Privacy Policy
1. Introduction
This Privacy Policy explains how Daniel Youssef, an individual based in Egypt with address at Tanta First District, Gharbia Governorate, Egypt ("we", "us", "our", or "CV Foundry") collects, uses, stores, shares, and protects your personal information when you use the CV Foundry mobile application and related services (the "Service").
By using the Service, you acknowledge that you have read and understood this Privacy Policy. This Privacy Policy is incorporated into our Terms of Use and uses defined terms from those Terms.
If you do not agree with this Privacy Policy, you must not use the Service.
2. Who We Are (Data Controller)
For the purposes of the General Data Protection Regulation (EU GDPR), the UK GDPR, the Egyptian Personal Data Protection Law (Law No. 151 of 2020), and other applicable data protection laws, the data controller of your personal information is:
- Name: Daniel Youssef (operating as CV Foundry)
- Address: Tanta First District, Gharbia Governorate, Egypt
- Contact: contact@cvfoundry.app
We do not currently have a Data Protection Officer (DPO) but you can direct any privacy-related inquiries to the contact above.
3. Information We Collect
We collect only the information necessary to provide the Service. We organize what we collect into the following categories.
3.1 Information You Provide Directly
Account information (collected when you sign up):
- Email address
- First name and last name (optional)
- Profile photo (optional)
- Language preference
- Confirmation of your age (you must confirm you are at least 16 years old)
- Acceptance of these Terms and this Privacy Policy
CV content (information you enter into your CVs):
- Personal contact details: full name, email, phone number, postal address (street, city, state, postal code, country)
- Optional personal details: date of birth, gender, marital status, photograph
- Professional information: work experience, education, certifications, awards, patents, publications, projects, skills, languages, interests, references, professional affiliations, volunteer work, links to professional profiles
- Availability and employment preferences (such as current availability, employment type, work authorization, willingness to relocate, and a short availability summary)
- Headline and professional summary
Settings and preferences:
- Notification preferences (email notifications on/off, push notifications on/off)
- Theme preference (light/dark, stored on your device only)
- Language and text direction (left-to-right / right-to-left) preference
Feedback you submit:
- Any messages, suggestions, or issue reports you choose to send us through in-App feedback features, together with your Account identifier so we can follow up if needed
3.2 Information Collected from Third Parties
If you sign in using Google Sign-In or Apple Sign-In, we receive from the provider:
- A unique provider-issued identifier
- Your email address (as registered with that provider)
- Your display name and, where available, given/family name
- Basic profile data the provider chooses to share with us
We do not receive your password from these providers.
3.3 Information Collected Automatically
When you use the Service, we automatically collect:
Authentication data:
- One-time passwords (OTPs) for email verification (stored temporarily, expires within 5 minutes)
- Authentication tokens (issued to your device only)
- Session metadata (device descriptor, last activity timestamp)
Device and technical data:
- Push notification token (provided by Apple or Google to enable us to send notifications to your device)
- Device platform (iOS or Android), device model, application version
- A device identifier used to manage notifications
Usage and security data:
- IP address (used temporarily for rate limiting and abuse prevention; not stored long-term)
- Counts of failed authentication attempts (used to prevent automated abuse)
- Timestamps of significant actions (login, account creation, subscription events)
3.4 Subscription and Payment Information
If you purchase a subscription, the App Store (Apple or Google) handles your payment. We do not receive or store your credit card number, bank account details, or full payment credentials.
We do receive and store, from the App Store:
- A subscription transaction identifier
- A purchase token (Google Play) or original transaction ID (Apple)
- Subscription product, subscription status (such as active, expired, cancelled, or paused), start date, and expiry date
- The platform (Apple or Google) and country of purchase
- The amount and currency of the purchase (for our internal records)
4. How We Use Your Information
We use your information only for the purposes described below. For each purpose, we identify the legal basis on which we rely.
| Purpose | Categories of Data Used | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Provide and operate the Service (CV creation, editing, PDF export, region-aware formatting) | Account info, CV content, settings | Performance of a contract |
| Authenticate you and secure your Account | Email, OTP, social provider IDs, session data | Performance of a contract |
| Process and manage your subscription | Subscription data, account info | Performance of a contract |
| Send transactional emails (verification codes, account notices, subscription receipts) | Email address | Performance of a contract |
| Send optional notification emails (where you opt in) | Email, preferences | Your consent |
| Deliver push notifications (where you enable them) | Device token, preferences | Your consent |
| Detect, prevent, and respond to abuse, fraud, and security incidents | IP address, authentication metadata, rate-limit counters | Our legitimate interest in protecting the Service and our users |
| Comply with legal obligations (e.g., tax records, responding to lawful requests) | Subscription and transaction data | Legal obligation |
| Communicate with you about important changes to the Service or these policies | Performance of a contract / Legitimate interest | |
| Respond to feedback, suggestions, or issue reports you submit | Feedback content, account identifier | Performance of a contract / Legitimate interest |
We do not use your information for advertising. We do not sell your information. We do not use your information for automated decision-making that produces legal or similarly significant effects on you.
5. Special Category Data (Sensitive Data)
When you choose to include details such as date of birth, gender, marital status, or a photograph in your CV, you are voluntarily providing data that some laws classify as sensitive. We process this information only because you have chosen to include it in your CV and have provided your explicit consent by entering it. This information is encrypted at rest using AES-256-GCM, the same standard we apply to other personal identifying information. You can remove or edit this data at any time from within the App.
You are never required to include these fields. CVs created without them remain fully functional.
6. How We Share Your Information
We share your information only with the categories of recipients described below. We do not sell your personal information to anyone.
6.1 Service Providers (Sub-Processors)
We use a small number of trusted third-party providers to operate the Service. Each one processes data only on our instructions and only for the purposes described.
| Provider | Role | Data Processed | Location |
|---|---|---|---|
| Resend (resend.com) | Sends transactional and notification emails on our behalf | Your email address; content of the email (e.g., verification code, account notice) | United States |
| Cloudflare R2 | Stores uploaded files (CV photos, generated PDFs, thumbnails) | The file contents and a storage path that includes your account identifier | Global (Cloudflare network) |
| Firebase Cloud Messaging (Google) | Delivers push notifications to your device | Push notification token; notification title and body | Global (Google infrastructure) |
6.2 Authentication Providers
If you choose to sign in with Google or Apple, the relevant provider receives information about your sign-in attempt as part of the standard OAuth flow. Their handling of your data is governed by their own privacy policies:
6.3 App Stores (Payment Processors)
When you purchase a subscription, Apple (App Store) or Google (Google Play) processes the payment. They share with us only the transaction information necessary to grant you access to premium features, as described in Section 3.4. Their privacy policies apply to your payment data:
6.4 Legal and Safety Disclosures
We may disclose your information when we believe in good faith that disclosure is necessary to:
- Comply with a valid legal process (court order, subpoena, lawful government request)
- Enforce our Terms of Use
- Protect the rights, property, or safety of CV Foundry, our users, or others
- Investigate or prevent fraud, security incidents, or illegal activity
6.5 Business Transfers
If CV Foundry is involved in a merger, acquisition, restructuring, or sale of assets, your information may be transferred as part of that transaction. We will notify you (by email or in-App notice) before your information becomes subject to a different privacy policy.
7. International Data Transfers
CV Foundry is based in Egypt. Our service providers (Section 6.1) operate globally and may process your data in the United States, the European Union, or other jurisdictions.
Where we transfer personal data from the European Economic Area, the United Kingdom, or other jurisdictions with cross-border transfer restrictions, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses incorporated into our agreements with sub-processors, or equivalent mechanisms.
You can contact us at contact@cvfoundry.app to request more information about these transfer safeguards.
