Privacy Policy

Last updated: March 2026

At Onestopcv, we take your privacy seriously. This policy explains what personal data we collect, why we collect it, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Please read it carefully.

1. Who We Are & Data Controller

Onestopcv ("we", "us", "our") is the data controller responsible for your personal data collected through cvprouk.com and our associated applications.

We are registered in England and Wales. As data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring that such processing complies with applicable data protection law.

You can contact our Data Protection Officer (DPO) at any time at privacy@cvprouk.com.

2. What Personal Data We Collect

We collect the following categories of personal data:

Account & Identity Data

  • Name and email address
  • Hashed password (we never store your password in plain text)
  • Profile photo (if you sign in with Google and grant permission)
  • Account creation date and last login

CV & Document Content

  • All content you enter into your CVs and cover letters (work history, education, skills, contact details, etc.)
  • Document templates selected and formatting preferences
  • Generated PDF and DOCX files
  • Job application records you add to the tracker

Payment & Billing Data

  • Subscription tier and billing period
  • Stripe Customer ID (reference only — card details are handled entirely by Stripe)
  • Billing history and invoice references

Usage & Technical Data

  • Pages visited and features used within the platform
  • Session duration and click patterns (anonymised analytics)
  • Device type, browser, and operating system
  • IP address (used for security and fraud prevention; not linked to your identity for analytics)
  • Error logs and performance data

Communications Data

  • Support emails and live chat transcripts
  • Feedback and survey responses
  • Email marketing preferences

We do not collect or store sensitive personal data (special category data) such as racial or ethnic origin, political opinions, health information, or biometric data. Our CV templates are specifically designed to comply with UK equality law, and we advise against including such information on CVs.

3. How We Use Your Personal Data

We only use your personal data where we have a lawful basis to do so under UK GDPR:

Purpose | Lawful Basis
Creating and managing your account | Contract performance
Storing and displaying your CV and document content | Contract performance
Processing subscription payments via Stripe | Contract performance
Sending transactional emails (receipts, security alerts, password resets) | Contract performance / Legitimate interests
Providing AI-powered features (job matcher, content suggestions) | Contract performance
Improving the Service through anonymised usage analytics | Legitimate interests
Security monitoring and fraud prevention | Legitimate interests / Legal obligation
Sending marketing emails and product updates | Consent (opt-in only)
Complying with legal obligations (tax, fraud reporting) | Legal obligation

Where we rely on legitimate interests as our lawful basis, we have balanced our interests against your rights and concluded that our interests do not override your fundamental rights. You may object to such processing — see Section 8 for details.

4. Cookies & Tracking

We use the following types of cookies and similar technologies:

Essential Cookies (always active)

Required for the platform to function. These include session tokens (for authentication), CSRF tokens (for security), and your preferences (e.g., theme). These cannot be disabled without breaking core functionality.

Analytics Cookies (opt-out available)

We use anonymised analytics to understand how users navigate the platform and which features are most valuable. Data is aggregated and cannot be used to identify individual users. You may opt out via your browser settings or our cookie preference centre.

Marketing Cookies (consent required)

We do not currently use third-party marketing or advertising cookies. If we introduce them in future, we will obtain your explicit consent first.

You can manage cookies through your browser settings. Note that disabling essential cookies will prevent you from logging in and using the platform.

5. Data Sharing & Third-Party Processors

We do not sell your personal data. We share data only with third-party service providers who act as data processors on our behalf, subject to data processing agreements that require them to protect your data:

Stripe

Payment processing

Processes all subscription payments. We share your name, email, and billing details. Stripe is PCI DSS Level 1 compliant. We never store your card number.

Stripe Privacy Policy →

Supabase (PostgreSQL)

Database hosting

Stores all your account data, CV content, and documents. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Supabase hosts data in the EU/EEA by default.

Supabase Privacy Policy →

Resend

Transactional email

Sends transactional emails (account verification, password resets, receipts, subscription reminders). We share your name and email address. Resend does not use your data for advertising.

Resend Privacy Policy →

Anthropic (Claude API)

AI features

Powers AI features including job matching and content suggestions. Relevant CV content may be sent to the Claude API when you use AI features. Anthropic contractually agrees not to use API data to train its models.

