Privacy Policy
A precise account of what data we handle, how your CV is processed, what we do not store, and what rights you have. Last updated February 26th 2026.
What This Policy Covers
This policy describes how CV Analyzer handles data you provide when using the CV analysis and cover letter generation service. It covers what is processed, how it is processed, and what is not retained.
Scope
This policy applies to all uses of the CV Analyzer web application, including uploading a CV, submitting a job description, and receiving analysis output. It does not apply to third-party services you may access through links in our output.
The short version
Your CV is processed in memory, stripped of personal identifiers before any AI call is made, and never written to disk or stored in a database. There are no user accounts. Once your results are returned to your browser, nothing about your session is retained on our infrastructure. The sections below explain this in full.
Data We Process
The service handles two categories of input: your CV and the job description you paste. These are processed differently and have different handling rules.
CV content
When you upload a CV, the file is received by a stateless server-side function. Text is extracted from the PDF in memory. The original file is not written to disk, not stored in a database, and is discarded immediately after text extraction completes. The extracted text is then run through a local PII redaction function - described in detail below - before any part of it is passed to an external AI provider.
Job description
The job description text you paste is used as context for the analysis. It is not stored. It is passed to the AI models as part of the analysis request and is discarded with the session when results are returned to your browser.
Technical request data
Standard server infrastructure logs may record IP addresses, request timestamps, and HTTP method and path for each request. This is generated by the hosting infrastructure and is subject to the data retention policies of that provider. It does not include the content of your CV or job description.
How Personal Identifiers Are Handled
Before any part of your CV reaches an AI model, it is passed through a local redaction function that identifies and removes personal identifiers. This runs server-side, before any outbound network call.
What is redacted
The redaction function identifies and replaces the following categories before any AI call is made: email addresses, phone numbers in French and North American formats including country code variants, all HTTP/HTTPS URLs including portfolio sites and LinkedIn profiles, and the candidate name inferred from the first non-empty line of the document. Each is replaced with a neutral token such as [EMAIL_REDACTED] or [NAME_REDACTED].
What the AI models receive
The AI models receive your professional experience - roles held, responsibilities, skills, and career trajectory - with all personal identifiers replaced. From the perspective of any AI provider, the request contains an anonymous professional profile and a job description. No information that could identify, contact, or profile you is present in that request.
Reinsertion of personal details
The cover letter returned to you contains your real name and contact details. These are reinserted in your browser from what was stripped locally - not from what was processed by the AI. Your identity is not part of the AI processing chain at any point.
What We Do Not Do
Several practices common to AI-powered CV tools do not apply here. These are not policy commitments - they are architectural constraints.
No CV storage
Uploaded CVs are not written to disk, not stored in a database, and not retained after the session ends. There is no document store, no file system path where your CV exists, and no mechanism by which a future request could retrieve a past CV.
No user accounts or profiles
There are no user accounts. No profile is created linking your CV to your identity. No session token, email address, or identifier connects one request to another. Each request is independent.
No use of your data for model training
We do not use your CV content, job description, or generated output to fine-tune or train any AI model. API calls to Anthropic, OpenAI, and Google AI are made under terms that prohibit use of API request data for model training by default. Because PII stripping is applied before every API call, even request logs at the provider level would contain no personal identifiers.
No data sharing or sale
We do not sell, share, or transfer CV content or job descriptions to recruiters, data brokers, analytics platforms, or any third party outside of the AI API calls required to deliver the service.
Third-Party AI Providers
The analysis service uses three AI models operated by external providers. Each receives only anonymized professional content - no personal identifiers - as described above.
Anthropic (Claude)
Performs the primary analysis and produces the initial draft. API requests are subject to Anthropic's data usage policies. Under standard API terms, request data is not used for model training. See anthropic.com/privacy for their current policy.
OpenAI (GPT-4)
Reviews the draft output from a hiring-manager perspective. API requests are subject to OpenAI's data usage policies. Under standard API terms, request data is not used for model training. See openai.com/privacy for their current policy.
Google AI (Gemini)
Performs the final authenticity pass before output is delivered. API requests are subject to Google's data usage policies. Under standard API terms, request data is not used for model training. See ai.google.dev/terms for their current policy.
Your Rights
Applicable data protection law - including GDPR for users in the European Economic Area and UK GDPR for users in the United Kingdom - gives you specific rights regarding personal data. The architecture of this service affects how some of those rights apply in practice.
Right of access and erasure
Because this service does not store CVs, create user accounts, or retain session data, there is no personal data held by us that could be returned in response to a subject access request or deleted in response to an erasure request. If you submitted a request and are uncertain whether anything was retained, you may contact us and we will confirm.
Right to object to processing
The processing that occurs - text extraction, PII stripping, and AI analysis - takes place during a single stateless session and ends when results are returned to your browser. There is no ongoing processing to object to after the session ends. You can stop a session at any time by closing your browser.
Contact for data enquiries
If you have a question about how your data was handled, or want to confirm whether any data related to your use of the service is held, contact us through the support channel on our website. We will respond within the timeframe required by applicable law.