Legal

Privacy Policy

Version 1.0 Effective: March 24, 2026

This Privacy Policy explains how CVForge collects, uses, stores, and protects your personal data when you use our AI-powered CV generation platform. By using the Service you agree to the practices described here.

01

Overview

CVForge is a web-based platform that helps users generate tailored CVs using AI. To provide the Service, we collect a small amount of personal data — primarily what is required to authenticate your account, process your CV requests, and communicate with you. We do not sell your data, serve ads, or share your information with third parties except as described in this Policy.

We act as the data controller for personal data collected through the Service. Where we pass data to third-party processors (such as Google Gemini or Paddle), those processors act under their own data processing terms.

02

Data We Collect

We collect the following categories of data:

Account data (via OAuth)

  • Full name
  • Email address
  • Profile avatar URL
  • OAuth provider name (Google or GitHub) and your provider-assigned user ID

CV generation data

  • Experience Input — the work history, skills, and background text you submit
  • Job descriptions you paste into the generation form
  • Job title labels you provide
  • Generated Output — the CV Markdown returned by the AI model
  • Timestamp and token count for each generation

Usage & billing data

  • Number of generations used in the current billing period
  • Subscription plan (Free, Pro, or Enterprise)
  • Quota reset date
  • Payment events received from Paddle (plan, status — we never see card details)

Contact data

  • Name, email, subject, and message content submitted via the contact form

Technical data

  • Session identifiers stored in an encrypted server-side session cookie
  • Standard web server logs (IP address, browser user-agent, request path, timestamp) retained for up to 30 days for security and debugging purposes
03

How We Use Your Data

Purpose Data used Legal basis
Authenticate your account OAuth profile, session ID Contract
Generate your CV Experience Input, job description Contract
Store generation history Generated Output, job title, timestamp Contract
Enforce usage quotas Request count, plan, reset date Contract
Process payments Email, plan, Paddle event data Contract
Respond to support enquiries Contact form data Legitimate interest
Security & fraud prevention Server logs, session data Legitimate interest
Legal compliance Any data required by law Legal obligation

We do not use your data for advertising, profiling, or any purpose not listed above.

04

Third-Party Processors

We share data with the following third-party services to operate the platform:

  • Google Gemini API — Your Experience Input and job description are transmitted to Google's Gemini API to generate your CV. This data is processed under Google's API data processing terms. We do not use the API in a way that permits Google to train models on your data under the standard API agreement.
  • Google OAuth — If you sign in with Google, your name, email, and avatar are received from Google's OAuth service. We do not receive your Google password.
  • GitHub OAuth — If you sign in with GitHub, your name, primary email, and avatar are received from GitHub's OAuth service.
  • Paddle — Paid subscriptions are processed by Paddle as our Merchant of Record. Paddle handles all payment data; we receive only the outcome (plan upgrade or cancellation) via webhook. Paddle's privacy policy governs their data handling.
  • Hosting & infrastructure provider — The platform runs on cloud infrastructure. Server logs and database backups may be stored within that provider's systems subject to their data processing agreement with us.

We do not sell, rent, or trade your personal data to any third party for marketing or commercial purposes.

05

AI & Your Content

Your Experience Inputs and Generated Outputs are stored in your account's generation history solely to provide the dashboard and retrieval features of the Service.

  • We do not use your inputs or outputs to train, fine-tune, or evaluate any AI model.
  • We do not share your CV content with other users or make it publicly accessible.
  • You may delete individual generations from your dashboard at any time, or request full deletion of all your data by contacting us.
  • Inputs are transmitted to the Google Gemini API over an encrypted TLS connection and are not stored by CVForge beyond what appears in your generation history.
06

Data Retention

We retain your data for the following periods:

  • Account data — held for the lifetime of your account and deleted within 30 days of an account deletion request.
  • Generation history — retained while your account is active. Deleted on account deletion or on individual request.
  • Contact messages — retained for 12 months for support continuity, then deleted.
  • Server logs — retained for up to 30 days for security purposes, then purged automatically.
  • Payment records — retained as required by applicable financial regulations (typically 7 years), held by Paddle as Merchant of Record.

Accounts inactive for more than 12 consecutive months may be deleted in accordance with our Terms of Service, with at least 30 days' email notice where possible.

07

Security

We implement industry-standard technical and organisational measures to protect your personal data, including:

  • TLS encryption for all data in transit between your browser and our servers.
  • Encrypted session cookies with server-side session storage.
  • Database access restricted to application-layer credentials; no public database endpoints are exposed.
  • API keys and secrets stored as environment variables, never in source code.
  • Payment data handled exclusively by Paddle; we store no card numbers or bank details.

No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at security@cvforge.io.

08

Cookies & Sessions

CVForge uses a single session cookie to maintain your logged-in state. This cookie is:

  • Strictly necessary for the Service to function — the site cannot work without it.
  • Encrypted and signed using your Flask secret key; it does not contain readable personal data.
  • Cleared when you log out or when your browser session ends.

We do not use tracking cookies, advertising cookies, or any third-party analytics scripts. We do not use Google Analytics, Meta Pixel, or similar tools.

09

Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access. Request a copy of the personal data we hold about you.
  • Rectification. Ask us to correct inaccurate data. Note that your name and email are sourced from your OAuth provider and must be updated there first.
  • Erasure. Request deletion of your account and all associated data.
  • Portability. Request an export of your generation history in a machine-readable format.
  • Restriction. Ask us to restrict processing of your data in certain circumstances.
  • Objection. Object to processing based on legitimate interests.
  • Withdraw consent. Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email legal@cvforge.io from your registered address. We will respond within 30 days. We may ask you to verify your identity before processing the request.

If you are located in the EU or UK, you have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data lawfully.

10

Children

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us at legal@cvforge.io and we will delete it promptly.

11

International Data Transfers

CVForge and its infrastructure providers may process your data in countries outside your own, including the United States. Where data is transferred outside the European Economic Area (EEA), we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
  • The adequacy decisions or binding corporate rules of the relevant processor (e.g. Google's EU data processing terms).

By using the Service, you acknowledge that your data may be transferred to and processed in jurisdictions that may have different data protection laws than your country of residence.

12

Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — such as new categories of data collection or new third-party processors — we will provide at least 14 days' notice by displaying a banner on the Service or by emailing your registered address.

The "Effective" date at the top of this page always reflects the current version. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

13

Contact

For privacy-related enquiries, data subject requests, or to report a concern, please contact us at:

Email legal@cvforge.io

We aim to respond to all privacy enquiries within 5 business days.