Privacy Policy
Last updated: July 6, 2026
This Privacy Policy explains how Cursus Vitae collects, uses, and protects your personal data. We've written it to describe exactly what the service does today — nothing more.
1. Who is responsible for your data
Cursus Vitae is operated by:
Side Quests Lab S.L.
CIF: B26983387
Calle Lepanto 270, 08013 Barcelona, Spain
Registro Mercantil de Barcelona, Hoja B-653505, Inscripción 1ª
Data protection contact: privacy@cursusvitae.com
General support: support@cursusvitae.com
Side Quests Lab S.L. is the data controller for the personal data described in this policy. We process your data in accordance with the EU General Data Protection Regulation (GDPR), the Spanish Organic Law 3/2018 on Data Protection and Digital Rights (LOPDGDD), and the Spanish Law on Information Society Services (LSSI-CE).
2. What Cursus Vitae is
Cursus Vitae is a free web application that turns a static CV into a structured, connected record of a career. You enter your own professional history — roles, education, skills, achievements — and Cursus Vitae organises it into a career graph: a map of how your experience, skills, and accomplishments relate to one another, rather than a flat list on a page.
From that graph, Cursus Vitae helps you do three things, all free:
- Understand your career. Guided Discover sessions walk you through your own history and help you make it more complete and more accurate — connecting a skill to the role where you actually used it, merging duplicate entries, filling in periods between jobs, and turning vague descriptions into specific, evidence-backed ones. You answer; the app organises. Nothing is added to your record without your confirmation.
- Target a specific job. When you paste in a job's requirements, Cursus Vitae maps them against your career graph and shows you, requirement by requirement, what your experience already demonstrates and where the gaps are — with concrete, actionable guidance on how to close each gap (for example, which achievement to quantify or which bullet to rewrite). This is requirements mapping, not scoring: Cursus Vitae assesses how well a document matches a job — it does not rank or grade individuals.
- Produce and share the result. You tailor a CV for a given application (free for up to a capped number of applications), export it as a polished PDF, track the applications you've made, and — if you choose — generate a shareable career view: a private link that presents a selection of your experience to a recruiter.
Everything Cursus Vitae surfaces is a suggestion for you to accept, edit, or ignore. You remain the author of your CV and the decision-maker at every step. Cursus Vitae does not profile you, does not rank or grade individuals, and does not make recruitment or employment decisions on behalf of any third party. It is a tool you use on your own side of the hiring process.
(Cursus Vitae also offers a paid tier with a conversational assistant. That tier is not yet available, and this policy describes only the free product currently offered.)
3. What data we collect
Account data. When you create an account, we collect your name and email address. You can sign up with an email and password or with Google (see Section 5 on how sign-in works).
Career data you enter. Everything you add to build your career graph and CV — job history, education, skills, achievements, notes, the answers you give during Discover sessions, the job requirements you paste in for a specific application, and the CVs and tailored documents you create. You provide this voluntarily; you decide what to include.
Technical data. When you use the app, our systems automatically record limited technical information needed to run and secure the service: your IP address, browser and device type, and server logs (request timestamps, error records, and similar operational data).
Product usage data. We collect limited, privacy-preserving analytics about how the app is used — for example, which features are opened and how often — to understand and improve the service. This analytics is configured to run without cookies and without capturing the content of your career data or the text you type (see Section 6).
We do not collect payment card details (the service is free — see Section 8), special-category data such as health or biometric data, or cross-site tracking data.
4. Why we use your data and our legal basis
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide the service: your account, career graph, Discover sessions, requirements mapping, CV tailoring, PDF export, and application tracking | Account data, career data | Performance of a contract (Art. 6(1)(b)) |
| Generate requirements mapping and CV suggestions with AI assistance | The career data and job requirements relevant to your request | Performance of a contract (Art. 6(1)(b)) |
| Service communications (e.g. account and security emails, password reset) | Account data | Performance of a contract (Art. 6(1)(b)) |
| Keep the service secure and prevent abuse | Technical data (IP, device, logs) | Legitimate interest (Art. 6(1)(f)) |
| Understand and improve how the app is used | Privacy-preserving usage data, technical data | Legitimate interest (Art. 6(1)(f)) |
| Diagnose and fix errors | Error and performance data (no career content) | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations | As required by law | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest, we have weighed our interest against your rights. You can ask us for a summary of that assessment at privacy@cursusvitae.com, and you can object to this processing (see Section 10).
5. Sign-in and how AI processing works
Sign-in. You can sign in with email and password or with your Google account. Authentication is handled by Supabase, our authentication and database provider. When you sign in with Google, Google confirms your identity to us; we receive basic account identifiers to create and secure your account. We use Google only for sign-in — we do not access your Gmail, Google Drive, contacts, or other Google data.
AI processing. Some Cursus Vitae features are AI-assisted: mapping a job's requirements against your experience, suggesting how to strengthen a description, and generating a tailored CV. When you use one of these features, the relevant career data and job requirements are sent to Anthropic's API to produce the result, which is then returned to you in the app. This processing happens only when you ask for it, and its output is always a suggestion you review and decide on.
Anthropic processes this data under its commercial API terms. Those terms provide that customer data submitted through the API is retained for up to 30 days and is not used to train Anthropic's models. Data is encrypted in transit. We do not use your career data to train any AI model of our own.
