Privacy Policy
Version: 25-12-01
Effective Date: December 1, 2025
Last Updated: December 1, 2025
Introduction
BuddyCV, Inc. ("BuddyCV," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our website, mobile application, and related services (collectively, the "Services").
By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy.
BuddyCV is based in Safi, Morocco, and operates globally. We comply with applicable data protection laws, including:
- General Data Protection Regulation (GDPR) - European Union
- California Consumer Privacy Act (CCPA) - United States
- Moroccan Law 09-08 on the Protection of Personal Data
- Other applicable international privacy regulations
If you do not agree with this Privacy Policy, please do not use our Services.
Table of Contents
- Information We Collect
- How We Collect Information
- How We Use Your Information
- Legal Basis for Processing (GDPR)
- Information Sharing and Disclosure
- Third-Party Services
- Data Retention
- Your Privacy Rights
- Cookies and Tracking Technologies
- Changes to This Privacy Policy
- Contact Information
1. Information We Collect
1.1 Personal Information
We collect the following categories of personal information:
Account Information (via OAuth):
- Full name
- Email address
- Profile picture (optional)
- OAuth provider ID (Google, LinkedIn, or Facebook)
- Account creation date
- Last login timestamp
Subscription and Payment Information:
- Subscription plan type (free, premium)
- Billing cycle preference
- Payment transaction records (processed and stored by Paddle)
- Subscription status and renewal dates
Technical and Usage Information:
- IP address (for fraud prevention and security)
- Device information (type, operating system, browser)
- Login history and session data
- Error logs and diagnostic information
Communication Data:
- Feedback and survey responses
- Email communications with us
1.2 Information We Do NOT Collect
We do not collect:
- Credit card or payment details directly (handled by Paddle)
- Social Security numbers or national ID numbers
- Sensitive health information
- Political opinions or religious beliefs
- Biometric data
- Precise geolocation data
2. How We Collect Information
2.1 Information You Provide Directly
- OAuth Registration: Basic profile information from Google, LinkedIn, or Facebook
- Customer Support: Information in support requests or feedback
2.2 Information Collected Automatically
- Log Data: IP addresses, browser type, pages visited, timestamps
- Cookies: Essential cookies for authentication and service functionality
2.3 Information from Third Parties
- OAuth Providers (Google, LinkedIn, Facebook): Name, email, profile picture
- Payment Processor (Paddle): Transaction and subscription status information
- AI Services (Claude AI, Gemini, OpenAI ChatGPT): Processing of your content for AI generation
3. How We Use Your Information
We use your personal information for the following purposes:
3.1 Service Provision
- Create and manage your account
- Authenticate your identity via OAuth
- Store and manage your resumes and cover letters
- Enable PDF export and publishing features
3.2 Payment and Billing
- Process subscription payments via Paddle
- Manage billing cycles and renewals
- Handle refunds and cancellations
- Maintain transaction records
3.3 Security and Fraud Prevention
- Monitor and analyze IP addresses for suspicious activity
- Detect and prevent fraudulent accounts and abuse of free access
- Protect against unauthorized access
- Monitor login patterns for security threats
- Enforce our Terms of Use
3.4 Communication
- Send service-related notifications (account creation, subscription changes)
- Respond to customer support inquiries
- Send important updates about the Services
- Notify you of policy changes
- Request feedback and conduct surveys
3.5 Service Improvement
- Analyze usage patterns to improve features
- Conduct research and development
- Test new features and functionality
- Troubleshoot technical issues
- Optimize AI content generation
3.6 Legal Compliance
- Comply with legal obligations
- Respond to legal requests and court orders
- Enforce our Terms of Use
- Protect our rights and property
- Resolve disputes
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data based on the following legal grounds:
4.1 Contractual Necessity
- Account creation and authentication
- Service delivery and document management
- Payment processing and subscription management
4.2 Legitimate Interests
- Fraud prevention and security monitoring
- Service improvement and optimization
- Customer support and communication
- Technical troubleshooting and maintenance
4.3 Legal Obligations
- Compliance with tax and accounting laws
- Response to legal requests
- Data breach notifications
4.4 Consent
- Optional cookies and analytics
- Survey participation
You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
5. Information Sharing and Disclosure
5.1 We Do NOT Sell Your Personal Information
BuddyCV does not sell, rent, or trade your personal information to third parties for monetary consideration.
