Privacy Policy
Last updated: April 19, 2026
1. Information We Collect
Account Information
- Email address (required for account creation)
- Password hash (if using password authentication; we never store plain-text passwords)
CV and Job Data
- CV files you upload (PDF, DOCX) and their extracted text content
- Additional information you provide about yourself
- Job descriptions and URLs you submit
- Generated CVs and cover letters
Payment Information
- Stripe customer ID and transaction records
- We do not store credit card numbers; all payment processing is handled by Stripe
Usage Data
- AI generation logs (prompt tokens, completion tokens, latency) via Langfuse for quality monitoring
- Application tracking data you create
2. How We Use Your Data
We do not advertise using your data, and we do not sell your personal data to third parties.
- CV Generation: Your CV content and job descriptions are sent to Azure OpenAI to generate tailored CVs and cover letters.
- Account Management: Your email is used for authentication, magic links, email verification, and account-related communications.
- Payment Processing: Transaction data is used to manage your credit balance.
- Service Improvement: AI usage metrics (via Langfuse) help us monitor and improve generation quality. These logs do not contain your personal data; only prompt structure and token counts.
3. Data Processing and Third Parties
| Service | Purpose | Data Shared |
|---|---|---|
| Azure OpenAI | AI CV/cover letter generation | CV text, job descriptions (processed, not stored by Azure) |
| Stripe | Payment processing | Email, payment details |
| Langfuse | AI monitoring and quality | Token counts, latency metrics, trace IDs |
| Resend | Transactional emails | Email address |
| Azure (Hosting) | Infrastructure — United States (East) | All data (encrypted at rest and in transit) |
4. Data Storage and Security
- All data is stored on Azure Database for PostgreSQL in the United States (Azure East US region) with encryption at rest.
- Data in transit is encrypted using TLS.
- Passwords are hashed using bcrypt.
- Access to production systems is restricted to the sole operator.
5. International Data Transfers (UK and EEA Users)
WadeCV is operated from the United States and all personal data we process — including your CV content, account information, and generated documents — is stored and processed on Microsoft Azure infrastructure in the United States (Azure East US region). If you access WadeCV from the United Kingdom, the European Economic Area, or any other jurisdiction outside the United States, your personal data will be transferred to and processed in the United States.
Legal basis for the transfer. For users in the United Kingdom and the EEA, we rely on Article 49(1)(b) of the UK GDPR and EU GDPR — the transfer is necessary for the performance of the contract between you and WadeCV. Delivering the WadeCV service requires processing your CV and job description data on our US-hosted infrastructure; no equivalent UK or EEA-hosted instance of the service exists. By creating an account and submitting CV or job data, you understand and agree that this transfer is necessary to provide the service you have requested.
Risks you should be aware of.The United States is not currently recognised by the UK Information Commissioner's Office or the European Commission as providing an "adequate" level of data protection equivalent to UK or EU standards in all cases. US law enforcement and intelligence agencies may be able to access data held by US-based cloud providers under US law (including FISA Section 702 and Executive Order 12333), and the remedies available to non-US persons in US courts may be more limited than under UK or EU law. Microsoft Azure is certified under the EU-US Data Privacy Framework and its UK Extension, which provides additional safeguards at the infrastructure layer, but your direct relationship with WadeCV relies on the Article 49(1)(b) contract necessity basis described above.
Your controls. You can avoid the transfer by not creating an account or not submitting CV data. If you have already created an account and change your mind, you can delete your account at any time via Settings > Delete Account, which permanently removes all your data from our systems within 30 days (see Section 6 Data Retention).
6. Data Retention
- Your data is retained as long as your account is active.
- Deleted accounts have their data permanently removed within 30 days.
- Payment records may be retained longer for legal and accounting purposes.
7. Your Rights
You have the right to:
- Access: View all data associated with your account through the dashboard.
- Rectification: Edit your CV data at any time via the CV editor.
- Deletion (Erasure):Delete your account and all associated data through Settings > Delete Account.
- Portability: Download your generated CVs and cover letters as DOCX files.
- Object: Contact us to object to specific data processing activities.
- Withdraw consent: Where we rely on consent (for example, analytics storage in the UK/EEA), you can withdraw it at any time via Your Privacy Choices.
UK and EEA users:In addition to the rights above, you have the right to lodge a complaint with a supervisory authority if you believe we have infringed your data protection rights. In the United Kingdom this is the Information Commissioner's Office (ico.org.uk). In the EEA this is the data protection authority of your country of residence. We encourage you to contact us first at support@wadecv.com so we can try to resolve any concerns directly.
8. Cookies and Analytics
We use essential cookies to keep you signed in (authentication tokens stored as httpOnly, secure cookies) and to remember your theme preference.
We also use Google Analytics 4 ("GA4") to understand how WadeCV is used so we can improve the product. GA4 collects pseudonymous usage data such as page views, feature engagement (for example, when you tailor a CV, generate a new version, or download a document), approximate location (based on your IP address as processed by Google), device and browser information, and technical event metadata (such as error states or failed requests). We do not use this data to build marketing profiles of individual users.
GA4 is loaded with Google Consent Mode v2. We never enable advertising storage, ad user data, or ad personalization signals — those categories are always set to denied.
For visitors whose browser timezone is in the EEA or United Kingdom, analytics storage is set to denied by default and a consent banner is shown; we only enable analytics storage after you accept. For visitors elsewhere (including the United States), analytics storage is enabled by default in accordance with applicable US state privacy laws (including the California Consumer Privacy Act as amended by the CPRA), and you may opt out at any time via Your Privacy Choices.
We honor the Global Privacy Control (GPC) browser signal. If your browser sends GPC, we treat it as an opt-out of analytics regardless of region or saved preference.
For more information about how Google Analytics handles data, please see Google's documentation on "How Google uses information from sites or apps that use our services" and the "Safeguarding your data in Google Analytics" page.
9. Children's Privacy
WadeCV is not intended for users under 16 years of age. We do not knowingly collect data from children.
10. Changes to This Policy
We will notify registered users via email of any material changes to this Privacy Policy.
11. Contact
For privacy-related inquiries, contact us at support@wadecv.com.