Our Privacy Commitments
These principles guide every decision we make about your data.
1. Overview
This Privacy Policy ("Policy") describes how Zaurah Technologies ("Company", "we", "us", or "our") collects, uses, stores, shares, and protects personal information when you use cv.zaurah.com (the "Service" or "Platform").
This Policy applies to all users of the Service, including visitors, registered users, and API consumers. By using the Service, you consent to the practices described in this Policy. If you do not agree, please discontinue use of the Service.
This Policy should be read alongside our Terms of Service, which govern your use of the Platform.
2. Data Controller
For the purposes of applicable data protection laws (including the EU General Data Protection Regulation, "GDPR"), the data controller is:
3. Data We Collect
We collect data in three categories:
3.1 Account Data
Information you provide when creating and managing your account:
| Data | Purpose | Required |
|---|---|---|
| Full name | Account identification, CV pre-fill | Yes |
| Email address | Authentication, notifications, password reset | Yes |
| Password (hashed) | Authentication only (bcrypt, never stored in plaintext) | Yes |
| Language preference | Interface localization | Auto-detected |
3.2 CV & Profile Data
Content you voluntarily enter into your CV profile. This may include:
- Personal details — Name, phone number, address, date of birth, nationality, photo
- Professional history — Job titles, employers, dates, responsibilities, achievements
- Education — Institutions, degrees, dates, GPA, certifications
- Skills & languages — Technical skills, soft skills, language proficiencies
- References — Names, titles, and contact details of professional references
- Custom sections — Volunteer work, publications, projects, awards, or any other information you choose to include
You control what CV data you provide. We recommend only including information you are comfortable sharing with potential employers.
3.3 Technical & Usage Data
Data collected automatically when you use the Service:
- Device information — Browser type and version, operating system, screen resolution
- Network data — IP address (anonymized after 90 days), approximate geographic location (country/region level)
- Usage patterns — Pages visited, features used, templates viewed, session duration, clicks and interactions
- Performance data — Page load times, error logs, crash reports
- Referral data — How you arrived at the Service (search engine, direct link, social media)
3.4 Payment Data
When you subscribe to a paid plan:
- Payment processing is handled entirely by Stripe;
- We never receive or store your full credit card number;
- We store only: last 4 digits of your card, card brand (Visa/MC), expiry date, billing country, Stripe customer ID, and transaction records;
- Invoices and payment history are retained for tax and legal compliance.
4. How We Collect Data
- Directly from you — When you register, create a CV, update your profile, contact support, or submit forms;
- Automatically — Through cookies, server logs, and analytics tools when you interact with the Service;
- From third parties — If you use social login (Google, LinkedIn), we receive your name and email from the identity provider. We do not access your contacts, posts, or other social media data;
- From payment processors — Stripe provides us transaction confirmations and limited card details as described above.
5. Legal Bases for Processing (GDPR)
For users in the European Economic Area (EEA), UK, and other jurisdictions that require a legal basis for data processing, we rely on:
| Legal Basis | Activities |
|---|---|
| Contract performance | Providing the Service, processing payments, managing your account, delivering CV exports |
| Legitimate interest | Service improvement, analytics, fraud prevention, security monitoring, customer support |
| Consent | Marketing communications, optional cookies, AI feature usage, newsletter subscription |
| Legal obligation | Tax record retention, responding to legal requests, compliance reporting |
6. How We Use Your Data
We use collected data for the following purposes:
6.1 Core Service Delivery
- Creating and managing your account;
- Storing and rendering your CV content;
- Generating PDF, DOCX, and other export formats;
- Providing template selection and customization;
- Enabling ATS score analysis and optimization recommendations.
6.2 AI Features
- Processing your CV content through AI models to generate suggestions;
- Providing content improvement recommendations;
- Calculating ATS compatibility scores;
- Generating cover letter drafts based on your profile.
6.3 Communication
- Sending transactional emails (verification, password reset, payment confirmations);
- Service announcements and important updates;
- Responding to support inquiries;
- Marketing emails (only with your explicit consent, with one-click unsubscribe).
6.4 Security & Fraud Prevention
- Detecting and preventing unauthorized access, fraud, and abuse;
- Monitoring for suspicious login activity;
- Maintaining audit logs for security investigations;
- Rate limiting and bot detection.
6.5 Analytics & Improvement
- Understanding how features are used to guide product development;
- Measuring the effectiveness of templates and AI tools;
- Identifying and fixing bugs, errors, and performance issues;
- Generating anonymized, aggregated statistics (never linked to individual users).
7. Data Sharing & Third Parties
7.1 We Never Sell Your Data
We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes. Period.
7.2 Service Providers
We share limited data with trusted third-party providers who help us operate the Service, under strict contractual obligations:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, name, payment details |
| AI Providers | Content generation, suggestions | CV content sections (per-request, not stored) |
| Cloud Hosting | Infrastructure, data storage | All data (encrypted at rest) |
| Email Service | Transactional emails | Email address, name |
7.3 Legal Requirements
We may disclose your data if required by law, regulation, legal process, or governmental request. We will notify you of such disclosure unless legally prohibited from doing so.
