Privacy Policy
Effective date: 14 March 2026 — Version 1.0
1. Who we are
CV Scout AI is operated as a sole trader by NT, trading as CV Scout AI. You can contact us via the contact form.
ICO registration number: Pending (registration in progress).
2. EU representative (Article 27)
CV Scout AI is in the process of appointing an Article 27 EU representative for EU/EEA data subjects. Details will be published here upon appointment. In the meantime, EU/EEA data subjects may contact us via the contact form.
3. What data we collect and why
We collect the minimum data necessary to provide the CV tailoring service.

| Data type | Purpose | Lawful basis | Retention |
|---|---|---|---|
| Email address | Account creation, authentication (OTP), service communications | Contract (Art. 6(1)(b)) | Duration of account + 30 days post-deletion |
| CV text and job descriptions | AI-assisted CV tailoring (the core service) | Contract (Art. 6(1)(b)) | Duration of account; deleted on account deletion |
| Payment and transaction records | Processing payments, issuing refunds, HMRC tax compliance | Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) | 7 years from transaction (HMRC requirement) |
| Audit log entries (email hash only — no plaintext email) | Fraud prevention, dispute resolution | Legitimate interests (Art. 6(1)(f)) | 2 years |
| Server and application logs | Security monitoring, debugging | Legitimate interests (Art. 6(1)(f)) | 90 days |
| OTP codes | Passwordless authentication | Contract (Art. 6(1)(b)) | 10 minutes (auto-expired) |
| IP addresses (rate limiting logs) | Rate limiting abuse prevention | Legitimate interests (Art. 6(1)(f)) | 30 days |

Special category data: We do not systematically process special category data. If a CV incidentally contains sensitive information (such as health details, ethnicity, or religion), it is processed solely to deliver the tailoring service under Article 6(1)(b) (contract) and is not retained beyond the session.
4. AI processing
CV tailoring is performed using large language models (LLMs) from third-party AI providers, combined with CV Scout AI's own proprietary keyword-matching and scoring logic. Your CV text and job description are transmitted to our AI provider(s) for processing. CV Scout AI acts as the deployer of those AI systems; the current AI model provider(s) are listed in the sub-processors table in section 5 below. All output is AI-generated and subject to our own additional processing — please review it carefully before submitting to employers. This disclosure satisfies our obligations under Article 50 of the EU AI Act.
5. Sub-processors and international transfers
We use the following third-party processors, all based in the United States:

| Processor | Purpose | Transfer mechanism |
|---|---|---|
| Anthropic (current AI model provider) | AI-powered CV tailoring | DPA / SCCs |
| Stripe | Payment processing | DPA / EU-US Data Privacy Framework |
| Resend | Transactional email (OTP codes) | DPA / SCCs |
| Vercel | Hosting and serverless compute | DPA / SCCs |
| Neon | Database | DPA / SCCs |

UK to EU data flows are covered by the EU adequacy decision for the UK (June 2021), currently in force. If this decision lapses, we will implement Standard Contractual Clauses as a fallback.
6. Your rights
Under UK GDPR (and EU GDPR for EU users), you have the following rights:
- Access: request a copy of your personal data (fulfilled via “Download my data” on your Account page)
- Rectification: correct inaccurate data (update your email via account settings or email us)
- Erasure: delete your account and associated data (via the “Delete account” link on your Account page). Note: purchase records are retained for 7 years under HMRC obligation — this cannot be waived.
- Portability: receive your data in machine-readable format (via “Download my data” on your Account page)
- Restriction: request we restrict processing in certain circumstances
- Object: object to processing based on legitimate interests
To exercise any right, use our contact form and select “Data request (GDPR / privacy)” as the subject. We will respond within 30 days. Identity verification is required before we can action requests. You also have the right to lodge a complaint with the ICO (ico.org.uk) or, for EU users, your local supervisory authority.
7. Cookies
See our Cookie Policy for full details. We use strictly necessary cookies for authentication and session management. We use Vercel Analytics in cookie-less mode — no analytics cookies are placed.
8. Changes to this policy
We will notify users of material changes by email. The effective date at the top of this page reflects the most recent revision. Continued use of the service after the effective date constitutes acceptance of the updated policy.
9. Contact us / data requests
Use the form below for any privacy enquiry, data subject access request, or to exercise any of your rights. Select “Data request (GDPR / privacy)” as the subject so we can prioritise your request.