Privacy Policy

    Last updated: 8 May 2026

    This Privacy Policy explains how GoCV.ai collects, uses, shares and protects your personal data, in compliance with Regulation (EU) 2016/679 ("GDPR"), the ePrivacy Directive 2002/58/EC and applicable national laws (including the Italian Personal Data Protection Code, D.Lgs. 196/2003 as amended by D.Lgs. 101/2018, and Maltese Data Protection Act Cap. 586).

    1. Data Controller

    The data controller is The Dell Ltd, a company registered in Malta (Company Registration Number C109946), with registered office at:

    The Fort, Level 3, HardRock Business Park
    Triq Burmarrad, Naxxar, NXR 6345, Malta
    Email for privacy matters: info@thedell.eu
    General contact: info@thedell.eu

    We have not designated a Data Protection Officer (DPO) as we are not required to under GDPR Art. 37. For any privacy-related question you may contact us at the addresses above.

    2. Categories of Personal Data We Process

    • Account data: email address, full name, preferred language, optional avatar.
    • Authentication data: hashed password, login timestamps, OAuth identifiers (when you sign in with Google).
    • Career data: CV content (work experiences, education, skills, certifications, languages), career profile (current/target role, industries, strengths, weaknesses, salary expectations, years of experience), positioning summary, target geographies.
    • Application data: job descriptions, statuses, company names, role titles, ATS/fit/evidence scores, notes, follow-up actions.
    • Career assets: achievements (incl. STAR details), projects, skills inventory, target companies/roles, cover letters, interview prep notes.
    • Generated content: Apply Packs, AI-tailored CVs, cover letters, interview answers and LinkedIn suggestions you create using our AI features.
    • Usage data: usage events, feature interactions, timestamps, anonymous funnel signals.
    • Technical data: IP address, browser type, device type, operating system, server logs.
    • Communications: support requests, feedback, replies to transactional or product emails.
    • Payment data: for Pro subscribers, billing email, billing country, VAT number (if provided), subscription status. Card numbers are processed by Stripe and are never stored on our servers.

    3. Purposes and Legal Bases (GDPR Art. 6)

    PurposeLegal basis
    Account creation, authentication, account securityPerformance of contract โ€” Art. 6(1)(b)
    CV analysis, ATS scoring, job matching, Apply Pack, cover letters, interview prep, LinkedIn optimizationPerformance of contract โ€” Art. 6(1)(b)
    Application tracking and Career Memory persistencePerformance of contract โ€” Art. 6(1)(b)
    Transactional emails (verification, password reset, follow-up reminders, job alerts you opted into)Contract / Consent โ€” Art. 6(1)(b) / 6(1)(a)
    Service improvement, aggregated analytics, fraud prevention, leaked-password (HIBP) checksLegitimate interest โ€” Art. 6(1)(f)
    Payment processing, invoicing, anti-fraud (Stripe)Contract / Legal obligation โ€” Art. 6(1)(b) / 6(1)(c)
    Tax, accounting and bookkeeping retentionLegal obligation โ€” Art. 6(1)(c)
    Defence of legal claimsLegitimate interest โ€” Art. 6(1)(f)

    Where processing is based on legitimate interest, we have carried out a Legitimate Interest Assessment (LIA) and you may object at any time (see ยง9).

    4. AI Processing

    GoCV.ai uses third-party Large Language Model APIs (currently Google Gemini, accessed via the Lovable AI Gateway) to power CV analysis, ATS scoring, fit analysis, Apply Pack generation, cover letter and interview prep, and LinkedIn optimization. When you trigger an AI feature, only the data strictly required for that feature (e.g. CV section, job description) is sent to the AI provider through encrypted channels.

    No training on your data. Our AI providers are bound by Data Processing Agreements that prohibit training their foundation models on your inputs or outputs. Data sent to the AI provider is processed solely to generate your requested result and is not retained by the provider beyond the technical request lifecycle and the limited abuse- monitoring window required by their terms.

    AI output is generated probabilistically and may contain inaccuracies. You remain solely responsible for reviewing and validating any AI-generated content before using it.

