Back to CVpilot

LEGAL

Data Processing Agreement

How CVPilot processes personal data on behalf of Users.

Last updated: May 1, 2026

1. Definitions

  • “User” means any individual who accesses or uses the CVPilot platform.
  • “Service Provider” means CVPilot Inc.
  • “Personal Data” means any personally identifiable information provided by or collected from a User in connection with the Services, including but not limited to names, email addresses, resume content, and job application materials.
  • “Services” means the AI-powered career development tools provided by CVPilot, including resume generation, cover letter creation, and job matching.

2. Roles and Responsibilities

CVPilot Inc. acts as the data processor on behalf of Users, processing Personal Data solely for the purpose of delivering the Services. Users retain ownership of their Personal Data at all times and may request access, correction, or deletion of their data as described in Section 8.

3. Permitted Uses of Personal Data

CVPilot shall use Personal Data solely for the purpose of providing the Services, including:

  • Generating AI-powered resume content, cover letters, and career recommendations
  • Enabling skill translation and career enrichment features
  • Producing aggregated, de-identified analytics to improve the platform

CVPilot shall not use Personal Data for any purpose beyond providing the Services, including advertising, unsolicited marketing, or selling data to third parties.

4. Data Security Obligations

CVPilot maintains the following security measures to protect Personal Data:

  • AES-256-GCM encryption at rest for all sensitive data
  • TLS 1.2+ encryption for all data in transit
  • Role-based access controls ensuring only authorized personnel can access Personal Data
  • Comprehensive audit logging of all access to Personal Data
  • Encryption key management via secure environment variables
  • Regular security assessments and monitoring

5. Subprocessors

CVPilot uses the following subprocessors to deliver the Services, each bound by data processing agreements:

SubprocessorPurpose
Supabase Inc.PostgreSQL database hosting (AWS us-east-1)
Clerk Inc.User authentication and session management
Vercel Inc.Application hosting and CDN
Anthropic PBCAI processing (API-only; no data retention; no model training on user inputs)
Stripe, Inc.Payment processing, subscription management, and billing (PCI-DSS Level 1 certified; CVPilot does not store full payment card numbers)

CVPilot will publish updates to this list when new subprocessors are added that will have access to Personal Data. Continued use of the Services after such notice constitutes acceptance of the updated subprocessor list.

6. Data Breach Notification

In the event of a security breach involving Personal Data, CVPilot shall:

  • Notify affected Users within 72 hours of confirming the breach
  • Provide a written description of the nature of the breach, the data affected, and the remediation steps taken
  • Cooperate with any applicable notification obligations under state or federal law
  • Bear the cost of required notifications to affected individuals where the breach is caused by CVPilot’s negligence

7. Data Retention and Deletion

  • Personal Data is retained only for as long as a User’s account is active or as needed to provide the Services
  • Upon account deletion, Personal Data is removed within 30 days
  • Users may request deletion of specific data at any time by contacting privacy@cvpilot.co
  • CVPilot will provide written confirmation of deletion upon request
  • Audit logs may be retained for up to 180 days after deletion for compliance purposes, after which they will be purged
  • Aggregated, anonymized data that cannot identify a User may be retained indefinitely for analytics purposes

8. User Rights

Users have the following rights with respect to their Personal Data:

  • Access: Users may view all Personal Data CVPilot holds about them through the account dashboard
  • Correction: Users may request correction of inaccurate data at any time
  • Deletion: Users may request deletion of their account and associated data
  • Portability: Users may request their data in a machine-readable format
  • Opt-out: Users may opt out of non-essential data processing at any time

To exercise any of these rights, contact us at privacy@cvpilot.co. We will respond within 30 days.

9. Audit and Compliance

CVPilot maintains internal audit logs and security documentation sufficient to demonstrate compliance with this DPA. Upon written request, CVPilot will make a completed security assessment available to Users or their authorized representatives. CVPilot cooperates with regulatory inquiries as required by applicable law.

10. Limitation of Liability

CVPilot’s liability for any claims arising from this DPA or the handling of Personal Data shall be limited to direct damages and shall not exceed the greater of the fees paid by the User in the twelve months preceding the claim or one hundred U.S. dollars ($100). CVPilot shall not be liable for indirect, incidental, or consequential damages.

11. Term and Termination

This DPA is effective for the duration of a User’s active account and service relationship with CVPilot. Upon account termination, CVPilot’s data deletion obligations (Section 7), breach notification obligations (Section 6), and User rights (Section 8) survive termination.

12. Governing Law

This DPA is governed by the laws of the State of Texas, without regard to its conflict of law provisions. Any disputes arising under this DPA shall be resolved in the courts of Collin County, Texas.

13. Changes to This DPA

CVPilot may update this DPA from time to time. We will notify Users of material changes by posting the updated DPA on our website and updating the effective date. Continued use of the Services after such notice constitutes acceptance of the updated terms.

14. Contact Us

CVPilot Inc.
Email: privacy@cvpilot.co
Website: www.cvpilot.co

CVPilot Inc. © 2026. All rights reserved.