Account details (email, name, hashed password or Google OAuth ID) — to give you an account, lawful basis: contract. The CVs, cover letters, and job descriptions you upload or paste — to run the feature you asked for, lawful basis: contract. Payment metadata (we never see card numbers) — to process purchases, lawful basis: contract + legal obligation. Product analytics — only if you accept the cookie banner, lawful basis: consent, withdrawable any time. Basic server logs (IP, user agent) — for security, kept 30 days, lawful basis: legitimate interest.
Vercel (hosting, EU/US), Neon (Postgres database, EU), Vercel Blob (file storage, EU/US), Resend (transactional email, US under SCCs), Stripe and LemonSqueezy (payments, US under SCCs), Google (OAuth sign-in, US under SCCs), PostHog (analytics, EU, consent-gated), OpenAI (AI features on CV text via our admin token, US under SCCs, no training on your data). We do not sell your data, share it with recruiters, or use it for advertising.
Active account data: until you delete the account. Deleted accounts: removed from our database and Blob storage within 30 days, and removed from PostHog at delete time. Server logs: 30 days. Payment records linked to invoices: retained by Stripe / LemonSqueezy for legal accounting periods (typically up to 7 years) — this is a legal obligation we cannot override.
You can export everything we hold about you from Dashboard → Profile → Export my data (JSON download). You can permanently delete your account and all linked data from the same screen. You can withdraw analytics consent any time by clearing your cookies or contacting us. You can ask us to correct your data, restrict processing, or object to it. You can also complain to your national supervisory authority — for example, the Berlin Beauftragte für Datenschutz if you are in Germany, or your local DPA elsewhere in the EU/UK.
HTTPS everywhere, encrypted database at rest, hashed passwords, scoped admin access, audit logs on sensitive operations. If a personal data breach happens we will notify the supervisory authority within 72 hours per Art. 33, and you directly if there's high risk to you.
Privacy questions, data export requests, deletion requests, or anything that looks off: hello@cvglow.org. We respond within 30 days as required by GDPR Art. 12. CVGlow is currently in beta — features may change, but your data rights do not.