Privacy policy

1. Overview

This Privacy Policy explains how we collect, use, disclose, and safeguard information when you access or use the Service, including our website, authentication, file uploads, AI-assisted document generation, billing, and related features.

By using the Service, you agree to this Privacy Policy. If you do not agree, do not use the Service.

2. Who is responsible

The data controller for personal data processed through the Service is the organization that operates TrueFitCV under the domain where you access the Service (the “Operator”). Where applicable law requires a named entity or contact, we publish or provide that information through the Service or account communications.

3. Information we collect

We may collect the following categories of information:

• Account and profile data. Such as email address, authentication identifiers, and profile or billing-related fields associated with your account.
• Content you submit. Including CV or résumé files and extracted text, job descriptions or URLs you provide, notes you enter in the product, and outputs generated for you (for example tailored CV text, cover letters, and analysis artifacts).
• Usage and technical data. Such as device type, browser type, approximate region derived from IP, timestamps, pages viewed, diagnostics, and security-related logs.
• Payment data. Payments are processed by our payment processor (Stripe). We generally do not receive full payment card numbers; we may receive limited billing metadata (for example customer identifiers, subscription status, and transaction references) as needed to operate billing.

4. How we use information

We use information to:

• Provide, operate, maintain, and improve the Service;
• Authenticate users, prevent fraud and abuse, and protect security;
• Process payments, credits, subscriptions, and customer support requests;
• Run AI-assisted features (for example by sending relevant portions of your CV and job text to model providers) and store outputs so you can access them in your account;
• Comply with law, enforce our Terms, and defend legal claims;
• Analyze usage in aggregate or de-identified form to understand product performance (for example analytics on our hosting platform).

5. Legal bases (EEA, UK, and similar regions)

Where GDPR or similar laws apply, we rely on one or more of the following legal bases: performance of a contract with you; our legitimate interests (for example securing the Service, improving reliability, and preventing fraud), balanced against your rights; consent where we ask for it; and compliance with legal obligations.

6. How we share information

We do not sell your personal information in the conventional sense of selling lists of individuals. We share information with service providers (“subprocessors”) that help us run the Service, subject to appropriate safeguards and contracts where required. Categories may include:

• Hosting and infrastructure (for example application hosting and edge delivery);
• Database and authentication (for example managed database and identity services used to store accounts and content);
• AI providers used to generate tailored content from inputs you submit;
• Payments (Stripe and related payment methods);
• Security and rate limiting (for example caching or rate-limit services);
• Analytics where enabled (for example product analytics on our hosting provider).

We may also disclose information if required by law, regulation, legal process, or governmental request; to enforce agreements; or to protect the rights, property, or safety of the Operator, users, or the public.

7. Retention

We retain information for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods can depend on the nature of the data (for example account records versus generated artifacts) and whether you delete content or close your account. Some residual copies may persist for a limited time in backups or logs.

8. Security

We implement reasonable administrative, technical, and organizational measures designed to protect personal information. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

9. International transfers

We may process and store information in the United States and other countries where we or our service providers operate. Where required, we use appropriate safeguards (such as standard contractual clauses) for transfers of personal data from the EEA, UK, or Switzerland.

10. Your privacy rights and choices

Depending on your location, you may have rights to access, correct, delete, or export certain personal data; to object to or restrict certain processing; to withdraw consent where processing is consent-based; and to lodge a complaint with a supervisory authority.

You can exercise many rights through account settings (where available) or by contacting us using the contact method shown at the top of this page. We may need to verify your identity before fulfilling certain requests.

11. U.S. state privacy notices (including California)

If you are a resident of a U.S. state with a comprehensive privacy law, you may have additional rights regarding personal information, including rights to know, delete, correct, and opt out of certain processing. We do not use sensitive personal information to infer characteristics about you for behavioral advertising through the Service in a manner that would trigger “limit the use of my sensitive personal information” obligations in typical configurations, but you may contact us with questions.

California residents: we do not “sell” or “share” personal information as those terms are defined under the CCPA/CPRA in the usual operation of TrueFitCV as described here, beyond disclosures to service providers for business purposes as permitted by law.

12. Children

The Service is not directed to children under 13 (or the minimum age required in your jurisdiction), and we do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us and we will take appropriate steps to investigate and delete such information where required.

13. Third-party sites and links

The Service may contain links to third-party websites or services. This Privacy Policy does not apply to those third parties. Please review their policies before providing information to them.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and update the “Last updated” date. Where changes are material and required by law, we will provide additional notice or obtain consent as appropriate.

15. Contact

Questions about this Privacy Policy or our privacy practices should be directed using the contact method shown at the top of this page.