Privacy Policy
Last updated: February 17, 2026
The French version of this document is legally binding.
This privacy policy describes how LeCV (accessible at lecv.app) collects, uses, and protects your personal data in compliance with the General Data Protection Regulation (GDPR) and French data protection law.
1. Data Controller
- Name: Gabriel Gauffre
- Address: 18 rue Louis David, 93170 Bagnolet, France
- Email: support@lecv.app
2. Data Collected
We collect the following categories of data:
2.1. Account Data
- Name, email address, password (hashed)
- For Google OAuth users: name and email provided by Google
2.2. CV and Cover Letter Data
- Personal information entered (civil status, contact details, photo)
- Professional experience and education
- Skills, languages, interests
- Cover letter content
2.3. Payment Data
- Stripe customer ID
- Pass type and expiration date
- Banking information is processed exclusively by Stripe and is never stored on our servers
2.4. Technical Data
- IP address (for rate limiting and security)
- Session cookies
3. Purposes and Legal Basis
| Purpose | Legal Basis |
|---|---|
| Account creation and management | Performance of contract |
| CV and cover letter generation | Performance of contract |
| AI-powered content improvement | Performance of contract |
| Payment processing | Performance of contract |
| Transactional emails (verification, password reset) | Performance of contract |
| Security and abuse prevention (rate limiting) | Legitimate interest |
4. Use of Artificial Intelligence
LeCV uses the OpenAI API (GPT-5 model) to provide writing assistance features:
- Express CV fill from a free-text description
- Enhancement of work experience descriptions
- Generation of professional profiles and skills
- Cover letter generation
- Job ad analysis
When you use these features, relevant data from your CV (experience, skills, target position) is sent to the OpenAI API for processing. OpenAI does not retain data sent through its API and does not use it to train its models (in accordance with their API data policy).
Transfers to OpenAI (United States) are governed by the European Commission's Standard Contractual Clauses (SCCs).
5. Data Recipients
Your data may be shared with the following processors:
| Processor | Role | Country |
|---|---|---|
| Vercel | Application hosting | United States |
| Neon | PostgreSQL database | United States |
| OpenAI | AI processing (content generation) | United States |
| Stripe | Payment processing | United States |
| Resend | Transactional email delivery | United States |
| OAuth authentication (optional) | United States | |
| Cloudflare | DNS and domain protection | United States / Global |
6. International Transfers
Our processors are primarily located in the United States. These transfers are governed by:
- The EU-US Data Privacy Framework (for certified processors)
- The European Commission's Standard Contractual Clauses (SCCs)
7. Data Retention
| Data | Retention Period |
|---|---|
| User account | Until account deletion by the user |
| CVs and cover letters | Until deletion by the user or account deletion |
| Payment data (Stripe ID) | Duration of account + legal accounting obligations |
| Technical logs (IP) | In-memory only, not persisted |
| Email verification tokens | 24 hours |
| Password reset tokens | 1 hour |
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access: obtain a copy of your data
- Right to rectification: correct inaccurate data
- Right to erasure: request deletion of your data
- Right to restriction: restrict the processing of your data
- Right to data portability: receive your data in a structured format
- Right to object: object to the processing of your data
- Right to withdraw consent: at any time, when processing is based on consent
- Right to lodge a complaint: with the CNIL (www.cnil.fr)
To exercise these rights, contact us at support@lecv.app. We will respond within one month.
9. Cookies
For more information about cookies used by LeCV, see our cookie policy.
10. Security
We implement appropriate technical and organizational measures to protect your data:
- HTTPS encryption for all communications
- Password hashing (bcrypt)
- CSRF tokens for form protection
- Rate limiting on sensitive endpoints
- Input validation and sanitization
- SSRF protection on scraping features
- Security HTTP headers (CSP, X-Frame-Options, etc.)
11. Minors
LeCV is intended for persons aged 18 and over. We do not knowingly collect data from minors. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@lecv.app.
12. Changes
We may update this privacy policy. In case of substantial changes, we will notify users by email or through a visible notice on the site. The date of last update is indicated at the top of this page.
13. Contact
For any questions about this privacy policy or your personal data, contact us at: support@lecv.app.