Privacy Policy
Last updated: April 19, 2026
Tech CV Feedback ("we", "us", "the Service") at tech-cv.com is operated by Avi Lewis, based in Israel. This Privacy Policy explains what we collect, what stays only on your device, and how we protect your information when you use our AI-powered resume analysis service.
Summary: Your CV file is never uploaded to our servers (except in the explicit, opt-in senior-candidate flow). The full analysis you see — including the rewritten CV, mock-interview questions, and detailed work history — is stored only in your browser. A privacy-redacted summary is kept on our servers to power share links, aggregate stats, and rate limiting. We do not sell your data.
1. What We Collect
From your CV
When you upload a CV, the file is parsed client-side in your browser — only the extracted text is transmitted to our servers, and only for the duration of the analysis. The CV file itself is never stored on our servers (the senior-candidate opt-in flow described in Section 3 is the one exception).
What's stored on our servers (after sanitization)
After analysis completes, a redacted summary is written to our database to enable share links (e.g. ?id=… URLs) and aggregate statistics. The redaction happens before storage. Specifically:
- Stored: first name + last initial only (e.g. "Avi L."), current job title, current company name, ideal target roles, strengths, career advice, ATS issues, recommendations, skill gaps, location (country/city), aggregate experience-year totals.
- Content fingerprint: a one-way SHA-256 hash of the parsed CV text is stored alongside each record. This is used purely as a uniqueness key (so different CVs are stored as different rows). The hash cannot be reversed to recover the original CV text.
- Stripped before storage and never written to our database: raw CV text, email, phone, LinkedIn URL, past employer names, full work history (dates and descriptions), education details, military unit names, the rewritten CV, the mock-interview questions, the cover letter, and any portfolio detail beyond a flag of "present/not present".
What stays only on your device
The full, unredacted analysis (including everything stripped above) is cached in your browser's localStorage so that clicking a past analysis in the side panel reloads it instantly with all detail intact. This data never leaves your device. Each signed-in account uses its own per-user namespace (techcv_history:<your-user-id> and techcv_analysis_cache:<your-user-id>), so different users sharing a browser don't see each other's data. You can remove any item from your local history at any time using the × button in the side panel — that wipes it from your browser immediately.
Account information
If you create an account (Google or email/password), we store your email address, display name, and profile photo. Anonymous users have no account; an anonymous browser session is established automatically and is not personally identifiable.
Information collected automatically
- Browser fingerprint: A SHA-256 hash (with a server-side salt) of stable browser properties (user agent, screen size, timezone, language, hardware concurrency) is stored to enforce daily usage limits. The hash is one-way — we cannot reverse it to identify you.
- IP address: Your IP is hashed (same SHA-256 + salt scheme) and stored only for rate limiting. The raw IP is not retained.
- Usage events: We store a count of analyses, rewrites, and similar actions, linked to your hashed identity, to enforce the daily caps described in our Terms.
- Ratings and feedback: If you rate the analysis or leave written feedback, that text is stored against the analysis it pertains to.
2. How We Use Your Information
- CV analysis: Your parsed CV text is sent to OpenAI's API (current model: gpt-5-nano-2025-08-07) for AI-powered analysis. Per OpenAI's API data usage policy, data submitted via the API is not used to train their models.
- Sharing: The redacted analysis is what powers ?id=… share links and the in-browser ?s=… compressed-share format.
- Rate limiting: Hashed identity signals (above) are used to enforce daily caps and prevent abuse.
- Aggregate stats: Counts like "N CVs analyzed" and percentile/salary benchmarks are computed across all users. No individual data is identifiable in these aggregates.
- Subscription management: If/when paid plans launch, your account will be linked to a third-party Merchant of Record for billing. The specific provider will be disclosed at checkout.
3. Senior Candidate Opt-In Flow
If your CV indicates significant tech experience and you are located in Israel, you may be shown an optional offer to share your CV with vetted Tel Aviv recruiting partners. This flow is fully opt-in and clearly distinct from normal use:
- You must explicitly consent by submitting the form (entering desired salary range and phone number).
- Only if you submit: your full CV file is uploaded to our private storage bucket on Supabase, and a copy is forwarded by email to the recruiting partner(s) via Resend.
- Your contact details (name, email, phone, LinkedIn) are stored alongside the upload so the recruiter can reach you.
