Privacy Policy

Last updated: March 2026 · business@nextry.app

1. Who We Are

CVPass is operated by NexTry Oy (Y-tunnus: 3361604-7), Ketokivenkaari 20, 00710 Helsinki, Finland. Contact: business@nextry.app. We are the data controller for personal data processed through this service.

2. Legal Basis for Processing (GDPR Art. 6)

We process your personal data on the following legal grounds:

• Contract performance (Art. 6(1)(b)) — processing your resume to provide the analysis service you requested, managing your account and subscription
• Legitimate interest (Art. 6(1)(f)) — maintaining service security, preventing fraud, aggregated analytics to improve the service
• Legal obligation (Art. 6(1)(c)) — tax and accounting records for payments
• Consent (Art. 6(1)(a)) — marketing communications (you can withdraw consent at any time)

3. What Data We Collect

Account data: email address, hashed password, subscription status.

Resume data: the content of resumes you upload for analysis. This is processed to generate match scores and tailored versions.

Usage data: number of checks used, timestamps, job descriptions you paste (not stored after session unless saved by you).

Payment data: payments are handled entirely by Stripe. We never see or store your card details.

Technical data: IP address, browser type, and basic analytics to maintain and improve the service.

4. How We Use Your Data

• To provide resume analysis and generate tailored resumes
• To manage your account and subscription
• To send transactional emails (account confirmation, receipts)
• To maintain and improve service quality (aggregated, anonymised statistics only)
• To comply with legal obligations

5. Resume Data Handling

Your resume is processed in memory to generate results. It is not stored on our servers after your session ends unless you explicitly save it to your account. Saved resumes can be deleted at any time from your account settings.

We do not use your resume content to train any AI models. Your resume text is sent to the AI provider (Anthropic) solely for real-time analysis and is not retained by them for training purposes.

6. Data Sharing and International Transfers

We do not sell or rent your personal data. We share data only with the following processors:

• Stripe, Inc. (USA) — payment processing. Stripe is certified under the EU-US Data Privacy Framework. Stripe Privacy Policy
• Anthropic, PBC (USA) — AI inference for resume analysis. Your resume text is sent via API for real-time processing only and is not stored or used for model training. Data transfer is governed by Standard Contractual Clauses (SCCs) under Anthropic's Data Processing Agreement. Anthropic Privacy Policy
• Webdock.io (EU) — cloud hosting. All application data is stored on servers located in the European Union.

For transfers to the USA (Stripe, Anthropic), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) and have assessed the transfer risks in accordance with the Schrems II ruling.

7. Your Rights (GDPR)

If you are in the EU or EEA, you have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Delete your account and all associated data
• Export your data in a portable format
• Object to or restrict processing
• Lodge a complaint with your local data protection authority

To exercise any of these rights, email business@nextry.app. We will respond within 30 days.

8. Data Retention

Account data is retained for as long as your account is active. After account deletion, all personal data is permanently removed within 30 days. Anonymised usage statistics may be retained indefinitely.

9. Security

We use encryption in transit (HTTPS/TLS) and at rest for all stored data. Access to production systems is restricted to authorised personnel only. We conduct regular security reviews.

10. Cookies

We use essential cookies for authentication and session management. We do not use advertising or tracking cookies. You can disable cookies in your browser, but this may affect service functionality.

11. Children

CVPass is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy. We will notify you by email at least 14 days before significant changes take effect. The current version is always available at cvpass.nextry.app/privacy.

13. Contact

For privacy questions or to exercise your rights: business@nextry.app