1. Who We Are
CVCooked is operated by APEX Labs, based in Delhi, India. This Privacy Policy explains what personal data we collect from users of the CVCooked website and services, how we use it, with whom we share it, and the rights you have over it. For purposes of the EU GDPR and UK GDPR, APEX Labs acts as the data controller. For the California CCPA/CPRA and the Indian DPDP Act, 2023, APEX Labs acts as the business / data fiduciary.
2. Data We Collect
We collect the following categories of personal data:
- Email address. Captured when you request your roast results, sign in with a magic link, or complete a purchase.
- Resume content. The text (or PDF bytes) of the resume you upload or paste, along with any target role, filter, and region you select.
- Payment data. If you purchase a paid tier, our payment processors (Razorpay for India, Stripe for international) collect and process your card or UPI details directly. We receive only a payment reference, amount, currency, and status; we never store full card numbers, CVV, or UPI PINs.
- Usage data. IP address (hashed/truncated for rate-limiting), user agent, page views, and product events captured via PostHog analytics.
- Session data. Supabase authentication tokens stored as cookies when you sign in with a magic link.
3. How We Use Your Data
We process your data for the following purposes:
- AI analysis. To generate your roast, ATS score, job matches, and, for paid users, rewritten resumes and related deliverables.
- Service operations. Authentication, rate-limiting, fraud prevention, payment processing, and customer support.
- Product improvement. Anonymous and aggregated analytics to understand which features work and to improve the model prompts, scoring, and UX.
- APEX ecosystem communications. Sending transactional emails (magic links, payment confirmations, deliverable emails) and, with your consent, occasional product updates from CVCooked or other APEX Labs tools (such as MyNext30, BillFlow, LumaChat). You can opt out at any time.
- Legal compliance. Tax records, responding to lawful requests, and enforcing our Terms.
4. Legal Bases (GDPR / UK GDPR)
We rely on the following bases to process your data: performance of a contract (providing the Service you requested); legitimate interests (product analytics, security, fraud prevention); consent (marketing communications, optional cookies); and legal obligation (tax and accounting records).
5. Who We Share Data With
CVCooked does not sell your personal data. We share it only with processors and partners strictly necessary to deliver the Service:
- AI providers. Google (Gemini API) and Anthropic (Claude API) receive your resume content and target context solely for inference. Per their published policies, API traffic is not used to train their foundation models. Data is processed and then discarded at the provider.
- Supabase. Hosts our PostgreSQL database and authentication. Personal data is stored on Supabase-managed infrastructure with row-level security.
- Vercel. Hosts the application and edge functions.
- Razorpay / Stripe. Process payments and receive transaction metadata directly from your browser.
- Resend. Delivers transactional emails.
- PostHog. Product analytics, configured to mask personal identifiers where possible.
- Adzuna. Live job-search provider. We send anonymized query parameters (role, region, filter) but not your resume or email.
Cross-border transfers (e.g., from India or the EU to the US) are covered by the provider’s standard contractual clauses or equivalent safeguards.
6. Data Retention
Resume text is automatically deleted 30 days after upload unless you have purchased a paid tier, in which case the deliverables and supporting data are retained for 12 months so you can re-download them. Email addresses and payment records are retained for up to 7 years to comply with Indian tax and accounting law. Analytics events are retained for up to 13 months. You can request earlier deletion (see section 7).
7. Your Rights
Depending on where you live, you have the following rights:
- EU / UK (GDPR): access, rectification, erasure, portability, restriction, objection, and the right to lodge a complaint with a supervisory authority.
- California (CCPA/CPRA): know, delete, correct, opt-out of sale/sharing (we do not sell), and non-discrimination.
- India (DPDP Act, 2023): access, correction, erasure, nomination, and grievance redressal.
- Canada (PIPEDA): access, correction, withdrawal of consent.
To exercise any right, email the.apexx.solutions@gmail.com. We will respond within 30 days (or sooner where required by local law) and may ask you to verify your identity before we act.
8. Cookies
We use a minimal set of cookies:
- Essential. Supabase authentication session cookies; a short-lived cv_post_auth_roast cookie that remembers which roast to route you back to after sign-in. These cannot be disabled without breaking the Service.
- Analytics. PostHog sets cookies to measure anonymous product usage. You can disable these via your browser settings or by using a Do-Not-Track extension.
We do not use third-party advertising cookies.
9. Security
Data is transmitted over TLS, stored on encrypted managed infrastructure (Supabase, Vercel), and access is restricted by row-level security policies and least-privilege service roles. Despite these measures, no internet service is 100% secure; if a breach occurs that is likely to harm you, we will notify you and any regulator required by law.
10. Children
CVCooked is not directed at, and we do not knowingly collect data from, children under 18. If you believe a child has provided us data, contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent version. Material changes will be flagged to users by email or an in-app notice.
12. Contact
APEX Labs
Delhi, India
Email: the.apexx.solutions@gmail.com