Privacy Policy

Effective Date: 2025-06-04
Last Updated: 2025-12-27

At CVOR, privacy is a core design principle. All CVOR products are built to minimise centralised data collection and to operate primarily through local, user-controlled processing.

This Privacy Policy explains how information is handled when you use CVOR software and services, including:

the CVOR Guard mobile application, and
the CVOR Scout desktop job matching engine (together, the “CVOR Products”), as well as CVOR-related websites and official support channels.

CVOR is operated by CVOR Technologies Ltd, incorporated in England & Wales. Where applicable under data protection law, CVOR Technologies Ltd acts as a data controller only with respect to the limited categories of data it actually processes, and not for user content that remains on the user’s device or within user-controlled third-party services.

1. Scope of This Policy

This Privacy Policy applies to the following CVOR Products and services:

CVOR Guard — the CVOR mobile application for iOS and Android
CVOR Scout — the CVOR desktop job matching engine for macOS and Windows
CVOR websites and official support channels

This Privacy Policy does not apply to third-party services, APIs, job sources, cloud providers, operating systems, or language models that you independently connect to the CVOR Products. Such services are governed by their own privacy policies and terms.

2. Core Privacy Architecture

CVOR Products are designed around the following principles:

Local-First Processing: Sensitive document and job-matching operations are designed to run on your device
User-Owned Infrastructure: You connect and control your own third-party accounts, APIs, and storage
Minimal Centralised Processing: CVOR does not provide hosted document storage or centralised job-matching services
No Behavioural Profiling: CVOR does not require account creation or sign-up and does not intentionally aggregate or monetise user behaviour

As a result, the majority of data processed through CVOR Products is handled locally or within user-controlled third-party services.

3. Categories of Data CVOR Does Not Intentionally Collect

CVOR is designed not to collect or store:

Resumes, CVs, cover letters, or identity documents
Job match histories, applications, or outcomes
Centralised user profiles
Advertising identifiers
Cross-app or cross-website tracking data
User documents or job data on CVOR-operated servers

CVOR does not sell, rent, or trade personal data, and does not use personal data for advertising, ranking, or behavioural profiling.

4. User-Provided Content & Local Processing

4.1 Mobile App – Secure Document Utilities

The CVOR mobile app provides document and image utilities (e.g., watermarking, PDF tools).

These features are designed to process content locally on your device, with no transmission to CVOR-controlled servers, including:

PDFs, images, and related files
File names, labels, watermark text, and recipient identifiers
Embedded document metadata

Key Points:

Your files remain your sole property
CVOR does not design these features to upload documents to CVOR servers
CVOR does not intentionally receive or store user files
Documents remain under your control on your device or within services you choose to use

Any data you enter or process in the App remains local unless explicitly shared by you using your device’s sharing tools. Any sharing action is voluntary, and CVOR is not responsible for misuse once content leaves your device.

Watermarking & Content Responsibility

You may choose to embed visible or invisible watermark data into documents, including:

Timestamp, recipient label, purpose, project name, or other free-text fields

Watermarking is processed entirely on-device. CVOR does not access, transmit, or log this information. You are solely responsible for any content embedded or shared.

4.2 Desktop Job Matching Engine – Local Automation

The CVOR desktop job matching engine is a locally installed application that performs job-match automation on your computer.

At your direction, it may:

Compare job listings against your CV locally
Generate relevance scores and explanations
Write structured outputs to your own cloud storage (e.g., Google Sheets)

These operations are designed to occur locally or directly between your device and third-party services. CVOR does not operate centralised infrastructure for receiving or storing CVs, job listings, match results, or API credentials.

5. Use of Local Language Models (Desktop Engine)

5.1 Local Model Execution

The CVOR desktop engine may use a local, open-source language model to assist with job-matching analysis and explanation generation.

The model runs locally on your device
Prompts, documents, and outputs are processed on-device
CVOR does not receive or transmit model inputs or outputs

5.2 Model Distribution via Hugging Face

Language models may be downloaded from Hugging Face Hub, an independent third-party model distribution platform.

Downloads occur directly between your device and Hugging Face
CVOR does not proxy, relay, or host model downloads
Standard network information (such as IP address) may be processed by Hugging Face as part of normal download requests

6. Third-Party APIs & Services You Connect

6.1 Google Drive & Google Sheets APIs - Summary

CVOR Products may access Google Drive and Google Sheets only after you explicitly authorise access via Google OAuth.

Authentication occurs directly between your device and Google
OAuth tokens are stored locally on your device
CVOR does not receive or store OAuth tokens
Access scopes are limited to user-requested functionality
Permissions are revocable at any time via the Google account settings

6.2 Google User Data — Detailed Disclosure

CVOR Products may access limited Google user data only after you explicitly authorise access via Google OAuth. This section provides a detailed disclosure of the data accessed, its use, storage, sharing, and retention, in accordance with Google API Services User Data Policy requirements.

6.2.1 Google APIs & Scopes Requested

CVOR Products request the following Google API scopes solely to enable user-requested functionality:

Google Drive API — drive.file
Access to files and folders that you explicitly create, select, or manage using CVOR Products.
Google Sheets API
Access to Google Sheets that are explicitly created or selected by you for storing job-matching outputs or entitlement indicators.

CVOR does not request full Drive access and cannot access files that are unrelated to CVOR-generated or user-selected content.

6.2.2 Types of Google User Data Accessed

Depending on your actions, CVOR Products may access:

File metadata (file name, file ID, folder structure) for CVOR-related files
Spreadsheet cell data contained in Google Sheets you explicitly authorise
Folder paths created by the CVOR desktop engine (e.g., a “CVOR Job Search” folder)

CVOR does not access:

Gmail data
Contacts
Calendar data
Google Profile information
Files unrelated to CVOR workflows

6.2.3 How Google User Data Is Used

Google user data is accessed and used only to provide the functionality you explicitly request, including:

Writing job-matching results generated locally on your computer to your Google Sheets
Reading job-matching results from your Google Sheets for display within the CVOR mobile app
Reading entitlement indicators stored in your Google Drive to enable subscribed features

CVOR Products:

Do not modify job data beyond formatting for display
Do not enrich, analyse, or profile Google user data centrally
Do not use Google user data for advertising, analytics, or marketing
Do not use Google user data to train AI or machine learning models

All substantive processing occurs locally on your device or directly between your device and Google.

6.2.4 Data Sharing & Third Parties

CVOR does not share Google user data with any third parties.

Specifically:

Google user data is not transmitted to CVOR-operated servers
Google user data is not sold, rented, or disclosed to advertisers, recruiters, or data brokers
CVOR does not allow third parties to access Google user data through its products

Any access to Google services occurs directly between your device and Google’s servers under Google’s own terms and privacy policy.

6.2.5 Data Storage & Security

OAuth authentication is handled directly by Google
OAuth tokens are stored locally on your device
CVOR does not store OAuth tokens or Google user data on CVOR-controlled servers

Security protections rely on:

Google’s OAuth security controls
Your device’s operating system security
Your Google account security settings

You may revoke CVOR’s access at any time via your Google Account permissions.

6.2.6 Data Retention & Deletion

Google user data remains in your Google Drive or Google Sheets under your control
CVOR does not retain copies of Google user data
Uninstalling CVOR Products removes local OAuth tokens and application data
You may delete any CVOR-related files directly from your Google Drive at any time

Because CVOR does not store Google user data on its own servers, deletion requests are fulfilled by you through Google’s standard file deletion mechanisms.

6.2.7 Google API Limited Use Compliance

CVOR’s use of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.

Google user data is:

Used only to provide user-requested features
Not used for advertising or behavioural profiling
Not transferred except as necessary to provide core functionality
Not used to train AI or machine learning models

6.3 Other Third-Party APIs

Any additional APIs you connect operate independently of CVOR. CVOR is not responsible for their data handling practices or legal compliance.

6.4 Open Source Libraries

CVOR uses third-party open-source libraries in the App, which are governed by their respective open-source licenses. These libraries are integrated for the purpose of enhancing the functionality of the App.

By using the App, you agree to comply with the terms and conditions of these open-source licenses.
For inquiries, contact us on support@cvor.io.

7. Billing & Payments

Payments may be processed via platform providers (e.g., Apple App Store, Google Play).

Billing information is collected and processed by the relevant provider (ios - App Store Billing, Android - Google Play Billing)
CVOR does not store full payment credentials
CVOR may maintain a non-identifying entitlement indicator (e.g., paid/unpaid status) to enable access to purchased features saved locally to your google drive.

8. Automatically Collected Technical Data (Mobile App Only)

We use third-party services solely for performance and crash diagnostics. These providers may process limited anonymized data, such as crash logs and device metadata.

Firebase Crashlytics/Google Analytics for Firebase - Crash diagnostics - Anonymised error logs, Device type & OS
Google Play / Apple Services - Subscription & billing management - Purchase & OS-level metadata

Google Analytics for Firebase is configured with:

Data sharing and ad personalization disabled
No user identifiers or advertising IDs
IP anonymization enabled by default

We do not authorize these services to use your data for behavioural advertising or profiling.

These providers are subject to their own privacy policies and compliance obligations, including:

Standard Contractual Clauses (SCCs) under the GDPR
Data Privacy Framework (DPF), where applicable

⚠️ CVOR does not control how these services handle data beyond our limited use and configuration. We rely on their published compliance with applicable privacy laws and best practices.

Note: Raw crash reports that might contain transient technical details are automatically anonymised and aggregated by Firebase before being made available to us. No personal identifiers, advertising IDs, or user-specific information are ever stored or accessible to us. Aggregated, non-personal analytics (such as total crash-free users or average crash rates) may be retained by Firebase for longer periods in accordance with their retention practices. These statistics are used only to understand long-term app stability and trends, not to profile or identify users. Because the data is fully anonymised and cannot reasonably be linked to any individual, it is not considered personal data under GDPR or similar laws.

You can find their policies below:

9. Data Retention

User content remains on your device or within services you control
Uninstalling CVOR Products removes local application data
Support communications are deleted within 30 days of resolution

10. Children’s Privacy

CVOR Products are general-purpose tools and are not directed at children.

App store age ratings: Android 3+, iOS 4+
CVOR does not knowingly collect personal data from children

11. Security Responsibilities

CVOR Products rely on device-level security. Users are responsible for securing their devices and third-party accounts.

12. Your Rights

Depending on your jurisdiction, you may have rights under GDPR, UK GDPR, or CPRA. These rights generally apply only to limited data such as support communications.

13. International Data Transfers

Limited technical data may be processed outside your jurisdiction using appropriate safeguards.

14. Website Analytics & Cookies

We do not place advertising cookies or behavioural trackers on our website.
We do not use your data for automated decision-making or profiling, and we do not use advertising identifiers or behavioural targeting.

15. Policy Updates

Material changes will be communicated via the app or website.

16. Governing Law

This Privacy Policy is governed by the laws of England & Wales, without prejudice to mandatory local protections.

17. Contact

📧 support@cvor.io

Legal Clarifications

CVOR is a software tool, not a job board, recruiter, employer, or data broker.
CVOR does not guarantee employment outcomes.
Users remain responsible for content they create and services they connect.