Privacy Policy — CVStory
Last updated: 1 May 2026
1. Who we are
cvstory.org (the “Service”) is operated by Lkt software development and consulting Ltd, a private limited company registered in Cyprus under registration number HE442459 with registered office at Amfiktyonos, 15A, 7, 4046 Limassol, Cyprus (“cvstory”, “we”, “our”, or “us”). We are the data controller for personal data processed through the Service.
If you have any questions about this policy or wish to exercise your rights, contact us at dp@cvstory.org.
2. Scope
This policy explains how we collect, use, store, and share personal data when you visit cvstory.org, sign up for our waitlist, or use our CV building tool and other products. It applies to all users worldwide, with specific provisions for users in the European Economic Area (EEA), the United Kingdom, and California.
3. Personal data we collect
3.1 Data you provide directly
Account and contact data
- Email address
- Name
- Password (stored hashed; we never see it in plain text)
- Account preferences and settings
CV content — information you enter, upload, or generate while using the Service, which may include:
- Employment history: employer names, job titles, dates, responsibilities, achievements, and (if you choose to include it) salary information
- Education: schools, universities, qualifications, dates, grades
- Skills, certifications, and languages
- Professional links: LinkedIn, GitHub, portfolio URLs
- Photographs (if you choose to upload one)
- References: names, job titles, and contact details of people you list as references
- Free-text content you enter (cover letters, summaries, etc.)
- Voice recordings: if you use our voice input feature, we capture short audio recordings to transcribe into text
Payment data: when you pay for the Service, payment is processed by Stripe. Stripe collects and processes your card details directly; we receive only a transaction reference, the last four digits of your card, the card brand, and the billing country. We never see or store full card numbers, CVCs, or expiry dates.
Support correspondence: messages you send us by email or through support channels.
3.2 Data collected automatically
- Device and connection data: IP address, browser type, operating system, device type, language, and approximate location derived from IP.
- Usage data: pages visited, features used, clicks, time on page, referring URL, UTM parameters from ad campaigns, and similar interactions.
- Cookies and similar technologies: see Section 8 below.
3.3 Special category data
CVs sometimes contain information that GDPR Article 9 classifies as special category data — for example, information that reveals racial or ethnic origin, religious or philosophical beliefs, trade union membership, health (including disability), or sexual orientation. We do not ask you to provide this information, and we recommend you avoid including it where possible. However, if you choose to include such information in your CV, we process it on the basis of your explicit consent (Article 9(2)(a) GDPR), which you give by entering and saving the data. You can withdraw this consent at any time by editing or deleting the relevant content, or by deleting your account.
3.4 Data about third parties
When you list previous employers, managers, or references in your CV, you provide personal data about other people. You are responsible for ensuring you have a lawful basis to share that data with us (typically because the information is publicly available, professionally relevant, or because you have informed the reference). We process this data on the basis of our legitimate interest in providing the Service to you, and we apply the same protections as we do to your own data.
3.5 Children
The Service is not directed at children under 16. If you are between 16 and 18, you may use the Service to prepare CVs for internships, first jobs, or further education. We do not knowingly collect data from anyone under 16; if you believe a child under 16 has provided us with personal data, please contact us and we will delete it.
4. How we use your data and our lawful basis
| Purpose | Data used | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Creating and managing your account; providing the CV builder | Account data, CV content | Performance of a contract (Art. 6(1)(b)) |
| Processing CV content, including AI-assisted generation, editing, and voice transcription | CV content, voice recordings | Performance of a contract (Art. 6(1)(b)); explicit consent for special category data (Art. 9(2)(a)) |
| Processing payments and managing subscriptions | Payment data, account data | Performance of a contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) for tax and accounting records |
| Sending transactional emails (account confirmation, password reset, service notifications) | Email, account data | Performance of a contract (Art. 6(1)(b)) |
| Sending marketing emails about cvstory features and updates | Email, name | Consent (Art. 6(1)(a)) — collected via double opt-in; you can withdraw at any time |
| Managing the pre-launch waitlist | Email, name | Consent (Art. 6(1)(a)) — collected via double opt-in |
| Analytics and product improvement | Usage data, device data | Consent (Art. 6(1)(a)) for cookie-based analytics |
| Advertising and conversion measurement | Usage data, hashed email | Consent (Art. 6(1)(a)) |
| Security, fraud prevention, abuse detection | Account data, usage data, IP address | Legitimate interests (Art. 6(1)(f)) — protecting the Service and our users |
| Complying with legal obligations | As required | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, you have the right to object — see Section 10.
