Skip to main content

Privacy Policy

Last updated:

This policy explains what personal data Curvit collects, why we collect it, how we protect it, and what rights you have over it. We have written it to be clear and practical rather than dense with legal language — if anything is unclear, please get in touch.

1. Data Controller

The data controller responsible for your personal data is Nicholas Letts trading as Curvit, based in the United Kingdom. We are registered with the UK Information Commissioner's Office (ICO) as a data controller. If you have questions about how we handle your data, please use our contact form.

2. Scope

This policy applies to all personal data processed by Curvit in connection with our CV review and tailoring platform, our marketing website at curvit.co.uk, and any communications we have with you. It covers data collected through your use of the service, data you provide to us directly, and data we receive from third-party sign-in providers.

Curvit is not intended for use by persons under the age of 16. If you are under 16, please do not use the service or provide us with any personal data.

3. Data We Collect

We process the following categories of personal data:

Account data

Your name, email address, and profile picture (if provided by Google). If you register with email and password, we store your email address, display name, and a one-way hash of your password — we never store your password in recoverable form. We also record when your email address was verified.

Documents you upload

CV files (PDF, DOCX, TXT, or ZIP for batch uploads) that you submit for review or tailoring. These files are processed to extract text for analysis — they are stored securely and automatically deleted after 20 days. Job specifications you paste or upload are also retained for 20 days.

AI analysis results

The structured output and feedback generated by our AI services in response to your uploaded documents. These are retained for 20 days and can be accessed through your account dashboard during that period.

Usage and quota data

Records of the features you have used (CV advice, matching, rewrite, screening) and when you used them, for the purpose of enforcing plan limits and calculating your rolling 30-day usage allowance. Quota event records are retained for 90 days.

Billing and payment data

Subscription tier, billing status, and payment reference identifiers provided by our payment processor. We do not store full card numbers, CVV codes, or bank account details — all payment card data is handled directly and securely by our payment processor. Payment records are retained for 7 years to satisfy legal accounting obligations.

Technical and security data

Server logs including IP addresses, request timestamps, browser type, and HTTP status codes. Authentication audit logs recording sign-in events, sign-out events, failed login attempts, and account lockout events — used to detect abuse and provide security incident evidence. Technical logs are retained for 90 days; authentication audit logs for 365 days.

Support communications

Messages you send through our contact form, including your name, email address, the subject and body of your message, and any replies from our team. These are retained for as long as the support thread remains open and for a reasonable period thereafter.

Analytics data

Aggregated, anonymised usage data collected via an analytics provider, subject to your cookie consent choices. This includes pages viewed, session duration, and approximate geographic region. We use this data to understand how the service is used and where to improve it. Analytics data is retained for 26 months.

4. How We Use Your Data

  • Providing the service — authenticating you, processing your CV, generating AI feedback, serving your results, enforcing your plan limits.
  • Billing and account management — processing payments, managing subscriptions, issuing receipts, handling cancellations and refunds.
  • Security and fraud prevention — detecting and responding to suspicious sign-in activity, brute-force attacks, account compromise, and misuse of the platform.
  • Support — responding to queries, complaints, and data subject requests submitted through our contact form.
  • Legal obligations — retaining payment records for accounting and tax purposes, responding to lawful requests from authorities.
  • Service improvement — using aggregated, anonymised analytics to understand which features are valuable and where usability can be improved. We do not train AI models on your CV content.
  • Transactional notifications — sending account verification and password reset messages. We do not send marketing communications without your explicit consent.

5. Lawful Basis for Processing

Processing activity Lawful basis
Account creation and authenticationContract performance
CV processing and AI analysisContract performance
Billing and payment processingContract performance
Security monitoring and fraud preventionLegitimate interests
Authentication audit loggingLegitimate interests
Transactional notifications (verification, reset)Contract performance
Analytics cookiesConsent
Payment records retentionLegal obligation
Responding to data subject requestsLegal obligation

6. Cookies

We use a cookie consent banner to give you control over non-essential cookies. You can change your preferences at any time by clicking the cookie settings link in the footer.

Strictly necessary cookies

Authentication session cookies required to keep you signed in and to protect your account from cross-site request forgery attacks. These cannot be disabled while you use the authenticated service.

Analytics cookies (consent required)

Cookies set by our analytics provider that track page views, session length, and aggregate user behaviour. These are only set if you accept analytics cookies through our consent banner. You can withdraw consent at any time.

7. Sub-processors and Third Parties

We engage specialist third-party providers to deliver parts of the service. Each is bound by a data processing agreement and may not use your data for their own purposes.

