Privacy Policy
01 Who we are
ERPCV FZE is a Free Zone Establishment registered in the United Arab Emirates and is the data controller responsible for personal data processed through erpcv.com and related services (the “Service”).
ERPCV LLC (United States) is an affiliated entity providing US-presence operations. Both entities operate under this single Privacy Policy.
Privacy contact: hello@erpcv.com
Postal address: Available on request to the email above.
02 Personal data we collect
We only collect data that is necessary to provide the Service. The categories below describe everything we collect and why.
Account data
- Email address (for authentication and transactional email)
- Hashed password (handled by our authentication provider, Supabase; we never see or store the plaintext)
- Account type (consultant or recruiter, chosen at onboarding)
- Optional profile fields you provide later (name, headline, location)
CV and career data (only if you purchase the Career Pack)
- The CV file you upload (PDF or DOCX)
- The extracted text from your CV
- Personal details you provide in the upload form (full name, phone, location, LinkedIn URL, nationality, availability, references)
- The job description you optionally paste for tailoring
- Documents generated from your CV (Executive CV, Project Portfolio, Cover Letter, Reference Sheet, LinkedIn messages, Interview prep)
Payment data
- Transaction status, amount, currency, timestamp, and Stripe checkout session ID
- We never see, store, or have access to your card number, CVV, or bank credentials. All card data is handled exclusively by Stripe, a PCI-DSS Level 1 service provider.
Free-tool usage data (ATS Score Checker, Application Tracker)
- CV text submitted for analysis (processed and immediately discarded by our API)
- Application tracker data (job titles, companies, status, notes), stored against your account if logged in, or locally in your browser if not
Technical data
- IP address (used briefly to route requests; not stored beyond standard server logs)
- Browser type and version, operating system, viewport size
- Pages visited on erpcv.com (aggregate, cookieless via Vercel Analytics)
- Strictly necessary cookies (session token, Stripe checkout). See our Cookie Policy.
What we do not collect: we do not knowingly collect data from children under 18, special-category data (health, race, religion, sexual orientation, political opinions, biometric or genetic data), or government-issued identifiers (passport, national ID). Please do not include any of this data in CVs or other content you upload.
03 How we use your data
We process your personal data only for the purposes listed below.
| Purpose | Legal basis (GDPR / UK GDPR) | Lawful processing (DPDP / UAE PDPL) |
|---|---|---|
| Create and maintain your account | Contract (Art. 6(1)(b)) | Consent + necessary for service |
| Generate Career Pack documents from your CV | Contract (Art. 6(1)(b)) | Consent + necessary for service |
| Process payments and refunds | Contract + legal obligation | Necessary for service |
| Deliver transactional email (order confirmation, document delivery) | Contract (Art. 6(1)(b)) | Necessary for service |
| Respond to your support requests | Legitimate interest (Art. 6(1)(f)) | Consent |
| Detect, prevent, and investigate fraud or abuse | Legitimate interest (Art. 6(1)(f)) + legal obligation | Legitimate use |
| Comply with tax, accounting, and legal obligations | Legal obligation (Art. 6(1)(c)) | Legal obligation |
We do not use your CV, generated documents, or any uploaded content to train AI models. We do not sell your personal data to any third party. We do not engage in profiling for advertising or automated decision-making that produces legal or similarly significant effects.
04 Who processes your data (sub-processors)
To operate the Service we use the following sub-processors. Each is bound by a data processing agreement that requires confidentiality, security safeguards, and limited-purpose processing.
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase, Inc. | Database, file storage, authentication | Account data, CVs, generated documents, application tracker | USA / EU regions |
| Stripe Payments | Payment processing | Email, transaction metadata (no card data is ever sent to us) | Ireland (EU users), USA (US users) |
| Anthropic, PBC | AI text generation (Claude) | CV text, profile structure, job description (for the duration of the API call only) | USA |
| Resend | Transactional email delivery | Email address, document attachments | USA |
| Vercel, Inc. | Web hosting, CDN, cookieless analytics | IP, user agent, requested URLs (aggregate) | Global (auto-routed) |
| Cal.com | Consultation booking embed | Email, time-slot selection (only when you book) | USA |
Anthropic explicitly commits not to train its models on data submitted via its API. Stripe is PCI-DSS Level 1 certified. Supabase, Vercel, and Resend each maintain SOC 2 Type II reports.
05 International transfers
When you use ERPCV, your personal data may be transferred to and processed in jurisdictions outside your country of residence, including the United States, the European Union, and the United Arab Emirates, where our sub-processors operate.