5. Automated processing and AI
We use third-party AI providers to help generate, rewrite, transcribe, and improve CV content when you use those features. We do not use your data to train our own models, and our agreements with these providers prohibit them from using your data to train theirs.
Voice transcription uses Groq, Inc. running OpenAI’s whisper-large-v3 model. Voice audio is sent to Groq for transcription and is not retained by Groq for training under their API terms.
Text generation lets you choose which model processes your CV content. Available models include those from OpenAI, LLC (e.g. GPT family), Anthropic, PBC (Claude family), and may include open-weight models served by Alibaba Cloud / Qwen or DeepSeek. Each provider has different terms, locations, and data handling practices:
| Provider | Headquarters | Processing location | Notes |
|---|---|---|---|
| Groq | United States | United States | Voice transcription only; no training on API data |
| OpenAI | United States | United States and EU | API data not used for training |
| Anthropic | United States | United States and EU | API data not used for training |
| Qwen (Alibaba Cloud) | China | China | Available only on explicit user selection |
| DeepSeek | China | China | Available only on explicit user selection |
We default to providers in the EU/US. Chinese providers are available only when you explicitly select them — we will display a clear notice before sending data to them. If you would prefer not to use any non-EU/US provider, you can restrict your model selection at any time in your account settings.
These features assist you but do not make automated decisions that produce legal or similarly significant effects on you within the meaning of Article 22 GDPR — a human (you) reviews and decides what to keep.
International transfers related to AI processing are described in Section 7.
6. Who we share your data with
We share personal data only with the following categories of recipients, who act as our processors under written data processing agreements:
| Recipient | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Application hosting (VPS, deployed via Coolify) | Nuremberg, Germany (EU) |
| Brevo (Sendinblue SAS) | Transactional email, marketing email, waitlist management with double opt-in | France (EU) |
| PostHog Inc. | Product analytics | EU Cloud — Frankfurt, Germany |
| Stripe Payments Europe Ltd / Stripe, Inc. | Payment processing | Ireland (EU) and United States |
| Meta Platforms Ireland Ltd / Meta Platforms, Inc. | Advertising and conversion tracking via Meta Pixel | Ireland (EU) and United States |
| Google Ireland Ltd / Google LLC | Advertising and conversion tracking via Google Tag with enhanced conversions | Ireland (EU) and United States |
| Groq, Inc. | AI-assisted voice transcription | United States |
| OpenAI, LLC | AI-assisted text generation (when selected) | United States, EU |
| Anthropic, PBC | AI-assisted text generation (when selected) | United States, EU |
| Alibaba Cloud (Qwen) | AI-assisted text generation (only when explicitly selected) | China or other regions |
| DeepSeek | AI-assisted text generation (only when explicitly selected) | China |
We may also disclose personal data:
- To professional advisers (lawyers, accountants, auditors) under duties of confidentiality
- To public authorities where required by law or court order
- To a buyer or successor in the event of a merger, acquisition, or asset sale, subject to standard confidentiality protections
We do not sell your personal data.
6.1 Joint controllership with Meta
When you interact with our Service while we run the Meta Pixel, Meta and cvstory act as joint controllers for the collection and transmission of certain data to Meta, in line with the Fashion ID CJEU ruling. The arrangements between joint controllers are summarised in Meta’s Controller Addendum. After data reaches Meta, Meta processes it as an independent controller under its own privacy policy.
7. International data transfers
Our core infrastructure (Hetzner, Brevo, PostHog EU Cloud, Stripe Ireland) is located within the EU/EEA and does not involve international transfers.
Some of our processors transfer or process personal data outside the EEA, in particular in the United States and (only on your explicit selection) China. Where this is the case, we rely on the following safeguards under Chapter V GDPR:
- EU-US Data Privacy Framework (DPF): where the recipient is certified, transfers are made on the basis of the European Commission’s adequacy decision for the DPF. Stripe, Meta, Google, OpenAI, and Anthropic are (or have affiliates that are) DPF-certified at the time of writing — we monitor certifications and will update this policy if any cease to participate.
- Standard Contractual Clauses (SCCs): the European Commission’s 2021 SCCs, supplemented by additional safeguards where necessary following a transfer impact assessment. We use SCCs for Groq and for any provider that is not DPF-certified.