5.2 Service Providers
We share information with trusted third-party service providers who assist us in operating our Services:
Amazon Web Services (AWS):
- Purpose: Data storage, hosting, and infrastructure
- Data Shared: All user content, documents, and account data
- Security: All data encrypted at rest and in transit
Paddle:
- Purpose: Payment processing and subscription management
- Data Shared: Name, email, billing information, transaction details
- Role: Merchant of record
- Security: PCI DSS compliant
AI Providers (Claude AI, Gemini, OpenAI ChatGPT):
- Purpose: AI content generation and optimization
- Data Shared: Resume and cover letter content submitted for AI processing
- Data Retention: These providers do not store your data permanently
- Usage: Content generation only
OAuth Providers (Google, LinkedIn, Facebook):
- Purpose: Authentication and account verification
- Data Shared: Authentication tokens only
- Access: We only receive name, email, and profile picture
Analytics and Monitoring Tools:
- Purpose: Service performance and usage analytics
- Data Shared: Aggregated and anonymized usage data
- Examples: Error monitoring, performance tracking
5.3 Legal Requirements
We may disclose your information if required to do so by law or in response to:
- Court orders or subpoenas
- Law enforcement requests
- Government investigations
- Legal proceedings or disputes
- Protection of our rights, property, or safety
- Prevention of fraud or illegal activity
6. Third-Party Services
Our Services integrate with the following third-party services:
6.1 OAuth Authentication Providers
Google, LinkedIn, Facebook:
- We use these services solely for secure authentication
- We access only basic profile information (name, email, profile picture)
- These providers have their own privacy policies
- We are not responsible for their privacy practices
Links to Third-Party Privacy Policies:
- Google: https://policies.google.com/privacy
- LinkedIn: https://www.linkedin.com/legal/privacy-policy
- Facebook: https://www.facebook.com/privacy/policy
6.2 Payment Processor
Paddle:
- Acts as our merchant of record
- Processes and stores all payment information
- Maintains billing portal for subscription management
- Subject to Paddle's privacy policy: https://www.paddle.com/legal/privacy
6.3 Cloud Infrastructure
Amazon Web Services (AWS):
- Provides data storage and hosting
- All data encrypted at rest and in transit
- Subject to AWS's privacy policy: https://aws.amazon.com/privacy
6.4 AI Content Generation
Claude AI, Gemini, OpenAI ChatGPT:
- Process your content for AI generation purposes only
- Do not permanently store your content
- Subject to respective privacy policies:
  - Anthropic (Claude): https://www.anthropic.com/privacy
  - Google (Gemini): https://ai.google.dev/gemini-api/terms
  - OpenAI (ChatGPT): https://openai.com/privacy
7. Data Retention
7.1 Active Accounts
We retain your personal information for as long as your account is active and as necessary to:
- Provide you with our Services
- Comply with legal obligations
- Resolve disputes
- Enforce our agreements
7.3 Deleted Accounts
For All Users (Free and Subscribed):
- When you request account deletion, your account enters a 30-day pending deletion period
- During this period, you may restore your account by canceling the deletion request
- After 30 days, your account and associated user content are permanently deleted
- No backups are maintained for permanently deleted account data
- Paddle may retain transaction history for legal and tax compliance
7.4 Legal Requirements
We may retain certain information for longer periods if required by law, including:
- Tax records (as required by applicable tax laws)
- Transaction records (as required by Paddle and financial regulations)
- Records related to legal disputes or investigations
7.5 Aggregated Data
We may retain anonymized and aggregated data indefinitely for:
- Analytics and research purposes
- Service improvement
- Statistical analysis
This data cannot be used to identify individual users.
