Privacy Policy

Effective date: 2026-04-23. Last updated: 2026-04-23.

This Privacy Policy explains how Vaibhav Kadam, operating CVCL as a sole proprietor ("we", "us", the "Controller"), collects, uses, and shares information when you use the CVCL service at cvcl.online (the "Service"). It is written to satisfy the requirements of the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and the California Consumer Privacy Act / California Privacy Rights Act ("CCPA / CPRA"). By using the Service you agree to this policy and to our Terms of Service.

1. Who is the Data Controller?

Vaibhav Kadam, sole proprietor, with a registered address at Bank Colony Street, Vita - 415311, Maharashtra, India, is the data controller for personal data processed through the Service. You can contact us about anything in this policy at vaibhav.kadam@cvcl.app.

2. What we collect, and the lawful basis for it

Under GDPR every category of personal data must have a lawful basis (Art. 6, and Art. 9 for special categories). Here is ours:

Category	Examples	Lawful basis (GDPR Art. 6)
Account data	Email, password hash (bcrypt), display name, Google profile photo URL when you sign in with Google.	Contract (b), needed to provide the Service.
CV / resume content	The files you upload, parsed JSON, edits made in the editor, generated tailored CV + cover letter PDFs / DOCX.	Contract (b), this is the Service.
Job descriptions you paste	Free-text JD, company name, role, location, and job-scanner search criteria.	Contract (b).
Voice recordings + transcripts (mock interview)	Audio of your interview session and the bot's responses, the speech-to-text transcript, and the LLM feedback document derived from it.	Contract (b) + your consent (a) at the point you click "Start mock interview". You may delete the recording at any time from the session page.
Payment metadata	Razorpay payment ID, amount, currency, status. We never see your card or bank details.	Legal obligation (c), accounting / tax records.
Usage logs	IP address, user-agent, request paths, timestamps, generation cost / token counts.	Legitimate interests (f), security, abuse prevention, debugging, capacity planning.

We do not knowingly collect special categories of personal data (Art. 9 GDPR, health, religion, political opinions, etc.). If your CV happens to mention such data, we process it only insofar as needed to render your CV.

We do not train machine-learning models on your content. We do not sell or rent your personal data to anyone.

3. How we use your data

Operate the Service, parse your CV, score it against JDs, generate tailored documents, render PDFs, deliver downloads, run mock interviews, scan job boards.
Authenticate you, keep your credit balance accurate, and prevent abuse.
Send transactional email, account verification, password resets, payment receipts. We do not send marketing email without your separate opt-in.
Improve reliability, fix bugs, and plan capacity (using aggregated / anonymized data where possible).
Comply with legal obligations and respond to lawful requests from authorities.

4. Sub-processors

We use a small, stable set of third-party processors. Each is bound by a Data Processing Agreement under Art. 28 GDPR.

Processor	Purpose	Region	Privacy policy
OpenAI	LLM generation + scoring + mock-interview brain. We send the relevant portions of your CV and the JD; OpenAI states API traffic is not used to train its models.	USA	openai.com
ElevenLabs	Real-time text-to-speech for the interviewer voice. They receive the bot's text output (not your audio).	USA	elevenlabs.io
Deepgram	Speech-to-text transcription of your mock-interview audio.	USA	deepgram.com
Razorpay	Payment processing (and KYC where required). We never see your card / bank details.	India	razorpay.com
SendGrid (Twilio)	Email delivery, verification, password reset, receipts. Receives your email address and the email body.	USA	twilio.com
Google	Sign-in (if you use Google login). Shares your email, name, profile picture with us.	USA	google.com
Cloudflare (Turnstile)	Anti-bot challenge on signup / demo. Receives your IP and a behavioral signal; not used for advertising.	USA / global edge	cloudflare.com
DigitalOcean	Hosts the application servers, Postgres database, and Spaces object storage (CV files + mock-interview audio recordings).	EU + USA	digitalocean.com

5. International transfers

Our application servers, Postgres database, and object storage all run in DigitalOcean's Frankfurt (Germany) region, inside the EEA. Several sub-processors listed in Section 4 (notably OpenAI, Stripe, Deepgram, ElevenLabs, SendGrid) operate from the United States. For transfers outside the EEA we rely on the European Commission's Standard Contractual Clauses (where the recipient is in a country without an adequacy decision), supplemented by the technical and organisational measures described in Section 8 (Security).