6. Cookies and analytics
Cursus Vitae sets only strictly necessary cookies — the minimum required to log you in and keep the service secure (your authentication session and cross-site-request-forgery protection). We do not use advertising, marketing, or cross-site tracking cookies.
To understand how the app is used, we run product analytics through PostHog in a cookieless configuration: it is set to not store analytics cookies on your device, uses in-memory storage only, does not record your screen or session, and is configured to mask the text you type so the content of your career data is not captured. Analytics requests are routed through our own EU endpoint (a reverse proxy) rather than sent directly to a third-party domain. What it records are aggregate signals about which features are used.
If we ever introduce non-essential or tracking cookies, we will update this policy and ask for your consent before placing them on your device. Full detail on the specific cookies we use is in our Cookie Policy.
7. Who we share data with
We use a small number of service providers (“processors”) to operate Cursus Vitae. Each is bound by a data processing agreement and may only process your data on our instructions.
| Provider | Purpose | Data region |
|---|---|---|
| Supabase | Database, account storage, and authentication | EU (AWS, Ireland — eu-west-1) |
| Vercel | Application hosting and serverless functions | EU-configured; US company (see Section 8) |
| Anthropic | AI-assisted features (requirements mapping, CV suggestions) | United States (see Section 8) |
| Sign-in only (Google OAuth), where you choose it | See Google's own privacy policy | |
| PostHog | Cookieless product analytics (no career data, no identifiers) | EU |
| Sentry | Error and performance monitoring (no career data) | EU |
We do not sell your personal data. We disclose personal data to authorities only where required by law (for example, a valid court order), and, where legally permitted, we will notify you first.
If we add or change a processor, we will update this policy. Where a change would materially affect how your data is protected, we will let you know.
8. Where your data is processed
Your account and career data are stored in the EU (Supabase, AWS Ireland). Our hosting provider, Vercel, is a US company but is configured to run in EU regions; the data handled by Vercel is limited to technical information such as request logs and IP addresses.
When you use an AI-assisted feature, the relevant career data and job requirements are sent to Anthropic in the United States. This transfer relies on the EU–U.S. Data Privacy Framework, with Standard Contractual Clauses as a fallback safeguard, and only the data needed to produce your result is sent — no account identifiers.
For questions about international transfers or copies of the safeguards, contact privacy@cursusvitae.com.
9. How long we keep your data
We keep your data only as long as your account is active. Your account information and your career data (career graph, CVs, notes) are retained while your account exists and are deleted when you delete your account. We do not keep your career data on a separate retention schedule beyond the life of your account.
The one exception is the career data sent to Anthropic when you use an AI-assisted feature: Anthropic retains it for up to 30 days under its API terms and then deletes it.
You can delete your account at any time in your account settings or by contacting support@cursusvitae.com. When you delete your account, your associated personal data is permanently removed, except where we are legally required to keep certain records (for example, any records we must retain under Spanish tax or accounting law).
10. Your rights
Under the GDPR, you have the right to:
- Access — get a copy of the data we hold about you.
- Rectification — correct data that is inaccurate or incomplete. You can edit most of your career data directly in the app.
- Erasure — ask us to delete your data when it is no longer needed or you withdraw consent.
- Restriction — ask us to limit how we process your data in certain cases.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing we base on legitimate interest; we will stop unless we have compelling legitimate grounds.
- Not be subject to automated decisions — Cursus Vitae does not make decisions about you by automated means, and does not profile you. Its AI-assisted features only produce suggestions for your own documents, which you review and decide on.
To exercise any right, email privacy@cursusvitae.com with your request. We will respond within one month; for complex requests we may extend by up to two further months and will tell you if so. There is no charge unless a request is manifestly unfounded or excessive.
If you are not satisfied with our response, you can lodge a complaint with the Spanish Data Protection Authority, the Agencia Española de Protección de Datos (AEPD), at www.aepd.es.
11. Sharing a career view with a recruiter
Cursus Vitae lets you create a shareable career view: a link you generate yourself that shows a selection of your career information to someone you send it to, such as a recruiter. This is entirely under your control:
- You choose whether to create a link and what to include in it.
- You set how long the link stays active (for example, 30, 60, 90 days, or one year).
- You can disable a link at any time, which immediately stops it from being viewable, and you can delete it entirely.
We generate the link and host the page it points to. We do not send it to anyone on your behalf — you decide who receives it.
12. Children
Cursus Vitae is intended for adults aged 18 and over. We do not knowingly collect data from anyone under 18, and we will delete such data if we discover it.
13. Security
We protect your data with encryption in transit and at rest, row-level security so each account can only reach its own data, access controls, and regular backups. If a data breach poses a risk to your rights, we will notify the AEPD within 72 hours and, where the risk to you is high, notify you directly.
14. Changes to this policy
We may update this policy to reflect changes in the service or the law. We will post the updated version with a new date and, for material changes, let you know in advance. If you don't agree with a change, you can delete your account before it takes effect.
15. Contact
Email: privacy@cursusvitae.com
Support: support@cursusvitae.com
Post: Side Quests Lab S.L. — Calle Lepanto 270, 08013 Barcelona, Spain