Privacy Policy
speedcv.co.uk — Last updated: 18 April 2026
1. About this Policy
This Privacy Policy explains how we collect, use, store and share your personal data when you use SpeedCV, an online CV-building service available at speedcv.co.uk (the “Service”). It is written in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
We have tried to keep this policy as clear and straightforward as possible, following the Information Commissioner's Office (ICO) guidance on transparency. If anything is unclear, please contact us using the details in Section 12 below.
2. Who we are
The data controller for your personal data is:
SpeedCV Ltd
A company incorporated in England and Wales
Companies House: 17232403
Registered office: 71-75 Shelton Street, London WC2H 9JQ
Email: [email protected]
SpeedCV Ltd is established in the United Kingdom. No Article 27 UK GDPR representative appointment is required.
3. What personal data we collect
We collect different categories of personal data depending on how you interact with the Service:
- Account information.
- When you create an account, we collect your name, email address, country of residence and language preference. Account authentication is managed through our provider Clerk.
- CV content.
- Any information you enter into your CV, which may include your contact details, employment history, education, skills, professional qualifications, photograph and any other details you choose to add. This may include special category data (for example, information about disabilities if you choose to include it). We process this data solely because you have chosen to provide it.
- Payment information.
- If you subscribe to a paid plan, payment is processed by Stripe. We receive confirmation of your subscription status, transaction references and billing country. We do not receive or store your full card number or bank details — Stripe handles this under PCI DSS Level 1 compliance.
- Usage data.
- We collect information about how you use the Service, including pages visited, features used, session duration and technical information such as your browser type and IP address.
- AI processing data.
- When you use our AI-powered CV improvement features, the text of your CV is sent to our AI providers for processing. See Section 6 for details.
4. How and why we use your data (legal bases)
Under the UK GDPR, we must have a lawful basis for each type of processing. The table below sets out the purposes for which we process your personal data and the legal basis we rely on in each case:
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Creating and managing your account | Performance of our contract with you (Article 6(1)(b)) |
| Providing the CV-building service, including saving, editing and exporting your CVs | Performance of our contract with you (Article 6(1)(b)) |
| Processing payments and managing your subscription | Performance of our contract with you (Article 6(1)(b)) |
| Providing AI-powered CV suggestions and improvements | Performance of our contract with you (Article 6(1)(b)) — this is a core feature of the Service |
| Sending you service-related communications (e.g. subscription confirmations, material changes to the Service) | Performance of our contract with you (Article 6(1)(b)) |
| Analysing how users interact with the Service, to improve functionality and user experience | Our legitimate interests in improving the Service (Article 6(1)(f)). You can opt out of analytics cookies — see our Cookie Policy |
| Responding to your enquiries and providing customer support | Our legitimate interests in operating the Service effectively (Article 6(1)(f)) |
| Complying with legal obligations (e.g. tax records, responding to lawful requests from authorities) | Compliance with a legal obligation (Article 6(1)(c)) |
Where we rely on legitimate interests, we have carried out a balancing assessment to ensure that your interests and fundamental rights do not override ours. You may request a copy of this assessment by contacting us.
5. Who we share your data with
We share your personal data with the following categories of recipients, each of whom acts as a data processor on our behalf under a written data processing agreement:
| Processor | Purpose | Location |
|---|---|---|
| Clerk | User authentication and account management | United States |
| Stripe | Payment processing (PCI DSS Level 1 certified) | United States |
| Neon / Supabase | Database hosting and storage | European Union |
| Anthropic (Claude AI) | AI-powered CV text improvements | United States |
| OpenAI | AI-powered CV text improvements | United States |
| Vercel | Application hosting and delivery | United States / EU Edge |
| Cloudflare | Content delivery, performance and security | Global |
We do not sell your personal data to anyone. We do not share your data with advertisers. Our AI providers process your CV text solely to generate suggestions — we do not permit them to use your data to train their models, and our agreements reflect this.
We may also disclose your personal data where required by law, regulation, legal process or enforceable governmental request.
6. AI processing — how it works
SpeedCV uses artificial intelligence to help you improve your CV. When you use an AI feature, the relevant text from your CV is sent to our AI providers (currently Anthropic and OpenAI) via their APIs. They process the text, generate suggestions, and return the results to us.