6. Data retention

Account: kept until you delete it from the Account page or email us.
Resumes, JDs, generated artifacts: kept until you delete them individually, or auto-removed with the parent resume when you delete it.
Mock-interview audio + transcripts: kept until you delete the session, or 60 days after the session ends - whichever comes first.
Job-scanner results: hard-purged 60 days after the scan, regardless of account state.
Credit + payment records: retained for 7 years to meet accounting / tax obligations, in anonymized form where the law permits.
Server logs: 30 days, then discarded.

7. Your rights

If you are in the EEA, UK, or Switzerland (GDPR)

You have the right to:

Access (Art. 15), request a copy of the personal data we hold about you.
Rectification (Art. 16), ask us to fix inaccurate data.
Erasure / "Right to be forgotten" (Art. 17) , ask us to delete your data. You can do this yourself from the Account page.
Restriction (Art. 18), ask us to limit processing while a dispute is resolved.
Portability (Art. 20), request a machine-readable export of your data.
Objection (Art. 21), object to processing based on our legitimate interests.
Withdraw consent (Art. 7), where we relied on your consent (e.g. mock-interview recording), you can withdraw it without affecting the lawfulness of past processing.
Lodge a complaint with your local supervisory authority. A list of EU DPAs is at edpb.europa.eu; the UK ICO is at ico.org.uk.

If you are a California resident (CCPA / CPRA)

You have the right to:

Know what personal information we collect, the purposes, and the categories disclosed (see Section 2 + 4 above).
Delete your personal information, subject to exceptions (e.g. records we must keep for tax law).
Correct inaccurate personal information.
Opt-out of sale or sharing. We do not sell or share your personal information for cross-context behavioral advertising. You have nothing to opt out of, but you can still ask us to confirm this in writing.
Limit use of sensitive personal information. The only data we treat as sensitive is your mock-interview voice recording; we use it solely to generate your feedback and never for inferences about you.
Non-discrimination, exercising any of these rights will not affect your access to the Service or pricing.

To exercise any right, email vaibhav.kadam@cvcl.app. We respond within 30 days (GDPR) / 45 days (CCPA), and may verify your identity via the email on your account before acting on the request.

8. Security

We encrypt traffic with TLS. Passwords are stored as bcrypt hashes, never plaintext. Payment secrets stay inside Razorpay's vault. Session tokens are short-lived JWTs. Access to the production database and object storage is restricted to authorised engineers and audited. No system is perfectly secure; if we become aware of a breach affecting your data we will notify you and the relevant supervisory authorities within 72 hours of discovery (Art. 33 / 34 GDPR).

9. Cookies and similar storage

See our dedicated Cookie Policy for the full inventory and how to change your choice.

10. Automated decision-making

We use AI to score how well your CV matches a JD and to rewrite bullets in the JD's vocabulary. These scores and rewrites are recommendations, they have no legal effect on you and they do not gate access to anything outside the Service. You always see the output before deciding what to do with it.

11. Children

The Service is not intended for people under 18 and we do not knowingly collect personal data from minors. If you believe a minor has used the Service, email us and we will delete the account.

12. Changes to this policy

We may update this policy. Material changes will be announced via email to the address on your account at least 14 days before they take effect, and the Cookie banner will re-prompt for any new processing that requires consent. The "last updated" date at the top of this page always reflects the current version.

13. Contact

Privacy questions, data-subject requests, breach reports: vaibhav.kadam@cvcl.app.

Vaibhav Kadam · Bank Colony Street, Vita - 415311, Maharashtra, India