Effective date: 13 May 2026.

This Privacy Policy explains how CVForge collects, uses, stores, and protects personal data when you use the CVForge website and app.

The service processes career-related information such as CVs, job history, education, and job applications. This may include personal data, so you should only provide information you are comfortable using in the service.

GRAZ LABS LTD is the data controller responsible for personal data processed through CVForge, unless stated otherwise in a separate agreement.

GRAZ LABS LTD, Company Number: 16960808, with registered address at: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

For privacy questions or data requests, contact support@cvforgeapp.com.

We may require verification of your identity before fulfilling requests.

Account data may include your name, email address, password hash for email and password users, profile photo if provided, social sign-in identifiers, account status, security and session data, and support history.

Career content may include CV text and structured CV data, uploaded or imported documents, pasted CV or LinkedIn profile text, job descriptions and URLs, cover letters and LinkedIn content, saved versions, edits, generated outputs, follow-up answers, health-check results, and analysis results.

Billing data may include payment references such as Stripe IDs, subscription and purchase details, amounts, currency, payment status, entitlements, credits, top-ups, usage data, and refund or support context. We do not store full card numbers.

Technical and usage data may include IP address and request metadata, device and browser information, analytics events, CV parse events, AI usage metadata and logs, entitlement and credit usage records, and performance, error, and audit logs.

We collect data directly from you when you use the service.

We collect data automatically through system logs and usage tracking.

We collect data from third parties such as payment providers and authentication services.

We use your data to provide and operate the service.

We use your data to generate CVs, parse or extract CV content, run deterministic health checks, produce improvements, tailor outputs, generate cover letters, and create LinkedIn profile content when you request those features.

We use your data to manage accounts, billing, and entitlements.

We use your data to provide support and resolve issues.

We use your data to maintain security and prevent abuse.

We use your data to improve product performance and reliability.

Where applicable under UK GDPR or similar laws, we rely on the following legal bases:

Contract: to provide the CVForge service, including account creation, CV generation, tailoring, exports, purchases, subscriptions, and support for requested product features.

Legitimate interests: to maintain security, prevent abuse, improve reliability, understand product performance, resolve issues, and support users.

Legal obligation: for tax, accounting, fraud prevention, regulatory compliance, and responding to lawful requests where required.

Consent: for optional cookies and certain communications where required.

You may object to processing based on legitimate interests where applicable.

When you use AI features, relevant data such as CV content, uploaded or pasted CV text, job descriptions, LinkedIn profile text, cover letter inputs, and prompts may be processed by third-party AI providers such as OpenAI.

This processing is used to generate outputs requested by you, operate AI features, maintain security, prevent abuse, and improve service reliability.

AI inputs and outputs may be temporarily processed and retained by AI providers in accordance with their security, abuse-monitoring, and legal obligations.

General CV health checks are deterministic and local to the application logic. They are not AI-generated and do not require OpenAI processing.

We do not use AI to make automated decisions about employment, hiring, or candidate evaluation.

CVForge does not make hiring decisions.

We do not sell your CV content or personal data to AI providers or other third parties.

AI-generated content may be inaccurate or incomplete. You should review all outputs before use.

CV content may include sensitive or special-category data such as health, ethnicity, or nationality.

If you include sensitive or special-category data, you do so voluntarily. We do not require this data for normal use of the service.

You are responsible for deciding what personal or sensitive information to include in your CV, uploaded documents, pasted content, or generated materials.

Where sensitive data is included, we process it only because you provided it and where it is needed to provide the service features you choose to use.

You should avoid providing sensitive data unless necessary for your intended use.

The service is not designed to require sensitive data for normal CV creation.

We may share data with trusted service providers, including payment providers such as Stripe, AI providers such as OpenAI, hosting and infrastructure providers, email providers, authentication providers, analytics tools, and support tools.

These providers process data on our behalf under contractual safeguards.

Service providers may change over time as the service evolves.

We may also disclose data where required to comply with legal obligations, enforce our terms, investigate misuse, respond to legal requests, prevent fraud or abuse, or protect users, the service, or the public.

We do not sell your CV content or personal data.

We use cookies and similar technologies for authentication and session management, security and fraud prevention, OAuth sign-in, draft and checkout recovery, saved workflow state, preferences, and analytics where applicable.

Some browser storage is used because it is necessary for requested product flows, such as preserving a draft, checkout return state, design preview state, or AI workflow progress. Optional analytics and non-essential storage technologies are controlled through the cookie settings tool where available.

You can control optional cookies through the cookie settings tool where available, your browser settings, or the Cookies Policy.

We retain account and CV data while your account is active.

We retain billing data as required for legal and accounting obligations.

We retain logs and analytics for operational and security purposes.

We retain support records for service continuity and dispute resolution.

Where possible, we limit retention periods. For example, temporary files may be deleted within 24 hours, logs may be retained for limited periods such as 90 days, and analytics data may be retained for limited periods such as 180 days.

You can delete your account from your account settings where the delete account option is available. This removes sign-in access, saved CVs, jobs, cover letters, profile photo, linked sign-in methods, sessions, and related account content from the product.

Some deletion actions may take a short period to fully propagate through backups, caches, and internal systems.

If your account has an active subscription, the product may require you to cancel the subscription and wait for the paid period to end before account deletion can be completed.

If you used Facebook Login or another social sign-in method, you can also remove CVForge from your connected apps in that provider's account settings to revoke future access.

If you cannot access the account settings or need help with a deletion request, contact support@cvforgeapp.com.

Some data may still be retained where required by law or for legitimate purposes such as accounting, tax, refunds, fraud prevention, security, or legal claims.

We use appropriate technical and organisational measures to protect data, including access controls, encryption and secure storage practices, rate limiting and monitoring, and audit logging.

No system is completely secure, and we cannot guarantee absolute security. You should take reasonable precautions to protect your account.

Some service providers may process data outside your country.

Where required, we rely on appropriate safeguards such as standard contractual clauses or equivalent lawful mechanisms.

Depending on your location, you may have rights to access your data, correct inaccurate data, request deletion, restrict or object to processing, request data portability, and withdraw consent where applicable.

To request deletion, use the in-product account deletion option in settings where available, or contact us if you cannot access your account.

You may also have the right to lodge a complaint with a data protection authority.

In the UK, this is the Information Commissioner's Office (ICO).

We may send service-related emails such as account, billing, security, and support communications. These are needed to operate the service and are not optional marketing messages.

Where we send optional communications, you can opt out at any time.

The service is not intended for children. We do not knowingly collect data from children.

The service is intended for users aged 18 or older, or minors using it with appropriate parental or guardian permission where permitted by law.

If you believe a child has provided personal data, contact us so we can investigate and remove it where appropriate.

We may update this Privacy Policy from time to time.

The latest version will always be available on the website. Where legally required, we will provide notice of material changes.