Privacy Policy

Effective Date: February 25, 2026
Last Updated: February 25, 2026
Version: 1.1.0

Introduction

Welcome to YourNiceCv ("Service", "we", "us", "our"). Your privacy is critically important to us. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website and services.

Who we are:

Service Operator: YourNiceCv (United Kingdom)
Service Type: SaaS resume builder and AI-powered career tools
Contact: support@yournicecv.com
Data Protection Contact: privacy@yournicecv.com

Scope: This Privacy Policy applies to all users of YourNiceCv, regardless of location. It complies with:

🇬🇧 UK GDPR (United Kingdom Data Protection Act 2018)
🇪🇺 GDPR (General Data Protection Regulation — EU/EEA)
🇺🇸 CCPA/CPRA (California Consumer Privacy Act)
🇨🇦 PIPEDA (Canada)
🇦🇺 Australian Privacy Act

By using the Service, you consent to the data practices described in this policy.

1. Information We Collect

Data Controller Information

YourNiceCv is the data controller responsible for your personal data under UK GDPR (Data Protection Act 2018) and EU GDPR.

Contact details:

Data Protection Email: privacy@yournicecv.com
General Support: support@yournicecv.com
Website: https://yournicecv.com

UK Supervisory Authority: If you have concerns about how we handle your personal data, you can contact the UK Information Commissioner's Office (ICO):

Website: https://ico.org.uk
Helpline: 0303 123 1113
Report a concern: https://ico.org.uk/make-a-complaint
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

ICO Registration: We are committed to registering with the ICO as required under UK data protection law for organisations processing personal data.

We collect the following types of personal data:

1.1 Account Information

When you register an account, we collect:

✅ Email address (required for authentication and communication)
✅ Name (if provided via Google OAuth or profile setup)
✅ Password hash (stored securely by Supabase Auth — we never see your plaintext password)
✅ OAuth data (if you sign in with Google: profile picture, Google user ID)

Legal Basis (GDPR): Performance of contract (Art. 6(1)(b)) — necessary to provide the Service.

1.2 Resume and Career Data

When you use the Service, we collect:

✅ Resume content: Name, contact information (email, phone, address), work experience, education, skills, certifications, summary/objective
✅ Uploaded files: PDF/DOCX resumes you upload for import
✅ Cover letters: Text content you create or generate via AI
✅ Job descriptions: Text you input for resume tailoring

Legal Basis (UK GDPR/GDPR): Performance of contract (Art. 6(1)(b)) — necessary to provide resume creation/editing services

Consent (Art. 6(1)(a)) — for processing resume content that may include special category data (see Section 1.3)

1.3 Special Category Data (Sensitive Data)

Your resume may contain special category data under UK GDPR/GDPR Article 9, including:

⚠️ Racial or ethnic origin (e.g., inferred from name, photo, or listed affiliations)
⚠️ Health data (e.g., medical leave, disabilities mentioned in work history)
⚠️ Political opinions (e.g., political campaigns listed as volunteer work)
⚠️ Trade union membership (if listed in resume)

We do NOT intentionally collect special category data, but it may be present in your uploaded resume content.

Legal Basis (UK GDPR/GDPR): Explicit consent (Art. 9(2)(a)) — by uploading a resume, you explicitly consent to processing any special category data it may contain. You may withdraw consent at any time by deleting your resume or account.

1.4 Payment Information

When you subscribe, we collect:

✅ Billing details: Processed by Paddle.com (our merchant of record)
✅ Transaction records: Subscription plan, payment date, amount, invoice ID

We do NOT store credit card numbers or payment credentials. Paddle handles all payment processing (PCI DSS compliant).

Legal Basis (UK GDPR/GDPR): Performance of contract (Art. 6(1)(b)) + Legal obligation (Art. 6(1)(c)) for tax records.

1.5 Usage and Analytics Data

We automatically collect:

✅ IP address (for security, fraud prevention, and analytics)
✅ Browser type and version (e.g., Chrome, Safari)
✅ Device information (e.g., desktop, mobile, operating system)
✅ Pages visited and features used (e.g., resume editor, template selection)
✅ Session duration and interaction events (e.g., button clicks, file uploads)

This data is collected via PostHog (analytics platform) using cookies and tracking technologies.

Legal Basis (UK GDPR/GDPR):

Legitimate interests (Art. 6(1)(f)) — to improve service quality, detect bugs, and analyse user behaviour
Consent (for EU/UK users via cookie banner)

1.6 Communications

If you contact us (email, support ticket), we collect:

✅ Email content and attachments
✅ Your email address and name
✅ Support correspondence history

Legal Basis (UK GDPR/GDPR): Legitimate interests (Art. 6(1)(f)) — to respond to enquiries and provide customer support.

