Privacy Policy
Last updated 3 May 2026
Who we are
CV Tailor (“we”, “us”) is operated as a sole trader in the United Kingdom. For privacy questions, data requests, or complaints, contact privacy@cv-tailor.uk.
We are the data controller for personal data processed via cv-tailor.uk.
What we collect
When you use CV Tailor, we process the following categories of personal data:
- Account data: email address, name (if provided), password hash (bcrypt), OAuth profile data if you sign in via Google or GitHub.
- CV content: the CV files you upload (.docx or .pdf) and the parsed text. CVs typically contain employment history, education, skills, and contact details.
- Job descriptions: the text you paste or the URL you provide for tailoring.
- Tailoring outputs: the rewritten CVs we generate, ATS scores, honesty-check reports, cover letters, interview-prep notes, and outreach summaries.
- Payment data: handled entirely by Stripe; we never see card details. We store the Stripe checkout session ID, the credits purchased, and the amount paid.
- Operational metadata: sign-up date, sign-in events, rate-limit counters, and request logs (which include IP addresses, kept by Vercel for up to 30 days).
Why we process it (lawful basis)
- To provide the service (UK GDPR Art. 6(1)(b) — performance of a contract): account creation, sign-in, parsing your CV, tailoring it, generating documents, taking payment.
- To prevent abuse (Art. 6(1)(f) — legitimate interests): rate limiting, fraud detection, securing the platform.
- To comply with the law (Art. 6(1)(c)): tax records related to payments are retained as required by HMRC.
Who we share it with (sub-processors)
To run the service, we share data with the following third parties. Each acts under its own privacy and data-processing terms.
- Vercel (USA / EU) — hosting and serverless functions.
- Supabase (UK — AWS eu-west-2, London) — database and CV file storage.
- Anthropic (USA) — AI processing of CV text and job descriptions to produce critiques, rewrites, and related outputs. Anthropic does not train on your data when accessed via the API. Their privacy practices: anthropic.com/legal/privacy.
- Stripe (USA / EU) — payment processing.
- Resend (USA) — transactional email delivery (verification, magic links).
- Upstash (USA / EU) — rate-limit counters.
- Cloudflare (global) — DNS and registrar.
- Google / GitHub — if you choose those sign-in methods, they receive sign-in events.
Some of these processors are based in the United States. Transfers to them rely on the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, plus each provider’s additional safeguards.
How long we keep it
- Account data: while your account exists, then up to 30 days more in backups after deletion.
- Uploaded CVs and tailored outputs: stored until you delete them or close your account.
- Payment records: retained for 6 years to comply with UK tax law.
- Server and rate-limit logs: 30 days.
Your rights
Under UK GDPR you can:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and the associated data (right to erasure).
- Export your data in a machine-readable format (right to portability).
- Object to processing based on legitimate interests.
- Withdraw consent at any time, where consent is the lawful basis.
You can delete your account or export your data from your account settings page, or by emailing privacy@cv-tailor.uk.
If we cannot resolve a complaint, you have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.
Cookies
We use a strictly-necessary cookie to keep you signed in (the auth session cookie). This does not require consent.
If you opt in via the consent banner, we also load Vercel Analytics, which collects anonymised pageview data and your IP address to help us understand traffic patterns. You can withdraw consent at any time by clicking Cookies in the footer.
We do not run advertising cookies. We do not share data with third-party advertising networks.
Security
Passwords are stored only as bcrypt hashes. Session tokens are stored in cookies with the HttpOnly, Secure and SameSite=Strict attributes. CV files are kept in private storage and served only via signed URLs that expire after 15 minutes. Payments are handled by Stripe’s hosted Checkout, so card details never reach our servers. The site is served over HTTPS with HSTS.
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, and we will contact affected users directly where the breach is likely to result in a high risk to them.
Changes to this policy
We’ll update this page when our processing changes. Material changes will be flagged at the top of the page and, where appropriate, communicated by email.