EdgeCV is operated by Edgecv.io. For data protection queries, contact us at privacy@edgecv.io.
We collect: identity data (name, email address); CV content (work history, education, skills, projects, certifications, languages, and optionally date of birth, photo, and address); usage data (page views and feature interactions, identified by a pseudonymous UUID); technical data (IP address for rate limiting — not stored beyond the session; browser and operating system); and payment data (handled by our payment processor — EdgeCV does not store card numbers).
We process your data for the following purposes: account creation and authentication (legal basis: performance of a contract, Art. 6(1)(b) GDPR); CV storage, editing, and export (Art. 6(1)(b)); AI processing of CV content for tailoring, scoring, cover letters, and mock interviews (legal basis: explicit consent, Art. 6(1)(a) — you may withdraw this consent at any time); analytics via PostHog identified by UUID only (legal basis: legitimate interests, Art. 6(1)(f) — you may opt out); error tracking via Sentry with PII scrubbing (Art. 6(1)(f)); transactional email for account events and magic links (Art. 6(1)(b)).
When you use AI-powered features (CV tailoring, ATS scoring, cover letter generation, mock interview), your CV content is transmitted to our AI providers (Anthropic and/or OpenAI). We use the no-training-on-customer-data tier for all AI providers, meaning your data is never used to train AI models. You can withdraw consent for AI processing at any time via Account Settings → AI data processing. Withdrawing consent stops AI features from working but does not delete your account.
We share your data only with the following sub-processors, all covered by Data Processing Agreements (DPAs): Supabase (Postgres database and authentication, EU region); Anthropic (AI inference, US-based, covered by Standard Contractual Clauses); OpenAI (AI inference, US-based, covered by SCCs); PostHog (analytics, EU region); Sentry (error tracking, US-based, covered by SCCs); Microsoft Azure (hosting, EU region); Resend (transactional email, US-based, covered by SCCs); Stripe (billing, US-based, covered by SCCs).
Your primary data lives in Supabase EU region and remains within the European Economic Area. For US-based sub-processors (Anthropic, OpenAI, Sentry, Resend, and Stripe), transfers are covered by Standard Contractual Clauses (SCCs) under Art. 46 GDPR and the relevant DPAs.
Account data and CV content: retained while your account is active, then subject to a 30-day soft-delete window after you request deletion. All variants are hard-deleted within 30 days of account deletion. Anonymous scan data: deleted after 90 days. Analytics events: subject to PostHog retention settings (1 year by default). Error logs: subject to Sentry retention settings (90 days by default). Backup data: subject to Supabase backup retention (7 days by default).
Under GDPR you have the following rights: Right of access (Art. 15) — request a copy of your data; Right to rectification (Art. 16) — correct your data via the profile editor; Right to erasure (Art. 17) — delete your account via Account Settings; Right to restriction (Art. 18) — request that we restrict processing; Right to data portability (Art. 20) — one-click export of all your data, free of charge, anytime; Right to object (Art. 21) — object to processing based on legitimate interests; Right not to be subject to solely automated decision-making (Art. 22) — AI-generated content is always reviewed by you; no purely automated decisions with legal or significant effects are made. To exercise any right, contact privacy@edgecv.io.
We use strictly necessary cookies for authentication (Supabase session cookie). Analytics are powered by PostHog using a pseudonymous UUID — no personally identifiable data is sent. We do not use third-party advertising cookies. A detailed cookie policy will be published separately.
If you have a complaint about how we handle your data, please contact us first at privacy@edgecv.io. You also have the right to lodge a complaint with your local data protection authority — for example, the ICO (UK), CNIL (France), or BfDI (Germany). Find your local authority at edpb.europa.eu.
Data controller: Edgecv.io. Data protection queries: privacy@edgecv.io. Response time: within 30 days.