Privacy Policy

AskCV LLC (“Company,” “we,” “us,” or “our”) operates the AskCV platform at https://askcv.ai (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect your personal information.

We are committed to protecting your privacy and complying with applicable data protection laws, including the California Consumer Privacy Act (CCPA) and, where applicable, the General Data Protection Regulation (GDPR).

2.1 Information You Provide

• Account Information — Email, name, username, password (bcrypt-hashed), profile photo. Used for account creation, authentication, and identifying your public profile.
• Authentication Credentials — WebAuthn/passkey public keys, TOTP seeds (when enabled), OAuth identifiers from Google, GitHub, LinkedIn, or Apple if you sign in with them.
• Resume Data — Work history, education, skills, certifications, projects, social links, location. Core service functionality.
• Knowledge Base Content — Custom entries you write or import, and committed practice-interview answers with STAR analysis. Powers the AI chat, fit analysis, and coverage scoring.
• Voice Recordings and Transcripts — If you use voice input for practice interviews or coaching, your spoken audio is streamed to Google Gemini Live for transcription and coaching. We store the resulting transcript attached to the session; the raw audio is not retained after the session ends.
• Interview and Coaching Data — Practice-session questions, your answers, real-time STAR scores, coaching feedback, rewrite suggestions, and journal entries.
• Job Pipeline Data — Job postings you save, application status, cover letters you generate, fit-analysis results, and target roles.
• Support Interactions — Messages you send to the AI support assistant at /support, support tickets you file, thread replies, attachments, and CSAT ratings.
• Visitor and Contact Data — Contact-form submissions and chat messages from visitors to your public resume page. This data is visible to you in your Contacts dashboard and to us as the service operator.
• Integration Tokens — OAuth access and refresh tokens for services you connect (e.g. Google Calendar, Gmail). Tokens are AES-256-GCM encrypted at rest with a key scoped to the tier.
• Payment Information — Billing details are collected and processed directly by Stripe. We never see or store your full card number; we store only the Stripe customer ID, subscription status, and last-4 / brand metadata Stripe returns.
• Communications — Support emails, feedback form submissions, bug reports. Used for customer support and product improvement.

2.2 Information Collected Automatically

• Usage Data — Pages visited, features used, session duration, AI credit consumption. Used for service improvement, billing, and abuse detection.
• Device Information — Browser type, OS, screen resolution, user-agent string. Compatibility and debugging.
• Log Data — IP address, timestamps, request URLs, referrer. Security, abuse prevention, and analytics.
• Error and Diagnostic Data — Stack traces, request metadata, and session context captured by our error monitoring provider (Sentry) when something crashes. Used to fix bugs and improve reliability.
• Public Page Analytics — For visitors to your public resume page: time on page, scroll depth, click events, inferred geographic region (from IP), and referring source. Feeds your analytics dashboard and lead-scoring.
• Cookies — Session and preference cookies (see §9). We do not use advertising or cross-site tracking cookies.

2.3 Information from Third Parties

• AI Providers (via Vercel AI Gateway) — Generated text and voice responses routed through OpenAI, Google Gemini, and Anthropic Claude. Used for chat, coaching, analysis, and support.
• OAuth Identity Providers — If you sign in with Google, GitHub, LinkedIn, or Apple, we receive your email, name, profile picture, and a stable provider identifier.
• Stripe — Payment confirmation, subscription status, invoice history, failed-payment events. Billing management.
• Connected Integrations — If you connect Google Calendar or Gmail, we receive event metadata and email metadata scoped to the permissions you grant. We store only what is necessary for the feature you enabled.

We use your information to:

1. Provide the Service — Display your resume, power the AI chatbot, and track analytics.
2. Process Payments — Bill subscriptions and track usage.
3. Improve the Service — Analyze usage patterns, fix bugs, develop features.
4. Communicate — Send account notifications, respond to support requests.
5. Security — Detect fraud, prevent abuse, enforce terms.
6. Legal Compliance — Meet tax, regulatory, and legal obligations.