Anthropic Privacy Policy →

Google (OAuth)

Authentication (optional)

If you choose to sign in with Google, we receive your name, email address, and profile photo from Google. We do not receive your Google password. This integration is optional — you may register with email instead.

Google Privacy Policy →

We may also disclose your personal data to law enforcement or regulatory authorities where required by law, or to protect the rights, property, or safety of Onestopcv, our users, or others.

6. International Data Transfers

Some of our third-party processors (including Stripe and Anthropic) are based in the United States. When we transfer your personal data to the US or other countries outside the UK/EEA, we ensure appropriate safeguards are in place:

  • Adequacy decisions issued by the UK government (where applicable)
  • UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs) adapted for UK use
  • UK-US Data Bridge (for US processors that are certified under the bridge programme)

You may request a copy of the relevant transfer mechanism for any specific processor by contacting us at privacy@cvprouk.com.

7. Data Retention

We retain your personal data for the following periods:

Data Type | Retention Period
Account and profile data | Duration of account + 30 days after deletion request
CV and document content | Duration of account + 30 days after deletion request
Payment and billing records | 7 years (UK tax law requirement)
Support communications | 3 years from last interaction
Anonymised analytics data | Indefinitely (cannot be linked to you)
Security and access logs | 90 days

When you delete your account, we begin the deletion process immediately. Most data is removed within 30 days, except where retention is required by law (e.g., financial records).

8. Your Rights Under UK GDPR

Under the UK GDPR and Data Protection Act 2018, you have the following rights:

Right of Access

You have the right to obtain a copy of the personal data we hold about you (a Subject Access Request). We will respond within one calendar month.

Right to Rectification

You have the right to have inaccurate personal data corrected. You can update most of your data directly in Account Settings.

Right to Erasure ('Right to be Forgotten')

You have the right to request deletion of your personal data where there is no legitimate reason for us to continue processing it. Note that some data may be retained to comply with legal obligations.

Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON or CSV) and to transfer it to another controller.

Right to Object

You have the right to object to processing based on legitimate interests or direct marketing. We will cease processing unless we can demonstrate compelling legitimate grounds.

Right to Restriction of Processing

You have the right to request that we restrict processing of your data in certain circumstances (e.g., while a dispute about accuracy is resolved).

Right to Withdraw Consent

Where processing is based on your consent (e.g., marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing.

Right to Lodge a Complaint

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK's supervisory authority — at ico.org.uk or by calling 0303 123 1113. We encourage you to contact us first so we can try to resolve your concern directly.

To exercise any of these rights, email us at privacy@cvprouk.com with "Data Rights Request" in the subject line. We will respond within one calendar month. We may need to verify your identity before processing your request.

9. Children's Privacy

Onestopcv is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. Our Terms of Service require users to be at least 16 years old.

If you believe that a child under 16 has provided us with personal data without parental consent, please contact us at privacy@cvprouk.com and we will take steps to delete that data promptly.

10. Security Measures

We implement appropriate technical and organisational measures to protect your personal data:

  • Encryption at rest: All database data is encrypted using AES-256
  • Encryption in transit: All connections use TLS 1.2 or higher (HTTPS enforced)
  • Password security: Passwords are hashed using bcrypt before storage
  • Access control: Database access is restricted by IP allowlist; only authorised personnel have access to production data
  • Authentication: We support secure OAuth2 login and enforce strong session management
  • Backups: Automated daily backups with point-in-time recovery, stored in a separate region
  • Dependency monitoring: We regularly scan for and address security vulnerabilities in our dependencies
  • Incident response: We have a documented data breach response procedure; affected users will be notified within 72 hours where required by law

While we take security seriously, no system is 100% secure. You should use a strong, unique password and enable two-factor authentication where available. If you suspect your account has been compromised, contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Send you an email notification to the address on your account
  • Display an in-app notice

We encourage you to review this policy periodically. Continued use of the Service after changes become effective constitutes your acceptance of the updated policy.

12. Contact & DPO

For any privacy-related questions, requests, or concerns, please contact our Data Protection Officer:

Data Protection Officer — Onestopcv

Email: privacy@cvprouk.com

General support: hello@onestopcv.com

Registered in England and Wales · We aim to respond to all privacy requests within 5 business days

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint or by calling 0303 123 1113.