Back to CVBoost

Privacy policy

Last updated: April 2026

Short version

We process your CV to rewrite it. We don't keep it afterward. We don't train AI on it. We don't email you forever. No account = no data hoard.

1. Data controller

JK COM LLC, United States. Contact: support@cvfix.app. See also our Impressum.

2. EU representative (Art. 27 GDPR)

To be appointed before serving EU users at scale (required by Art. 27 GDPR for non-EU controllers). Services like Prighter or GDPR-rep.eu cost ~€50/yr. Details will be listed in our Impressum once appointed.

3. What we process, and why

  • Your uploaded PDF — parsed into text + optional embedded photo extraction. Legal basis: performance of contract (Art. 6(1)(b) GDPR).
  • CV data fields extracted by AI (name, contacts, experience, etc.) — held in server memory while your session is active.
  • Optional job description — if you paste one, used for tailoring, then discarded.
  • Payment data — Stripe handles card details end-to-end. We only see the transaction confirmation and a masked receipt.
  • Basic technical logs — IP address, user agent, timestamp — for anti-abuse and error debugging. Legal basis: legitimate interests (Art. 6(1)(f)). Logs retained ≤ 14 days.

4. What we do NOT collect

  • No user accounts, logins, passwords.
  • No ad tracking pixels, no Meta / Google ads tags, no cross-site retargeting cookies.
  • No email marketing list. We only email you if you email us first.
  • No analytics that identify individuals.

5. How long we keep it

CV data is held in server memory only while your session is active (typically minutes to hours). Uploaded PDFs and session state are automatically discarded when the session ends. Stripe keeps payment records per their legal retention requirements (typically 7 years).

6. Sub-processors / third parties

We rely on the following providers to deliver the service:

  • OpenAI, L.L.C. (USA) — processes your CV text via its GPT-4o API to generate the rewritten version. Per OpenAI's API terms, API data is not used to train OpenAI's models. Privacy policy.
  • Stripe, Inc. (USA) — processes payments. Privacy policy.
  • Vercel, Inc. (USA) — hosting and delivery. Privacy policy.

All three are US-based. Transfers of personal data from the EEA/UK to these providers are covered by Standard Contractual Clauses (SCCs) adopted by the European Commission.

7. Your rights under GDPR

EU/EEA/UK residents have the following rights:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure / "right to be forgotten" (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Right to lodge a complaint with a supervisory authority (Art. 77) — for Germany the list is at bfdi.bund.de

Because we do not store your CV long-term or link it to an identity, most rights resolve to the same answer: we do not hold the data any more. If you want written confirmation, email us and we will respond within 30 days.

8. Your rights under US state laws

California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA) residents have rights to know, delete, correct, and opt out of sale/sharing of personal information. We do not sell or share personal information as defined under those laws. To exercise any right, email support@cvfix.app.

9. Cookies

We use strictly necessary cookies to run the service (e.g. a session identifier during your visit). We do not set advertising, analytics, or tracking cookies. Under the ePrivacy Directive, strictly necessary cookies do not require consent.

10. Security

The service is served over HTTPS. Data in transit is encrypted. We rely on Vercel's infrastructure security for data at rest in memory. We do not maintain a separate long-term database.

11. Changes

We may update this policy. The "last updated" date at the top reflects the most recent change. Continued use of the service after changes constitutes acceptance.

12. Contact

Questions or GDPR requests: support@cvfix.app