← Home

Privacy Policy

Last updated: 2 June 2026

CVstepUP ("we", "us") respects your privacy. This policy explains what personal data we collect, why we collect it, and your rights under the UK GDPR, EU GDPR and the Data Protection Act 2018.

1. Who we are

CVstepUP is the data controller for the personal data processed via cvstepup.com. Contact: privacy@cvstepup.com.

2. Data we collect

• Account data: email, name, hashed password (or OAuth identifier).
• CV content: the work history, education and personal details you enter to generate a CV.
• Payment data: handled by Stripe. We store only a reference, amount, currency, status and receipt URL — never card details.
• Usage data (with consent): page views, region, referrer, user-agent string.
• Support data: any messages you send us.

3. Lawful bases

• Contract: to create your account, generate and store your CV, and process your payment.
• Legitimate interests: to keep the service secure and prevent abuse.
• Consent: for optional analytics cookies. You can withdraw consent at any time.
• Legal obligation: to keep accounting records for tax purposes.

4. How we use AI

We send the information you type into the CV builder to an AI provider (Google or OpenAI, via the Lovable AI Gateway) solely to generate or improve your CV. Your inputs are not used to train third-party models.

5. Sharing

We only share data with processors that help us run the service: hosting and database (Supabase), payments (Stripe), and AI generation (Google/OpenAI via Lovable). All are bound by data-processing agreements.

6. International transfers

Some processors are based outside the UK/EEA. Transfers are protected by Standard Contractual Clauses (SCCs) and the UK Addendum.

7. Retention

We keep your account and CVs until you delete them, or 24 months after your last activity. Payment records are kept for 7 years to meet UK accounting law.

8. Your rights

• Access a copy of your data
• Correct or update inaccurate data
• Delete your account and data ("right to be forgotten")
• Export your data (portability)
• Withdraw consent for analytics at any time
• Lodge a complaint with the UK ICO (ico.org.uk) or your local supervisory authority

You can delete your account from the dashboard or by emailing privacy@cvstepup.com.

9. Security

Data is encrypted in transit (TLS) and at rest. Access is restricted via row-level security so only you can see your CVs.

10. Children

The service is not directed at children under 16. We do not knowingly collect data from children.

11. Changes

We will update the "Last updated" date when this policy changes. Material changes will be notified by email.