LegendCVHome →
🔒 Privacy & Security

Privacy Policy

Your Data. Protected.

Learn how LegendCV collects, uses, and safeguards your information — under UK GDPR and the Data Protection Act 2018.

Last updated 18 June 2026Contact privacy team

This Privacy Policy explains how LegendCV ("we", "us", "our"), operator of www.legendcv.com, collects, uses, shares and protects personal data. We are the "controller" of your personal data under the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

LegendCV does not sell your personal data.
We do not sell, rent, or share personal data with advertisers or data brokers. Your resume content is used only to operate the Service for you.

1. Who We Are

LegendCV is a UK-based AI resume and career platform. For any privacy enquiry, contact privacy@legendcv.com.

2. Data We Collect

We collect the following categories of personal data:

Account data
Email address, hashed password or Google OAuth identifier, display name, profile picture (if provided by Google).
Resume & career data
Information you enter or upload — name, contact details, employment history, education, skills, certifications and any documents you upload (PDF, DOCX).
Billing data
Subscription status, plan, billing interval and Stripe customer ID. Full payment card details are handled directly by Stripe and never reach our servers.
Communications
Messages you send via the contact form or to our support inboxes (hello@, support@, partners@, admin@, marketing@legendcv.com).
Technical data
IP address, user-agent, device and browser information, approximate location derived from IP, log timestamps, and error diagnostics.
Usage data
Pages visited, features used, button clicks, and aggregated performance metrics.

3. How We Use Your Data and Legal Bases

PurposeLegal basis (UK GDPR)
Provide and operate the Service (build, store, export resumes)Contract (Art. 6(1)(b))
Authenticate and secure your accountContract / Legitimate interests
Process payments and manage subscriptionsContract
AI processing of your content (rewriting, ATS scoring, cover letters)Contract
Service emails, security alerts, billing receiptsContract / Legal obligation
Product analytics and improvementLegitimate interests
Marketing emails (only if you opt in)Consent (Art. 6(1)(a))
Fraud prevention, abuse detection, legal complianceLegitimate interests / Legal obligation

4. AI Processing

When you use AI features (resume rewriting, ATS scoring, cover-letter generation, job-match analysis, LinkedIn optimisation, voice transcription), the relevant content is transmitted to AI model providers via the Lovable AI Gateway solely to generate the requested output. AI providers process the content under contractual data-processing terms and do not use your content to train third-party models. AI outputs may be inaccurate; you remain responsible for reviewing them.

How AI works
Your prompts and selected resume content are sent to an AI provider through our gateway to generate the response you asked for — and only that.
What data is sent
Only the input required for the feature you triggered — for example the resume you are rewriting or the job description you are matching.
What is stored
Generated outputs are saved against your account so you can review and reuse them.
What is NOT stored
AI providers do not train third-party models on your content. We do not share resume data with advertisers or sell it to anyone.
AI providers do not use your content to train third-party models.
AI processing is performed under contractual data-processing terms and used only to generate the output you requested.

5. Subprocessors

We share personal data with the following subprocessors, only as necessary to provide the Service:

  • Supabase — database, file storage, authentication infrastructure (EU region).
  • Google LLC — Google OAuth sign-in (only if you choose Google login).
  • Stripe Payments Europe, Ltd. — payment processing and subscription management.
  • Cloudflare, Inc. — CDN, DNS, WAF, DDoS protection, bot mitigation.
  • Zoho Corporation (Zoho Mail) — transactional, support and team email.
  • Lovable — application hosting and AI gateway infrastructure.
Payment cards are processed directly by Stripe.
Card numbers, CVCs and expiry dates never reach LegendCV servers — they are handled by Stripe's PCI-DSS certified environment.

Some subprocessors may transfer data outside the UK/EEA. Such transfers are protected by Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or equivalent safeguards.

6. Cookies and Analytics

We use strictly necessary cookies for authentication and security, and limited analytics cookies to improve the Service. Full details, categories, and how to manage your preferences are in the Cookie Policy. Where required by law, we ask for your consent before setting non-essential cookies.

7. Data Retention

  • Account & resumes: retained while your account is active.
  • After account deletion: resumes and personal data are deleted within 30 days; encrypted backups are purged within a further 30 days.
  • Billing records: retained for 7 years to comply with UK tax and accounting law.
  • Contact form messages: retained for up to 24 months unless required longer for legal or support reasons.
  • Security logs: retained for up to 12 months.

8. Security

We use HTTPS/TLS in transit, encryption at rest at our infrastructure providers, role-based access controls, row-level security in the database, Cloudflare WAF and bot protection, rate-limiting on sensitive endpoints, and audit logging. No system is 100% secure; you must keep your credentials confidential.

9. Your Rights (UK GDPR)

You have the right to:

  • access your personal data;
  • rectify inaccurate data;
  • erase your data ("right to be forgotten");
  • restrict or object to processing;
  • data portability (export your resumes as JSON/PDF/DOCX);
  • withdraw consent at any time (where processing is based on consent);
  • lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
Access my data
Request a copy of the personal data we hold about you, with the categories and sources used.
Download my data
Export your resumes and account data as JSON, PDF or DOCX at any time from your account.
Delete my data
Close your account from settings — we delete resumes and personal data within 30 days.
Manage consent
Update your marketing, analytics and region preferences any time from your account settings.
Contact privacy team
Email privacy@legendcv.com and we respond within 30 days.
Lodge a complaint
You may lodge a complaint with the UK ICO if you believe your data has been mishandled.

To exercise any right, email privacy@legendcv.com. We respond within 30 days.

10. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact privacy@legendcv.com and we will delete it.

11. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified by email or in-app notice. The "Last updated" date above always reflects the latest version.

12. Contact

LegendCV — United Kingdom
Privacy enquiries: privacy@legendcv.com
General: hello@legendcv.com

Why professionals trust LegendCV

Built with privacy, security and AI transparency in mind.

  • UK GDPR Aligned
    Processed under UK GDPR and the Data Protection Act 2018.
  • Secure Authentication
    Email/password with hashing, plus Google OAuth.
  • Encrypted Storage
    TLS in transit, encryption at rest at infrastructure providers.
  • Stripe Payments
    Card details handled by Stripe — never reach our servers.
  • AI Transparency
    AI providers do not train third-party models on your content.
  • User Data Control
    Access, export and delete your data from your account.
Terms of Service
The rules for using LegendCV.
Cookie Policy
Cookies and similar technologies we use.
Acceptable Use
What's allowed — and what's not.
AI & Data Processing
How LegendCV uses AI responsibly.