8. How Long We Keep Your Information
We retain your information only as long as necessary for the purposes described in this Privacy Policy.
| Category | Retention Period |
|---|---|
| Active Account data | While your Account is active |
| OTP (verification code) | Up to 5 minutes (then automatically deleted) |
| Authentication sessions | Up to 30 days from last activity |
| Rate-limit and abuse-prevention data (IP, counters, temporary bans) | Up to 6 hours |
| CV content | While the CV exists in your Account; permanently removed within 30 days of deletion (see Section 9) |
| Files in object storage (photos, PDFs, thumbnails) | Deleted within 30 days of CV or Account deletion |
| Subscription transaction records | Retained for as long as required by tax and accounting laws (typically up to 10 years under Egyptian law) |
| Push notification device tokens | Until you sign out, uninstall the App, or your Account is deleted |
| Pseudonymized records of deleted account | Retained for fraud-prevention, accounting, and legal-compliance purposes. Direct identifiers (such as your email address) are removed; encrypted internal identifiers may remain linked to records we are required to retain by law |
| Backups | Up to 90 days, then automatically purged |
When you delete your Account, we:
- Pseudonymize your email address (replace it with a non-identifying value) and mark your Account as deleted
- Delete your CV content
- Delete all files stored on your behalf in object storage (photos, generated PDFs, thumbnails)
- Delete your social sign-in records
- Delete your push notification tokens
- Retain subscription and transaction records as required accounting laws (typically up to 10 years). Where these records contain personal identifiers, those identifiers remain encrypted and access is restricted to authorized personnel or authorities entitled to receive them by law
This process completes within 30 days of your deletion request. Backups containing residual copies are purged within 90 days.
9. Your Rights
Depending on where you live, you may have some or all of the following rights regarding your personal data.
9.1 Rights Available to All Users
- Access — You can view your Account information and CV content at any time within the App. You can also request a complete export of your data (see Section 9.4).
- Correction — You can edit your Account information and CV content at any time within the App.
- Deletion — You can delete your Account at any time using the in-App "Delete Account" function. See Section 8 for what happens.
- Withdraw consent — You can disable notification emails or push notifications at any time from within the App's settings. You can withdraw consent to processing of CV special-category data (date of birth, gender, marital status, photo) by removing those fields from your CVs.
9.2 Additional Rights for Users in the EU, EEA, and UK (GDPR / UK GDPR)
In addition to the rights above, you have the right to:
- Object to processing based on our legitimate interest
- Restrict processing in certain circumstances
- Data portability — receive your data in a structured, commonly used, machine-readable format (provided via Section 9.4)
- Lodge a complaint with your local Data Protection Authority. In the UK, this is the ICO (https://ico.org.uk). In each EU/EEA country, the supervisory authority is listed at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
9.3 Additional Rights for California Residents (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect about you and how we use and share it
- Request deletion of your personal information
- Correct inaccurate personal information
- Opt out of the "sale" or "sharing" of personal information — we do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of
- Limit the use of sensitive personal information — to the extent we process such information, we use it only as described in Section 5
- Be free from discrimination for exercising these rights
In the 12 months preceding the date of this Privacy Policy, we have collected the categories of information described in Section 3 and disclosed them to the categories of recipients described in Section 6. We have not sold or shared personal information.
9.4 How to Exercise Your Rights
- View or edit your data — directly within the App
- Export your data — use the in-App "Export My Data" feature, which produces a complete machine-readable JSON file of your Account and CV data
- Delete your Account — use the in-App "Delete Account" feature
- All other requests — email contact@cvfoundry.app with a description of your request
We will respond to requests within 30 days (extendable by up to 60 additional days for complex requests, with notice to you). We may need to verify your identity before fulfilling certain requests; we will only ask for the minimum information necessary to do so.
You can exercise these rights free of charge, unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request, as permitted by law.
10. Children's Privacy
The Service is intended for users aged 16 and over, or the age of digital consent in your country if higher. We do not knowingly collect personal information from children under that age. We enforce this through an age confirmation step at sign-up.
If you believe that a child has provided us with personal information, please contact us at contact@cvfoundry.app and we will take prompt steps to delete the information and the associated Account.