7.4 Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of assets, your data may be transferred as part of the transaction. We will notify users via email and a prominent notice on the Service before data is transferred and becomes subject to a different privacy policy.
7.5 Public CVs
If you use our public link sharing feature, the CV content you share becomes accessible via that link. You control which CVs are shared publicly and can revoke public access at any time.
8. International Data Transfers
Your data may be processed in countries outside your country of residence. When we transfer data internationally, we ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Data Processing Agreements (DPAs) with all sub-processors;
- Selecting providers who maintain SOC 2 Type II or equivalent certifications;
- Ensuring encryption in transit (TLS 1.3) and at rest (AES-256).
10. Data Retention
We retain your data only for as long as necessary to fulfill the purposes described in this Policy:
| Data Type | Retention Period | After Deletion |
|---|---|---|
| Account & CV data | While account is active | 30 days recovery, then permanent deletion |
| Payment records | 7 years (tax/legal obligation) | Retained for compliance |
| Security audit logs | 12 months | Auto-purged |
| Analytics data | 90 days (anonymized) | Auto-purged |
| IP addresses | 90 days (then anonymized) | Anonymized aggregate retained |
| Support tickets | 2 years after resolution | Auto-purged |
| Encrypted backups | 30 days rolling | Overwritten by new backups |
When data is deleted, it is permanently removed from our production systems. Encrypted backups containing deleted data will be overwritten within 30 days.
11. Data Security
We implement robust technical and organizational measures to protect your data:
11.1 Technical Measures
- Encryption in transit — All data transmitted via TLS 1.3 (HTTPS). We enforce HSTS with a minimum 1-year max-age;
- Encryption at rest — AES-256 encryption for all stored data, including backups;
- Password security — Bcrypt hashing with per-user salts (cost factor 12). We never store plaintext passwords;
- Access controls — Role-based access, principle of least privilege, multi-factor authentication for administrative access;
- Infrastructure security — Firewalls, intrusion detection, DDoS protection, automated vulnerability scanning;
- Database isolation — The CV platform uses a dedicated database, separate from other Zaurah services.
11.2 Organizational Measures
- Security awareness training for all team members;
- Background checks for employees with data access;
- Documented incident response procedures;
- Regular security audits and penetration testing;
- Vendor security assessments before onboarding third-party providers.
12. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
Request a copy of all personal data we hold about you.
Correct inaccurate or incomplete personal data.
Request deletion of your personal data ("right to be forgotten").
Receive your data in a structured, machine-readable format (JSON/CSV).
Limit how we process your data in certain circumstances.
Object to processing based on legitimate interests or for marketing.
Withdraw consent at any time without affecting prior processing.
File a complaint with your local data protection authority.
To exercise any of these rights, contact us at privacy@zaurah.com. We will respond within 30 days (or sooner as required by applicable law). We may ask you to verify your identity before processing your request.
Many of these rights can also be exercised directly through your account settings (e.g., editing your profile, exporting your data, or deleting your account).
13. AI & Automated Processing
13.1 How AI Processes Your Data
When you use AI-powered features (content suggestions, ATS scoring, cover letter generation), relevant sections of your CV are sent to third-party AI APIs for real-time processing. This data is:
- Transmitted over encrypted connections (TLS 1.3);
- Processed in real time and not retained by AI providers beyond the API request;
- Subject to our DPAs with AI providers, which prohibit use for model training;
- Never shared with other users or used to improve other users' experience.
13.2 Automated Decision-Making
Our ATS scoring feature provides an automated assessment of your CV's compatibility with applicant tracking systems. This score is advisory only and does not affect your access to the Service or any rights. You are free to ignore the score and use your CV as-is.
13.3 Opt-Out
You may choose not to use AI features. All AI-powered tools are optional, and your CV can be created and exported without AI assistance. You will not be penalized or limited in any way for not using AI features.
14. Children's Privacy
The Service is not intended for children under 16 years of age (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children.
If we learn that we have collected personal data from a child under the applicable minimum age, we will take immediate steps to delete that data. If you believe a child has provided us with personal information, please contact us at privacy@zaurah.com.
15. Third-Party Links
The Service may contain links to third-party websites, services, or resources that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policies of any third-party sites you visit.
16. Data Breach Notification
In the event of a data breach that may compromise your personal information:
- We will notify affected users via email within 72 hours of discovering the breach (as required by GDPR);
- We will notify the relevant supervisory authority where required;
- Our notification will include: a description of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach;
- We will provide guidance on steps you can take to protect yourself (e.g., changing passwords).
17. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will update the "Effective" date at the top;
- We will notify registered users via email at least 15 days before changes take effect;
- We may display a notice within the Service;
- We will maintain an archive of prior versions upon request.
Your continued use of the Service after the effective date of the revised Policy constitutes acceptance.
18. Contact & Data Protection Officer
For any privacy-related questions, concerns, or to exercise your data rights:
We aim to respond to all privacy inquiries within 5 business days and to fulfill data rights requests within 30 days.