Privacy Policy
Last updated: July 1, 2026
This Privacy Policy explains how Daniil Iashin, an individual entrepreneur registered in Georgia ("we", "us") collects, uses and shares personal data when you use SteadyCV (the "Service"). We keep it plain: a resume is personal data by definition, so we treat everything you put into the Service as sensitive and use it only to run the product.
1. Data we collect
Data you provide
- Account data — email address, name (optional), password (stored as a salted hash).
- Resume and cover-letter content — everything you enter or import: work history, education, contact details, photo (if you add one), job descriptions you paste, application notes.
- Feedback — messages you send us through the in-app feedback form or by email.
Data collected automatically
- Usage events — first-party analytics (pages viewed, features used, A/B test assignments) recorded by our own backend. We do not use third-party advertising trackers.
- Technical data — IP address, browser type and device information from server logs, kept for security and debugging.
- Local storage — we store your session token, language preference and an anonymous identifier in your browser's local storage. We do not use advertising cookies.
Payment data
Payments are processed by Paddle.com as Merchant of Record. Your card details go directly to Paddle and never touch our servers. We receive from Paddle only your subscription status, plan and transaction identifiers.
2. How we use your data
- To provide the Service: store and render your resumes, generate exports, track your applications.
- To provide AI features: when you explicitly trigger an AI action, the relevant resume content and job description are sent to our AI provider (see section 4) and the result is returned to you.
- To operate billing, quotas and plan limits.
- To send transactional email (account, billing, product notifications). Marketing email is sent only with your consent and always has an unsubscribe link.
- To improve the product using aggregated, first-party usage analytics.
- To keep the Service secure and prevent abuse.
We do not sell your personal data, share it with advertisers, or use your resume content to train AI models.
3. Legal bases (GDPR)
Where the GDPR applies, we process your data on the basis of: performance of a contract (providing the Service you signed up for), legitimate interests (security, first-party analytics, product improvement), consent (marketing email), and legal obligations (tax and accounting records held by Paddle).
4. Processors we share data with
- Paddle.com Market Ltd — payment processing and tax handling (Merchant of Record).
- Anthropic PBC — AI processing. When you use an AI action, resume text and the job description are sent to the Anthropic API. Per Anthropic's commercial API terms, this data is not used to train models.
- Resend — transactional and (with consent) product email delivery.
- Hosting providers — Railway (application hosting) and Vercel (frontend hosting) run our servers; Neon (PostgreSQL, London, UK) hosts our database.
Each processor receives only the data needed for its function and is bound by a data processing agreement.
5. Retention and deletion
- Your Content is kept while your account is active.
- If you delete your account, we delete your account data and Your Content within 30 days, except records we must keep for legal reasons (billing records are retained by Paddle).
- Server logs are retained for up to 90 days.
- Inactive free accounts may be deleted after prolonged inactivity; we will email you first.
6. Your rights
Depending on your location, you have the right to access, correct, export, restrict or delete your personal data, to object to processing based on legitimate interests, and to withdraw consent at any time. You can exercise most of these directly in the app (edit or delete your resumes, delete your account in Settings) or by emailing us. You also have the right to lodge a complaint with your local data protection authority.
7. International transfers
Our processors may store data outside your country, including in the United States. Where required, transfers are protected by Standard Contractual Clauses or an equivalent safeguard.
8. Security
We use encryption in transit (TLS), hashed passwords, access controls and isolation between users' data. No online service is perfectly secure; if a breach affects your personal data we will notify you and the relevant authority as required by law.
9. Children
The Service is not directed at children under 16 and we do not knowingly collect their data.
10. Changes and contact
We may update this Policy; material changes are announced by email or in-app notice before they take effect. Data controller: Daniil Iashin (Individual Entrepreneur), Georgia.
Privacy questions and requests: [email protected].