Privacy Policy
Last updated: March 30, 2026
Effective Date: March 30, 2026
1. Data Controller
Cursus Vitae is operated by:
Side Quests Lab SLU (Sociedad Limitada Unipersonal)
CIF: B26983387
Calle Lepanto 270, 08013 Barcelona, Spain
Registro Mercantil de Barcelona: [Pending registration]
Data Protection Contact: privacy@cursusvitae.com
General Support: support@cursusvitae.com
2. About This Policy
This Privacy Policy explains how Cursus Vitae collects, uses, and protects your personal data. It applies to all Cursus Vitae services, including our AI career companion Elena and voice input features.
We comply with the General Data Protection Regulation (GDPR), the Spanish Organic Law 3/2018 on Data Protection (LOPDGDD), the EU AI Act, and the Spanish Law on Information Society Services (LSSI-CE).
3. Information We Collect
3.1 Information You Provide
- Account Registration: Name, email address, phone number (optional)
- Profile Information: CV/resume, career goals, work history, education, skills, salary expectations, preferred locations, employment gaps or career changes, and other career-related information you voluntarily share
- Conversations: Messages sent through Elena, including career-related queries and context you provide
- Voice Data: When you use voice input, we collect and transmit raw audio to our transcription service (see Section 6)
- Payment Information: When you subscribe to Pro, payment data is processed by Stripe (see Section 7)
3.2 Information We Collect Automatically
- Usage Data: Features used, timestamps, session duration, and navigation patterns
- AI Interaction Metrics: Anonymized and aggregated categories of feature usage (e.g., CV review, interview practice). This data is not linked to individual user profiles.
- Device Information: Device type, browser type, operating system, IP address, and device identifiers
- Server Logs: HTTP request logs, timestamps, error messages, and function execution metadata
3.3 Information We Do Not Collect
- Payment card numbers (processed directly by Stripe)
- Health information, unless you voluntarily include it in career context
- Cross-site tracking data
- Analytics or marketing cookies (see our Cookie Policy)
- Biometric data
3.4 Data You Must Provide
Account registration data (name, email) is required to use Cursus Vitae. Profile information (CV, career goals) is voluntary but necessary for Elena to provide personalized assistance. Payment information is required only for Pro subscriptions.
4. How We Use Your Data
We process your personal data for specific purposes under the legal bases outlined below.
| Purpose | Data Used | Legal Basis | Retention |
|---|---|---|---|
| Core service (account management, Elena) | Account data, profile, conversations | Contract performance | See Section 9 |
| AI-assisted career document analysis (Anthropic) | CV, career context, conversation text | Contract performance | See Section 9 |
| Session continuity notes | Conversation summaries | Contract performance | See Section 9 |
| Voice transcription (Deepgram) | Raw audio | Explicit consent (opt-in) | Discarded after transcription |
| Service communications (account updates, password reset) | Email, account data | Contract performance | Duration of account + 30 days |
| Usage analytics and service improvement | Usage metrics, device data, anonymized patterns | Legitimate interest | See Section 9 |
| Security monitoring and fraud prevention | IP address, device data, usage patterns | Legitimate interest | See Section 9 |
| Legal compliance | All data types as required | Legal obligation | As required by law |
| Marketing communications (optional) | Email address | Explicit consent (opt-in) | Until consent is withdrawn |
Where we rely on legitimate interest, we conduct documented balancing tests. You may request a copy by contacting privacy@cursusvitae.com.
Elena's output consists of document suggestions and requirements mapping — not scores, grades, or classifications of users.
5. AI Features and Transparency
5.1 AI Disclosure
When you use Cursus Vitae, you are interacting with an artificial intelligence system. Elena is an AI career companion powered by Anthropic's Claude language models, not a human advisor. We inform you of this at first interaction and throughout the platform, in accordance with the EU AI Act.
Cursus Vitae is designed for you, the job seeker. Elena helps you articulate your professional experience and navigate your career — but does not make decisions about you on behalf of employers, recruiters, or any third party.
5.2 What Elena Does
Elena helps you refine your CV and cover letters, practice interview responses, explore career domains and transferable skills, draft professional communications, and compare job posting requirements against your CV content.
Elena evaluates your career documents — not you as a person.
5.3 What Elena Does Not Do
Elena does not score, grade, rank, or classify you, does not provide output to employers or third parties, and does not make or influence hiring decisions. Cursus Vitae is a user-side career document tool.
5.4 Confirmation-First Design
Nothing is added to, removed from, or modified in your documents without your explicit confirmation. Elena suggests; you decide. Every proposed change is presented for your review, and you must actively approve it before it takes effect.
5.5 How Your Data Is Processed by AI
When you interact with Elena:
- What is sent: Your conversation text and relevant CV excerpts are transmitted to Anthropic's servers in the United States.
- What is not sent: Your email address, user ID, or payment information.
- Protection: Data is encrypted in transit using TLS 1.2 or higher.
- Retention: Anthropic does not retain your data after processing (zero-day retention). Anthropic does not use your data to train or improve its models.
5.6 AI Disclaimers
- Elena may make mistakes. Verify career advice against authoritative sources.
- You are responsible for decisions you make based on Elena's suggestions.
- Elena is not a licensed career coach, recruiter, or legal advisor. For complex career decisions or employment law questions, consult a qualified professional.
- Elena cannot guarantee employment outcomes.
5.7 Automated Decision-Making
Cursus Vitae does not engage in automated decision-making or profiling that produces legal or similarly significant effects. Elena performs requirements mapping — comparing your CV content against job posting requirements — which is a document comparison function, not a human evaluation.
6. Voice Input
Cursus Vitae offers optional voice input so you can speak to Elena rather than type.
How it works: When you activate voice input, audio is recorded locally on your device, transmitted to Deepgram (a speech-to-text service) for transcription, and the resulting text is returned to Elena as input. Your raw audio is not retained after transcription.
Consent: Before each recording, a consent dialog requires you to actively opt in. This consent is separate from the Terms of Service and specific to audio transmission. You can withdraw consent at any time by disabling voice input in your settings. Text input is always available as an alternative.
Processing region: Voice data is processed via Deepgram's EU endpoint (eu.deepgram.com). Your audio does not leave the European Economic Area for transcription.
What we don't do: We do not retain raw audio, use it to train models, share it beyond Deepgram, or analyze voice characteristics.
7. Who We Share Data With
7.1 Data Processors
We use the following services to operate Cursus Vitae. Each processor is bound by data processing agreements.
| Service | Purpose | Data Shared | Data Region | Retention |
|---|---|---|---|---|
| Anthropic | AI processing (Elena) | Conversation text, CV excerpts (no identifiers) | United States (see Section 8) | Zero-day |
| Supabase | Database, account management, conversation storage | All account and profile data | EU (AWS Ireland) | See Section 9 |
| Deepgram | Voice transcription | Raw audio (no account identifiers) | EU (eu.deepgram.com) | Not retained |
| Vercel | Application hosting, serverless functions | HTTP request logs, IP address, function metadata | EU-configured; US entity (see Section 8) | See Section 9 |
| Stripe | Payment processing | Payment method, billing address, transaction amount | EU-processed via Stripe Payments Europe, Ltd. | PCI-compliant |
| Sentry (Functional Software, Inc.) | Application error monitoring and performance tracking | Error context (page URL, browser type, stack traces). No personal career data. | EU (de.sentry.io — Frankfurt, Germany) | 90 days (errors), 30 days (performance) |
| PostHog (PostHog, Inc.) | Privacy-preserving product analytics (cookieless, no session replay) | Anonymized page views, feature usage counts. No personal identifiers or career data. | EU (eu.posthog.com) | Default retention period |
Note on Stripe: Stripe acts as an independent data controller for its own fraud prevention and regulatory compliance obligations. For those purposes, Stripe's own Privacy Policy applies.
7.2 Processor Changes
If we add or replace a data processor, we will update this policy and notify you. You may object to a new processor by contacting privacy@cursusvitae.com. Where the change would materially affect your data protection, we will work with you to find a resolution.
7.3 Legal Disclosures
We will disclose personal data when required by law (e.g., court order, regulatory investigation). Where legally permitted, we will notify you before disclosure.
We do not sell your personal data.
8. International Data Transfers
Your primary data is stored in EU data centers (Supabase, AWS Ireland). Certain processing requires transfers outside the European Economic Area:
Anthropic (United States) — Conversation text and CV excerpts are transmitted to Anthropic for AI processing. This transfer is protected by the EU-U.S. Data Privacy Framework (adequacy decision of July 2023), with Standard Contractual Clauses as a fallback mechanism. Anthropic's zero-day retention policy and prohibition on using API data for model training provide additional safeguards. Only the minimum data necessary is transmitted; no direct identifiers are included.
Vercel (United States entity, EU-configured) — Our hosting provider is a US-based company. Serverless functions are configured to execute in EU regions. Vercel participates in the EU-U.S. Data Privacy Framework, with Standard Contractual Clauses as a fallback. Data processed by Vercel is limited to HTTP request logs, IP addresses, and function metadata — no CV data, conversation text, or career profile content passes through Vercel's US infrastructure.
Deepgram (EU-processed) — Voice data is processed via Deepgram's EU endpoint and does not leave the EEA.
Stripe (EU-processed) — EU payment data is processed by Stripe Payments Europe, Ltd. within the EU. Where Stripe transfers data to the US for operational purposes, transfers are protected by the Data Privacy Framework and Standard Contractual Clauses.
For questions about transfers or copies of safeguards, contact privacy@cursusvitae.com.
9. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy.
| Data Type | Retention Period | Deletion |
|---|---|---|
| Account information (name, email) | Duration of account + 30 days | Automatic |
| Profile information (CV, career goals) | Duration of account | Deleted on account deletion |
| Conversation history with Elena | 90 days | Automatic |
| Session continuity notes | Duration of account | Deleted on account deletion |
| AI interaction logs (anonymized) | 30 days | Automatic |
| Voice audio | Not retained (discarded after transcription) | Immediate |
| Transcribed text from voice | 90 days (with conversation history) | Automatic |
| Payment records | 6 years (required by Spanish commercial law) | Secure deletion |
| Server logs | 1–7 days | Automatic |
| Device data | 90 days | Automatic |
You can delete your account at any time through your account settings or by contacting support@cursusvitae.com. Upon deletion, all associated personal data is permanently removed except where retention is required by law.
10. Data Security
We protect your personal data with technical and organizational measures including:
- Encryption in transit using TLS 1.2 or higher
- Encryption at rest using AES-256 for sensitive data
- Row Level Security on all database tables, ensuring each user can only access their own data
- Access controls restricting database access to authorized personnel and systems
- Regular encrypted backups of critical data
- Data minimization — we collect only what is necessary to provide the service
- Incident response procedures for breach detection, containment, and notification
If we discover a data breach that poses a risk to your rights, we will notify the AEPD within 72 hours. Where the breach poses a high risk to you, we will also notify you directly with information about the breach, its consequences, and the measures we have taken.
11. Your Rights
You have the following rights regarding your personal data:
- Access — Request a copy of all data we hold about you, in a structured and machine-readable format.
- Rectification — Correct inaccurate or incomplete data. You can update most profile information directly in your account settings.
- Erasure — Request deletion of your data when it is no longer necessary, or when you withdraw consent.
- Restriction — Request that we limit how we process your data in certain circumstances (e.g., while verifying accuracy or assessing an objection).
- Portability — Receive your data in a portable format for transfer to another service.
- Objection — Object to processing based on legitimate interest. We will stop unless we have compelling grounds that override your interests.
- Withdraw Consent — Where processing is based on consent (voice input, marketing), you may withdraw at any time. Withdrawal does not affect prior processing.
- Automated Decision-Making — You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Cursus Vitae does not make such decisions.
Under Spanish law, heirs or family members of deceased users may exercise access, rectification, or erasure rights. Contact privacy@cursusvitae.com with appropriate documentation.
To exercise any right, email privacy@cursusvitae.com with your name, email address, and your specific request. We will respond within one month. For complex requests, we may extend by up to two additional months with notice. There is no fee unless a request is manifestly unfounded or excessive.
When we rectify, erase, or restrict your data, we will notify the relevant processors listed in Section 7 unless doing so is impossible or involves disproportionate effort.
12. Marketing Communications
We only send marketing communications with your explicit prior consent. You can opt in during account setup or by contacting support@cursusvitae.com. Every marketing email includes an unsubscribe link, and you can opt out at any time through your account settings. We will not send marketing communications after you opt out.
13. Third-Party Links
Cursus Vitae may link to third-party websites. We are not responsible for their privacy practices and recommend reviewing their policies before providing personal information.
14. Children
Cursus Vitae is designed for adult job seekers and is not intended for users under 18. We do not knowingly collect data from children and will delete any such data immediately upon discovery.
15. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email at least 30 days before taking effect. Non-material changes (such as formatting or clarification) may be made without advance notice.
If you do not agree to changes, you may terminate your account before the new policy takes effect.
16. Contact Us
If you have questions about this Privacy Policy, our data practices, or your privacy rights, please contact us:
Email: privacy@cursusvitae.com
Support: support@cursusvitae.com
Address: Side Quests Lab SLU — Calle Lepanto 270, 08013 Barcelona, Spain
We aim to resolve all inquiries directly. If you are not satisfied with our response, you have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD) at www.aepd.es.