Privacy Policy

Last updated: 2026-01-04

Privacy Policy

Last updated: 2026-01-04

This Privacy Policy applies to the SaaS product CvTailor, accessible at:

https://cvtailor.lhx.app

By accessing or using the service, you acknowledge that you have read and understood this Privacy Policy.

1. Data Controller

The data controller for this service is:

  • Name: Lorys Hamadache – Entrepreneur Individuel (EI)
  • Brand: LHX
  • Contact email: [email protected]

The data controller determines the purposes and means of processing personal data in accordance with the General Data Protection Regulation (GDPR).

2. Scope and Acceptance

This Privacy Policy applies to all users of the service, whether acting as individual consumers (B2C) or professional users (B2B).

Using the service implies acceptance of this Privacy Policy.

If you do not agree with its terms, you must not use the service.

3. Categories of Data Collected

3.1 Account and Identification Data

  • Email address
  • User identifier
  • Authentication credentials (hashed passwords, tokens)

3.2 Usage and Technical Data

  • Pseudonymous identifiers
  • Pages viewed and interaction events
  • Logs and timestamps
  • Device and browser information
  • Error and performance metrics

IP addresses are not stored for analytics purposes.

3.3 User-Provided Content

The service may process content voluntarily submitted by users, including:

  • Text
  • CV data and professional information
  • Uploaded documents
  • Job descriptions, prompts, and inputs related to CV generation

Sensitive Data Notice

Users are strongly discouraged from submitting:

  • Special categories of personal data within the meaning of Article 9 GDPR
  • Any sensitive, confidential, or irrelevant personal data

If such data is voluntarily provided, it is processed solely for the purpose of delivering the requested service.

The publisher does not intentionally collect or process sensitive personal data.

3.4 Billing-Related Data (via Merchant of Record)

When paid features are enabled, the following data may be processed:

  • Subscription or credit status
  • Plan identifiers
  • Transaction references

Payment data such as credit card numbers or banking information is never processed or stored by the publisher and is handled exclusively by the Merchant of Record.

3.5 Ownership of User Content and Generated CVs

All content provided by users, including CV data, job descriptions, and prompts, remains the exclusive property of the user.

All outputs generated by the service, including AI-assisted CV drafts and PDF files, are owned by the user.

The publisher:

  • Does not claim ownership over user content or generated outputs
  • Does not reuse, sell, or exploit user content or generated CVs
  • Processes content solely to deliver the requested service

Users remain solely responsible for the accuracy, legality, and use of the content they submit and generate.

4. Purposes of Processing

Personal data is processed for the following purposes:

  • Provision, operation, and maintenance of the service
  • User authentication and account management
  • Execution of requested features and functionalities
  • Customer support and communications
  • Billing and subscription management (via Merchant of Record)
  • Security, fraud prevention, and abuse detection
  • Product analytics and usage measurement
  • Performance monitoring and service improvement
  • Compliance with legal and regulatory obligations

5. Legal Bases for Processing

Processing is carried out on the following legal bases:

  • Contract performance (Article 6.1.b GDPR)
  • Legal obligation (Article 6.1.c GDPR)
  • Legitimate interest (Article 6.1.f GDPR), notably for security, analytics, and service improvement
  • Consent (Article 6.1.a GDPR), only where explicitly required by applicable law

6. Data Retention

Personal data is retained only for as long as necessary:

  • Account data: retained until account deletion, then archived for a limited legal period
  • Logs and technical data: retained for up to 12 months
  • Analytics data: retained according to configured retention periods
  • User-provided content: retained for the duration necessary to provide the service or until deleted by the user
  • Billing references: retained according to the legal obligations of the Merchant of Record

7. Data Recipients and Processors

To operate the service, the publisher relies on trusted third-party providers acting as data processors:

  • Hosting: Hetzner Online GmbH
  • Database & storage: Supabase Inc.
  • Network & security: Cloudflare, Inc.
  • Payments (Merchant of Record): Polar Software, Inc.
  • Analytics: PostHog (EU cloud)
  • AI model access: OpenRouter

Appropriate Data Processing Agreements (DPAs) are in place with these providers.

8. International Data Transfers

Personal data is primarily processed within the European Union.

Where certain processors may be located outside the EU, transfers are governed by appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions issued by the European Commission

9. AI and Automated Processing

When AI-powered features are used:

  • User-provided content may be transmitted to third-party AI model providers via OpenRouter
  • AI processing is strictly user-initiated
  • No automated decision producing legal or similarly significant effects is performed
  • No profiling or independent reuse of data is conducted

AI processing is limited to delivering the requested functionality.

10. Cookies and Tracking Technologies

The service uses:

  • Strictly necessary cookies required for core functionality
  • Analytics technologies relying on pseudonymous identifiers and not storing IP addresses

Where required by law, users are provided with appropriate mechanisms to manage their preferences.

11. User Rights

In accordance with the GDPR, users have the right to:

  • Access
  • Rectification
  • Erasure
  • Restriction of processing
  • Data portability
  • Objection
  • Withdrawal of consent

Requests can be sent to:

Requests are handled within 30 days.

12. Complaints

Users may lodge a complaint with the competent supervisory authority.

For users located in France:

13. Changes to This Policy

This Privacy Policy may be updated to reflect legal, technical, or operational changes.

Material changes will be communicated where required by law.

14. AI Transparency Notice

CvTailor uses AI-based tools to assist users in structuring, optimizing, and generating CVs based exclusively on user-provided data.

Key principles:

  • AI processing is user-initiated only
  • User data is not used to train or fine-tune AI models
  • No AI-based profiling or automated decision-making with legal effects is performed
  • AI outputs are derived deterministically from user inputs and selected parameters

AI systems are used as assistive tools, not autonomous decision-makers.

Final responsibility for the use, distribution, and disclosure of generated content remains with the user.

15. Contact

For any questions regarding this Privacy Policy or personal data processing: