Privacy Policy
Last updated: 2026-04-30
This Policy explains how CV Optimizer (“we”, “us”) collects, uses, and protects your personal data when you use the Service at cvoptmzr.com. It is designed to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and comparable laws.
1. Data controller
The data controller responsible for your personal data is:
Alexandr Dobrovolskyi, Individual Entrepreneur
Ukraine
Email: santichechecheck@gmail.com
2. What we collect
| Category | Data | Source |
|---|---|---|
| Account | Name, email, profile picture URL | Google OAuth at sign-in |
| CV content | CV text (pasted or extracted from PDF/DOCX); for DOCX uploads also the raw file bytes (temporarily, to enable preserve-formatting export) | You |
| Job description | Pasted JD text | You |
| Optimization history | ATS scores, outputs, timestamps | Generated by the Service |
| Billing | Plan, subscription status, period end, credit balance, Paddle customer id | Paddle webhooks |
| Technical | IP address (for rate limiting), request logs | Automatic |
3. How we use it
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide the optimization service | Performance of a contract |
| Authenticate and secure your account | Performance of a contract; legitimate interests |
| Process payments and prevent fraud | Performance of a contract; legitimate interests |
| Send transactional emails (receipts, renewal notices) | Performance of a contract |
| Respond to support and refund requests | Legitimate interests; legal obligation |
We do not sell or rent your personal data. We do not use your CV content to train any AI model. We do not use analytics, advertising, or tracking cookies.
4. Sub-processors
To run the Service we rely on the following third-party processors. Each has its own privacy policy.
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| OpenAI, L.L.C. | AI optimization of CV content | CV text, job description | United States |
| Google LLC | OAuth sign-in | Email, name, public Google profile | United States |
| Paddle.com Market Ltd | Payment processing (merchant of record), tax, refunds | Name, email, billing info, transaction history | United Kingdom / EU |
| Neon, Inc. | Postgres database hosting | All stored application data | EU (Frankfurt) |
| Vercel, Inc. | Application hosting, static asset CDN | Request metadata (IP, user-agent) | Primary region: Frankfurt; edge CDN: global |
Transfers outside the EU/EEA or UK are protected by Standard Contractual Clauses or equivalent safeguards as required by GDPR.
5. Retention
- Account data (name, email, picture): kept until you delete your account.
- Uploaded DOCX bytes (used for the preserve-formatting export feature): retained as long as your account exists, then deleted within 30 days of account deletion. They can be purged sooner on request.
- CV text and optimization history: retained while your account is active; deleted within 30 days of account deletion.
- Billing records: retained by Paddle for the period required by applicable tax law (typically 7 years).
6. Your rights
Under GDPR / UK GDPR you have the right to:
- Access the personal data we hold about you.
- Have inaccurate data corrected.
- Have your data deleted (“right to be forgotten”).
- Receive a portable copy of your data.
- Object to or restrict processing.
- Withdraw any consent you previously gave.
- Lodge a complaint with a supervisory authority (the EU list is here).
Exercise any of these rights by emailing santichechecheck@gmail.com. We respond within 30 days (or sooner).
7. Cookies
We use only essential cookies required for authentication (the NextAuth session cookie). We do not use analytics, advertising, or tracking cookies. No consent banner is displayed because no such consent is required.
8. Security
We use HTTPS for all traffic, encrypt data at rest at the database level, and restrict access to production systems to authorized personnel. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.
9. Children
The Service is not directed at children under 16. If we learn we have inadvertently collected data from a child under 16 without verified parental consent, we delete it promptly.
10. Changes to this Policy
Material changes will be announced via email to the address on file. The “last updated” date at the top of this page reflects the most recent revision.
11. Contact
Questions, requests, or complaints regarding this Policy can be sent to santichechecheck@gmail.com.