Privacy Policy

Privacy Policy

Last updated: 29 April 2026

This Privacy Policy describes how CVMatchly AI Ltd (“CVMatchly”, “we”, “us”) collects, uses and protects your personal data when you use cvmatchly.ai and our related services. We comply with the UK GDPR, the EU GDPR, and the UK Data Protection Act 2018.

1. Who we are

CVMatchly AI Ltd is the data controller for personal data processed through cvmatchly.ai. You can reach us at privacy@cvmatchly.ai.

2. Data we collect

  • Account data. Name, email, password hash, authentication provider IDs.
  • CV and job data. CVs, job descriptions, cover letters, supporting documents, match scores, and outputs you generate.
  • Billing data. Plan, billing cycle, transaction IDs. Card details are handled by our payment processor and never stored on our servers.
  • Usage data. Pages viewed, features used, referrer, device, browser, approximate location from IP, and event timestamps.
  • Support data. Messages you send via chat or email, and the context of any tickets.
  • Cookies. See our Cookie Policy.

3. How we use your data

  • Provide the service. Account creation, CV optimisation, scoring, generated documents, and billing.
  • Improve and secure the product. Diagnose bugs, detect abuse, prevent fraud, and develop new features.
  • Communicate. Service notifications, security alerts, and (with consent) product updates and marketing.
  • Comply with law. Tax records, lawful requests, and to enforce our terms.

We do not sell your personal data, and we do not use your CVs to train third-party foundation models without your explicit consent.

4. Legal bases

  • Contract. To provide the service you signed up for.
  • Legitimate interests. Security, fraud prevention, service improvement, balanced against your rights.
  • Consent. Marketing emails, non-essential cookies, and certain integrations. You can withdraw consent at any time.
  • Legal obligation. Tax, accounting, and compliance with lawful requests.

5. Sharing your data

We share data with vetted processors who help us run the service. Each is bound by a data processing agreement.

  • Hosting & infrastructure: Vercel, AWS.
  • Authentication: NextAuth providers (e.g. Google).
  • AI processing: Anthropic, OpenAI (subject to no-training agreements where available).
  • Analytics: Vercel Analytics, PostHog.
  • Marketing: Meta (Facebook Pixel) — only with consent.
  • Payments: Stripe / Paystack.
  • Support: Tawk.to.
  • Email: Transactional email provider.

We may also disclose data where required by law, to enforce our terms, or in connection with a corporate transaction (e.g. merger or acquisition), with notice where legally possible.

6. International transfers

Personal data may be transferred to, and processed in, countries outside the UK or EEA. Where this happens, we rely on appropriate safeguards such as the UK International Data Transfer Addendum or the EU Standard Contractual Clauses, and we assess the destination country's laws.

7. Retention

  • Active account data is kept while your account is open.
  • CVs and generated documents are retained for the life of the account, or until you delete them.
  • Billing records are kept for at least 7 years to meet UK tax obligations.
  • Backups are retained for up to 35 days then overwritten.
  • You can request deletion at any time (see Section 9).

8. Security

We use encryption in transit (TLS), encryption at rest for databases and object storage, role-based access controls, audit logs, and regular dependency reviews. No system is perfectly secure, but we take reasonable steps appropriate to the sensitivity of CV data.

9. Your rights

Under UK and EU GDPR you have the right to access, rectify, erase, restrict processing of, and port your personal data, and to object to certain processing. You can also withdraw consent and lodge a complaint with a supervisory authority.

To exercise any right, email privacy@cvmatchly.ai. We respond within 30 days. The UK supervisory authority is the Information Commissioner's Office (ico.org.uk).

10. Children

CVMatchly is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with data, contact us and we will delete it.

11. Automated decision-making

Our scoring and CV optimisation use automated processing to give you insights and recommendations. These are advisory; we do not make decisions that produce legal or similarly significant effects on you without human involvement.

12. Changes to this policy

We may update this policy. The “Last updated” date reflects the most recent version. Material changes will be flagged in-product or by email where appropriate.

13. Contact

Questions, concerns, or requests: privacy@cvmatchly.ai.