. OpenAI does not use API inputs for training.

Is this a hiring tool?

No. CV Score is designed for self-assessment by job seekers, not for employer screening or automated hiring decisions. The evaluation assesses document quality only—not your qualifications, suitability for roles, or employability. Results are informational and do not constitute professional advice.

Can I request human review of my evaluation?

Yes. Under GDPR and other privacy laws, you have the right to request human review of automated decisions. While our evaluations are advisory (not legally binding), you can request human review by emailing support@cvscore.net. We will respond within 30 days.

What are my data rights?

You have the right to access, correct, delete, and port your personal data. You can delete your account and all associated data at any time through the app settings. For formal data subject requests, email privacy@cvscore.net. Response times depend on your jurisdiction: 30 days for GDPR/UK GDPR, 45 days for CCPA.

Do you sell my data?

No. We do not sell, rent, or share your personal information with third parties for their marketing purposes. We only share data with service providers (subprocessors) who help us operate the Service, and they are contractually bound to protect your data.

How do you handle international data transfers?

Your data may be processed in the United States by our service providers (OpenAI, Supabase). We protect these transfers using Standard Contractual Clauses (SCCs) approved by the European Commission and UK IDTA for UK transfers. All processors have Data Processing Agreements in place.

How can I delete my data?

You can delete individual evaluations from your dashboard, or delete your entire account through app settings. Account deletion permanently removes all your data including CV files, evaluation results, and account information. Payment records are retained for 7 years as required by law.