What you should know:
- AI processing is a core part of the Service and is necessary to deliver the features you have signed up for.
- Your CV text is sent via encrypted connections and is processed in accordance with our data processing agreements with each provider.
- We do not permit our AI providers to retain your data beyond what is needed to process your request, nor to use it for model training.
- You always have the final say on whether to accept, modify or reject any AI-generated suggestion.
- If you do not wish your CV text to be processed by AI, you may use the Service without activating AI features (though this will limit the functionality available to you).
7. International data transfers
SpeedCV Ltd is based in the United Kingdom. Some of the processors listed in Section 5 are located in the United States or operate globally.
Transfers to the United States and other countries. Where your data is transferred to processors in the United States or other countries outside the UK, we ensure that appropriate safeguards are in place, including:
- The UK International Data Transfer Agreement (UK IDTA) or the EU Standard Contractual Clauses with the UK Addendum, as applicable;
- The UK Extension to the EU-US Data Privacy Framework, where the recipient is a certified participant; or
- Other transfer mechanisms permitted under Article 46 of the UK GDPR.
You may request a copy of the relevant safeguards by contacting us at [email protected].
8. How long we keep your data
We retain your personal data only for as long as is necessary for the purposes set out in this Policy:
| Data category | Retention period |
|---|---|
| Account information | For the duration of your account, and deleted within 30 days of account closure |
| CV content | For the duration of your account, and deleted within 30 days of account closure |
| Payment records | 10 years from the date of the transaction (to comply with applicable accounting and tax law) |
| Usage and analytics data | 90 days from the date of collection |
| Customer support correspondence | 2 years from the date of the last communication |
When your data is no longer needed, it is securely deleted or anonymised so that it can no longer identify you.
9. Your rights under UK data protection law
Under the UK GDPR and DPA 2018, you have the following rights in relation to your personal data:
- Right of access.
- You can ask us to confirm whether we are processing your personal data and, if so, to provide you with a copy of that data (a “subject access request”).
- Right to rectification.
- You can ask us to correct any personal data that is inaccurate or incomplete. You can also update most of your data directly through your account settings.
- Right to erasure (“right to be deleted”).
- You can ask us to delete your personal data in certain circumstances — for example, where it is no longer necessary for the purposes for which it was collected, or where you withdraw your consent.
- Right to restrict processing.
- You can ask us to restrict the processing of your personal data in certain circumstances — for example, where you contest the accuracy of the data, or where you have objected to processing based on legitimate interests.
- Right to data portability.
- You can ask us to provide your personal data in a structured, commonly used and machine-readable format, or to transmit it directly to another controller where technically feasible.
- Right to object.
- You can object to processing of your personal data where we rely on legitimate interests as our legal basis. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Rights related to automated decision-making.
- We do not make any decisions about you based solely on automated processing that produce legal or similarly significant effects. Our AI features generate suggestions for your review — you always make the final decision.
- Right to withdraw consent.
- Where we rely on your consent as a legal basis, you can withdraw that consent at any time. This does not affect the lawfulness of processing carried out before the withdrawal.
How to exercise your rights. You can exercise any of these rights by contacting us at [email protected]. We will respond within one month. In complex cases, we may extend this by a further two months, but we will let you know within the first month if that is necessary.
There is no fee for exercising your rights, unless your request is manifestly unfounded or excessive.
10. Data security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction or alteration. These measures include encryption in transit (TLS) and at rest, access controls, regular security reviews and the use of reputable, security-certified processors.
No system is completely secure. If you become aware of any security incident involving your data, please contact us immediately at [email protected].
11. Children
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that data promptly.
12. How to contact us
If you have any questions about this Privacy Policy or about how we handle your personal data, you can contact us at:
13. How to complain
If you are unhappy with how we have handled your personal data, we would appreciate the chance to address your concerns — please contact us first using the details above.
If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113
Live chat: available via the ICO website
14. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. Where we make material changes, we will notify you by email or by a prominent notice on the Service before the changes take effect. We encourage you to review this Policy periodically.