8. Your Privacy Rights
8.1 Rights Under GDPR (EEA, UK, Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights:
Right to Access:
- Request a copy of your personal data
- Receive information about how we process your data
Right to Rectification:
- Correct inaccurate or incomplete personal data
Right to Erasure ("Right to be Forgotten"):
- Request deletion of your personal data
- Subject to legal retention requirements
- Note: account deletion requests are processed after a 30-day restoration window
Right to Restrict Processing:
- Limit how we use your personal data
Right to Data Portability:
- Receive your data in a structured, machine-readable format
- Transfer your data to another service provider
Right to Object:
- Object to processing based on legitimate interests
- Object to direct marketing
Right to Withdraw Consent:
- Withdraw consent at any time (where processing is based on consent)
Right to Lodge a Complaint:
- File a complaint with your local data protection authority
8.2 Rights Under CCPA (California Residents)
If you are a California resident, you have the following rights:
Right to Know:
- Categories of personal information collected
- Sources of personal information
- Business purpose for collecting information
- Categories of third parties with whom we share information
Right to Delete:
- Request deletion of your personal information
- Subject to certain exceptions
Right to Opt-Out of Sale:
- We do not sell personal information, so this right does not apply
Right to Non-Discrimination:
- We will not discriminate against you for exercising your privacy rights
8.3 Rights Under Moroccan Law 09-08
If you are located in Morocco, you have rights including:
- Right to access your personal data
- Right to correct inaccurate data
- Right to object to processing
- Right to lodge a complaint with the CNDP (Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel)
8.4 How to Exercise Your Rights
To exercise any of these rights:
- Email us: privacy@buddycv.com
- Include in your request:
  - Your full name
  - Email address associated with your account
  - Specific right(s) you wish to exercise
  - Any relevant details or documentation
We may request additional information to verify your identity before processing your request.
8.5 Account Management
You can manage your personal information directly through your account settings:
- Update your profile information
- Manage your documents
- View your subscription status
- Access your usage history
- Delete your account (subject to the 30-day pending deletion policy)
9. Cookies and Tracking Technologies
9.1 What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They help us provide and improve our Services.
9.2 Types of Cookies We Use
Essential Cookies:
- Authentication and account access
- Session management
- Security features
- Service functionality
These cookies are necessary for the Services to function and cannot be disabled.
9.3 Third-Party Cookies
Our OAuth providers (Google, LinkedIn, Facebook) may set their own cookies during the authentication process. These are governed by their respective privacy policies.
9.4 Cookie Management
Browser Settings:
- You can control cookies through your browser settings
- Blocking essential cookies may prevent you from using our Services
- Instructions for common browsers:
  - Chrome: Settings > Privacy and Security > Cookies
  - Firefox: Options > Privacy & Security > Cookies
  - Safari: Preferences > Privacy > Cookies
  - Edge: Settings > Privacy > Cookies
Cookie Lifespan:
- Persistent cookies: Remain until expiration or manual deletion (typically 30-365 days)
10. Changes to This Privacy Policy
10.1 Right to Modify
We reserve the right to update or modify this Privacy Policy at any time to reflect:
- Changes in our practices
- Legal or regulatory requirements
- New features or services
- Security enhancements
10.2 Notification of Changes
When we make material changes to this Privacy Policy:
- We will update the "Last Updated" date at the top
- We will notify you via email (to the address associated with your account)
- We may display a prominent notice on our website
- For significant changes, we may require you to accept the new Privacy Policy
10.3 Your Options
After receiving notice of changes:
- Review the updated Privacy Policy carefully
- If you disagree with the changes, you may delete your account
- Continued use of the Services after changes become effective constitutes acceptance
10.4 Version History
We maintain a version history of this Privacy Policy. Previous versions are available upon request.
11. Contact Information
11.1 Privacy Inquiries
For questions, concerns, or requests regarding this Privacy Policy or our data practices:
Email: privacy@buddycv.com
Subject Line: Privacy Inquiry
11.2 Data Protection Officer
For GDPR-related inquiries:
Email: dpo@buddycv.com
Subject Line: GDPR Request
11.3 General Support
For general customer support:
Email: support@buddycv.com
11.4 Security Issues
To report security vulnerabilities:
Email: security@buddycv.com
Subject Line: Security Issue
Additional Information
Data Controller
BuddyCV, Inc. is the data controller responsible for your personal information collected through our Services.
Language
This Privacy Policy is provided in English. In the event of any conflict between an English version and a translated version, the English version shall prevail.
Effective Jurisdiction
This Privacy Policy is governed by the laws of Morocco and applicable international data protection regulations (GDPR, CCPA, etc.).
Acknowledgment
BY USING OUR SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS PRIVACY POLICY, UNDERSTAND IT, AND AGREE TO ITS TERMS.
You further acknowledge that:
- You understand how we collect, use, and share your personal information
- You understand your privacy rights and how to exercise them
- You understand that we use third-party services (OAuth, Paddle, AWS, AI providers)
- You understand our security measures and limitations
- You understand that we do not maintain backups of deleted data
- You understand that account deletion is scheduled with a 30-day restoration window before permanent deletion
- You understand that we collect IP addresses for fraud prevention and security
© 2025 BuddyCV, Inc. All rights reserved.