Privacy Policy

1. Introduction

Welcome to CV Pathway ("we", "our", or "us"). CV Pathway is operated by NMC Consulting (nmcconsulting.co.uk). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services.

For the purposes of data protection law, NMC Consulting is the data controller responsible for your personal information.

By using CV Pathway, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

2. Information We Collect

2.1 Information You Provide to Us

We collect information that you voluntarily provide when using our services:

• Account Information: Name, email address, and password when you create an account
• CV/Resume Content: The content of CVs and resumes you upload to our platform
• Job Information: Job titles, company names, and job descriptions you provide
• Cover Letters: Cover letters generated through our AI service
• Payment Information: Payment details processed through Stripe (we do not store full credit card numbers)
• Communications: Any feedback, feature requests, or support inquiries you send us

2.2 Automatically Collected Information

• Usage Data: How you interact with our services, features used, and pages visited
• Device Information: IP address, browser type, operating system, and device identifiers
• Cookies and Similar Technologies: We use cookies to maintain your session and improve user experience

3. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To provide, maintain, and improve our AI-powered cover letter generation service
• AI Processing: Your CV content and job descriptions are processed through OpenAI's API to generate personalized cover letters
• Account Management: To create and manage your account, including authentication and security
• Payment Processing: To process subscription payments through Stripe
• Communication: To send service-related notifications, updates, and respond to your inquiries
• Analytics: To analyze usage patterns and improve our services
• Security: To protect against fraud, unauthorized access, and ensure platform security
• Legal Compliance: To comply with legal obligations and enforce our Terms of Service

4. Third-Party Service Providers

We share your information with trusted third-party service providers:

5. Data Retention

We retain your personal information for as long as necessary to:

• Provide our services to you
• Comply with legal obligations
• Resolve disputes and enforce our agreements

You can request deletion of your account and associated data at any time through your account settings or by contacting us. Please note that some information may be retained in backup systems for a limited period.

6. Fraud Prevention and Account Deletion

To prevent abuse of our free tier and protect the integrity of our services, we implement fraud prevention measures in compliance with GDPR Article 6(1)(f) (legitimate interests) and Recital 47 (fraud prevention):

6.1 Deleted Account Tracking

When you delete your account, we retain a cryptographically hashed (non-reversible) version of your email address for fraud prevention purposes. This prevents individuals from repeatedly creating and deleting accounts to abuse free tier credits or services.

6.2 What We Store After Deletion

• Hashed Email: A one-way cryptographic hash of your email address (the original email cannot be recovered)
• Deletion Date: When your account was deleted
• Deletion Reason: The reason for deletion (e.g., user request, GDPR erasure)
• Anonymized Metadata: Hashed IP address and user agent for pattern detection

6.3 Data Retention Period

These fraud prevention records are automatically deleted after 2 years from the date of account deletion. This limited retention period balances fraud prevention with data minimization principles.

6.4 Impact on Re-registration

Email addresses associated with deleted accounts cannot be used to create new accounts during the retention period. If you believe this restriction was applied in error, please contact our support team at support@cvpathway.app.

Legal Basis: This processing is necessary for our legitimate interests in preventing fraud and abuse, as permitted under GDPR Article 6(1)(f). We have determined that these interests are not overridden by your data protection rights, given the minimal nature of the data retained (non-reversible hashes) and the important fraud prevention purpose.

7. Data Security

We implement appropriate technical and organizational security measures to protect your personal information:

• Encryption in transit (HTTPS/TLS)
• Encryption at rest for stored data
• Secure authentication using industry-standard practices
• Regular security audits and monitoring
• Access controls and authentication requirements
• Rate limiting to prevent abuse

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

8. Your Rights (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of your personal data (note: fraud prevention records may be retained as described in Section 6)
• Right to Restrict Processing: Request limitation of how we use your data
• Right to Data Portability: Request transfer of your data to another service
• Right to Object: Object to our processing of your personal data
• Right to Withdraw Consent: Withdraw consent for data processing at any time

To exercise these rights, please contact us using the information provided in Section 13. You also have the right to lodge a complaint with your local data protection authority.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to:

• Maintain your session and keep you logged in
• Remember your preferences
• Analyze how you use our services
• Improve user experience and performance

You can control cookies through your browser settings. However, disabling cookies may limit your ability to use certain features of our service.

10. Children's Privacy

Our services are not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately so we can delete it.

11. International Data Transfers

Your information may be transferred to and maintained on servers located outside of your country of residence. We ensure that appropriate safeguards are in place for such transfers in compliance with applicable data protection laws.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. Continued use of our services after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us at: