CVAura Legal

Terms, privacy, and refund policies

These documents explain how CVAura services, billing, and data practices work.

Privacy Policy

Last updated: 19 April 2026

This Privacy Policy explains how CVAura ("CVAura", "we", "us", "our") collects, uses, discloses, and protects personal data when you use cvaura.com, app.cvaura.com, and associated product services. This policy supports global compliance, including GDPR, UK GDPR, and applicable California privacy rights.

1. Data Controller and Contact

Data Controller: Shaveen Udayanga (trading as CVAura), an individual sole proprietor in Sri Lanka, acting as controller for personal data described in this policy.

Privacy and data rights requests can be sent to support@cvaura.com.

2. Personal Data We Collect

We collect the following categories of data:

  • Account identity data: name, email address, profile picture, and account identifiers obtained from OAuth login through Asgardeo.
  • CV and job-input data: CV text extracted from uploaded PDF files and job description text you paste.
  • Analysis results: structured ATS result JSON, including score, matched keywords, missing keywords, suggestions, and summary.
  • Profile and service data: account settings, entitlement status, plan tier, and usage state (for example, free analysis consumed or active subscription).
  • Transaction metadata: Paddle order IDs, invoice line items, subscription status, renewals, cancellation state, and tax country/region information.
  • Technical and usage logs: IP-derived risk signals, timestamps, request paths, user agent/device characteristics, and service diagnostics used for reliability and fraud prevention.
  • Support communications: details you send when contacting support, including order references and request context.

3. How We Collect Data

Data is collected directly and indirectly from:

  • You, when you sign in, upload a CV, enter a job description, or contact support.
  • Asgardeo, as identity provider, when authentication succeeds.
  • Google Gemini API, as processing endpoint for AI-generated analysis output.
  • Paddle, as Merchant of Record, for payment and subscription events.

4. Why We Use Personal Data

We use personal data for the following purposes:

  • Provide and operate the CVAura analysis service.
  • Authenticate users and maintain account security.
  • Store and display your historical analyses and profile data.
  • Process billing, subscriptions, refunds, and payment support with Paddle.
  • Detect fraud, abuse, scraping, or policy violations.
  • Monitor uptime, troubleshoot incidents, and improve performance and product quality.
  • Comply with legal obligations, including tax, accounting, and dispute handling.

5. Legal Bases for Processing (GDPR/UK GDPR)

For users in the EU/EEA/UK, we rely on one or more of the following legal bases under GDPR and UK GDPR:

  • Contract necessity: processing needed to provide the service you request, including account access, analysis generation, and purchase fulfillment.
  • Legitimate interests: service security, abuse prevention, reliability, product improvement, and support operations.
  • Legal obligations: tax, financial records, anti-fraud requirements, and lawful authority requests.
  • Consent: where required for optional processing in specific jurisdictions.

6. AI Processing and Google Gemini Disclosure

CV text and job description text are transmitted to Google Gemini API to generate ATS analysis output. This processing is necessary to provide the core functionality of CVAura. The resulting analysis may be stored in your account history so you can revisit prior reports.

CVAura does not sell your CV data or job description data. CVAura does not share your data with unrelated advertisers or data brokers.

7. Sharing and Access to Data

Access to personal data is limited to authorized CVAura personnel and approved service providers that need access to perform contracted services.

Primary processors and infrastructure partners used by CVAura include:

  • Asgardeo (identity and session authentication).
  • Google Gemini API (AI analysis processing).
  • Supabase (application data storage, when enabled for persistence).
  • Paddle (payments, invoicing, subscriptions, and refunds).
  • Cloudflare (DNS and network edge infrastructure).

Paddle processes payment information as Merchant of Record. CVAura receives order and subscription metadata needed for service access (for example, order IDs, product line items, plan state, and invoice status) but does not receive your full payment card details.

8. International Data Transfers

Because CVAura serves users globally, your data may be processed in countries outside your home jurisdiction. Where required, we rely on recognized safeguards such as standard contractual clauses or equivalent legal mechanisms provided by our processors.

9. Data Retention

We retain data for as long as needed for service delivery and compliance:

  • Anonymous result session records expire after approximately 24 hours.
  • Account profile and analysis history are retained while your account remains active.
  • If you request account deletion, production records are deleted or de-identified within 30 days, with backup copies retained for up to 180 days before secure overwrite.
  • Inactive accounts (no sign-in activity for 12 months) may be deleted or anonymized after notice, unless retention is required for legal obligations.
  • Billing and transaction records may be retained for up to 7 years for tax, accounting, and dispute compliance.
  • Operational logs are retained for security and incident response for up to 90 days.

10. Cookies and Similar Technologies

We use cookies and similar storage for authentication, service continuity, and analytics.

  • Asgardeo session cookies: used to maintain authenticated user sessions.
  • Anonymous result cookie: a short-lived cookie linking your browser to a temporary anonymous analysis result.
  • Return-to cookie: a short-lived cookie used to return you to the appropriate page after sign-in.
  • Analytics storage: first-party measurement data may be used to understand aggregate product usage and performance. CVAura does not use advertising trackers for behavioral targeting.

11. Security Measures and Vulnerability Reporting

CVAura applies technical and organizational measures designed to protect personal data, including HTTPS/TLS encryption in transit, access controls, environment segregation, secure cookie settings, logging, and incident monitoring.

No system can be guaranteed 100% secure. If you identify a potential security issue, contact support@cvaura.com with "Security Report" in the subject.

12. Your Privacy Rights

Depending on your location, you may have rights regarding your personal data. These rights may include:

  • Right of access (GDPR Article 15).
  • Right to rectification (GDPR Article 16).
  • Right to erasure/deletion (GDPR Article 17).
  • Right to restriction of processing (GDPR Article 18).
  • Right to data portability (GDPR Article 20).
  • Right to object to certain processing (GDPR Article 21).
  • Right to withdraw consent where processing is consent-based.
  • Right to lodge a complaint with a supervisory authority.

For California residents, rights may include knowing categories/sources of personal information, requesting deletion or correction, and non-discrimination for exercising privacy rights. CVAura does not sell personal information and does not share it for cross-context behavioral advertising.

13. How to Exercise Your Rights

Submit requests by emailing support@cvaura.com from the account email address, with subject "Privacy Request" and the request type.

We may verify identity before fulfilling requests. We target an initial response within 30 days and may extend where permitted by law for complex requests.

14. Children's Privacy

CVAura is not directed to children under 16. If we learn that personal data of a child has been provided without appropriate authorization, we will take steps to delete it.

15. Updates to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted with an updated "Last updated" date and, where appropriate, notified by email or in-product notice.

16. Contact and Related Legal Policies

For privacy, account, legal, and refund support, contact support@cvaura.com.