Privacy Policy — CVShortlist

Last updated: 22 March 2026 · CVShortlist · Effective immediately

Plain English summary: We process your CV and job descriptions through Claude AI in real time — we never store them. Your account and billing are handled by Outseta and Stripe. We collect anonymised, cookie-free analytics to understand how the site is used. If you arrived via an affiliate link, we record that for attribution. No advertising. No data selling. No cookie banner needed.

Contents

Who We Are
What Data We Collect
How We Use Your Data
Legal Basis for Processing
Third-Party Processors
Data Retention
International Transfers
Your Rights
Cookies and Local Storage
Analytics
Affiliate Tracking
Children's Privacy
Changes to This Policy
Contact Us

1. Who We Are

CVShortlist ("we", "us", "our") is an AI-powered CV tailoring service operated as a sole trader business based in the United Kingdom. We can be contacted at support@cvshortlist.com.

For the purposes of UK GDPR and the Data Protection Act 2018, we are the data controller for the personal data described in this policy.

2. What Data We Collect

Data you provide directly

Data	Why we collect it	Stored where
Name and email address	Account creation and login	Outseta (our auth and billing provider)
Payment information	Processing your subscription	Stripe via Outseta — we never see card details
CV / resume content	AI tailoring — processed in real time	Not stored — sent to AI and discarded immediately
Job descriptions	AI tailoring — processed in real time	Not stored — sent to AI and discarded immediately
Target country and preferences	Tailoring settings for your session	Not stored beyond the session

Data collected automatically

Data	Why	Where
IP address (hashed)	Rate limiting and abuse prevention	Hashed with a rotating daily salt on our server; original IP never stored; deleted after 1 hour
Anonymised analytics data	Understanding how the site is used	Our server (Hostinger) — see Section 10
Affiliate referral source	Attributing signups to affiliate partners	Your browser localStorage (60 days) and Outseta account record — see Section 11
Credit usage count	Enforcing your monthly plan limit	Your browser's localStorage only — we cannot access this
Session token	Keeping you logged in	Your browser's sessionStorage — cleared when you close the tab

3. How We Use Your Data

We use your data only for the following purposes:

Providing the service: Passing your CV and job description to the Claude AI API (operated by Anthropic, Inc.) to produce a tailored CV. This data is transmitted securely over HTTPS and is not retained by us or Anthropic after processing.
Account management: Creating and managing your account and subscription via Outseta.
Billing: Processing payments via Stripe through Outseta.
Security and abuse prevention: Rate limiting API requests using a hashed, non-reversible IP address.
Analytics: Understanding how visitors use the site using anonymised, aggregated data with no cookies and no personal identifiers.
Affiliate attribution: Recording which affiliate partner referred you so we can fairly attribute signups to our partners.
Customer support: Responding to your emails at support@cvshortlist.com.

We do not use your data for advertising, profiling, automated decision-making with legal effects, or any purpose not listed above.

4. Legal Basis for Processing

Processing activity	Legal basis (UK GDPR)
Account creation and management	Contract — necessary to provide the service you signed up for
Payment processing	Contract — necessary to fulfil your subscription
Processing your CV through AI	Contract — the core service you requested
Security and abuse prevention (rate limiting)	Legitimate interests — preventing abuse and protecting service availability for all users
Anonymised analytics	Legitimate interests — understanding usage patterns to improve the service; no personal data is stored
Affiliate attribution (UTM fields)	Legitimate interests — fairly attributing referrals to affiliate partners; data is limited to campaign name only
Customer support emails	Legitimate interests — responding to your queries and resolving issues

5. Third-Party Processors

We use the following third-party services that may process personal data on our behalf:

Provider	Purpose	Location	Privacy policy
Outseta	Authentication, account management, and billing	United States	outseta.com/legal/privacy
Stripe	Payment processing (via Outseta)	United States	stripe.com/gb/privacy
Anthropic, Inc.	AI processing of CV and job description text	United States	anthropic.com/privacy
Hostinger	Web hosting and server infrastructure	European Union	hostinger.com/privacy-policy
Google Fonts	Serving web fonts (your IP is sent to Google on page load)	United States	policies.google.com/privacy

We do not sell, rent, or share your personal data with any other third parties for their own purposes.

6. Data Retention

Data	Retention period
Account data (name, email)	Until you delete your account, then 30 days before permanent deletion
Payment records	7 years — required by UK tax and accounting law
CV and job description content	Not retained — discarded immediately after AI processing
Hashed IP (rate limiting)	Maximum 1 hour, then automatically deleted
Anonymised analytics data	Aggregated monthly data retained for 24 months; no individual records
Affiliate referral data (UTM fields)	Retained on your Outseta account record for the duration of your account
Support email correspondence	2 years from last contact

7. International Transfers

Some of our third-party processors are based in the United States. Transfers to the US are protected by Standard Contractual Clauses (SCCs) or equivalent mechanisms under UK GDPR. Specifically:

Outseta and Stripe operate under SCCs approved by the UK Information Commissioner's Office.
Anthropic processes CV data under its API terms, which include appropriate data processing agreements.

Your CV content is transmitted to Anthropic's US servers for processing and is not retained there after the response is generated.

8. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right of access: You can request a copy of the personal data we hold about you.
Right to rectification: You can ask us to correct inaccurate data.
Right to erasure: You can ask us to delete your personal data, subject to legal retention obligations.
Right to restriction: You can ask us to restrict processing of your data in certain circumstances.
Right to data portability: You can request your data in a machine-readable format.
Right to object: You can object to processing based on legitimate interests.
Right to withdraw consent: Where we rely on consent as a legal basis (we do not currently do so, but include this right for completeness), you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at support@cvshortlist.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

9. Cookies and Local Storage

We do not use advertising or tracking cookies. We do not display a cookie banner because no consent-requiring cookies are set. We use the following browser storage for functional purposes only:

Storage key	Purpose	Expiry
cvb_used_v2_{uid}	Counting your monthly credit usage	Resets each calendar month automatically
cvb_token	Keeping you logged in during your session	Cleared when you close your browser tab
cvb_cookie_ok	Remembering that you dismissed the notice banner	Persistent until you clear browser data
cvb_tip_dismissed	Remembering that you dismissed the onboarding tip	Persistent until you clear browser data
cvs_ref	Storing affiliate referral source for attribution (see Section 11)	60 days, then automatically removed
o-snippet.utm	Storing UTM parameters at first visit for signup attribution	Persistent until you clear browser data or sign up
cvs_click_logged_{ref}	Preventing duplicate affiliate click counts within the same browser session	Cleared when you close your browser tab
cvs_restore	Temporarily saving your CV session before a payment redirect so it can be restored	Cleared immediately after restore or on logout

You can clear any of these at any time through your browser's developer tools or by clearing your browser data. Doing so will not affect your account but may reset your usage counter display.

10. Analytics

We operate our own privacy-first analytics system to understand how the site is used. This system is designed to comply with UK GDPR without requiring a cookie banner or user consent.

What we collect

Pages visited and approximate time of visit
Traffic source (e.g. direct, search engine, social media, affiliate link)
Country of visitor (derived from IP address — see below)
Device type (mobile, tablet, or desktop — derived from User-Agent)
Browser type (derived from User-Agent)

What we do not collect

We do not store IP addresses. The IP address is used only to derive your country, then immediately discarded.
We do not set cookies for analytics.
We do not track you across sessions or across websites.
We do not create individual user profiles.
We do not share analytics data with any third party.

How we anonymise data

Where a temporary identifier is needed to count unique visitors within a single day, we create a one-way hash using your IP address combined with a secret salt that rotates every 24 hours. This hash cannot be reversed to identify you, and it cannot be linked to you on any subsequent day. All analytics data is stored in aggregated form only — we store counts, not individual records.

Our legal basis for this processing is legitimate interests (Article 6(1)(f) UK GDPR). We have assessed that this interest is not overridden by your privacy rights because: (a) no personal data is retained; (b) no cookies are used; (c) the data cannot identify you; and (d) the processing is limited to understanding aggregate usage patterns to improve the service.

11. Affiliate Tracking

CVShortlist works with affiliate partners who refer visitors to our site using unique links (for example, cvshortlist.com?ref=partner). When you arrive via one of these links, we record the referral for attribution purposes.

What we record

The affiliate campaign name (e.g. "star" or "ade") — this is stored in your browser's localStorage for up to 60 days
If you create an account, the campaign name is stored as a field on your Outseta account record (UtmSource, UtmMedium, UtmCampaign)
Click counts are logged server-side in aggregated, non-personal files — one click per browser session per affiliate link

What we do not record

We do not record your identity in connection with affiliate clicks — clicks are counted anonymously
We do not share your personal data with affiliate partners — they see only aggregate counts and conversion numbers
Affiliate partners cannot access your account, CV content, or any personal data

Our legal basis for affiliate attribution is legitimate interests (Article 6(1)(f) UK GDPR) — specifically, the fair operation of our affiliate programme and correctly attributing referrals to partners.

12. Children's Privacy

CVShortlist is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us at support@cvshortlist.com and we will delete it promptly.

13. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices or in applicable law. When we make material changes, we will update the "last updated" date at the top of this page. We encourage you to review this policy periodically.

Continued use of CVShortlist after a policy update constitutes your acknowledgement of the updated terms.

14. Contact Us

If you have any questions about this privacy policy or how we handle your data, please contact us:

Email: support@cvshortlist.com
Response time: We aim to respond within 5 business days and will always respond within 30 days as required by UK GDPR.
ICO complaints: If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113.