11. How We Protect Your Information
We take the security of your personal information seriously and implement a range of technical and organizational measures, including:
- Encryption in transit — all communication between your device, the App, and our servers takes place over HTTPS (TLS)
- Encryption at rest — we use industry-standard AES-256-GCM encryption to protect personal identifying information stored in our database. This includes: your email address, first name, last name, profile photo, and the personal information you include in your CVs and references (full names, email addresses, phone numbers, addresses, cities, states, postal codes, dates of birth, gender, and marital status). It also includes authentication details returned by social sign-in providers (display name, email, raw provider profile data) and subscription transaction tokens (original transaction identifier, purchase token). Non-identifying CV content (such as job titles, company names, professional summaries, skills, and education entries) is stored without field-level encryption but is protected by strict access controls and accessible only over authenticated, encrypted connections
- Access controls — CV content and personal data are stored behind authenticated endpoints; only requests from your authenticated Account can read your data
- Service-to-service authentication — internal communication between our backend services requires a shared secret
- Webhook verification — payment notifications from Apple and Google are cryptographically verified before being acted upon
- Hashed identifiers for lookups — where we need to look up records without exposing the underlying data, we use one-way cryptographic hashes
- Short-lived authentication tokens — sign-in tokens have short lifetimes; long-lived sessions can be revoked
- Log sanitization — automated masking of sensitive values (verification codes, tokens, email addresses) in our system logs
- Rate limiting and abuse prevention — automated controls protect against brute-force attempts and abuse
- Standard security headers — modern security headers (HSTS, X-Frame-Options, Content Security Policy, and others) are applied across all web-facing services
No method of transmission or storage is 100% secure. While we work hard to protect your information, we cannot guarantee absolute security. If we become aware of a personal data breach that is likely to affect you, we will notify you and any relevant authorities as required by applicable law.
12. Cookies and Local Storage
Our mobile App does not use browser cookies. However, the App may store a small amount of information on your device (for example, your theme and language preferences, and authentication tokens needed to keep you signed in). This information stays on your device and is necessary for the App to function.
Our marketing website may use minimal local storage to remember your language and theme preferences. These are functional and do not track you across sites. We do not use third-party advertising or analytics cookies on our website.
13. Push Notifications
If you enable push notifications, we use Firebase Cloud Messaging (Google) to deliver them to your device. You can disable push notifications at any time from within the App settings or your device's system settings. Disabling push notifications does not delete your Account or any of your data.
14. Links to Third-Party Services
The App and our website may contain links to third-party websites or services (for example, links to professional profiles you include in your CV). We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you visit.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last updated" and "Effective date" at the top of this Privacy Policy
- We will increment the version number
- We will notify you at least 30 days before the changes take effect through an in-App notice, an email to the address on your Account, or both
Continued use of the Service after the new Privacy Policy takes effect constitutes your acceptance of the changes. If you do not agree to the changes, you must stop using the Service and may delete your Account.
We keep a record of the version of this Privacy Policy you accepted and when. We may ask you to re-accept the Privacy Policy if material changes occur.
16. Region-Specific Information
16.1 Egypt
We strive to comply with the Egyptian Personal Data Protection Law (Law No. 151 of 2020). You may exercise your rights of access, correction, and deletion through the methods described in Section 9, and you may contact the Egyptian Data Protection Center if you have a complaint.
16.2 European Economic Area, United Kingdom, and Switzerland
We rely on the legal bases described in Section 4 to process your personal data. You have the rights described in Section 9.2 and the right to lodge a complaint with your local supervisory authority.
16.3 California, United States
Please see Section 9.3 for your rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
16.4 Brazil
If you are in Brazil, we strive to comply with the General Data Protection Law (LGPD). You may exercise your rights of access, correction, pseudonymization, portability, and deletion through the methods described in Section 9, and you may contact the National Data Protection Authority (ANPD) if you have a complaint.
16.5 Other Jurisdictions
We strive to comply with applicable data protection laws in all jurisdictions where we offer the Service. If your jurisdiction provides specific rights not addressed above, please contact us to discuss them.
17. Contact Us
For any questions, concerns, complaints, or requests regarding this Privacy Policy or your personal information:
- Email: contact@cvfoundry.app
- Postal address: Tanta First District, Gharbia Governorate, Egypt
We aim to respond to all inquiries within 30 days.