- Transfers to China (Qwen, DeepSeek): China is not subject to a Commission adequacy decision and does not benefit from a framework comparable to the DPF. Where you choose a Chinese model, we rely on the SCCs combined with your explicit informed consent to the transfer (Article 49(1)(a) GDPR). You will be shown a clear notice before any data is sent to a Chinese provider, and you can avoid such transfers entirely by selecting only EU/US providers.
You can request a copy of the relevant safeguards by emailing dp@cvstory.org.
8. Cookies and tracking technologies
We use cookies and similar technologies (pixels, local storage, device identifiers) for the purposes set out below. Where the law requires consent, we will not set non-essential cookies until you have given consent through our cookie banner. You can change your preferences at any time via the “Cookie Settings” link in the footer.
| Category | Tools | Purpose | Requires consent? |
|---|---|---|---|
| Strictly necessary | Session cookies, CSRF tokens, login state, cookie consent record | Operating the Service, security | No |
| Analytics | PostHog (EU Cloud) | Understanding how the Service is used and improving it | Yes |
| Advertising | Meta Pixel, Google Tag (including enhanced conversions) | Measuring ad performance and showing relevant ads | Yes |
Enhanced conversions involves sending a hashed (SHA-256) version of your email address to Google for the purpose of attributing conversions to ads. Although hashed, this is still personal data under GDPR, and we only do this with your consent.
Meta Pixel captures events such as page views, button clicks, and conversion events (e.g. waitlist signup) and transmits them to Meta along with your IP address and a Meta browser identifier where present. We only set the Pixel after you accept advertising cookies.
Retention periods for cookies vary from session-only (deleted when you close your browser) up to 24 months. Specific durations are listed in our cookie banner’s preference centre.
9. How long we keep your data
| Data | Retention period |
|---|---|
| Active account data and CV content | For as long as your account is open |
| Voice recordings | Transcribed in near-real-time and deleted from our servers within 24 hours; transcribed text retained as part of your CV content |
| Deleted account data | Permanently deleted within 30 days, except for backup copies which are rotated out within 90 days |
| Waitlist email | Until you unsubscribe or until 24 months of inactivity, whichever comes first |
| Marketing consent records | Records of consent (and double opt-in confirmation) kept for 3 years after consent is withdrawn, to demonstrate compliance |
| Transactional email logs | 12 months |
| Payment and invoicing records | 6 years (Cyprus tax law requirement) |
| Analytics data (PostHog) | 12 months |
| Support correspondence | 3 years from last contact |
10. Your rights
If you are in the EEA or the UK, you have the following rights under the GDPR / UK GDPR:
- Right of access — to obtain a copy of the personal data we hold about you
- Right to rectification — to correct inaccurate or incomplete data
- Right to erasure (“right to be forgotten”) — to have your data deleted in certain circumstances
- Right to restrict processing — to limit how we use your data in certain circumstances
- Right to data portability — to receive your data in a structured, commonly used, machine-readable format, or have it transmitted to another controller
- Right to object — to object to processing based on legitimate interests, or to direct marketing at any time
- Right to withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal
- Right not to be subject to solely automated decision-making that produces legal or similarly significant effects (Article 22)
To exercise these rights, email dp@cvstory.org. We will respond within one month and may need to verify your identity.
You also have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus (www.dataprotection.gov.cy). You may also complain to the supervisory authority in your country of residence — for users in Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD).
11. California residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Request deletion of your personal information
- Correct inaccurate personal information
- Opt out of the “sale” or “sharing” of personal information for cross-context behavioural advertising — under California law, our use of Meta Pixel and Google Tag for advertising may constitute “sharing”, and you can opt out via our cookie banner or by enabling Global Privacy Control (GPC) in your browser
- Limit the use of sensitive personal information
- Be free from discrimination for exercising these rights
To exercise these rights, contact dp@cvstory.org. We do not knowingly sell personal information of minors under 16.
12. Security
We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS) and at rest, access controls, regular backups, and security monitoring. No system is perfectly secure, and we cannot guarantee absolute security.
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Cyprus supervisory authority within 72 hours and, where the risk is high, will inform affected users without undue delay.
13. Changes to this policy
We may update this policy from time to time to reflect changes in our practices, our Service, or applicable law. We will post the updated policy on this page and update the “Last updated” date. For material changes, we will notify you by email or through the Service.
14. Contact
- Email: dp@cvstory.org