2. How We Use Your Information

We use your personal data for the following purposes:

Purpose	Data Used	Legal Basis (UK GDPR/GDPR)
Provide the Service (resume creation, editing, AI features)	Account info, resume content, files	Performance of contract (Art. 6(1)(b))
AI processing (parse resumes, generate content)	Resume text, job descriptions	Performance of contract + Consent (special categories)
Process payments (subscriptions, refunds)	Payment info, email	Performance of contract (Art. 6(1)(b))
Send transactional emails (password reset, receipts)	Email, name	Performance of contract (Art. 6(1)(b))
Send marketing emails (product updates, offers)	Email	Consent (Art. 6(1)(a)) — opt-in required
Analytics and improvement (product optimization)	Usage data, IP, device info	Legitimate interests (Art. 6(1)(f))
Security and fraud prevention (abuse detection)	IP, device fingerprint, usage patterns	Legitimate interests (Art. 6(1)(f))
Legal compliance (tax records, legal holds)	Payment records, account info	Legal obligation (Art. 6(1)(c))

We do NOT:

❌ Sell your personal data to third parties
❌ Use your resume content for marketing or advertising
❌ Share your data with employers or recruiters without your consent
❌ Train our own AI models on your resume content (Google may use anonymized data for Gemini improvement — see Section 4.3)

3. Data Retention

We retain your data as follows:

Data Type	Retention Period	Reason
Active account data	Until account deletion	Service provision
Deleted accounts (soft delete)	30 days	Allow recovery, legal hold
Resume files (uploaded)	Until deleted by user or account closure	User-requested storage
Payment records	As required by UK tax and accounting laws	UK tax compliance
Analytics logs (PostHog)	12 months	Business intelligence
Error logs and backups	90 days	Debugging and recovery
Support emails	3 years	Customer service records

Permanent deletion: After the retention period, data is irreversibly deleted from our systems (except where required by law, e.g., tax records).

We share your data with the following trusted third-party service providers:

4.1 Supabase (Database, Storage, Authentication)

What they do: Host our PostgreSQL database, store uploaded files (resumes), manage user authentication (including Google OAuth).

Data shared:

Account info (email, name, password hash)
Resume content and uploaded files
Session tokens

Location: EU and/or US data centres (depending on Supabase region configuration)

Privacy & Security:

✅ UK GDPR and GDPR compliant
✅ SOC 2 Type II certified
✅ Encryption at rest and in transit

Their policies:

Legal Basis: Data processing agreement (DPA) in place as required by UK GDPR/GDPR Art. 28.

4.2 Paddle.com (Payment Processing)

What they do: Process subscription payments, handle billing, issue invoices, manage refunds.

Data shared:

Email address
Billing details (name, address, payment method)
Subscription plan and transaction history

Location: Global (Paddle operates in US, EU, UK)

Privacy & Security:

✅ PCI DSS Level 1 compliant (highest payment security standard)
✅ UK GDPR and GDPR compliant

Their policies:

Paddle Privacy Policy

Important: Paddle acts as merchant of record (they collect payment on our behalf). You are also subject to Paddle's terms and privacy policy.

Legal Basis: Data processing agreement (DPA) in place.

4.3 Google Gemini API (AI Content Generation)

What they do: Provide artificial intelligence services to parse resumes, generate cover letters, and tailor content.

Data shared:

✅ Resume text content (name, experience, skills, etc.)
✅ Job descriptions (for tailoring)
✅ Cover letter drafts

Location: Google Cloud global infrastructure (US, EU, Asia)

Privacy & Security:

✅ UK GDPR and GDPR compliant (Google Cloud DPA available)
✅ SOC 2, ISO 27001 certified

Important:

⚠️ Google may use anonymized, aggregated data to improve AI models (see Google's AI terms)
⚠️ We do NOT control Google's AI output (see our AI Disclaimer)

Their policies:

Legal Basis: Data processing agreement (DPA) via Google Cloud terms.

4.4 PostHog (Analytics and Product Insights)

What they do: Track user interactions, page views, feature usage, and product analytics.

Data shared:

✅ IP address (anonymized option available)
✅ Browser/device information
✅ Pages visited and events triggered (e.g., "resume created", "template selected")
✅ Session recordings (if enabled — we will notify you)

Location: US and EU (depending on configuration)

Privacy & Security:

✅ UK GDPR and GDPR compliant
✅ Cookie consent supported

Their policies:

PostHog Privacy Policy

Legal Basis: Consent (for EU/UK users via cookie banner) + Legitimate interests (Art. 6(1)(f)) for essential analytics.

