Privacy Policy

Last updated: 31 May 2026

This policy describes how QuickCV ("we", "our", "the app") handles your information. We've written it in plain English because we want you to actually read it.

QuickCV is operated from Ireland. We've designed the app and this policy with the EU General Data Protection Regulation (GDPR) in mind.

Quick summary

We've tried to make QuickCV one of the most privacy-respecting CV apps you can use. The short version:

• Your CV content lives on your device and in your own iCloud. We don't have access to it.
• AI features briefly send your CV content to Google's Vertex AI for processing. Nothing is stored on our servers.
• We don't have user accounts. We can't identify you because we never know who you are.
• We don't sell data, share it with advertisers, or use it to train AI models.
• We don't use third-party analytics or tracking SDKs.
• One-time purchases. No subscription. Apple handles all payment.

The rest of this document explains the details.

Who's responsible for your data

QuickCV is operated by ZBR Technologies, based in Ireland. For privacy questions or data requests, contact [email protected].

Under GDPR, ZBR Technologies is the data controller for the limited data we process (analytics events and App Attest device records). For CV content stored in your iCloud, Apple is the processor and you control access. For CV content sent to Vertex AI for processing, we use Google Cloud as a sub-processor under standard data-processing terms.

What we collect

CV content you enter or import

When you build or import a CV, QuickCV stores on your device (and in your private iCloud — see below) the text you enter: your name, contact details, work history, education, skills, professional summary, target role, and cover letter content. This content is entered voluntarily by you and remains yours.

Analytics events

The app records a small set of anonymous usage events to help us understand how the app is used and to fix problems:

• app_launched
• new_cv_started (with path: scratch / import / duplicate)
• section_completed (section name only — e.g. "experience", not section contents)
• ai_polish_completed
• export_attempted
• export_successful
• paywall_reached
• purchase_completed
• renewal_completed

No CV content, name, email, or any personally identifiable information is included in these events. Events are batched and sent to our analytics endpoint when a batch of 10 is reached or when the app moves to the background.

Device attestation

We use Apple's App Attest framework to verify that requests to our backend come from genuine QuickCV installations on real Apple devices (not scripts or modified copies). This involves generating a device-specific cryptographic key pair. The public key is registered with us; the private key never leaves your device's Secure Enclave. No personal information is associated with this key — it's a random per-installation identifier.

Diagnostics

If the app crashes, Apple's MetricKit framework collects diagnostic information (a crash trace, performance metrics) and makes it available to us through Xcode Organizer. These reports do not contain CV content and are not transmitted to our servers — Apple is the processor.

How your data is used and where it goes

Local and iCloud storage

Your CVs are stored using SwiftData on your device. If you are signed in to iCloud, they sync automatically to your private iCloud CloudKit database, which is associated with your Apple ID. We have no access to your iCloud data — Apple is the processor for this. See Apple's Privacy Policy.

AI processing (Vertex AI / Gemini)

When you use AI features (parse imported PDF, keyword match, gap detection, polish content, generate summary, generate cover letter), your CV content and target role are sent over HTTPS to our Cloud Function backend (hosted on Google Cloud, region: europe-west1), which passes them as a stateless request to Google's Vertex AI (Gemini 2.5 Flash) for processing.

This is a stateless pass-through. We do not store your CV content on our servers. The request is forwarded, the AI response is returned to your device, and nothing is retained on our side.

We minimise what we send. For all AI calls other than parse-resume, our system strips out your personal contact information (name, email, phone, address) before sending the content to Vertex AI. The contact info stays on your device; only your professional content (work history, education, skills, summary) is processed.

For parse-resume specifically (when you import an existing PDF), we send the full extracted text because that's the only way to identify what's in the PDF. The parsed result returns to your device and the request is not retained.

Google Cloud / Vertex AI acts as a sub-processor for this processing. Data is processed in the EU (europe-west1, in Belgium). See Google Cloud's Privacy Notice and Vertex AI's data governance terms.

Lawful basis under GDPR: our lawful basis for processing your CV content through Vertex AI is performance of a contract (GDPR Article 6(1)(b)) — you provide the content to use the AI-assisted CV-building service you purchased. We do not rely on consent, because consent would imply you could withdraw it while continuing to use the service. If you don't want your CV content processed by AI, simply don't use the AI features — the rest of the app (manual editing, export) works fully without them.

Purchases

All purchases are handled by Apple via StoreKit. We receive only receipt validation results (product ID, purchase date, transaction ID). We never see your payment card details, address, or any other payment information. See Apple's Privacy Policy.

Backend logs

Our Cloud Function logs contain operational metadata for each request: the action name (e.g. "detect-gaps", "polish-content"), a per-device rate-limit counter, error codes, and aggregate metrics such as input and output character counts, the number of keywords or gaps processed, the cover-letter tone selected, and the StoreKit transaction ID for purchase validation. They contain no CV text, no AI response content, no personal contact information, and no personally identifiable information. Logs are retained for 30 days per Google Cloud's default policy and are used only for debugging, operational health, and abuse prevention.

Backend records

Our backend keeps two small types of persistent records, both keyed by your device's App Attest identifier (a cryptographically random per-installation reference — not your Apple ID, name, or email):

• Device attestation records. When you first use an AI feature, our backend stores your device's App Attest public key and a counter used to prevent replay attacks. The record contains the public key, a counter value, your bundle identifier, and timestamps. It does not contain any personal information or CV content.
• Rate-limit counters. To prevent abuse, we count AI requests per device per day. The record contains the device reference, the date, and a count. No content is stored.

These records are retained for the lifetime of your app installation. If you delete the app, the App Attest key on your device is destroyed and the records on our end become unreachable but remain in our database. You can request their deletion by emailing us at [email protected] — we will action requests within 30 days.

What we do NOT do

• We do not sell your data to anyone.
• We do not use your CV content to train AI models.
• We do not share your data with advertisers.
• We do not use third-party analytics SDKs (no Firebase Analytics, Mixpanel, Amplitude, Segment, or similar).
• We do not use cross-app tracking, the IDFA, or any other tracking identifier.
• We do not collect location data.
• We do not access your device's Contacts, Photos, or other sensitive data outside what you explicitly provide in your CV.

International data transfers

When you use AI features, your CV content is sent to Google's Vertex AI service. Although the processing region is set to europe-west1 (Belgium), Google Cloud is a US-headquartered company and data may transit infrastructure outside the EU. International transfers from the EU are made under appropriate safeguards, including the EU-US Data Privacy Framework (where Google participates) and Standard Contractual Clauses where applicable.

If you do not want your CV content processed under these arrangements, you can use QuickCV without using the AI features — the app's manual editing and export functions work fully offline.

Your rights under GDPR

If you are in the EU, UK, or another GDPR-equivalent jurisdiction, you have the following rights under data protection law:

• Right of access (Article 15): you can request a copy of the personal data we hold about you. For QuickCV this is limited to your App Attest device record and rate-limit counters.
• Right to rectification (Article 16): you can request correction of inaccurate data.
• Right to erasure / "right to be forgotten" (Article 17): you can request deletion of your data.
• Right to restriction of processing (Article 18): you can ask us to stop processing your data while a complaint or dispute is resolved.
• Right to data portability (Article 20): you can request your data in a portable format.
• Right to object (Article 21): you can object to our processing of your data.
• Rights related to automated decision-making (Article 22): QuickCV does not make automated decisions that legally or significantly affect you. AI-suggested CV content is informational; you decide what to keep.

To exercise any of these rights, contact us at [email protected]. We will respond within one month, as required by GDPR.

You also have the right to lodge a complaint with a supervisory authority. In Ireland, this is the Data Protection Commission (DPC) at www.dataprotection.ie. If you are in another EU member state, you may complain to your local supervisory authority.

Deleting your data

To delete all your CV data:

1. Delete the QuickCV app from your device. This removes all locally-stored CVs, the App Attest key, and all app data on your device.
2. Remove its iCloud data: Settings → [Your Name] → iCloud → Manage Storage → QuickCV → Delete Data. This removes your CVs from your private iCloud database.

After these two steps, no CV content of yours exists anywhere — not on your device, not in your iCloud, and not on our servers (since AI processing is stateless and we never stored your CV).

If you also want our small backend records (the device attestation key and any rate-limit counters from your usage) deleted, email [email protected]. We will action such requests within 30 days. The same applies to any anonymous analytics events from your installation, although these are automatically deleted after 30 days regardless.

Children

QuickCV is not directed at children under 16. We do not knowingly collect personal information from children under 16. If we learn that a child under 16 has provided personal information, we will delete it.

Security

We use industry-standard security practices to protect data in transit and at rest:

• All communication with our backend is over HTTPS with TLS 1.2+.
• Apple's App Attest verifies that backend requests come from genuine app installations.
• Backend infrastructure runs on Google Cloud with Google's standard security controls.
• We use the principle of least privilege for backend access.

No system is perfectly secure, but we take reasonable care commensurate with the limited sensitivity of the data involved.

Changes to this policy

We may update this policy as the app evolves or as data protection requirements change. The "Last updated" date at the top will reflect any material changes. We will notify users of significant changes via an in-app notice. Continued use of the app after changes constitutes acceptance.

Contact

For any privacy questions, data subject requests, or general questions about this policy:

Email: [email protected]

We will respond within one month of receiving a request, as required by GDPR. For most requests, we respond much faster than that.