    5. Recipients and Sub-processors

    We share your data only with carefully selected sub-processors bound by Data Processing Agreements under GDPR Art. 28. Current sub-processors are:

    Sub-processorPurposeLocation / Safeguard
    Supabase, Inc.Database, authentication, file storage, edge functionsEU (Frankfurt) / US โ€” SCCs
    Lovable AI GatewayRouting of AI requests to model providersEU/US โ€” SCCs
    Google LLC (Gemini API)AI inference for content generation and analysisUS โ€” SCCs, no model training on inputs
    Stripe Payments Europe Ltd.Subscription billing and payment processingIreland (EU) โ€” controller for payment data
    Resend, Inc.Transactional and lifecycle email deliveryUS โ€” SCCs / EU-US Data Privacy Framework
    FirecrawlPublic job-listing aggregation (no personal data sent)US โ€” SCCs
    Google LLC (Google Analytics 4)Aggregate website usage statistics โ€” only after your explicit consent via the cookie bannerUS โ€” SCCs / EU-US Data Privacy Framework, IP anonymisation, no ad signals
    Yandex LLC (Yandex Metrica)Aggregate site analytics, heatmaps and session replay (Webvisor) โ€” only after your explicit consent via the cookie bannerRussian Federation / Finland โ€” SCCs, masked input fields, no ad signals
    Lovable (deployment & hosting)Application hosting, build pipeline, asset CDNEU/US โ€” SCCs

    We never sell your personal data. We do not share your CV, career data or application information with employers, recruiters or job boards unless you explicitly instruct us to do so (e.g. by exporting a PDF and sending it yourself). An updated list of sub-processors is available on request at info@thedell.eu.

    6. International Data Transfers

    Some sub-processors are located outside the European Economic Area (EEA). Where this is the case, the transfer is governed by the EU Standard Contractual Clauses adopted by the European Commission (Decision 2021/914), supplemented where appropriate by additional technical and organisational measures (encryption in transit and at rest, pseudonymisation, access controls).

    7. Data Retention

    • Account and career data: retained while the account is active. Deleted within 30 days of account deletion (backups purged within 90 days).
    • Generated content (Apply Packs, CVs, cover letters): kept until you delete it or close your account.
    • Usage events: up to 24 months, then aggregated/anonymised.
    • Email send logs and unsubscribe tokens: up to 24 months for deliverability and abuse prevention.
    • Payment and invoicing records: 10 years (Italian D.P.R. 633/1972 art. 39 / Maltese tax law).
    • Security and access logs: up to 12 months.
    • Records relating to legal claims: until the limitation period expires (typically up to 10 years).

    8. Security Measures

    • TLS/HTTPS encryption in transit; AES-256 encryption at rest for the database and storage.
    • Row-Level Security (RLS) policies enforcing per-user data isolation on every table containing personal data.
    • Hashing of authentication credentials (bcrypt/argon2) and check against the Have I Been Pwned (HIBP) database to prevent the use of compromised passwords.
    • Mandatory email verification for new accounts.
    • Principle of least privilege for internal access and admin role-based access control.
    • Regular automated dependency and vulnerability scanning.
    • Personal data breach notification to the supervisory authority within 72 hours where required (GDPR Art. 33).

    9. Your Rights (GDPR Art. 15-22)

    • Access (Art. 15) โ€” obtain confirmation and a copy of your data.
    • Rectification (Art. 16) โ€” correct inaccurate or incomplete data.
    • Erasure / "right to be forgotten" (Art. 17) โ€” request deletion of your data.
    • Restriction (Art. 18) โ€” restrict processing in specific cases.
    • Portability (Art. 20) โ€” receive your data in a structured, machine-readable format.
    • Object (Art. 21) โ€” object to processing based on legitimate interest.
    • Withdraw consent (Art. 7(3)) โ€” at any time, without affecting prior lawful processing.
    • Not be subject to solely automated decisions (Art. 22) โ€” we do not take any decision producing legal or similarly significant effects on you based solely on automated processing. AI scores are advisory only.