4.5 Other Third Parties

We may share data with:

Email providers (e.g., SendGrid, AWS SES) — for transactional and marketing emails
Cloud hosting (e.g., Vercel, Railway) — for application infrastructure
Legal authorities — if required by law (e.g., subpoena, court order)

We will update this policy if we add new third-party services.

5. International Data Transfers

Our operations involve international data transfers outside the United Kingdom:

Service	Data Location	Transfer Mechanism (UK Users)
Supabase	EU / US	UK International Data Transfer Agreement (IDTA) or UK-approved Standard Contractual Clauses (SCCs)
Paddle	Global	UK IDTA + Adequacy Decisions (where applicable)
Google Gemini	Global (US, EU, Asia)	Google Cloud DPA + UK-approved SCCs
PostHog	US / EU	UK IDTA or UK-approved SCCs

UK-Specific Safeguards

For UK users: When we transfer your personal data outside the United Kingdom, we ensure appropriate safeguards are in place:

UK International Data Transfer Agreement (IDTA): UK-approved contract template issued by the ICO
UK-approved Standard Contractual Clauses (SCCs): Addendum to EU SCCs for UK transfers
Adequacy Decisions: We may rely on UK Government adequacy decisions for certain countries (e.g., EU/EEA under UK adequacy regulations)
Data Processing Agreements: All third-party processors are bound by contracts ensuring UK GDPR compliance

EU/EEA Users

For EU/EEA users: Data transferred outside the EU/EEA is protected by:

✅ Standard Contractual Clauses (SCCs) approved by the European Commission
✅ Data Processing Agreements (DPAs) with all processors
✅ Encryption in transit and at rest

Your Rights

You have the right to:

✅ Obtain information about international transfers affecting your data
✅ Request copies of the safeguards in place (UK IDTA, SCCs)
✅ Object to transfers if appropriate safeguards are not in place

To request information about transfers: Contact privacy@yournicecv.com with subject "International Transfer Inquiry"

6. Your Data Protection Rights

Depending on your location, you have the following rights:

You have the right to:

✅ Access (Art. 15): Request a copy of your personal data
✅ Rectification (Art. 16): Correct inaccurate or incomplete data
✅ Erasure (Art. 17 — "Right to be Forgotten"): Delete your data (subject to legal retention requirements)
✅ Restrict Processing (Art. 18): Limit how we use your data
✅ Data Portability (Art. 20): Export your data in a machine-readable format (JSON)
✅ Object (Art. 21): Object to processing based on legitimate interests
✅ Withdraw Consent: Revoke consent for marketing, analytics, or special category data processing
✅ Lodge a Complaint: File a complaint with your national Data Protection Authority (DPA)

How to exercise rights:

In-app: Account Settings → Privacy & Data → Download My Data / Delete Account
Email: Contact support@yournicecv.com or privacy@yournicecv.com with your request

Response time: We will respond within 30 days (may extend to 60 days for complex requests).

6.2 Rights Under CCPA/CPRA (California Users)

California residents have the right to:

✅ Know: What personal information we collect, use, and share (see Sections 1-4)
✅ Access: Request a copy of your data (last 12 months)
✅ Delete: Request deletion of your data (subject to exceptions)
✅ Opt-Out of Sale: We do NOT sell personal data, so no opt-out needed
✅ Non-Discrimination: We will not discriminate for exercising your rights

How to exercise rights: Email support@yournicecv.com or use in-app data export/deletion tools.

Verification: We may ask for proof of identity (email confirmation) to prevent fraud.

6.3 Rights Under Other Laws

Canada (PIPEDA): Right to access, correct, and withdraw consent
Australia (Privacy Act): Right to access and correct data

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies for analytics and functionality.

7.1 Types of Cookies

Cookie Type	Purpose	Duration	Provider
Essential	Authentication, session management	Session / 30 days	Supabase
Analytics	Track page views, feature usage	12 months	PostHog
Preferences	Remember settings (theme, language)	12 months	First-party

Essential cookies are necessary for the Service to function and cannot be disabled.

Non-essential cookies (analytics) require your consent (EU users).

When you first visit our site, you will see a cookie banner:

✅ Accept All: Enable analytics cookies
❌ Reject Non-Essential: Only essential cookies
⚙️ Cookie Preferences: Customize settings

You can change preferences at any time via the footer link: [Cookie Settings].

7.3 How to Disable Cookies

You can block cookies via browser settings:

Chrome: Settings → Privacy → Cookies
Safari: Preferences → Privacy → Cookies
Firefox: Preferences → Privacy & Security → Cookies

Note: Disabling essential cookies may break functionality (e.g., login).

For more details, see our Cookie Policy.

