Privacy Policy

Effective date: 17 June 2025  ·  Last updated: 17 June 2025

1 Who We Are

CV Superstar ("CV Superstar", "we", "our", or "us") is a Chrome extension that helps job seekers optimise their CVs against specific job postings. We are the data controller for the personal data described in this policy.

2 What Data We Collect

2.1 Data You Provide Directly

  • CV content (work history, education, skills, contact details) that you upload or paste
  • Email address and password when you create an account
  • Job descriptions you paste or that are auto-detected from LinkedIn
  • Extra context you optionally add (target roles, salary expectations, certifications)
  • Cover letters generated and saved within the extension

2.2 Data Collected Automatically

  • Usage events such as popup_open, cv_upload, analyze_cv, export_cv, and similar interactions — tracked via Google Analytics 4 (GA4)
  • Anonymous usage counters (number of analyses and upgrades per billing period)
  • Application history you record (company name, job title, ATS scores, applied/interview status, dates)

2.3 Data We Do Not Collect

  • We do not collect payment card data — payments are handled by our payment processor
  • We do not sell your personal data to third parties
  • We do not use your CV content to train AI models

3 How We Use Your Data

We use your data to:

  • Deliver the core service: scoring your CV against job postings and generating upgrade recommendations
  • Store your CV so you do not need to re-upload it on every use
  • Maintain your application history and track your job search pipeline
  • Generate cover letters and company briefs on your request
  • Manage your account, authenticate sessions, and enforce usage limits by subscription tier
  • Improve the extension by understanding aggregate usage patterns via GA4
  • Communicate service updates, security notices, and (with consent) promotional messages

4 Legal Bases for Processing (GDPR)

For users in the EEA, United Kingdom, and Switzerland, we process your data on the following legal bases:

  • Contract performance — to deliver the service you signed up for
  • Legitimate interests — to analyse aggregate usage patterns and improve the product
  • Consent — for optional communications such as marketing emails; withdraw at any time
  • Legal obligation — where required by applicable law

5 Third-Party Services

We share data with the following sub-processors to operate the service:

  • Supabase (EU region) — database and authentication. Stores your account profile, CV, job history, and cover letters.
  • Mistral AI — default AI provider. CV content and job descriptions are sent to Mistral's API for analysis.
  • Anthropic — Premium tier only. CV content and job descriptions are sent to Anthropic's API for Premium subscribers who select it.
  • Google Analytics 4 — anonymous event tracking via Measurement Protocol. No raw CV text is sent.

All sub-processors are required to maintain appropriate security measures and to process data only on our instructions.

6 Data Retention

  • Account and CV data — retained until you delete your account
  • Job analysis history — retained until you delete individual records or your account
  • Analytics events — retained per Google Analytics default settings (14 months)
  • Anonymous usage — stored locally in chrome.storage.local; deleted when you clear extension data or uninstall

To delete your account and all associated data, contact support@cvsuperstar.store.

7 Data Security

We implement appropriate technical and organisational measures including:

  • TLS encryption for all data in transit
  • Supabase row-level security policies restricting data access to the owning user
  • API keys stored in a runtime config file, not hard-coded in the extension
  • Session tokens stored in chrome.storage.local, scoped to the extension

No method of transmission or storage is 100% secure. We will notify you of a data breach as required by applicable law.

8 Your Rights

Depending on your location, you may have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — request deletion of your data (subject to legal obligations)
  • Restriction — ask us to limit processing in certain circumstances
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — at any time, where processing is based on consent

To exercise any of these rights, email support@cvsuperstar.store. We will respond within 30 days.

9 Cookies & Local Storage

The extension does not set browser cookies. It uses chrome.storage.local to persist:

  • Your authentication session token
  • Your saved CV text
  • Anonymous usage counters (before sign-in)

You can clear this data at any time by removing the extension or clearing Chrome's extension storage.

10 Children

CV Superstar is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, contact us and we will delete it promptly.

11 International Transfers

Your data is primarily stored in Supabase's EU region. Where data is transferred outside the EEA (e.g. to AI providers), we rely on Standard Contractual Clauses or equivalent safeguards as permitted under GDPR.

12 Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-extension notice. Continued use of CV Superstar after the effective date of any changes constitutes acceptance of the updated policy.

13 Contact

For privacy questions or to exercise your rights:

📧 support@cvsuperstar.store
We aim to respond to all enquiries within 30 days.