Privacy Policy

This Privacy Policy describes what personal data cvlint collects when you use the Service (cvlint.com and subdomains), how we use it, who we share it with, and the rights you have over it. By using the Service you accept the practices described here. See the Terms of Service for the contract you enter into.

Account data. When you sign up we collect your email address and any name or profile information you provide through the identity provider you choose (Google, Apple, or email/password via Amazon Cognito).

Resume and job-description content. When you upload a resume or paste a job description, that content is sent to our servers for analysis and may include personal data such as your name, contact details, employment history, education, and skills.

Payment data. If you subscribe to a paid plan, Stripe, Inc. collects your payment details directly. We receive metadata (plan, status, last-4 digits) but never see full card numbers.

Technical data. We collect IP addresses (hashed for rate-limit storage), browser type, OS, page paths, and basic interaction events necessary to operate the Service.

• Provide the Service. Parse and score your resume, generate rewrites, render exports, and surface the results in your account.
• Operate the Service. Enforce rate limits, track AI-call costs per account for billing and abuse detection, send transactional emails (account verification, payment receipts, failed-payment notices).
• Improve the Service. Aggregate, anonymized usage to identify bugs and prioritize improvements. We do not use individual resume content to evaluate model performance without removing identifiers first.
• Comply with the law. Respond to lawful requests, prevent fraud, enforce our terms.

We do not use your resume or job-description content to train third-party AI models. We do not sell your personal data. We do not share your resume with recruiters or employers.

We process your personal data on these legal bases:

• Contract — to deliver the Service you signed up for (Art. 6(1)(b) GDPR).
• Legitimate interests — operating, securing, and improving the Service (Art. 6(1)(f) GDPR).
• Legal obligation — tax, accounting, fraud-prevention obligations (Art. 6(1)(c) GDPR).
• Consent — where required for non-essential analytics or marketing (Art. 6(1)(a) GDPR). You can withdraw consent at any time.

We rely on the following sub-processors to operate the Service. Each handles the categories of data shown and processes data on our documented instructions.

• Amazon Web Services (Ireland / us-east-1) — hosting, file storage (S3), database (DynamoDB), authentication (Cognito). All resume and account data.
• Anthropic, PBC (United States) — Claude API calls for resume parsing, scoring, and rewriting. Receives resume and job-description text on a per-request basis. Per Anthropic’s policy, API inputs are not used to train their models.
• Stripe, Inc. (United States and EU) — payment processing. Receives payment-card details directly from you (we do not see them); receives your email and Customer-ID metadata.

Transfers to the United States rely on the EU-US Data Privacy Framework and Standard Contractual Clauses where applicable. We review sub-processors before onboarding and notify account holders by email before adding a new one that processes resume content.

• Resume uploads (S3): retained 90 days then auto-deleted.
• Analysis results (DynamoDB): retained 90 days then auto-deleted via TTL.
• Generated resumes (DynamoDB): retained 90 days then auto-deleted via TTL.
• Account record: retained for the life of your account, deleted within 30 days of account closure.
• Billing records: retained 7 years to meet tax obligations.
• Rate-limit and abuse-detection data: retained 24 hours (rate limits) or up to 90 days (cost ledger), then auto-deleted.

You have the right to access, correct, export, restrict processing of, object to processing of, and delete your personal data. Where we rely on consent, you have the right to withdraw it.

To exercise any of these rights, email privacy@cvlint.com from the address tied to your account. We respond within 30 days. If you believe we have mishandled your data, you have the right to lodge a complaint with your local supervisory authority.

California residents (CCPA/CPRA): You may request access to or deletion of your personal information, opt out of “sale” or “sharing” (we do neither), and designate an authorized agent. Email the address above with the subject line “CCPA Request”.

We encrypt data in transit (TLS 1.2+) and at rest. Access to production systems is restricted to named team members via multi-factor authentication. We log access to resume content and review the logs periodically.

No system is perfectly secure. If we become aware of a security incident affecting your personal data, we will notify affected users without undue delay as required by applicable law.

We use first-party cookies that are strictly necessary to run the Service: session cookies for authentication, language preference, and CSRF protection. We do not currently use third-party advertising or tracking cookies. If we add optional analytics in the future, we will ask for your consent first via a cookie banner.

The Service is not directed at children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, email privacy@cvlint.com and we will delete it.

We may update this Privacy Policy. Material changes will be announced by email to account holders at least 14 days before they take effect. The “Last updated” date at the top reflects the current version.

Data protection enquiries: privacy@cvlint.com.
General support: support@cvlint.com.