Privacy Policy
Last updated: March 2026 · Effective: March 14, 2026
We respect your privacy. This policy explains what data GapZero collects, why, how long we keep it, and what rights you have. We've written it in plain English — no unnecessary legal complexity.
1. Who Is Responsible for Your Data
GapZero is operated by [Company Name], registered at [Company Address] ("we", "us", "our").
For the purposes of the UK GDPR and EU GDPR, we are the data controller of the personal data you provide when using gapzero.app.
Data Protection contact: [privacy@gapzero.app]
2. What Data We Collect
We only collect data that is necessary to provide the service to you.
| Data category | What we collect | Legal basis (GDPR) |
|---|---|---|
| Account data | Email address, hashed password (via Supabase Auth), account creation date | Contract performance (Art. 6(1)(b)) |
| CV content | Text extracted from your uploaded CV PDF — name, work history, skills, education, certifications, summary | Contract performance (Art. 6(1)(b)) |
| LinkedIn PDF export | Text extracted from your LinkedIn PDF — profile, experience, skills (optional upload) | Contract performance (Art. 6(1)(b)) |
| Job posting text | The job description you paste or fetch — role title, requirements, employer details | Contract performance (Art. 6(1)(b)) |
| Career questionnaire | Current role, target role, years of experience, country, work preference (remote/hybrid/on-site) | Contract performance (Art. 6(1)(b)) |
| GitHub URL | Your public GitHub profile URL (optional) — used to fetch public repository data for analysis | Contract performance / Consent (Art. 6(1)(a)) |
| Analysis results | Fit scores, gap analysis, salary benchmarks, ATS scores, CV suggestions, cover letters, GitHub assessments, action plans — saved to your account history | Contract performance (Art. 6(1)(b)) |
| Usage data | Pages visited, features used, analysis count, session identifiers | Legitimate interests (Art. 6(1)(f)) |
| Payment data | Subscription status, billing period — payment card details held exclusively by Stripe | Contract performance (Art. 6(1)(b)) |
3. How We Use Your Data
To provide the service: We send your CV text, job posting, and questionnaire responses to Anthropic's Claude API to generate your analysis. We store the results in Supabase so you can access your history. We use your email to authenticate your account.
To operate the platform: We use usage data to enforce your plan's analysis quota, prevent abuse, and monitor platform health.
To improve the platform: We may analyse anonymised, aggregated usage patterns to improve GapZero. We do not use your personal CV content for this purpose.
To communicate with you: We may send transactional emails (account confirmation, subscription receipts). We will only send marketing communications if you opt in.
4. How AI Processes Your Data
Your CV is sent to Anthropic. When you run an analysis, your CV text, LinkedIn export (if provided), job posting, and questionnaire are transmitted to Anthropic's API. Anthropic processes this data to generate your career analysis. Anthropic is our data processor under a Data Processing Agreement.
Your data is not used to train AI models. Anthropic's API usage policies prohibit using API-submitted data to train or fine-tune their models. Your CV content is used solely to generate your analysis and is not retained by Anthropic beyond the API call.
No automated decision-making with legal effect. GapZero does not make automated decisions about you under GDPR Article 22. All outputs are tools to inform your own decisions. You remain in control.
GitHub analysis uses only publicly accessible repository data from GitHub's public API, limited to repositories you have made public.
5. Third-Party Data Processors
| Processor | What they process | Location |
|---|---|---|
| Anthropic | CV text, job posting, questionnaire (during analysis only) | USA |
| Supabase | Account data, analysis history, profile, job tracker | EU / USA |
| Stripe | Payment card details, subscription status | USA / EU |
| Vercel | Web request logs, serverless function execution | Global CDN |
6. International Data Transfers
Some of our processors are based in the United States. If you are in the EU or UK, this means your personal data may be transferred outside the EEA or United Kingdom.
We rely on the following safeguards:
- Anthropic: EU Standard Contractual Clauses (SCCs) and Anthropic's DPA, including UK IDTA provisions.
- Supabase: SCCs with EU data residency options where selected.
- Stripe: EU-US Data Privacy Framework certification and SCCs.
- Vercel: SCCs included in Vercel's DPA.
You may request a copy of the relevant safeguards by contacting us at the address in Section 10.
7. How Long We Keep Your Data
- Analysis results and career history — kept while your account is active. Deleted when you delete your account.
- CV text submitted for analysis — not stored by GapZero after the analysis is complete. The extracted results are stored, but not the raw CV text.
- Account data (email) — retained until you delete your account or request erasure.
- Subscription/billing records — retained for 7 years for tax and accounting compliance, even after account deletion.
- Usage logs — retained for up to 90 days for security and fraud prevention.
You can delete your account and all associated data from your dashboard at any time.
9. Your Rights
You have meaningful rights over your data, depending on where you are.
GDPR (EU) & UK GDPR
- Access — get a copy of your data
- Rectification — correct inaccurate data
- Erasure — delete your data ("right to be forgotten")
- Portability — export your data in a common format
- Restriction — pause processing while a dispute is resolved
- Objection — object to processing based on legitimate interests
- No automated decisions with legal effect
CCPA (California, USA)
- Right to know what data we collect and how we use it
- Right to delete your personal information
- Right to opt out of the sale of your data
- Right to non-discrimination for exercising your rights
- We do not sell your personal information to any third party
10. Contact & Data Protection Officer
[Company Name]
[Company Address]
Email: [privacy@gapzero.app]
DPO (if applicable): [DPO Name or "Not appointed — SME exemption applies"]
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email (if you have an account) or by a prominent notice on the Platform at least 30 days before the changes take effect.