Privacy policy
Last updated: May 15, 2026
ShotCV respects your privacy and strictly applies GDPR (EU 2016/679) and the French Data Protection Act. This page details what we collect, why, for how long, and who has access.
1. Data collected
Account: email, password (argon2id-hashed), first and last name, phone, address (optional). Source CV: text of your uploaded CV. Applications: pasted job ads + optimised CVs + generated letters. Payment data: card managed by Stripe (we store no card number). Anonymized technical logs (truncated IP, user-agent). Pro photo selfies: only if you buy a photo pack.
2. Retention periods
Source CV, applications, optimised CVs and letters: 12 months after your last account activity (then automatic deletion). Account (email, profile): as long as your account exists. Account deletion (Settings → Security → Delete my account): IMMEDIATE erasure of all this data + automatic Stripe cancellation. Raw photo selfies: deleted 24h after generation. Generated photos: 30 days then permanent deletion. Invoices: 10 years (legal accounting obligation).
3. Your rights
Access, rectification, objection, erasure, portability, restriction: exercise these rights anytime from Settings → Security, or by writing to dpo@shotcv.fr. Response within 30 days. GDPR data export available on request. You may also lodge a complaint with the CNIL (cnil.fr).
4. Data Protection Officer
Arnaud Guéras acts as DPO. Contact: dpo@shotcv.fr.
5. Subprocessors
Anthropic (AI CV boost + letters, USA — EU-US standard contractual clauses, data NOT used for training). Stripe (payment + subscription portal, USA — SCC). Resend (transactional emails, EU region). Hetzner (server hosting, Germany). Backblaze B2 (file storage, EU region — Germany). Replicate (AI photos, USA — SCC, only for photo packs). Google Gemini (single-shot Solo photo, USA — SCC). No other subprocessor.
6. Cookies
Strictly necessary session cookie for authentication (`shotcv_session`, HMAC-signed, 30 days, not subject to CNIL consent). First-party analytics only (self-hosted Umami, no tracking cookie, no cross-site tracking). No third-party cookies, no advertising trackers, no Facebook/Google pixel.