Ai-Vitae

Privacy PolicyYour Data, Your Rights

How we collect, use, and protect your personal information

Last Updated: 8 May 2026

Data Controller: Ai-Vitae, Ireland — orders@ai-vitae.store

1. Who We Are

Ai-Vitae (“we”, “us”, “our”) is an AI-powered CV, career document, and interview preparation service based in Ireland. We operate the website at ai-vitae.store. For the purposes of the General Data Protection Regulation (GDPR), we are the Data Controller of the personal data you submit to us.

Contact us at any time regarding your data: orders@ai-vitae.store

2. What Data We Collect

When you place an order, we collect:

  • Identity data: Your full name
  • Contact data: Your email address
  • CV / career document: The file you upload (PDF, DOCX, or plain text), which contains your employment history, qualifications, and any other personal information you choose to include
  • Job description: The role or position you are targeting
  • Payment data: Transaction reference, order amount, and currency (we do not store card numbers — these are handled exclusively by Stripe)
  • Order metadata: Package tier, selected add-ons, order ID, timestamp

If you use the AI Mock Interview service, we additionally collect:

  • Voice audio: Your spoken responses during the interview session, processed in real time to generate the conversation
  • Interview transcript: A text record of the full interview, used solely to generate your personalised per-answer feedback report
  • Interview session metadata: Session ID, duration, interview style, booking time (where applicable)

We collect only what is strictly necessary to deliver your service. We do not collect phone numbers, postal addresses, or social media profiles unless you choose to include them in your CV.

3. Why We Process Your Data and Our Lawful Basis

Service Delivery — Contract Performance (Article 6(1)(b) GDPR)

We process your name, email, CV, and job description to rewrite your documents using AI and deliver the completed files to you. This is the core purpose of the contract you enter when placing an order.

Payment Processing — Contract Performance (Article 6(1)(b) GDPR)

We process transaction metadata to confirm payment and fulfill your order. Card data is processed by Stripe under their own data controller obligations.

Legal and Accounting Records — Legal Obligation (Article 6(1)(c) GDPR)

We retain order records (order ID, email, amount, date) for 7 years to comply with Irish tax and accounting law.

Voice Recording & Interview Processing — Consent (Article 6(1)(a) GDPR)

If you use the AI Mock Interview service, your voice and interview transcript are recorded and processed solely to generate your feedback report. You give explicit consent to this recording by clicking “Begin Interview” on the pre-session briefing screen. You may withdraw consent at any time by not proceeding — once a session has started, the recording cannot be stopped mid-session but no further processing occurs after feedback delivery.

We do not use your data for marketing, profiling, or advertising purposes.

4. AI Processing — How Your Data Is Used

Important: Your CV and job description are processed by third-party AI systems to generate your rewritten documents. By placing an order, you consent to this processing.

Our AI models are instructed to work only from the information you provide. They do not add qualifications, employment history, achievements, or metrics that are not present in your original CV.

Depending on the package you select, your CV and job description are sent to one or more of the following AI providers:

  • Anthropic, Inc. (Claude Sonnet / Claude Opus) — used for Premium and Executive tier CV rewriting
  • OpenAI, LLC (GPT-4o / GPT-4o-mini) — used for Starter and Standard tier CV rewriting, and for generating interview feedback reports from your transcript

Both providers are US-based. Data transfers are covered by Standard Contractual Clauses (SCCs) under GDPR Article 46. Neither provider uses your submitted data to train their models without explicit opt-in (which we do not enable). For their data handling policies, see Anthropic Privacy Policy and OpenAI Privacy Policy.

If you use the AI Mock Interview service, your voice audio is also processed in real time by Vapi AI, Inc., which manages the voice conversation infrastructure (speech-to-text, text-to-speech, and session management). Your voice data is transmitted to Vapi solely during the session and is not retained by Vapi after the session ends. See the Vapi Privacy Policy for details.

5. Third-Party Sub-Processors

We use the following third-party services to operate our platform. Each has a data processing agreement in place with us or operates under GDPR-adequate safeguards:

ProviderPurposeData SharedLocation
Stripe, Inc.Payment processingEmail, order amountUS / EU (SCC)
Supabase, Inc.Secure file and order data storageCV file, order metadataEU (Frankfurt)
Anthropic, Inc.AI document rewriting (Premium/Executive)CV content, job descriptionUS (SCC)
OpenAI, LLCAI document rewriting (Starter/Standard)CV content, job descriptionUS (SCC)
Google LLCDocument formatting (Editable Word add-on) and email deliveryCV content (formatting only), email addressEU / US (SCC)
Vapi AI, Inc.Voice interview infrastructure (speech-to-text, TTS, session management) — interview sessions onlyVoice audio (in-session only, not retained)US (SCC)
Hetzner Online GmbHServer infrastructure (workflow automation)All order data (in transit)EU (Germany)
Vercel, Inc.Website hostingIP address, usage dataUS / EU (SCC)
Cloudflare, Inc.DNS, DDoS protection, and network securityIP address, request metadataUS / EU (SCC)