For users in the EU/EEA and United Kingdom
Where personal data is transferred outside the EU/EEA or UK to a country without a European Commission adequacy decision (such as the United States), we rely on the European Commission's Standard Contractual Clauses (SCCs) (and the UK International Data Transfer Addendum where applicable) executed with each sub-processor, supplemented by technical and organizational measures including encryption in transit (TLS 1.2+) and at rest.
For users in India
Under the Digital Personal Data Protection Act 2023, personal data may be transferred outside India unless the country is on a restricted list issued by the Indian Government. As of the effective date of this policy, no such restrictions apply to our sub-processor locations.
For users in the UAE
Under Federal Decree-Law No. 45 of 2021 (UAE PDPL), cross-border transfers are permitted to jurisdictions that ensure an adequate level of protection or under appropriate contractual safeguards. Our SCCs satisfy this requirement.
06 How long we keep your data
| Data type | Retention period |
|---|---|
| Uploaded CV file (raw PDF/DOCX) | Deleted immediately after text extraction completes (typically within 60 seconds) |
| Extracted CV text + profile JSON | Kept while your account is active to enable re-delivery of your Career Pack |
| Generated documents (CV, Portfolio, etc.) | Available for download from your account for 12 months from delivery |
| Account data (email, account type) | Kept while your account is active. Deleted within 30 days of account deletion request, except where retention is required by law. |
| Payment/order records | Retained for 7 years for tax and accounting compliance (UAE Federal Tax Authority and US IRS requirements) |
| Free-tool ATS submissions | Not retained. Processed in-memory and discarded after the response is returned. |
| Application tracker | Retained while your account exists; deleted with account deletion |
| Email logs (Resend) | 30 days for delivery troubleshooting |
| Server access logs (Vercel) | Typically 30 days, then aggregated |
07 Your rights
Depending on where you live, you have the rights described below. To exercise any of them, email hello@erpcv.com from the email address associated with your account. We will verify your identity and respond within the statutory timeframes (30 days under GDPR/UK GDPR, 30 days under DPDP, 45 days under CCPA, 30 days under UAE PDPL).
EU/EEA and United Kingdom (GDPR / UK GDPR)
- Access: request a copy of the personal data we hold about you
- Rectification: correct inaccurate or incomplete data
- Erasure (“right to be forgotten”): request deletion
- Restriction: limit how we process your data
- Portability: receive your data in a structured, commonly used format
- Object: to processing based on legitimate interests
- Withdraw consent: where processing is based on consent, with no effect on prior processing
- Complain: to your local data protection authority. In the UK this is the ICO (ico.org.uk). In other EU countries, see edpb.europa.eu.
India (DPDP Act 2023)
- Right to information about personal data processing
- Right to correction and erasure of personal data
- Right of grievance redressal: contact us first; if unresolved, escalate to the Data Protection Board of India
- Right to nominate another person to exercise your rights in the event of death or incapacity
United States: California (CCPA / CPRA)
- Right to know what personal information we collect, use, disclose, and sell (we do not sell)
- Right to delete personal information we collected from you
- Right to correct inaccurate personal information
- Right to opt-out of sale or sharing: we do not sell or share your personal information for cross-context behavioral advertising, so this right is satisfied by default
- Right to limit use of sensitive personal information: we do not collect sensitive personal information as defined by CPRA
- Right to non-discrimination for exercising these rights
Similar rights apply to residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA). Exercise them the same way.
United Arab Emirates (PDPL)
- Right to access personal data held about you
- Right to rectification and erasure
- Right to restrict or object to processing
- Right to data portability
- Right to complain to the UAE Data Office
08 How we protect your data
- All data is encrypted in transit using TLS 1.2 or higher
- Data at rest in Supabase is encrypted using AES-256
- Access to production systems is restricted to authorized personnel with multi-factor authentication
- Passwords are hashed using industry-standard algorithms (we never see plaintext)
- Payment data never touches our servers. Stripe handles all card processing
- We follow secure development practices including dependency scanning and security review of code changes
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by law (GDPR Art. 33) and notify affected users without undue delay where the breach is likely to result in high risk.
10 Children
ERPCV is a professional service intended for adults aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact hello@erpcv.com and we will delete it promptly.
11 Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top of the page reflects the most recent revision. For material changes that affect your rights, we will notify you by email at least 30 days before the change takes effect, or via a prominent notice on erpcv.com.
Continued use of the Service after a change becomes effective constitutes acceptance of the updated policy.
12 Contact us
For any question or request related to this Privacy Policy or your personal data, contact us at hello@erpcv.com.
Controller: ERPCV FZE, United Arab Emirates
Affiliated entity: ERPCV LLC, United States
Privacy contact: hello@erpcv.com
ERPCV FZE · United Arab Emirates · v1.0