4.1 How AI Processes Your Data

AskCV uses AI to power practice interviews with STAR coaching, the public chat widget on your resume page, voice coaching, fit analysis, cover letter generation, knowledge imports, and the AI support assistant at /support. The general flow is the same across all features:

1. Your input (text, voice, or a request) arrives at our backend.
2. Relevant context is assembled — for chat and coaching, via retrieval-augmented generation (RAG) over your knowledge base using pgvector similarity search; for support, via RAG over our published support articles.
3. The prompt and the retrieved context are sent to an AI provider through the Vercel AI Gateway, our routing and observability layer.
4. The AI generates a response that is streamed back to you. For voice coaching, audio is handled end-to-end by Google Gemini Live.

4.2 AI Providers

All text AI is routed through the Vercel AI Gateway (operated by Vercel Inc.), which proxies requests to the underlying model providers listed below. The Gateway enforces our OIDC authentication and does not retain prompts or completions for training.

• OpenAI — Chat, analysis, and routing models. Privacy Policy
• Google (Gemini) — Chat, analysis, embeddings, and voice coaching (Gemini Live). Terms
• Anthropic (Claude) — Public chat responses and deep analysis. Privacy Policy
• Vercel Inc. — Vercel AI Gateway (routing, authentication, and usage metering). Privacy Policy

4.3 AI Data Commitments

• We do not use your data to train AI models, and we contractually require providers to honour zero-retention or API-tier terms where available.
• AI providers process data under their API terms (not consumer terms). API terms forbid training on inputs by default.
• We do not share your full resume or knowledge base in any single prompt — only the specific snippets retrieved by RAG for the current request.
• Chat conversations, interview transcripts, and support conversations are stored in your account so you can review them, and can be deleted by you at any time.
• Voice audio is streamed in real time and not retained after the session ends; we keep the resulting transcript only.

We use the following third parties to operate the Service. Each processes only the minimum data needed for its stated purpose. This list is updated as we add or remove vendors.

• Vercel Inc. (United States) — Application hosting, edge delivery, Fluid Compute runtime, Vercel AI Gateway, Vercel Blob storage (profile photos and document uploads), marketplace integrations.
• Neon, Inc. (United States) — Managed PostgreSQL database with pgvector for the knowledge base and all application state.
• Stripe, Inc. (United States) — Payment processing, subscription management, Stripe Customer Portal for self-service billing, invoice and tax compliance.
• Resend (United States) — Transactional email delivery (verification, password reset, notifications, support replies, nurture sequences).
• Upstash, Inc. (United States) — Redis cache for rate limiting, model preference caching, and ephemeral session state.
• Sentry (Functional Software, Inc., United States) — Error monitoring, performance tracing, and session replay (scrubbed of PII by default).
• OpenAI, Google, Anthropic — AI model providers routed through Vercel AI Gateway (see §4.2).
• Google LLC — Calendar and Gmail integration APIs, if you connect them; Gemini Live for voice coaching.
• GitHub, Inc. — Repository import and OAuth sign-in, if you enable them.
• LinkedIn Corporation — OAuth sign-in, if you enable it.

We enter into data processing agreements (DPAs) with subprocessors that handle personal data. We will provide 30 days' notice before adding a new subprocessor that materially changes how your data is processed.

We do not sell your personal information and we do not share it for cross-context behavioural advertising. We share data only as follows:

• Subprocessors (listed in §5) — Each receives only the data necessary to perform its stated function.
• Public Profile Pages — Anything you choose to publish to your public URL (askcv.ai/u/your-username) is, by design, public. You control what is published and can unpublish at any time.
• Shareable Links — When you share a link, the recruiter or visitor on the other end sees whatever resume version, cover letter, and chat context you bound to that link.
• Legal Compliance — We disclose information when required by subpoena, court order, or other valid legal process, or to protect the safety of users, the public, or AskCV. We will notify you of a legal request unless prohibited from doing so.
• Corporate Transactions — In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the successor entity, subject to the commitments in this Privacy Policy.

