Privacy Policy
Last updated: 8 May 2026
This Privacy Policy explains how GoCV.ai collects, uses, shares and protects your personal data, in compliance with Regulation (EU) 2016/679 ("GDPR"), the ePrivacy Directive 2002/58/EC and applicable national laws (including the Italian Personal Data Protection Code, D.Lgs. 196/2003 as amended by D.Lgs. 101/2018, and Maltese Data Protection Act Cap. 586).
1. Data Controller
The data controller is The Dell Ltd, a company registered in Malta (Company Registration Number C109946), with registered office at:
The Fort, Level 3, HardRock Business ParkTriq Burmarrad, Naxxar, NXR 6345, Malta
Email for privacy matters: info@thedell.eu
General contact: info@thedell.eu
We have not designated a Data Protection Officer (DPO) as we are not required to under GDPR Art. 37. For any privacy-related question you may contact us at the addresses above.
2. Categories of Personal Data We Process
- Account data: email address, full name, preferred language, optional avatar.
- Authentication data: hashed password, login timestamps, OAuth identifiers (when you sign in with Google).
- Career data: CV content (work experiences, education, skills, certifications, languages), career profile (current/target role, industries, strengths, weaknesses, salary expectations, years of experience), positioning summary, target geographies.
- Application data: job descriptions, statuses, company names, role titles, ATS/fit/evidence scores, notes, follow-up actions.
- Career assets: achievements (incl. STAR details), projects, skills inventory, target companies/roles, cover letters, interview prep notes.
- Generated content: Apply Packs, AI-tailored CVs, cover letters, interview answers and LinkedIn suggestions you create using our AI features.
- Usage data: usage events, feature interactions, timestamps, anonymous funnel signals.
- Technical data: IP address, browser type, device type, operating system, server logs.
- Communications: support requests, feedback, replies to transactional or product emails.
- Payment data: for Pro subscribers, billing email, billing country, VAT number (if provided), subscription status. Card numbers are processed by Stripe and are never stored on our servers.
3. Purposes and Legal Bases (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Account creation, authentication, account security | Performance of contract โ Art. 6(1)(b) |
| CV analysis, ATS scoring, job matching, Apply Pack, cover letters, interview prep, LinkedIn optimization | Performance of contract โ Art. 6(1)(b) |
| Application tracking and Career Memory persistence | Performance of contract โ Art. 6(1)(b) |
| Transactional emails (verification, password reset, follow-up reminders, job alerts you opted into) | Contract / Consent โ Art. 6(1)(b) / 6(1)(a) |
| Service improvement, aggregated analytics, fraud prevention, leaked-password (HIBP) checks | Legitimate interest โ Art. 6(1)(f) |
| Payment processing, invoicing, anti-fraud (Stripe) | Contract / Legal obligation โ Art. 6(1)(b) / 6(1)(c) |
| Tax, accounting and bookkeeping retention | Legal obligation โ Art. 6(1)(c) |
| Defence of legal claims | Legitimate interest โ Art. 6(1)(f) |
Where processing is based on legitimate interest, we have carried out a Legitimate Interest Assessment (LIA) and you may object at any time (see ยง9).
4. AI Processing
GoCV.ai uses third-party Large Language Model APIs (currently Google Gemini, accessed via the Lovable AI Gateway) to power CV analysis, ATS scoring, fit analysis, Apply Pack generation, cover letter and interview prep, and LinkedIn optimization. When you trigger an AI feature, only the data strictly required for that feature (e.g. CV section, job description) is sent to the AI provider through encrypted channels.
No training on your data. Our AI providers are bound by Data Processing Agreements that prohibit training their foundation models on your inputs or outputs. Data sent to the AI provider is processed solely to generate your requested result and is not retained by the provider beyond the technical request lifecycle and the limited abuse- monitoring window required by their terms.
AI output is generated probabilistically and may contain inaccuracies. You remain solely responsible for reviewing and validating any AI-generated content before using it.
5. Recipients and Sub-processors
We share your data only with carefully selected sub-processors bound by Data Processing Agreements under GDPR Art. 28. Current sub-processors are:
| Sub-processor | Purpose | Location / Safeguard |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage, edge functions | EU (Frankfurt) / US โ SCCs |
| Lovable AI Gateway | Routing of AI requests to model providers | EU/US โ SCCs |
| Google LLC (Gemini API) | AI inference for content generation and analysis | US โ SCCs, no model training on inputs |
| Stripe Payments Europe Ltd. | Subscription billing and payment processing | Ireland (EU) โ controller for payment data |
| Resend, Inc. | Transactional and lifecycle email delivery | US โ SCCs / EU-US Data Privacy Framework |
| Firecrawl | Public job-listing aggregation (no personal data sent) | US โ SCCs |
| Google LLC (Google Analytics 4) | Aggregate website usage statistics โ only after your explicit consent via the cookie banner | US โ SCCs / EU-US Data Privacy Framework, IP anonymisation, no ad signals |
| Yandex LLC (Yandex Metrica) | Aggregate site analytics, heatmaps and session replay (Webvisor) โ only after your explicit consent via the cookie banner | Russian Federation / Finland โ SCCs, masked input fields, no ad signals |
| Lovable (deployment & hosting) | Application hosting, build pipeline, asset CDN | EU/US โ SCCs |
We never sell your personal data. We do not share your CV, career data or application information with employers, recruiters or job boards unless you explicitly instruct us to do so (e.g. by exporting a PDF and sending it yourself). An updated list of sub-processors is available on request at info@thedell.eu.
6. International Data Transfers
Some sub-processors are located outside the European Economic Area (EEA). Where this is the case, the transfer is governed by the EU Standard Contractual Clauses adopted by the European Commission (Decision 2021/914), supplemented where appropriate by additional technical and organisational measures (encryption in transit and at rest, pseudonymisation, access controls).