8. Data Security

We implement industry-standard security measures to protect your data:

8.1 Technical Safeguards

✅ Encryption in transit: HTTPS/TLS 1.3 for all connections
✅ Encryption at rest: Database and file storage encrypted (Supabase)
✅ Secure authentication: OAuth 2.0, bcrypt password hashing
✅ Access controls: Role-based permissions, least privilege principle
✅ Firewall and DDoS protection: Cloudflare (if applicable) or hosting provider
✅ Regular backups: Automated daily backups with 30-day retention

8.2 Organizational Safeguards

✅ Limited access: Only authorized personnel can access user data
✅ Data Processing Agreements: All third-party processors bound by DPAs
✅ Incident response plan: Procedures for data breach notification

8.3 Your Responsibilities

To protect your account:

✅ Use a strong, unique password
✅ Enable two-factor authentication (if available)
✅ Do not share your account credentials
✅ Report suspicious activity immediately

8.4 Data Breach Notification

In the event of a data breach:

✅ We will notify affected users within 72 hours (as required by UK GDPR/GDPR)
✅ Notification will include: nature of breach, data affected, steps taken
✅ We will notify relevant Data Protection Authorities (UK ICO for UK users, relevant EU DPA for EU users) if required

No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Children's Privacy (UK/COPPA Compliance)

YourNiceCv is not intended for children under 13 years old (or under 16 in the UK/EU for certain processing).

We do NOT knowingly collect personal data from children. If you are under the minimum age:

❌ Do not create an account
❌ Do not upload resumes or personal information

If we discover that we have collected data from a child without parental consent, we will delete it immediately.

Parents: If you believe your child has provided us with personal data, contact support@yournicecv.com to request deletion.

10. Your Choices and Opt-Outs

10.1 Marketing Emails

You can opt out of marketing communications:

✅ Click Unsubscribe in any marketing email
✅ Update preferences in Account Settings → Notifications
✅ Email support@yournicecv.com to opt out

Note: You will still receive transactional emails (e.g., password resets, receipts) — these are necessary for the Service.

10.2 Analytics Tracking

You can opt out of PostHog analytics:

✅ Disable cookies via Cookie Preferences (footer link)
✅ Use browser Do Not Track (DNT) signal (we respect DNT)
✅ Use privacy-focused browsers (e.g., Brave, Firefox with tracking protection)

10.3 Delete Your Account

You can permanently delete your account:

✅ Go to Account Settings → Delete Account
✅ Confirm deletion (irreversible after 30 days)
✅ All data will be deleted except payment records (retained for tax compliance)

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date.

Material changes (e.g., new data collection, third-party sharing) will be communicated via:

✅ Email notification (30 days before effective date)
✅ In-app banner prompting you to review changes

Continued use of the Service after changes take effect constitutes acceptance.

If you do not agree, you may delete your account before changes take effect.

12. Contact Us / Data Protection Officer

For privacy questions, data requests, or concerns:

General Contact: support@yournicecv.com
Data Protection Contact: privacy@yournicecv.com
Website: https://yournicecv.com

Data Protection Enquiries (UK GDPR/GDPR):

Email: privacy@yournicecv.com
Subject line: "Data Protection Request — [Your Email]"

Mailing Address (for formal notices): Available upon request via support@yournicecv.com

UK Representative (if required under UK GDPR): [To be appointed if processing large volumes of UK data from outside UK]

13. Supervisory Authority (UK/EU Users)

If you are unhappy with how we handle your data, you have the right to lodge a complaint with your national Data Protection Authority (DPA):

🇬🇧 UK: Information Commissioner's Office (ICO)
- Website: https://ico.org.uk
- Helpline: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
🇪🇺 EU: Find your DPA at https://edpb.europa.eu/about-edpb/board/members_en

14. Legal Basis Summary (UK GDPR/GDPR)

Processing Activity	Legal Basis
Account management, service provision	Performance of contract (Art. 6(1)(b))
Payment processing	Performance of contract (Art. 6(1)(b)) + Legal obligation (Art. 6(1)(c))
Resume content processing	Performance of contract + Consent (for special categories, Art. 9(2)(a))
AI processing (Gemini)	Performance of contract + Consent
Analytics (PostHog)	Consent (Art. 6(1)(a)) + Legitimate interests (Art. 6(1)(f))
Marketing emails	Consent (Art. 6(1)(a))
Security and fraud prevention	Legitimate interests (Art. 6(1)(f))
Legal compliance (tax records)	Legal obligation (Art. 6(1)(c))

15. California "Shine the Light" Law

California residents may request information about disclosure of personal information to third parties for direct marketing purposes (Cal. Civ. Code § 1798.83).

We do NOT share personal data with third parties for their marketing purposes.

By using YourNiceCv, you acknowledge that you have read and understood this Privacy Policy.

Document Version: 1.1.0
Effective Date: February 25, 2026
Next Review: August 25, 2026 (6 months)