Privacy policy

Last updated: 2026-05-11.

---

1. Controller

Paul Hellfalk is the controller for processing needed to provide CV Nu. Privacy questions can be sent to support@cv-nu.se.

2. Personal data we process

We process account data such as email address, password hash and verification status; resume and cover-letter content such as name, contact details, work experience, education, skills, images and uploaded document text; import metadata; session data; security and audit logs; technical data such as IP address for security-relevant events; and payment-related references from Stripe.

3. Purposes and legal bases

Account, builder, import, storage, preview, export and paid-access functions are processed to perform the service agreement. Security logs, abuse prevention, troubleshooting and anonymized traffic counting are processed on legitimate interest. Payment, accounting and tax records are processed for legal obligations. Google Analytics is processed only with consent.

4. Resume content and sensitive data

A resume can contain sensitive or private information if you choose to include it, for example health-related information, union involvement, political assignments or similar details. Avoid uploading more sensitive information than needed. If such information is included, it is processed only to provide the requested resume and import functions.

5. AI-assisted import

When AI-assisted import is used, extracted resume text and relevant import context may be sent to OpenAI, the AI provider used for now, to structure the resume. The original file is not intended to be sent when extracted text is enough. AI import requires separate information/confirmation in the import flow. AI output can be wrong and should be reviewed by you before use.

6. Payments

Card payments are handled by Stripe. The service does not store full card details. It stores customer, checkout, entitlement and payment status references needed to manage one-time purchases, support, records and any required accounting or tax reporting.

7. Cookies and analytics

Necessary cookies are used for login, security, language choices, access-code control and saved cookie choices. We also count anonymized daily visits per domain and locale without setting cookies and without storing IP address or user agent. Google Analytics cookies are used only after consent.

8. Recipients and processors

Personal data may be processed by hosting and operations providers, Stripe for payments, OpenAI for AI import, email or SMTP providers for account emails, Google Analytics if enabled with consent, and backup or security providers needed to operate the service.

9. Transfers outside the EU/EEA

Some providers, such as Stripe, Google and OpenAI, may involve processing outside the EU/EEA or by companies with non-EU group connections. Where required, transfers should be protected by data processing agreements, standard contractual clauses, adequacy decisions, the EU-US Data Privacy Framework where applicable, or another valid transfer mechanism.

10. Retention

Account and resume data is stored while the account is active or until you delete it. Imported raw text and import diagnostics are normally kept for no more than 7 days for troubleshooting. Expiring sessions, tokens and reset data are cleared continuously. Security logs are normally kept for no more than 30 days unless needed for incident investigation. Anonymized traffic counts are normally kept for no more than 180 days. Backups are normally rotated within 30 days. Payment and tax records are retained as required by applicable law.

11. Your rights

You can request access, correction, deletion, restriction, objection and data portability where the GDPR gives those rights. You can export account data and request account deletion from the account page. You can withdraw analytics consent at any time without affecting processing that happened before withdrawal.

12. Automated decisions

AI-assisted import may structure text and suggest section mapping, but the service does not make automated decisions with legal or similarly significant effects about you. You decide whether to use the imported or suggested content.

13. Complaints

If you believe personal data is processed incorrectly, contact support@cv-nu.se. You can also complain to Integritetsskyddsmyndigheten (IMY) in Sweden or another competent data protection authority in the EU/EEA.

14. Contact

For privacy requests or questions about this policy, contact support@cv-nu.se.