Privacy Policy

Last updated: 30 April 2026 · Effective immediately

This Privacy Policy explains how SpecCV ("SpecCV", "we", "us", "our") collects, uses, stores, and shares your personal data when you use speccv.com ("the Service"). It is written in plain language to satisfy the transparency requirements of the UK GDPR (retained EU law) and the EU GDPR (Regulation 2016/679).

1. Data Controller

The data controller responsible for your personal data is SpecCV, reachable at privacy@speccv.com.

If you are located in the EU, SpecCV acts as the data controller within the meaning of Article 4(7) GDPR. If you are located in the UK, SpecCV is the controller under the UK GDPR. We do not currently appoint a formal Data Protection Officer; all data protection queries are handled by our privacy team at the address above.

2. Data We Collect

We collect only what is necessary to provide the Service:

2.1 Account data

Your name and email address, provided when you sign up via email/password or a social OAuth provider (Google).
An internal user ID generated by our authentication provider (Firebase Auth).

2.2 CV and job-description content

The CV text and job description you upload or paste into the workspace. This content is sent to our AI provider to generate a draft and is not persisted after the response is returned.
Uploaded files (PDF, DOCX, TXT) are parsed server-side, converted to text, and then discarded. We do not store raw file uploads.

2.3 Subscription and billing data

Your Stripe customer ID, subscription ID, and current plan status. We never store full card numbers, CVV codes, or sort codes — those are held exclusively by Stripe.

2.4 Usage metadata

Counters of CV drafts, cover letters, and other outputs generated in the current billing period, stored per user for quota enforcement.
Your IP address (used only for rate limiting; not logged to a persistent store).
Anonymised error and performance diagnostics collected by Sentry.

2.5 Contact messages

If you submit our contact form, we store your name, email address, subject, and message in order to respond to you.

2.6 Data we do NOT collect

We do not use third-party advertising trackers or social-media pixels.
We do not build marketing profiles or sell personal data to any third party.
We do not collect sensitive categories of personal data (health, biometric, political, religious data) as defined in Article 9 GDPR.

3. Legal Basis for Processing

We process your data under one or more of the following lawful bases (Article 6 UK/EU GDPR):

Processing activity	Legal basis
Creating and managing your account	Contract — necessary to provide the Service you signed up for (Art. 6(1)(b))
Generating CV and cover letter drafts	Contract — the core service you requested (Art. 6(1)(b))
Processing subscription payments	Contract — fulfilling your paid subscription (Art. 6(1)(b))
Enforcing usage quotas and rate limits	Legitimate interests — prevent abuse and ensure fair access for all users (Art. 6(1)(f))
Anonymised error diagnostics (Sentry)	Legitimate interests — diagnosing and fixing product bugs (Art. 6(1)(f))
Responding to contact form submissions	Legitimate interests — responding to your enquiry (Art. 6(1)(f))
Complying with legal obligations (e.g. tax records)	Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, you have the right to object. We have assessed that our interests do not override your rights in these specific cases. See Section 8 for how to exercise your right to object.

4. How We Use Your Data

To create your account and authenticate you on return visits.
To process your CV and job description through our AI provider and return a tailored draft.
To track and enforce plan quotas (e.g. number of CV drafts per month).
To process and manage your subscription via Stripe.
To send transactional emails (account confirmation, password reset, billing receipts). We do not send unsolicited marketing email.
To investigate and fix bugs using anonymised diagnostics.
To respond to support and privacy requests you submit to us.
To comply with applicable laws, including financial record-keeping obligations.

We do not use your CV content to train AI models. Your documents are processed in-context and discarded.

5. Sub-processors and Third-Party Recipients

We share your data only with the following sub-processors, each bound by data processing agreements and appropriate safeguards:

Provider	Purpose	Location
Google Firebase	Authentication (Firebase Auth), database (Firestore)	US / EU
Anthropic / Claude	AI document drafting — CV text processed in-flight, not stored	US
Stripe	Payment processing and subscription management	US / EU
Upstash Redis	Rate limiting (IP-derived counters, no persistent user data)	US / EU
Sentry	Anonymised error and performance monitoring	US
Vercel	Hosting, serverless functions, edge network	Global

6. International Data Transfers

Some of our sub-processors are based in the United States. Where we transfer personal data from the UK or EEA to the US, we rely on one of the following safeguards:

UK–US Data Bridge — for transfers from the UK to US organisations certified under the UK Extension to the EU–US Data Privacy Framework.
EU–US Data Privacy Framework (DPF) — for transfers from the EEA to certified US organisations.
Standard Contractual Clauses (SCCs)— where DPF certification is not held, we use the EU Commission's 2021 SCCs or equivalent UK International Data Transfer Agreements (IDTAs).

You can request a copy of the relevant transfer mechanism by contacting us at privacy@speccv.com.

7. Data Retention

Data type	Retention period
Account data (name, email, user ID)	Retained while your account is active, then deleted within 30 days of account closure.
CV and job description content	Processed in-flight only. Not persisted after the API response is returned.
Usage counters (quota tracking)	Retained for the current and prior 2 billing periods for dispute resolution, then deleted.
Billing records (Stripe IDs, plan status)	Retained for 7 years to comply with UK financial record-keeping requirements.
Contact form messages	Retained for up to 2 years, or until you request deletion.
Error logs (Sentry — anonymised)	Auto-deleted by Sentry after 90 days.
Rate-limiting counters (Redis)	Auto-expired after the rate-limit window (typically 60 seconds to 24 hours).

8. Your Data Subject Rights

Under the UK GDPR and EU GDPR you have the following rights. To exercise any of them, email privacy@speccv.com with "Data Rights Request" in the subject line. We will respond within 30 days (extendable to 3 months for complex requests, with notice).

Right of access (Art. 15)
Request a copy of all personal data we hold about you.
Right to rectification (Art. 16)
Ask us to correct inaccurate or incomplete data.
Right to erasure / 'right to be forgotten' (Art. 17)
Ask us to delete your data where there is no overriding legitimate reason to keep it. We will honour this unless retention is required by law (e.g. financial records).
Right to restriction of processing (Art. 18)
Ask us to pause processing your data while a dispute is resolved.
Right to data portability (Art. 20)
Receive your account data in a structured, machine-readable format (JSON) for transfer to another service.
Right to object (Art. 21)
Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.
Right to withdraw consent
Where we rely on consent (we currently do not for any primary processing), you may withdraw it at any time without affecting past processing.
Right not to be subject to automated decisions (Art. 22)
We do not make any solely automated decisions with legal or similarly significant effects.

Right to lodge a complaint. If you are dissatisfied with how we handle your data, you have the right to lodge a complaint with a supervisory authority:

UK: Information Commissioner's Office (ICO) — ico.org.uk/make-a-complaint
EU: Your local Data Protection Authority — see edpb.europa.eu

We would appreciate the opportunity to resolve your concern directly before you approach a supervisory authority.

9. Cookies and Local Storage

SpecCV uses a minimal set of cookies. For full details, including how to manage or opt out, see our Cookie Policy.

Session cookies — strictly necessary to keep you signed in.
Stripe cookies — set by Stripe to prevent fraud during checkout.
We do not use advertising, tracking, or analytics cookies.

10. Children's Privacy

SpecCV is not directed at children under the age of 16 (or such higher age as required by local law). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data without parental consent, please contact privacy@speccv.com and we will delete it promptly.

11. Security

All traffic is encrypted in transit using TLS 1.2+ with HSTS enforced.
Authentication is delegated to Firebase Auth, a certified identity provider.
Production secrets (API keys, database credentials) are stored in an encrypted secret manager, never in source code.
Access to production data is restricted to authorised personnel only.
We run regular dependency audits and monitor for security advisories.

No system is perfectly secure. If you discover a security vulnerability, please report it responsibly to support@speccv.com.

12. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or by a prominent notice on the Service at least 14 days before they take effect. The date at the top of this page always reflects the latest version. Continued use of SpecCV after the effective date constitutes acceptance of the updated policy.

13. Contact Us

For all privacy-related queries, requests, and complaints:

Email: privacy@speccv.com

Contact form: speccv.com/contact

We aim to respond within 5 business days and will always respond within 30 days.

Loading SpecCV…