Privacy Policy

Last updated: 17 May 2026

This Privacy Policy explains what personal data CvNeat collects, how we use it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR). If anything here is unclear, email us at the address below and we will explain it.

1. Who we are

CvNeat is operated from Spain. You can reach us at the contact details below for any question about this Privacy Policy or about your personal data.

CvNeat
Email: privacy@cvneat.com

2. What personal data we collect

  • Account data: your email address and a hashed (one-way) password. We never see your plain-text password.
  • CV content: everything you type into the CV editor - name, contact details, work history, education, skills, and (in DACH templates) an optional photo. This is your data; you control it.
  • Billing data: if you subscribe, Stripe handles your card details on our behalf. We receive your Stripe customer ID, subscription status, plan, and current period end, but never your card number.
  • Session cookies: two first-party cookies, one to keep you logged in, one to protect against cross-site request forgery (CSRF). No third-party tracking or advertising cookies.
  • Operational logs: minimal server logs (timestamp, IP, request path) retained for security and debugging.

3. Why we collect it (lawful basis)

  • Art. 6(1)(b) GDPR - performance of a contract: account, CV content, and billing data are necessary to provide the service you signed up for.
  • Art. 6(1)(f) GDPR - legitimate interests: operational logs and session cookies, used to keep the service secure, prevent fraud, and investigate abuse.
  • Art. 6(1)(a) GDPR - consent: if at any point we add cookies that are not strictly necessary, we will ask for your consent first. Today we do not use any such cookies.

4. Who we share it with

We use a small number of processors. Each is bound by a written data-processing agreement and processes data only on our instructions.

  • Stripe - payment processing. Stripe receives your email and card details when you subscribe. See Stripe's privacy notice for details.
  • Microsoft Azure - hosts our application servers and PostgreSQL database. Data is stored in European Union regions and processed exclusively on our instructions under Art. 28 GDPR.
  • Transactional email provider: delivers password-reset and account-notification emails. Used only for transactional messages, never for marketing.

We do not sell your personal data. We do not share it with advertisers.

5. Where we store it

Application data is stored on Microsoft Azure infrastructure in European Union regions. Stripe processes payment data in accordance with its own infrastructure; any transfers outside the EEA rely on the EU Standard Contractual Clauses and supplementary measures.

6. How long we keep it

  • Account & CV data: kept until you delete your account.
  • Backups: retained for 30 days after account deletion, then permanently erased.
  • Billing & tax records: invoices and payment receipts are retained for up to 6 years to comply with Spanish accounting and tax law (Art. 30 Código de Comercio; Art. 66 Ley General Tributaria).
  • Operational logs: retained for up to 90 days, then deleted.

7. Your rights under the GDPR

You have the right to:

  • Access a copy of the personal data we hold about you.
  • Rectification of inaccurate or incomplete data.
  • Erasure ("right to be forgotten") of your personal data.
  • Data portability - receive your data in a machine-readable format.
  • Restriction of processing in certain circumstances.
  • Object to processing based on our legitimate interests.
  • Lodge a complaint with your national data protection authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD), www.aepd.es.

To exercise any of these rights, email us at privacy@cvneat.com. We will respond within 30 days.

8. Account deletion and erasure

You can delete your account at any time from Settings → Delete account. Deletion is a full erasure: your user record, profile, CVs, and active sessions are removed from the live database in a single transaction, and any active Stripe subscription is cancelled at the same time. Backups containing your data are permanently overwritten within 30 days. Billing records required by tax law (invoices, payment receipts) are retained for the legally required period under Art. 6(1)(c) GDPR.

9. Cookies

CvNeat uses two strictly necessary first-party cookies: one to keep you logged in (session) and one to protect form submissions from cross-site request forgery (CSRF). We do not use analytics, advertising, or tracking cookies. If this ever changes, we will ask for your consent through a cookie banner before any non-essential cookie is set.

10. Minors

CvNeat is not directed at children under 14, the minimum age for valid consent to personal-data processing under Spanish law (Art. 7 LOPDGDD 3/2018). We do not knowingly collect data from children under 14. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Changes to this policy

If we make material changes, we will email registered users at least 30 days before the changes take effect. The "Last updated" date at the top of this page always reflects the current version.

12. Contact

Questions about this policy or your data? Email privacy@cvneat.com.

← Back to home