RecastCV
Working draft. This is a preliminary version of the privacy policy. Final legal review is pending. If you have questions in the meantime, contact ai@sumletter.com.

Privacy policy

Last updated: 21 April 2026

This policy describes how RecastCV collects, uses, stores, and protects your personal data when you use the RecastCV web application and iOS app. By using RecastCV, you agree to the practices described in this policy.

1. Data we collect

We collect the following categories of personal data:

  • Account data. Your email address, used to create and authenticate your account. We support magic-link sign-in and email/password authentication. We do not collect your name unless you provide it in your profile settings.
  • Master CV. The CV or resume you upload to RecastCV. This is the source document from which all tailored CVs are generated. It may contain your name, address, contact details, work history, qualifications, and any other information you choose to include.
  • Project library. Individual project entries you add to supplement your master CV — outcomes, metrics, case studies, and role details that you want the tailoring engine to draw from.
  • Job application history. The job descriptions you submit for tailoring, the tailored CVs generated for each role, and the application status you assign to each entry in the tracker.
  • Payment data. If you purchase credits, Stripe processes your payment. We receive a Stripe customer ID and a record of the transaction amount. We never receive or store your card number, CVV, or billing address — those remain with Stripe.
  • Usage data. Standard server logs including IP address, browser type, pages visited, and timestamps. These are used for security monitoring and aggregate analytics only.

We do not collect data from third parties, run tracking pixels, or share your data with advertising networks.

2. How we use your data

We use your data solely to provide and improve the RecastCV service:

  • CV tailoring. When you submit a job description for tailoring, your master CV and the job description text are sent to Anthropic's API (Claude) to generate a tailored CV. This is the core function of the product. Your master CV and JD are included in the prompt sent to Anthropic. See Section 4 for details on Anthropic's data handling.
  • Authentication. Your email address is used to authenticate you and to send magic-link sign-in emails.
  • Credit management. We maintain a credit ledger to record purchases and usage. This ledger is append-only and forms part of our audit trail.
  • Product improvement. Aggregate, anonymised usage data (not your CV content) may be used to improve the tailoring engine and the product generally.

We do not sell your data. We do not use your data for advertising. We do not train our own AI models on your CV content.

3. Storage and security

All RecastCV data is stored in Supabase, hosted in the EU region (Frankfurt, Germany). Supabase uses PostgreSQL with row-level security enforced at the database layer. Your data is isolated from other users’ data — our database policies ensure that queries run as your authenticated user can only access rows that belong to your account.

Data is encrypted at rest and in transit. All connections to RecastCV and to our infrastructure providers use TLS. For more technical detail on our security posture, see our security page.

4. Third-party processors

We work with the following sub-processors:

  • Anthropic (Claude API). Your master CV content and job description text are sent to Anthropic to generate tailored CV output. Anthropic does not use inputs from the API to train its models by default. See Anthropic’s privacy policy for details.
  • Supabase. Database, storage, and authentication infrastructure. EU region. See Supabase’s privacy policy.
  • Stripe. Payment processing for credit purchases. Stripe is PCI DSS Level 1 certified. We never see or store your card details. See Stripe’s privacy policy.
  • Vercel. Application hosting and edge network. See Vercel’s privacy policy.

We do not share your data with any other third parties unless required to do so by law.

5. Data retention

We retain your data for as long as your account is active. If you delete your account, we will delete your master CV, project library, tailored CV outputs, and job application history within 30 days. Email addresses and transaction records (credit ledger entries) may be retained for longer where required by law or legitimate financial record-keeping obligations.

Server logs are retained for up to 90 days and then deleted.

6. Cookies and local storage

RecastCV uses cookies solely for session management. We use Supabase’s cookie-based session mechanism to keep you signed in across browser sessions. These are necessary cookies — the service cannot function without them.

We use browser local storage to remember your UI preferences (such as dark mode). No personal data is stored in local storage.

We do not use analytics cookies, advertising cookies, or third-party tracking cookies.

7. Your rights

Subject to applicable law, you have the following rights regarding your personal data:

  • Access. You can view all data we hold about you via your account settings. Your master CV, project library, and application history are visible and downloadable from within the application.
  • Correction. You can update or correct your master CV, project entries, and profile information at any time within the application.
  • Deletion. You can delete individual applications, your project library entries, and your master CV at any time. To delete your account entirely, contact us at ai@sumletter.com. We will confirm deletion within 30 days.
  • Export. Contact us to request a full export of your data in a machine-readable format. We will respond within 30 days.
  • Portability and objection. For users in the EU/UK, you have additional rights under GDPR / UK GDPR including the right to data portability and the right to object to processing. Contact us to exercise these rights.

To exercise any of these rights, contact us at ai@sumletter.com. We will respond within 30 days.

8. Children

RecastCV is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has created an account, contact us at ai@sumletter.com and we will delete the account.

9. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email at the address associated with your account before the changes take effect. The date at the top of this page reflects the most recent update.

10. Contact

If you have questions about this policy or how we handle your data, contact us at ai@sumletter.com.