Privacy Policy
Last updated: 5 June 2026
Who we are
CVMindAI (“we”, “our”) provides AI-assisted CV optimisation. This policy explains what personal data we collect, how we use it, and the rights you have under UK GDPR and the EU General Data Protection Regulation.
The service is in public beta. We aim to keep data handling minimal and transparent. Questions? Email privacy@cvmindai.com.
What we collect
- CV contents. The text of the CV file you upload, including names, contact details, work history, education, and any other information you choose to include.
- Sensitive information you choose to include. A CV may contain special-category data or highly personal details, for example health, immigration, equality, union, or background information. Please remove anything not needed for the CV optimisation before uploading.
- Email address. Only when you sign in or purchase the Job Hunt Pack so we can deliver the files and the receipt.
- Job description / target role. Text you paste in when asking the AI to tailor your CV.
- Technical data. Your IP address (for rate limiting and abuse prevention) and basic request logs (endpoint, timestamp, status code). We do not log CV text or AI prompts.
- Ad attribution data. If you arrive from an advert, we may store campaign parameters such as UTM fields, Google click ID, landing page, and first-seen timestamp so we can understand whether paid traffic leads to checkout.
How we use it
- To extract text from your CV and generate the optimised version.
- To compute the ATS score and recruiter-style feedback shown in the preview.
- To deliver the PDF and Word files after a successful purchase.
- To enforce per-IP and per-account rate limits so abusive traffic does not exhaust our AI quota for honest users.
- To measure the paid funnel from advert click to ATS check, preview, checkout, and purchase. We do not include CV text in analytics events.
The lawful basis is performance of a contract (delivering the service you asked for) and legitimate interest (preventing abuse, securing the service, and understanding paid funnel performance without using CV text). Where we ask for optional consent, for example non-essential cookies, you can withdraw it through your browser or cookie controls. We do not use your CV for marketing, model training, or analytics.
Service providers who process your data
We use trusted service providers to run CVMindAI securely. They only receive the information needed to provide, protect, improve, or measure the service. We do not sell your CV data, and we do not give CV contents to advertising providers.
| Provider type | Why we use them | Data they may process |
| --- | --- | --- |
| AI processing providers | To analyse, score, and tailor CV content. | CV text, job description text, generated feedback. |
| Cloud hosting and database providers | To run the website and store service data. | Account details, saved workspaces, feedback, purchase records, request logs. |
| Payment providers, including Stripe | To process one-time payments securely. | Payment status, billing details, transaction references. We never see your card details. |
| Email providers | To send receipts, download links, and service emails. | Email address, message content, delivery status. |
| Security and usage-limit providers | To prevent abuse and manage daily usage limits. | IP address, visitor ID, email, usage counters. |
| Analytics and advertising providers | To understand website performance and measure paid traffic, if enabled. | Device and browser data, page events, campaign data. CV contents are not sent to analytics. |
Where a service provider processes personal data outside the UK or EEA, we use appropriate safeguards where required.
How long we keep it
- Uploaded CV files. Held in memory only during processing — they are never written to disk.
- Saved workspaces (if you sign in). Kept until you delete them or your account.
- Purchased downloads. Sensitive CV content is automatically cleared from our systems once both files (PDF + Word) have been delivered.
- Browser-held previews. Kept on your device for up to 24 hours so the preview can survive refreshes, then cleared automatically. You can also clear the local CV from the workspace.
- Email + payment record. Retained for at least 7 years to satisfy UK accounting requirements.
- Rate-limit counters. Auto-expire after the limit window (between 15 minutes and 24 hours).
- Ad attribution. Kept in your browser storage and attached to checkout metadata if you purchase, so we can reconcile advertising spend with purchases.
Your rights
Under UK and EU GDPR you have the right to access, correct, delete, restrict, or port your personal data. To exercise any of these, email privacy@cvmindai.com from the address tied to your data and tell us what you would like. We will respond within 30 days.
You can also complain to the Information Commissioner's Office at ico.org.uk.
Browser storage
We use localStorage on your device to keep your current draft CV, target role, unsaved edits, and advert attribution so the preview survives a page refresh and checkout can preserve the original campaign source. Draft data does not leave your browser unless you explicitly upload, optimise, save a workspace, or start checkout. Generated CV previews expire after 24 hours, and the workspace includes a clear-local-CV action. Clearing your browser storage removes it too.
Security
Traffic is served over HTTPS. Uploaded files are validated by extension, MIME type, and file signature, capped at 5 MB, and processed in memory. Rate limits and HTTP security headers (HSTS, X-Frame-Options, CSP) are in place. Despite these measures, no online service can guarantee absolute security.
Changes to this policy
If we change anything material, we will update the date above and post a notice on the site. For ongoing visibility, see also our Terms of Service.