Privacy & Trust

Privacy Policy

Last Updated: 25 May 2026

Effective Date: 25 May 2026

Data Protection Officer

For privacy queries or rights requests:

[email protected]

Business Location

Main office location:

London, United Kingdom

1. Introduction

This Privacy Policy explains how CevyAI ("we", "us", or "our") collects, uses, and protects your personal information when you use our website and services at cevyai.com (the "Service").

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller Details:

CevyAI
London, United Kingdom
Email: [email protected]
ICO Registration Number: Pending

2. Information We Collect

2.1 Information You Provide Directly

  • Account Information: When you sign up using Google OAuth, we receive your name, email address, and profile picture from Google.
  • CV Content: CV templates and content you upload to generate tailored CVs.
  • Job Listing URLs: URLs of job listings you provide for CV tailoring.
  • Payment Information: Processed by Stripe (see Section 5). We do not store your full payment card details.

2.2 Automatically Collected Information

  • Usage Data: Information about how you interact with the Service, including pages visited, features used, and time spent.
  • Device Information: IP address, browser type, operating system, and device identifiers.
  • Cookies and Similar Technologies: We use cookies and similar technologies. See our Cookie Policy below.

2.3 Information from Third Parties

  • Google OAuth: Name, email address, and profile information from your Google account.
  • Stripe: Payment transaction data and subscription status.

3. Legal Basis for Processing (UK GDPR)

We process your personal data under the following legal bases:

  • Contract Performance: Processing necessary to provide the Service you've signed up for (Article 6(1)(b) UK GDPR).
  • Legitimate Interests: Improving our Service, fraud prevention, and security (Article 6(1)(f) UK GDPR).
  • Consent: Where you have given explicit consent (e.g., for marketing communications).
  • Legal Obligations: Compliance with tax, accounting, and other legal requirements (Article 6(1)(c) UK GDPR).

4. How We Use Your Information

We use your personal information to:

  • Provide the Service: Generate tailored CVs using your uploaded templates and job listing URLs.
  • Account Management: Create and manage your account, authenticate you via Google OAuth.
  • Payment Processing: Process payments and manage subscriptions via Stripe.
  • AI Processing: Process your CV content and job listings through Google Gemini API to generate tailored CVs.
  • Communication: Send service-related notifications, updates, and respond to your enquiries.
  • Improvement and Analytics: Analyse usage patterns to improve the Service.
  • Legal Compliance: Comply with legal obligations and enforce our Terms of Service.

5. Third-Party Service Providers

We share your information with the following third-party service providers:

Google OAuthPrivacy Policy

Purpose: Authentication and account creation.

Data Shared: Name, email address, profile picture.

Location: Processes data globally with primary infrastructure in the US and EU.

StripePrivacy Policy

Purpose: Payment processing and subscription management.

Data Shared: Email address, payment information, transaction details.

Location: Processes data globally with infrastructure in the EU and US.

Google Gemini APIPrivacy Policy

Purpose: AI-powered CV generation and tailoring.

Data Shared: Your CV content and job listing information.

Location: Google Cloud processes data in accordance with their data processing terms. Data may be processed in the EU and US.

Note: Your data sent to the Gemini API is not used to train Google's models.

6. Data Storage and International Transfers

6.1 Primary Data Storage

Your account data, uploaded CVs, and generated CVs are stored on our self-hosted MongoDB server located in the European Union.

6.2 International Transfers

Some of our third-party service providers (Google, Stripe) may transfer data outside the UK and EU. These transfers are protected by:

  • Standard Contractual Clauses (SCCs): Approved by the UK Information Commissioner's Office and European Commission.
  • Adequacy Decisions: Where applicable, data transfers to countries with adequacy decisions.
  • Service Provider Safeguards: Our providers implement appropriate technical and organisational measures to protect your data.

7. Data Retention

We retain your personal data for as long as necessary to provide the Service and comply with legal obligations:

  • Account Data: Retained until you close your account.
  • Uploaded CVs and Generated CVs: Retained until you close your account or delete specific CVs.
  • Payment Records: Retained for 7 years for tax and accounting purposes (legal requirement).
  • Usage Logs: Retained for up to 12 months for security and analytics purposes.

When you close your account, we will delete your personal data within 30 days, except where we are required to retain it for legal, regulatory, or fraud prevention purposes.

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data in certain circumstances.
  • Right to Restrict Processing: Request that we limit how we use your data.
  • Right to Data Portability: Receive your data in a structured, machine-readable format and transfer it to another service.
  • Right to Object: Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at [email protected].

8.1 Right to Complain

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

  • Website: ico.org.uk/make-a-complaint
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

  • Encryption: Data in transit is encrypted using TLS/SSL. Data at rest is encrypted.
  • Access Controls: Strict access controls and authentication mechanisms.
  • Regular Security Audits: We regularly review our security practices.
  • Self-Hosted Infrastructure: Our MongoDB database is self-hosted on secure EU-based servers, giving us direct control over data security.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Essential Cookies: Enable core functionality (e.g., authentication, session management). These cannot be disabled.
  • Analytics Cookies: Understand how users interact with the Service to improve it.
  • Preference Cookies: Remember your settings and preferences.

You can control cookies through your browser settings. Note that disabling essential cookies may affect your ability to use the Service.

11. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are under 16, please do not use the Service or provide any personal information.

If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that information as quickly as possible.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. We will notify you of any material changes by:

  • Posting the updated Privacy Policy on our website with a new "Last Updated" date.
  • Sending you an email notification (if you have an account with us).

Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: [email protected]

Address: London, United Kingdom

Data Controller: CevyAI

Cookie Policy

What Are Cookies?

Cookies are small text files placed on your device when you visit our website. They help us provide and improve the Service.

Types of Cookies We Use

1. Strictly Necessary Cookies: Required for the Service to function (e.g., authentication, security).

2. Performance Cookies: Collect information about how you use the Service to help us improve it.

3. Functionality Cookies: Remember your preferences and settings.

Managing Cookies

You can control and delete cookies through your browser settings. However, disabling essential cookies may impact your ability to use certain features of the Service.

Third-Party Cookies

Our third-party service providers (Google, Stripe) may set their own cookies. Please refer to their respective privacy policies for more information.

© 2026 CevyAI. All rights reserved.