6. Data Retention

  • Your CV file and job description: Stored securely for 90 days after your order is completed, then permanently deleted from our systems.
  • Completed document files (rewritten CV, cover letter, LinkedIn text, editable DOCX): Stored for 90 days after delivery, then permanently deleted.
  • Interview transcript and voice data: Your interview transcript is retained only for as long as needed to generate and deliver your feedback report — typically a matter of minutes. It is permanently deleted from our systems after your feedback report is sent. Voice audio processed by Vapi is not retained by Vapi after the session ends.
  • Interview session metadata (session ID, duration, booking time): Retained for 90 days alongside your order record, then deleted.
  • Order records (order ID, email, package, amount, date): Retained for 7 years to comply with Irish tax and accounting obligations, then deleted.
  • Email correspondence: Retained for up to 2 years for support and dispute resolution purposes.

You may request early deletion of your data at any time — see Section 8 below.

7. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • All data transmitted over HTTPS/TLS encryption
  • CV files stored in private, access-controlled cloud storage (not publicly accessible)
  • Row-level security on our database
  • API keys and credentials stored as encrypted environment variables, never in source code
  • Server infrastructure hosted within the EU (Hetzner, Frankfurt)

No method of electronic transmission or storage is 100% secure. In the event of a data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33 (EU GDPR) and the equivalent UK GDPR obligation. For EU/Irish data subjects this means the Data Protection Commission (DPC); for UK data subjects this means the Information Commissioner's Office (ICO).

8. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. To exercise any of them, email us at orders@ai-vitae.store with your order ID and we will respond within 30 days.

Right of Access (Article 15)

Request a copy of all personal data we hold about you.

Right to Rectification (Article 16)

Ask us to correct inaccurate data we hold about you.

Right to Erasure / "Right to be Forgotten" (Article 17)

Request deletion of your personal data. We will comply unless we are required to retain it for legal obligations (e.g. accounting records).

Right to Restrict Processing (Article 18)

Ask us to pause processing your data in certain circumstances.

Right to Data Portability (Article 20)

Receive your data in a structured, machine-readable format.

Right to Object (Article 21)

Object to processing based on legitimate interests.

Rights Related to Automated Decision-Making (Article 22)

Our service involves automated processing of your CV by AI. You have the right to request human review of AI-generated output. Contact us and we will manually review your documents.

Right to Lodge a Complaint

You have the right to complain to your national supervisory authority. Irish residents: Data Protection Commission (DPC) at dataprotection.ie. UK residents: Information Commissioner's Office (ICO) at ico.org.uk.

9. UK Users

If you are based in the United Kingdom, the following additional provisions apply to you.

UK GDPR

The UK retained EU GDPR in domestic law as the “UK GDPR” following Brexit. UK GDPR carries the same substantive data protection obligations as EU GDPR. As a UK resident, you have the same rights described in Section 8 above, enforceable under UK law.

UK Supervisory Authority

If you believe we have handled your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK data protection regulator, at ico.org.uk. This is in addition to your right to complain to the Irish DPC.

EU → UK Data Transfers

The UK has been granted an adequacy decision by the European Commission, meaning the transfer of your personal data from our EU-based infrastructure to the UK (and vice versa) is lawful without additional safeguards.

UK → EU Data Transfers

Under UK GDPR, transfers of personal data from the UK to EU/EEA countries are permitted under the UK's adequacy regulations (SI 2021/1772), which recognise the EU/EEA as providing adequate protection. Our EU-based infrastructure (Hetzner, Supabase Frankfurt) therefore receives your data lawfully.

ICO Registration

We are in the process of registering with the Information Commissioner's Office (ICO) as required for organisations processing UK personal data. Our ICO registration number will be added here upon completion. You can verify registered organisations at ico.org.uk/register.

10. Cookies

We use only essential cookies required for the site to function (e.g. your cookie consent preference and cart state). We do not use advertising or behavioural tracking cookies. For full details, see our Cookie Policy.

11. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will update the “Last Updated” date at the top and, where appropriate, notify customers by email. Continued use of the service after changes constitutes acceptance of the updated policy.

12. Contact

For any questions or requests regarding your personal data:

Irish Supervisory Authority: Data Protection Commission (DPC) — dataprotection.ie

UK Supervisory Authority: Information Commissioner's Office (ICO) — ico.org.uk