SyncCV

Privacy Policy

Effective date: 28 May 2026

1. Overview

This Privacy Policy explains how SyncCV collects, uses, stores, shares, protects, and deletes personal data when you use synccv.store and the SyncCV service.

SyncCV is designed as a privacy-focused AI CV generation service. It redacts detected common personal identifiers before AI processing and gives users a preview of redacted text before syncing. These safeguards reduce privacy risk but cannot guarantee that every item of personal data will be detected in every document.

We process personal data in accordance with applicable UK data protection law, including the UK GDPR, the Data Protection Act 2018, and, where relevant, the Privacy and Electronic Communications Regulations.

2. Controller and Contact

For the personal data processed through SyncCV, the SyncCV owner/operator is the controller unless expressly stated otherwise. For payment data processed directly by Stripe, Stripe may act as an independent controller for parts of its payment and fraud-prevention processing.

Privacy questions, data rights requests, security concerns, and general support requests should be submitted through the SyncCV contact page so they can be routed and tracked.

3. Personal Data We Collect

  • Account data: name, email address, authentication identifiers, account settings, plan status, credits, and billing status.
  • Document data: CVs, job descriptions, extracted text, redacted text, generated CV outputs, match scores, quality checks, filenames, timestamps, and download format choices.
  • Payment data: Stripe customer ID, subscription ID, plan, payment status, invoices, transaction metadata, promo-code use, and related billing records. We do not store full card details.
  • Technical data: IP address, device and browser information, request logs, session data, security logs, error logs, analytics events, and cookie consent choices.
  • Support and communications data: messages, contact details, issue descriptions, and records of support interactions.
  • Marketing preference data: consent status, unsubscribe choices, and communication preferences where marketing features are used.

4. How We Use Personal Data and Our Lawful Bases

  • To create and manage your account: performance of contract and legitimate interests.
  • To upload, extract, redact, preview, process, generate, store, and download CV outputs: performance of contract.
  • To process payments, subscriptions, invoices, promo codes, refunds, fraud checks, and billing support: performance of contract, legal obligation, and legitimate interests.
  • To secure the service, prevent fraud, investigate misuse, enforce terms, and protect users: legitimate interests and legal obligation.
  • To respond to support requests and service communications: performance of contract and legitimate interests.
  • To improve reliability, usability, redaction quality, and service performance using logs and analytics: legitimate interests, and consent where required for non-essential cookies.
  • To comply with legal, tax, accounting, regulatory, court, or law-enforcement obligations: legal obligation.

5. CV Redaction and AI Processing

When you upload a CV or job description, SyncCV extracts text from the file, applies automated redaction checks, stores the redacted text, and may show you a preview of the text that will be used for AI processing.

Current redaction is designed to identify common categories such as names that appear in likely CV headers or explicit name fields, email addresses, UK and international-style phone numbers, address-like lines, UK postcodes, and related contact details.

Redaction is automated and heuristic. It may miss unusual formatting, uncommon identifiers, scanned document artefacts, names embedded in narrative text, or information that does not match detectable patterns. You should use the preview before syncing and replace the file if the preview includes information you do not want processed.

After redaction, SyncCV may send redacted document text and job-description text to AI providers such as Google Gemini to generate role-aligned CV content and analysis. We do not intentionally send raw source files to AI providers for generation.

Generated outputs may still contain information inferred from professional context, such as employers, job titles, education, dates, skills, and achievements, because those details are often necessary to produce a useful CV.

6. Automated Decision-Making and AI Outputs

SyncCV does not make hiring, employment, credit, legal, immigration, or similarly significant decisions about you. The service produces draft CV content and supporting analysis for your review.

AI-generated match scores and analysis are decision-support information only. They are not an assessment by an employer and should not be treated as a guarantee of suitability, interview probability, or employment outcome.

You remain responsible for reviewing generated content before using it. If you disagree with an output, you can edit, discard, regenerate, or choose not to use it.

7. Special Category and Sensitive Data

CVs may accidentally contain sensitive information, such as health information, disability information, union membership, ethnicity, religion, criminal-offence information, or other special-category data. SyncCV is not intended for processing unnecessary sensitive data.

You should remove sensitive information from documents before upload unless it is strictly necessary for your use of the service. If you choose to include such data, you are asking us to process it only to provide the service you requested.

8. Sharing Personal Data

We do not sell your CV data. We share personal data only where necessary to operate, secure, improve, or legally protect the service.

  • Cloud hosting, storage, and deployment providers, including Vercel and Firebase/Google Cloud.
  • AI processing providers, including Google Gemini or equivalent providers used to generate CV outputs.
  • Payment providers, including Stripe, for checkout, subscriptions, billing portal access, invoicing, refunds, tax, and fraud prevention.
  • Analytics and consent tools, where enabled and subject to cookie consent requirements.
  • Professional advisers, insurers, auditors, legal representatives, or regulators where necessary.
  • Law-enforcement, courts, public authorities, or third parties where disclosure is required by law or necessary to protect rights, safety, users, or the service.

9. International Transfers

Some service providers may process personal data outside the United Kingdom. Where international transfers occur, we rely on appropriate safeguards such as UK-approved standard contractual clauses, adequacy regulations, provider data-processing terms, or other lawful transfer mechanisms.

10. Retention

  • Account data is kept while your account is active and for a reasonable period afterwards where needed for legal, tax, billing, security, or dispute purposes.
  • Uploaded source files may be removed after processing where Strict Privacy Mode or similar retention controls apply.
  • Redacted extracted text and generated CV outputs may remain in your private vault so you can preview, download, and manage them.
  • Payment and transaction records are retained as needed for accounting, tax, fraud-prevention, chargeback, and legal purposes.
  • Security and audit logs are retained for a limited period appropriate to investigation, legal, and security needs.
  • You may delete documents or request account deletion, subject to records we must keep for legal, billing, security, or legitimate business reasons.

11. Security

We use technical and organisational measures designed to protect personal data, including account-based access controls, server-side ownership checks, encrypted transport, provider-managed encryption at rest, private storage controls, audit logging, and no-store caching for sensitive download responses.

No internet service is completely secure. You are responsible for using a strong password, protecting your login session, and promptly telling us if you suspect account compromise.

12. Cookies, Analytics and PECR

We use strictly necessary cookies and similar technologies to operate the site, authenticate users, remember security settings, and provide requested features.

Where we use non-essential analytics, advertising, or similar technologies, we will seek consent where required by PECR and UK GDPR standards. Consent must be freely given, specific, informed, and capable of being withdrawn.

You can manage cookies through available cookie controls and your browser settings. If you reject non-essential cookies, core service features should still work, but some analytics or preference features may be limited.

13. Your Data Protection Rights

Subject to legal conditions and exemptions, you may have the right to access, correct, erase, restrict, object to processing, request portability, withdraw consent, and complain to the UK Information Commissioner’s Office.

You can exercise rights by using the SyncCV contact page. We may need to verify your identity before actioning a request. We aim to respond within one month unless the request is complex or multiple requests are made.

You also have the right to complain to the ICO at ico.org.uk. We ask that you contact us first where possible so we can try to resolve the issue quickly.

14. Children

SyncCV is not directed at children. Paid services are intended for adults. If we learn that a child has provided personal data without appropriate consent, we may delete the account and associated data.

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in the service, providers, law, regulator guidance, or business operations. Material changes will be notified by updating this page and, where appropriate, by additional notice inside the service.

16. Contact

For privacy questions, data rights requests, security concerns, or general support, use the SyncCV contact page.