Security

Last updated 13 June 2026

Your CV contains personal information, so protecting it matters. Here is how we keep your account and data safe — and how to report an issue.

1. Our approach

Security is built into how CVPilot is designed, not bolted on afterwards. Your CV often holds details like your email, phone number, and location, so we treat all CV data as private by default and restrict access to it at every layer of the Service.

2. Authentication

Sign-in is handled by Google Firebase Authentication, supporting email/password and Google sign-in. We never see or store your Google password. Every request that reads or changes your data must carry a valid, verified authentication token tied to your account.

3. Access controls

  • All writes go through our server-side API, which verifies your identity token before doing anything.
  • Database rules enforce per-user ownership, so one account cannot read or modify another account's CV.
  • Uploaded source files are stored privately and are streamed through our authenticated API rather than exposed at a public URL.

4. Encryption

All traffic between your browser and CVPilot is encrypted in transit using HTTPS/TLS. Stored data — including your CV content and uploaded files — is encrypted at rest by our infrastructure providers (Google Firebase / Google Cloud).

5. Privacy by default

Newly created CVs are private. A CV is only reachable by others when you explicitly choose to publish it. Exports such as PDFs are served with no-store cache headers so they are not retained by intermediaries. You can switch a CV back to private at any time.

You control what's exposed

The strongest privacy control is what you choose to include and publish. If you would rather not have a full home address or phone number publicly visible, simply leave those fields out or keep your CV private. You can edit or remove any field at any time.

6. Third-party processors

We rely on reputable providers to run the Service — notably Google Firebase for authentication, database, and storage, and a third-party AI provider for CV parsing and enhancement. We limit what we share with them to what is needed to deliver the feature you requested. See our Privacy Policy for details.

7. Your part

  • Use a strong, unique password (or Google sign-in).
  • Keep access to your email account secure.
  • Sign out on shared devices.
  • Only publish CV details you are comfortable making public.

8. Reporting a vulnerability

We welcome responsible disclosure. If you believe you have found a security vulnerability, please email security@cvpilot.xyz with enough detail for us to reproduce the issue. Please give us a reasonable opportunity to investigate and fix it before any public disclosure, and avoid accessing or modifying data that is not yours. We are grateful for reports made in good faith and will not pursue action against researchers who follow this guidance.

9. Incident response

If we become aware of a security incident affecting your personal information, we will investigate promptly and notify affected users and any relevant authorities where required by law.

10. Contact

Security questions or concerns? Email security@cvpilot.xyz.

© 2026 cvpilot.xyz. All rights reserved. v0.1 / private beta