App: CVRadar AI · Operator: BOSS Software · Last updated: June 10, 2026
CVRadar AI helps you tailor your resume to a specific job, score it against ATS systems, and generate cover letters and interview questions. This Privacy Policy explains what data we collect, why we collect it, the third parties that process portions of it on our behalf, and the rights you have under GDPR (EU) and KVKK (Turkey).
1. Data we collect
Account data. Email address, display name, password (stored only as an Argon2 hash — we cannot read it), email-verified flag, account creation date. You provide this when you sign up.
Resume content. Every resume you create or upload — personal info you enter (full name, phone, location, links), professional summary, work experience, education, skills, projects, languages, certifications. This is the content you actively type or upload as a PDF.
Job analyses. The job descriptions you paste for analysis, the resulting Job-Match scores, missing keywords, and AI-generated cover letters / LinkedIn About / interview questions.
Application tracker entries. Companies, positions, statuses (Saved / Applied / Interview / Offer / Rejected), notes, and dates you record about your job applications.
Purchase records. RevenueCat / Apple / Google receipts that confirm your pass purchases, the pass type, and expiry. We never see or store payment card details — payments are processed by Apple App Store or Google Play.
Device identifiers for push notifications. Firebase Cloud Messaging (FCM) device tokens, used solely to send notifications you opted into.
Audit log. A server-side log of sensitive actions (sign-in, pass grants, account deletion requests) with timestamp and source IP, retained for security and abuse prevention.
2. Data we do NOT collect
We do not track your activity outside the app.
We do not run advertising trackers, analytics SDKs, or behavioral profiling.
We do not sell or rent your data to third parties.
We do not access your phone contacts, calendar, photos, location, microphone, or camera.
We do not collect data from minors (the app is 17+).
3. Why we collect this data
Provide the service. Without your resume content we cannot generate analyses, cover letters, or interview questions.
Authenticate you. Email + password hash + JWT tokens let you sign in across devices.
Process purchases. Receipt verification with Apple / Google / RevenueCat grants you the pass features you paid for.
Send notifications you asked for. Application reminders, broadcast announcements — only when the system permission is granted and you have not turned the category off.
4. Third parties that process your data on our behalf
OpenAI (GPT-4o-mini). When you upload a PDF resume, the extracted text is sent to OpenAI's API solely to parse it into structured fields (name, experience, education, skills). OpenAI processes the text under their API data usage policy — they do not use this data to train models and retain it only for abuse-prevention review (max 30 days). We do not send your account email or other identifiers to OpenAI.
Apple App Store and StoreKit / Google Play Billing. Used to process in-app purchases. They handle your payment information directly; we only receive a purchase confirmation.
RevenueCat. Subscription / one-time purchase reconciliation between Apple/Google and our backend.
Firebase Cloud Messaging (Google). Delivers push notifications. Receives only your device's FCM token plus the notification payload (title + body, no resume content).
SMTP email provider. Sends transactional emails (account verification, password reset). Receives only your email address and the message body.
None of these third parties have access to your resume content beyond what is described above, and we have data processing agreements (or equivalent terms of service) with each.
5. Data location and security
Our backend runs on a dedicated VPS we operate in Europe. Postgres database, file storage, and application servers are all on the same infrastructure under our direct control. Data in transit is protected by HTTPS (TLS 1.2+). Passwords are hashed with Argon2id. JWT secrets are 32-byte random values stored only in environment variables on the VPS.
6. Your rights under GDPR and KVKK
You have the following rights regardless of where you live:
Right of access. Email support@oyunloop.com and we will export all data we hold about you within 30 days.
Right to rectification. Edit any resume / application / personal info directly in the app at any time.
Right to deletion (right to be forgotten). Open Settings → Data → "Delete my account" inside the app. We permanently delete your account, all resumes, all analyses, all applications, audit log payloads, and FCM tokens. Anonymized aggregate counters may remain.
Right to data portability. The deletion request also produces a JSON export of your data if you ask.
Right to object / restrict processing. Email us — we will halt processing within 30 days while we review.
Right to lodge a complaint. EU residents may complain to their national data protection authority. Turkish residents may apply to the Personal Data Protection Authority (KVKK).
7. Data retention
We retain your account data and resumes for as long as your account is active. If you delete your account, all data is purged within 30 days (some backups may persist for up to 35 days for disaster recovery, then are overwritten). Audit log entries are retained for 12 months for security and abuse prevention.
8. Children
CVRadar AI is intended for users aged 17 and over. We do not knowingly collect data from minors. If you believe a minor has provided data to us, email support@oyunloop.com and we will delete it.
9. Changes to this Privacy Policy
If we make a material change to this Privacy Policy, we will update the "Last updated" date at the top of this page and notify users through an in-app notification on next launch.
10. Contact
For privacy questions, data subject requests, or any other concern, please email support@oyunloop.com.