- You can stop further outreach at any time by replying to any email from the recruiter and asking to be removed.
- Declining the offer does not affect your normal use of the Service.
4. AI Processing
Your CV text is processed by OpenAI's GPT models to generate the structured analysis:
- OpenAI acts as a data processor on our behalf.
- Data submitted via OpenAI's API is not used to train their models (per their API policy).
- The CV text is transmitted over encrypted connections (HTTPS/TLS).
- The raw CV text is not retained after the analysis is complete (the opt-in senior flow above is the exception).
5. Where Your Data Lives
- Database (Supabase, hosted on AWS): sanitized analysis records, account profiles, hashed identity signals, usage events, ratings.
- Object storage (Supabase Storage, hosted on AWS): only senior-candidate CV files for users who opted in.
- Hosting (Vercel): serves the website and runs serverless functions that proxy requests to OpenAI and Supabase.
- Your browser (localStorage): the full analyses described in Section 1 ("What stays only on your device"), your authentication session token, and your language preference (one of: English, Hebrew, Spanish, French, Russian).
- Cloudflare CDN (cdnjs): static assets like the PDF parser worker are loaded from cdnjs.cloudflare.com. No CV content is sent to Cloudflare.
6. Data Retention
- Server-side analysis records: retained while the Service operates, to power share links and aggregate statistics. We do not currently apply an automatic retention cutoff. You may request deletion of records you can identify (see Section 8).
- Account data: retained while your account is active. You can request deletion at any time.
- Hashed identity signals: retained to enforce ongoing rate limits.
- Senior-candidate uploads: retained to allow the recruiting partner to follow up. You may request removal at any time.
- Local browser storage: persists until you clear it (per-item via the × button in the side panel, or via your browser's storage controls).
7. Who We Share Data With
We do not sell your data. We share data only with the following processors, each acting on our behalf:
- OpenAI: CV text for AI analysis (Section 4).
- Supabase: our database, authentication, and storage provider.
- Vercel: our hosting provider, which receives every HTTP request.
- Resend: email delivery — only if you opt in to the senior-candidate flow.
- Payment processor (TBA): a third-party Merchant of Record will handle payment processing — only if/when paid plans launch and you subscribe. The specific provider will be disclosed at checkout.
- Cloudflare (cdnjs): CDN for static assets only (no personal data).
8. Your Rights
Under applicable privacy laws (including Israel's Protection of Privacy Law, 5741-1981, and the EU GDPR for EU visitors), you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data.
- Withdraw consent for processing (e.g. ask to be removed from the senior-candidate pipeline).
- Receive an export of your data in a portable format.
To exercise any of these rights, reach us via the LinkedIn contact in Section 12 — we will respond within 30 days. Most browser-local data is already under your direct control: you can remove individual analyses from the side panel at any time using the × button, or visit https://tech-cv.com/?reset=1 to wipe everything tech-cv.com has stored on this device (history, cached analyses, auth tokens).
9. Children's Privacy
The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children.
10. Security
We implement appropriate technical measures to protect your data, including:
- HTTPS/TLS encryption for all data in transit.
- Encryption at rest for stored data (provided by Supabase/AWS).
- One-way SHA-256 hashing (with a server-side salt) for identity signals (browser fingerprint and IP).
- SHA-256 fingerprinting of CV content before any database write — the raw CV text is never stored on our servers.
- Sanitization of analysis records before storage — see Section 1 for the explicit list of what is and isn't stored.
- Per-browser anonymous Supabase sessions — each browser gets its own JWT and identity scope; we no longer use a shared anonymous account.
- Server-side functions use a Supabase service-role key with a user-bound client for operations that require auth.uid() ownership checks, and a service client for admin operations.
- Row-level security policies have been drafted but not yet applied (the application layer is currently the primary access control); they will be applied in a future release.
- Third-party widget calls (e.g. the Goozali job-listing widget on the prep page) are proxied through our server so upstream API URLs and keys never appear in the page source.
No system can be guaranteed 100% secure. If you believe your account or data has been compromised, contact us immediately via the LinkedIn link in Section 12.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. Continued use of the Service after changes constitutes acceptance of the updated Policy.
12. Contact
For privacy-related questions or requests, contact:
Avi Lewis
LinkedIn: linkedin.com/in/avi-lewis