7. Data Retention
- Account and career data: retained while the account is active. Deleted within 30 days of account deletion (backups purged within 90 days).
- Generated content (Apply Packs, CVs, cover letters): kept until you delete it or close your account.
- Usage events: up to 24 months, then aggregated/anonymised.
- Email send logs and unsubscribe tokens: up to 24 months for deliverability and abuse prevention.
- Payment and invoicing records: 10 years (Italian D.P.R. 633/1972 art. 39 / Maltese tax law).
- Security and access logs: up to 12 months.
- Records relating to legal claims: until the limitation period expires (typically up to 10 years).
8. Security Measures
- TLS/HTTPS encryption in transit; AES-256 encryption at rest for the database and storage.
- Row-Level Security (RLS) policies enforcing per-user data isolation on every table containing personal data.
- Hashing of authentication credentials (bcrypt/argon2) and check against the Have I Been Pwned (HIBP) database to prevent the use of compromised passwords.
- Mandatory email verification for new accounts.
- Principle of least privilege for internal access and admin role-based access control.
- Regular automated dependency and vulnerability scanning.
- Personal data breach notification to the supervisory authority within 72 hours where required (GDPR Art. 33).
9. Your Rights (GDPR Art. 15-22)
- Access (Art. 15) โ obtain confirmation and a copy of your data.
- Rectification (Art. 16) โ correct inaccurate or incomplete data.
- Erasure / "right to be forgotten" (Art. 17) โ request deletion of your data.
- Restriction (Art. 18) โ restrict processing in specific cases.
- Portability (Art. 20) โ receive your data in a structured, machine-readable format.
- Object (Art. 21) โ object to processing based on legitimate interest.
- Withdraw consent (Art. 7(3)) โ at any time, without affecting prior lawful processing.
- Not be subject to solely automated decisions (Art. 22) โ we do not take any decision producing legal or similarly significant effects on you based solely on automated processing. AI scores are advisory only.
Requests can be sent to info@thedell.eu. We will reply within one month (extendable by two months for complex requests, GDPR Art. 12(3)). Many actions (data export, account deletion) can also be performed directly from your account settings.
10. Cookies, Local Storage and Analytics
GoCV.ai uses two categories of cookies and browser storage. Strictly necessary cookies are always active because they are indispensable to provide the Service you have requested (Italian Codice Privacy art. 122 c.1; EDPB Guidelines 2/2023). Analytics cookies are activated only after your explicit, granular consent given through the cookie banner, in line with the Italian Garante guidelines of 10 June 2021 and EDPB Guidelines 03/2022.
10.1 Strictly necessary (no consent required)
sb-*โ Supabase authentication session and refresh tokens (session / 1 year).i18nextLngโ your language preference (1 year).gocv-cookie-consentโ record of your consent decision (1 year).gocv_session_id,gocv_utmโ server-side anti-abuse and attribution (session).- Other application-state keys used to power the editor (drafts, UI state).
10.2 Statistics โ activated only with your consent
- Google Analytics 4 (Google LLC / Google Ireland Ltd) โ measurement ID
G-ZE89PY6C1F. Cookies_ga(24 months),_ga_*(24 months). Used to understand aggregate site usage and improve the Service. Configured with IP anonymisation, advertising signals disabled, ad personalisation disabled. Data is transferred to the United States under EU Standard Contractual Clauses and the EU-US Data Privacy Framework. Legal basis: consent, GDPR art. 6(1)(a) and Codice Privacy art. 122. You can withdraw consent at any time through the "Cookie preferences" link in the footer. - Yandex Metrica (Yandex LLC) โ counter ID
109120258. Cookies_ym_uid,_ym_d(1 year),_ym_isad,_ym_visorc(session). Used to measure aggregate traffic and to record anonymised session replays and heatmaps (Webvisor) so we can diagnose UX issues and improve the Service. Input fields, passwords and any element marked as sensitive are automatically masked before recording. Data is transferred outside the EEA (Russian Federation / Finland) under EU Standard Contractual Clauses with additional technical safeguards (TLS in transit, IP truncation). Legal basis: consent, GDPR art. 6(1)(a) and Codice Privacy art. 122. You can withdraw consent at any time through the "Cookie preferences" link in the footer; this will immediately stop the loading of Yandex Metrica scripts on subsequent page loads.
We also collect first-party usage events in our own database (table analytics_events) on the basis of our legitimate interest (GDPR art. 6(1)(f)) to debug, secure and improve the Service. Events are pseudonymised, retained for up to 24 months and you may object at any time at info@thedell.eu.
We do not use advertising or profiling cookies and we do not share analytics data with advertising networks.
11. Children
GoCV.ai is not intended for individuals under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact info@thedell.eu and we will delete it promptly.
12. Supervisory Authorities
You have the right to lodge a complaint with the supervisory authority of the Member State of your habitual residence, place of work or place of the alleged infringement.
- Lead authority (controller's establishment): Information and Data Protection Commissioner (IDPC), Level 2, Airways House, High Street, Sliema SLM 1549, Malta โ idpc.org.mt.
- Italian users: Garante per la protezione dei dati personali, Piazza Venezia 11, 00187 Roma โ garanteprivacy.it.
13. Digital Services Act โ Point of Contact
Pursuant to Articles 11-12 of Regulation (EU) 2022/2065 (Digital Services Act), the single point of contact for authorities and recipients of the service is: info@thedell.eu (working language: English / Italian).
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email and/or in-product notice at least 15 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
15. Contact
The Dell LtdThe Fort, Level 3, HardRock Business Park
Triq Burmarrad, Naxxar, NXR 6345, Malta
Privacy: info@thedell.eu โ DSA: info@thedell.eu