    Requests can be sent to info@thedell.eu. We will reply within one month (extendable by two months for complex requests, GDPR Art. 12(3)). Many actions (data export, account deletion) can also be performed directly from your account settings.

    10. Cookies, Local Storage and Analytics

    GoCV.ai uses two categories of cookies and browser storage. Strictly necessary cookies are always active because they are indispensable to provide the Service you have requested (Italian Codice Privacy art. 122 c.1; EDPB Guidelines 2/2023). Analytics cookies are activated only after your explicit, granular consent given through the cookie banner, in line with the Italian Garante guidelines of 10 June 2021 and EDPB Guidelines 03/2022.

    10.1 Strictly necessary (no consent required)

    • sb-* โ€” Supabase authentication session and refresh tokens (session / 1 year).
    • i18nextLng โ€” your language preference (1 year).
    • gocv-cookie-consent โ€” record of your consent decision (1 year).
    • gocv_session_id, gocv_utm โ€” server-side anti-abuse and attribution (session).
    • Other application-state keys used to power the editor (drafts, UI state).

    10.2 Statistics โ€” activated only with your consent

    • Google Analytics 4 (Google LLC / Google Ireland Ltd) โ€” measurement ID G-ZE89PY6C1F. Cookies _ga (24 months), _ga_* (24 months). Used to understand aggregate site usage and improve the Service. Configured with IP anonymisation, advertising signals disabled, ad personalisation disabled. Data is transferred to the United States under EU Standard Contractual Clauses and the EU-US Data Privacy Framework. Legal basis: consent, GDPR art. 6(1)(a) and Codice Privacy art. 122. You can withdraw consent at any time through the "Cookie preferences" link in the footer.
    • Yandex Metrica (Yandex LLC) โ€” counter ID 109120258. Cookies _ym_uid, _ym_d (1 year), _ym_isad, _ym_visorc (session). Used to measure aggregate traffic and to record anonymised session replays and heatmaps (Webvisor) so we can diagnose UX issues and improve the Service. Input fields, passwords and any element marked as sensitive are automatically masked before recording. Data is transferred outside the EEA (Russian Federation / Finland) under EU Standard Contractual Clauses with additional technical safeguards (TLS in transit, IP truncation). Legal basis: consent, GDPR art. 6(1)(a) and Codice Privacy art. 122. You can withdraw consent at any time through the "Cookie preferences" link in the footer; this will immediately stop the loading of Yandex Metrica scripts on subsequent page loads.

    We also collect first-party usage events in our own database (table analytics_events) on the basis of our legitimate interest (GDPR art. 6(1)(f)) to debug, secure and improve the Service. Events are pseudonymised, retained for up to 24 months and you may object at any time at info@thedell.eu.

    We do not use advertising or profiling cookies and we do not share analytics data with advertising networks.

    11. Children

    GoCV.ai is not intended for individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact info@thedell.eu and we will delete it promptly.

    12. Supervisory Authorities

    You have the right to lodge a complaint with the supervisory authority of the Member State of your habitual residence, place of work or place of the alleged infringement.

    • Lead authority (controller's establishment): Information and Data Protection Commissioner (IDPC), Level 2, Airways House, High Street, Sliema SLM 1549, Malta โ€” idpc.org.mt.
    • Italian users: Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Roma โ€” garanteprivacy.it.

    13. Digital Services Act โ€” Point of Contact

    Pursuant to Articles 11-12 of Regulation (EU) 2022/2065 (Digital Services Act), the single point of contact for authorities and recipients of the service is: info@thedell.eu (working language: English / Italian).

    14. Changes to This Policy

    We may update this Privacy Policy from time to time. Material changes will be notified by email and/or in-product notice at least 15 days before they take effect. The "Last updated" date at the top reflects the most recent revision.

    15. Contact

    The Dell Ltd
    The Fort, Level 3, HardRock Business Park
    Triq Burmarrad, Naxxar, NXR 6345, Malta
    Privacy: info@thedell.eu โ€” DSA: info@thedell.eu