Privacy Policy
Last updated: 2026-06-04
Who we are
TakeMeUp.cv is a CV-builder and job-search tool operated by Bogdan Ionita (sole trader, Bucharest, Romania). For the purposes of the EU General Data Protection Regulation (GDPR), Bogdan Ionita is the data controller for personal data processed via TakeMeUp.cv.
Contact for privacy questions, requests, or complaints: contact@takemeup.cv.
What personal data we collect
CV content you give us. When you build, import, or upload a CV, we process whatever you put in it: your name, email, phone, location, photo (if uploaded), date of birth and nationality (if you fill those EU-specific fields), employment history, education, skills, certifications, languages, projects, awards, and any custom sections.
Account data (signed-in users only): email and authentication tokens (handled by Clerk), Stripe customer ID and subscription state (for paid plans), and your consent state for AI processing.
Usage data. We log which CV features you use, quota counts for free-tier limits, and AI-spend ledger entries. We hash your IP address (SHA-256 + salt) before storing it for rate-limiting; we do not store raw IPs.
Anonymous users can use the free tier without an account. We set a functional cookie (cv_anon) to tie any anonymously built CVs back to your browser so you don't lose your work. Anonymous CVs and event ledgers are auto-purged after 30 days.
What we use it for, and the legal basis
- Building, storing, and exporting your CV — performance of the contract (GDPR Art. 6(1)(b)) for paid users; legitimate interest (Art. 6(1)(f)) for the free tier.
- Authentication — performance of contract for signed-in users.
- Payment processing — performance of contract; compliance with tax record-keeping obligations (Art. 6(1)(c)).
- AI-powered features (Rewrite, Roast, Career GPS, Summary, Cover Letter, Interview Prep, Aging Detector, Achievement Amplifier, Job Match, Translation, LinkedIn, Authenticity check, Career Gaps, CV parsing) — your explicit consent (Art. 6(1)(a)). The first time you trigger any AI feature, we show you a consent prompt; you can withdraw consent at any time from your account page, after which no further AI features will run on your CV.
- Rate-limiting and fraud prevention — legitimate interest in keeping the service usable for everyone (Art. 6(1)(f)).
- Service emails (account confirmations, receipts) — performance of contract.
Who we share it with
We use a small set of carefully chosen subprocessors to run TakeMeUp.cv. The full, current list — including each provider's role, what data they receive, where they process it, and the EU→non-EU transfer mechanism where applicable — is on our Subprocessors page.
The most material relationship to flag here: Anthropic PBC (US), which provides the AI inference for all AI features. When you trigger an AI feature, we send the relevant parts of your CV to Anthropic's API. Anthropic is EU-U.S. Data Privacy Framework certified (EU Commission adequacy decision, July 2023). A Data Processing Agreement with EU Standard Contractual Clauses is in force between us and Anthropic — Anthropic automatically incorporates this DPA into its Commercial Terms of Service, which we have accepted. Anthropic's public API contractually does not train on customer data.
We do not sell your data. We do not share it with advertisers. We do not use it for training any AI model (ours or anyone else's).
Where your data is processed
Our primary infrastructure runs within the European Economic Area and the United Kingdom: the Neon Postgres database and Vercel Blob storage are in the UK (London region, covered by the EU Commission's UK adequacy decision valid through 2031). EU-located third-party APIs (Eurostat, ESCO, France Travail, Bundesagentur, Jooble) process queries within the EU.
Some subprocessors are headquartered outside the EU/UK but covered by appropriate transfer mechanisms — the EU-U.S. Data Privacy Framework, EU Standard Contractual Clauses, and a Data Processing Agreement in force with each vendor. For the vendors we use, the DPA is auto-incorporated into the vendor's standard commercial terms (which we have accepted); separate per-customer signatures aren't required for the agreement to bind. The full list with each location and transfer basis is on the Subprocessors page.
How long we keep it
- Account + CV data: kept while your account is active, deleted on request (see below) or 30 days after you close your account.
- Anonymous CV data and event logs: auto-purged 30 days after last activity.
- AI artifacts (roasts, cover letters, GPS, etc.) follow the parent CV — deleted when the CV is deleted.
- Payment records: kept as required by Romanian tax law (currently 10 years for invoices).
- Backups: rolling 30-day database backups. Deletion requests propagate to backups within 30 days.
Your rights
Under GDPR you have the following rights:
- Access (Art. 15) — see what we hold about you. Self-serve via your Manage account menu → Download my data.
- Rectification (Art. 16) — correct your data. Self-serve in the CV editor and account settings.
- Erasure (Art. 17) — delete your account and all associated data. Self-serve via Manage account → Delete my account.
- Restriction (Art. 18) — ask us to pause processing while a dispute is resolved. Email us.
- Portability (Art. 20) — get a machine-readable copy of your data. Self-serve via the export action.
- Objection (Art. 21) — object to processing based on legitimate interest. Email us.
- Withdraw AI consent (Art. 7(3)) — revoke your consent for AI features at any time via account settings. Past AI results aren't affected; no future AI calls will run on your CV.
- Complaint to a supervisory authority — you have the right to file a complaint with your national data-protection authority. For Romania (where we're established): ANSPDCP, dataprotection.ro.
Children
TakeMeUp.cv is not directed at children under 16. We do not knowingly process personal data of children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
Security
We use TLS for all data in transit, encryption at rest for database and object storage, scoped access tokens for inter-service calls, and hash-only storage of IPs and (where applicable) recipient identifiers. Authentication is handled by Clerk (industry-standard session management, optional MFA). No system is perfectly secure; we'll notify affected users and the relevant authority within 72 hours of becoming aware of any breach involving personal data, as required by GDPR Art. 33–34.
Changes to this policy
We'll update this page when our processing changes (new subprocessor, new feature, new region). The “Last updated” date at the top reflects the most recent change. Material changes that affect your existing data will be flagged via email or an in-app notice.
Contact
For any privacy question, rights request, or just an honest push-back on something in this policy: contact@takemeup.cv. I (Bogdan) read every one.