• Account data and resume content — Retained for the life of your account, then hard-deleted within 30 days of account deletion.
• Knowledge base and interview data — Retained for the life of your account. You can delete individual entries or sessions at any time.
• Voice transcripts — Stored alongside the interview or coaching session. Raw audio is not retained.
• Public chat sessions — Retained for the life of your account so you can review recruiter conversations; individually deletable.
• Support conversations and tickets — Retained until you archive or delete them, so the AI support assistant has context. Archived tickets stay in the database for admin audit purposes.
• Visitor analytics and Contacts — 12 months for aggregate analytics; individual contact records retained until you delete them.
• Error and diagnostic data (Sentry) — 90 days.
• Server and audit logs — 30 days for access logs; 1 year for security audit logs.
• Payment records — 7 years (tax and legal requirement). Held by Stripe and referenced by Stripe customer ID in our database.

After account deletion, we permanently delete your data within 30 days, except where retention is required by law (e.g. financial records, legal holds).

AskCV takes a defence-in-depth approach. See our dedicated Security page for more detail. Controls include:

• Encryption in transit — TLS 1.3 for all connections. HSTS enabled on all domains.
• Encryption at rest — Managed encryption at the database and object-storage layer. Integration OAuth tokens are additionally encrypted with AES-256-GCM using a key that is unique per environment and never logged.
• Tenant isolation — AskCV is multi-tenant. Every tenant-scoped table carries a tenantId column and every query is filtered through a centralised withTenant() helper to prevent cross-tenant access. PostgreSQL Row-Level Security (RLS) hardening is a planned Phase 2 control and is not yet in place.
• Authentication — Bcrypt password hashing (cost 12), WebAuthn/passkey support, TOTP two-factor authentication, and account lockout after repeated failed attempts. Admin accounts use a separate auth system with mandatory MFA.
• Session security — Random 64-byte session tokens stored as SHA-256 hashes, HttpOnly + Secure + SameSite cookies, per-session IP and user-agent tracking.
• Input validation and anti-abuse — Zod schema validation on every API route, CSRF protection via double-submit cookies, XSS-safe JSON-LD rendering, prompt injection escaping on user-controlled content, and distributed rate limiting.
• Audit logging — Admin actions and security-sensitive tenant actions (login, password change, email change, subscription changes, API key actions) are recorded with actor and before/after state.
• Infrastructure — Serverless execution on Vercel with automatic patching, dependency pinning, and environment-scoped secrets. Staging and production environments are separated with unique keys.

9.1 All Users

You have the right to:

• Access — Request a copy of your personal data.
• Correction — Update inaccurate information.
• Deletion — Request deletion of your account and data.
• Export — Download your data in a portable format.
• Opt-out — Disable analytics tracking.

9.2 California Residents (CCPA)

In addition to the above, California residents have the right to:

• Know — What personal information we collect and how it is used.
• Delete — Request deletion of personal information.
• Non-discrimination — Equal service regardless of exercising privacy rights.
• Opt-out of sale — We do not sell personal information, but you may opt out of any future sale.

To exercise CCPA rights, email privacy@askcv.ai or use account settings.

9.3 EU/EEA Residents (GDPR)

If applicable, EU/EEA residents also have the right to:

• Restrict processing — Limit how we use your data.
• Object — Object to processing based on legitimate interest.
• Portability — Receive data in a machine-readable format.
• Lodge complaint — File a complaint with a supervisory authority.

Legal bases for processing: contract performance, legitimate interest, and consent (where applicable).

10.1 Types of Cookies We Use

• better-auth.session_token — Essential. Authenticates your session (set by Better Auth). HttpOnly, Secure, SameSite=lax. Session duration.
• better-auth.csrf_token — Essential. CSRF protection (double-submit pattern). Session duration.
• theme_preference — Functional. Remembers your dark/light theme choice. 1 year.
• visitor_session — Functional. Anonymously tracks a visitor's session on a public resume page so analytics and chat work without a logged-in user. 30 days.

10.2 Cookie Choices

Essential cookies are required for the Service to function. We do not use advertising cookies, third-party analytics cookies, or cross-site tracking cookies.

The Service is not intended for children under 18. We do not knowingly collect personal information from children. If we learn we have collected such information, we will promptly delete it.

The Service is hosted in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. We rely on standard contractual clauses and other appropriate safeguards for international transfers.

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. The “Last Updated” date at the top indicates when changes were last made.

For privacy questions or to exercise your rights:

AskCV LLC
Los Angeles, CA

Email: privacy@askcv.ai
Website: https://askcv.ai