
Privacy Policy

Last updated: March 2026

1. Who We Are (Data Controller)

IvyCV (ivycv.com) is operated as działalność nierejestrowana (unregistered activity) under Article 5 of the Polish Entrepreneurs' Law.

We act as the data controller for all personal data processed through the Service. We do not have a Data Protection Officer (DPO) as we are not required to appoint one under GDPR Article 37. For privacy inquiries, contact us at the email above.

2. What Data We Collect

2.1 Data You Provide

2.2 Data Collected Automatically

2.3 Payment Data

Payment processing is handled entirely by Stripe. We never see, store, or process your card number, CVV, or full payment details. We receive only: transaction status, amount, currency, and Stripe customer/session identifiers.

3. Legal Basis for Processing (GDPR Article 6)

Processing Activity | Legal Basis | GDPR Article
CV generation and Master Profile storage | Contract performance | Art. 6(1)(b)
Sending CV data to AI providers | Contract performance | Art. 6(1)(b)
Payment processing | Contract performance | Art. 6(1)(b)
Transactional emails (receipts, confirmations) | Contract performance | Art. 6(1)(b)
Rate limiting and abuse prevention | Legitimate interest | Art. 6(1)(f)
Marketing emails | Consent | Art. 6(1)(a)
Analytics (if enabled) | Consent | Art. 6(1)(a)
Tax record retention | Legal obligation | Art. 6(1)(c)

Where we rely on legitimate interest (abuse prevention, security monitoring), our interest is protecting the Service and its users from fraud and abuse, which does not override your fundamental rights given the limited nature of the data involved (session tokens, request counts).

4. How We Use Your Data

5. Use of Artificial Intelligence

  1. Your personal data (career information, job listings) is sent to third-party AI services to generate CV content. These services process your data solely for this purpose.
  2. AI providers used by IvyCV:
    • Anthropic (Claude API) — CV generation, profile merge, document parsing. EU regional processing used where available. API data is NOT used for model training. Logs retained for 30 days maximum.
    • Google Cloud (Gemini API, paid tier) — CV generation (alternative model). EU region (europe-west4, Belgium). Paid API tier: data NOT used for training.
  3. Both providers are bound by Data Processing Agreements (DPAs) that include EU Standard Contractual Clauses (SCCs) for international data transfers.
  4. No automated decisions with legal or similarly significant effects are made about you (GDPR Article 22). CV generation is content creation assistance — you have full control to review, edit, and decide whether to use the output. The Service does not make employment decisions, filter applications, or evaluate candidates.

6. Data Retention

Data Type | Retention Period | Basis
Active user account and CV data | While account exists | Contract performance
Master Profile | While account exists | Contract performance
Payment records | 5 years from transaction | Polish tax law (Ordynacja podatkowa)
Anonymous session data | 30 days | Legitimate interest (rate limiting)
AI provider logs (Anthropic) | 30 days (automatic deletion) | Provider policy
Deleted account data | Immediate permanent deletion | GDPR compliance

After account deletion, payment records are retained for 5 years as required by Polish tax law, but all personal identifiers are removed (anonymized).

7. Third Parties and Data Transfers

Service | Purpose | Data Location | Transfer Safeguard
Anthropic (Claude API) | AI CV generation | US (EU regional processing available) | DPA with EU SCCs
Google Cloud (Gemini) | AI CV generation (alternative) | EU (europe-west4, Belgium) | DPA, EU-US Data Privacy Framework
Supabase | Database, authentication | EU | DPA
Stripe | Payment processing | US/EU | EU-US Data Privacy Framework, DPA
Vercel | Web hosting | Global CDN (EU edge) | DPA
Resend | Transactional email | US | DPA

We do not sell your data to third parties. Data is shared only with the processors listed above, solely for the purposes described.

8. Your Rights (GDPR Articles 15-22)

You have the following rights regarding your personal data:

To exercise any of these rights, use the tools in your account settings or email hello@ivycv.com. We will respond within 30 days (GDPR Art. 12(3)).

9. Automated Decision-Making and Profiling

IvyCV does not make automated decisions that produce legal effects or similarly significant effects on you (GDPR Article 22). The AI generates CV content as a writing assistance tool. You retain full control: you review, edit, and decide whether to use any generated content. No employment decisions, candidate evaluations, or application filtering occurs within our Service.

10. Is Providing Data Mandatory?

Providing your personal data is not a statutory requirement but is necessary to use the Service:

Refusing to provide this data means the corresponding Service features cannot be delivered.

11. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

12. California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you additional rights:

We do not sell or share your personal data as defined by the CCPA/CPRA. To exercise your rights, use the export or deletion tools in your account settings, or contact us at hello@ivycv.com.

13. Cookies

We use only strictly necessary cookies for authentication. No advertising, tracking, or analytics cookies are set. See our Cookie Policy for details.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered users via email. The "Last updated" date at the top indicates the most recent revision.

15. Contact

For privacy questions, data subject requests, or complaints: