Privacy Policy — CVHelp
Last updated: 4 July 2026 · Version: 1.0
CVHelp ("we", "us", "the service") helps immigrants and expats in Norway tailor their CV and application letter (søknad) to the Norwegian job market. This policy explains what personal data we process, why, on what legal basis, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR), which applies in Norway through the EEA agreement.
1. Who is responsible (data controller)
The data controller is:
- Pavlo Larichev (private individual / enkeltperson; business registration in progress)
- Kong Oscars Gate, 5017 Bergen, Norway
- Contact: personvern@cvhelp.no
If you believe we process your data unlawfully, you may contact us at the address above or lodge a complaint with the Norwegian supervisory authority, Datatilsynet (datatilsynet.no).
2. What data we process, why, and on what legal basis
2.1 Account data
| Data | Source | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|---|
| Email address | You / Google login | Login, email verification, service messages | Contract 6(1)(b) |
| Name | You / Google login | Identify your account | Contract 6(1)(b) |
| Password (hashed, never plaintext) | You (email signup) | Authentication | Contract 6(1)(b) |
| Profile image URL | Google login (optional) | Display in the app | Contract 6(1)(b) |
| Login provider + OAuth tokens | Google (if you use Google login) | Keep you signed in | Contract 6(1)(b) |
| Session token, IP address, browser user-agent | Automatic on login | Keep you signed in, security | Legitimate interest 6(1)(f) — account security |
| Plan (free / paid) and usage counters | Automatic | Enforce the free-tier limit and your subscription | Contract 6(1)(b) |
2.2 CV and job-posting content — not stored
The text of your CV and the job posting you paste (or the PDF you upload) is the most sensitive data you give us. We do not store it. It is held only in memory for the seconds it takes to produce your analysis, sent to our AI provider to generate the result, and then discarded. It is never written to our database. See section 3 for where it is sent during processing.
A CV can contain special categories of data under GDPR Art. 9 (for example a photo, health information, trade-union membership, religion or ethnic origin). You control what you include. We strongly recommend removing photos and any sensitive details before uploading — they are not needed for the analysis and Norwegian CVs normally do not include them. We process the content you choose to submit only to deliver the analysis you requested, based on your request (contract, Art. 6(1)(b)) and, for any special-category data you choose to include, your explicit consent (Art. 9(2)(a)) given via the consent checkbox at submission.
2.3 Payment data
Subscriptions (49 NOK/month) are handled by Stripe. We never see or store your full card number — Stripe processes the payment and gives us only a customer reference and your subscription status. Legal basis: contract 6(1)(b); and legal obligation 6(1)(c) for accounting records.
3. Who we share data with (processors) and where it goes
We use the following processors. We do not sell your data or use it for advertising.
| Processor | Purpose | Data sent | Location / transfer mechanism |
|---|---|---|---|
| Neon (Postgres database) | Store account data | Account data (§2.1) | EEA — Frankfurt. No transfer out of the EEA. |
| Vercel | Hosting the website | Requests, IP address | EEA — Frankfurt region (fra1). |
| Google | Optional "Sign in with Google" | Email, name, profile image | USA — certified under the EU-US Data Privacy Framework (DPF). |
| Resend | Verification and account emails | Email address | USA — EU Standard Contractual Clauses (SCCs) per Resend's DPA; also DPF-certified. |
| Stripe | Payments and subscriptions | Name, email, payment details, customer reference | USA — certified under the EU-US Data Privacy Framework (DPF). |
| DeepSeek | AI analysis of your CV and the job posting (primary provider) | The CV and job-posting text you submit | China — see the transfer notice below. |
| Anthropic (Claude) | AI analysis (alternative provider) | The CV and job-posting text you submit | USA — certified under the EU-US Data Privacy Framework (DPF). |
⚠️ Transfer notice — DeepSeek (China)
Our primary AI provider, DeepSeek, is based in the People's Republic of China. There is no EU adequacy decision for China, and DeepSeek does not currently offer EU Standard Contractual Clauses. This means the protections of the GDPR do not travel with your data there: Chinese authorities may have legal access to data processed on Chinese infrastructure, and you may not have effective legal remedies in China.
Because of this, we send your CV and job-posting text to DeepSeek only with your explicit, informed consent (GDPR Art. 49(1)(a)), which you give via the consent checkbox each time you request an analysis. Before consenting, consider:
- Do not include photos, national ID numbers, health details, or other sensitive information in the CV text you submit — the analysis does not need them.
- Your content is sent for one-time processing and is not stored by us; DeepSeek's own retention is governed by DeepSeek's privacy policy.
- If you do not consent, you cannot use the analysis feature — the AI processing is the service.
4. How long we keep data
| Data | Retention |
|---|---|
| CV / job-posting content | Not stored — discarded immediately after processing |
| Account data | Until you delete your account, then removed within 30 days |
| Usage counters | Life of the account |
| Payment records | 5 years, as required by the Norwegian Bookkeeping Act (bokføringsloven) |
| Session / login records | Lifetime of the session |
5. Your rights
Under GDPR you have the right to:
- Access the data we hold about you;
- Rectify inaccurate data;
- Erasure ("right to be forgotten") — delete your account and associated data;
- Restrict or object to processing;
- Data portability — receive your account data in a machine-readable format;
- Withdraw consent at any time, where processing is based on consent (this does not affect processing already carried out);
- Lodge a complaint with Datatilsynet (datatilsynet.no).
To exercise any of these, contact personvern@cvhelp.no. We respond within one month.
Because we do not store your CV or job-posting content, there is nothing for us to return or delete in respect of that content — it never persists beyond your request.
6. Security
Data is transmitted over HTTPS/TLS. Passwords are hashed. The database is hosted in the EEA with access restricted to the service. We enforce a strict Content-Security-Policy and standard security headers. No system is perfectly secure, but we take measures appropriate to the sensitivity of the data — above all by not storing your CV at all.
7. Cookies
We use a strictly necessary session cookie to keep you signed in. We do not use advertising or third-party tracking cookies, and we do not use analytics cookies.
8. Children
The service is intended for adults in the job market and is not directed at children under 16.
9. Changes to this policy
We may update this policy. Material changes will be announced in the app or by email. The "Last updated" date at the top reflects the current version.
10. Contact
Pavlo Larichev · Kong Oscars Gate, 5017 Bergen, Norway · personvern@cvhelp.no