Category Purpose Location
Cloud infrastructure providerHosting, compute, and encrypted backup storageEU
Sign-in providerOAuth-based account authenticationUS (SCCs)
Analytics providerAggregated website usage analytics (consent-gated)US (SCCs)
AI model providerLarge language model for CV analysis and feedbackUS (SCCs)
Payment processorSubscription billing and payment card processingUS/EU (SCCs)
Email delivery providerTransactional notifications (verification, password reset)US (SCCs)

"SCCs" means Standard Contractual Clauses approved by the European Commission, used to ensure adequate protection for transfers of personal data outside the UK/EEA. You may request a list of our current sub-processors via our contact form.

8. How We Use AI

When you upload a CV, the text extracted from your document is sent to an AI language model to generate feedback and suggestions. Before reaching the AI, your document passes through validation (file type and size checks), content extraction, and a sanitisation step designed to detect and neutralise prompt injection attempts.

We do not use your CV content to fine-tune or train AI models. Our AI provider's API terms prohibit the use of inputs for model training by default.

AI-generated outputs are automatically validated for quality and policy compliance before being shown to you. We do not make legally significant automated decisions about you without human oversight — all AI outputs are suggestions for you to review and accept or reject.

9. How Long We Keep Your Data

Data category Retention period
Account data (name, email, password hash)While account is active, then 30 days after closure
Uploaded CV documents and job specifications20 days from upload
AI analysis results20 days from generation
Quota and usage events90 days
Server and application logs90 days
Authentication audit log365 days
Support communicationsDuration of thread plus 12 months
Payment and billing records7 years (legal obligation)
Analytics data26 months

Where retention periods conflict with a legal obligation, the legal obligation takes precedence. Data subject requests to erase data held under a legal obligation will be refused with an explanation.

10. How We Protect Your Data

We implement technical and organisational measures appropriate to the risk:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Database backups are encrypted at rest before transmission to off-site storage.
  • Passwords are stored as secure one-way hashes — we cannot recover your password.
  • Authentication sessions are short-lived and are refreshed only during active use.
  • Repeated failed sign-in attempts trigger rate limiting and temporary account lockout to prevent brute-force attacks.
  • All sign-in, sign-out, and authentication failure events are recorded in a tamper-evident audit log.
  • Uploaded files are validated for file type using content inspection, not filename or MIME declarations, and scanned before processing.
  • Access to production systems is restricted to authorised personnel only.
  • Our infrastructure is hosted within the European Union.

No method of transmission or storage over the internet is completely secure. While we use industry-standard protections, we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately.

11. Data Breaches

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, as required by UK GDPR. If the breach is likely to result in a high risk to you personally, we will also notify you directly without undue delay, explaining what happened, what data was affected, and what steps we are taking.

12. International Transfers

Our primary infrastructure is located within the European Union, which provides an adequate level of protection under UK data protection law. When personal data is transferred to sub-processors outside the UK or EEA — including our sign-in, analytics, AI, payment, and email providers — we rely on Standard Contractual Clauses (SCCs) or applicable adequacy decisions to ensure an equivalent level of protection.

13. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights. To exercise any of them, contact us with enough information to identify your account. We will respond within one calendar month.

Right of access

You can request a copy of the personal data we hold about you and information about how we use it.

Right to rectification

You can ask us to correct inaccurate or incomplete personal data. For account details, you can update your name through your account settings.

Right to erasure ("right to be forgotten")

You can ask us to delete your personal data. We will do so unless retention is required for a legal obligation (such as payment records), to defend a legal claim, or for another overriding legitimate interest. Deleting your account will trigger erasure of your profile, documents, and analysis results within 30 days.

Right to restrict processing

You can ask us to pause processing of your data in certain circumstances — for example, while a dispute about accuracy is resolved.

Right to data portability

You can ask us to provide the personal data you have given us in a structured, commonly used, machine-readable format where processing is based on consent or contract and carried out by automated means.

Right to object

You can object to processing based on legitimate interests (such as security monitoring). We will stop unless we can demonstrate compelling grounds that override your interests.

Rights related to automated decision-making

We do not make decisions that produce legal or similarly significant effects on you using automated processing alone — all AI outputs are suggestions you review and act on. You therefore have no specific rights to exercise under Article 22 UK GDPR at this time.

14. Complaints

If you are unhappy with how we have handled your personal data, please contact us directly — we aim to resolve all complaints within 30 days and will treat privacy complaints with priority. Please describe your concern clearly so we can investigate and respond effectively.

15. Updates to This Policy

We review this policy periodically and may update it to reflect changes in the service, legal requirements, or our data practices. Material changes — such as new data categories, new sub-processors, or new purposes — will be communicated to registered users via an in-platform notice at least 14 days before taking effect. The "last updated" date at the top of this page will always reflect the most recent revision. Continued use of the service after the effective date of a change constitutes acceptance, except where consent is required by law.