Privacy Policy

1. What Data We Collect

1.1 Data You Provide Directly

When you register for an account or use the Platform we collect:

• Account information - your full name, email address, and password.
• Professional information - your target industry, target job role, and career stage.
• CV and career content - the CV documents, cover letters, LinkedIn profile content, and interview answers you upload or input for AI analysis.
• Payment information - processed and stored securely by Stripe. We do not store card details on our servers.
• Communications - any messages, feedback, or support requests you send to us.

1.2 Data We Collect Automatically

When you use the Platform we automatically collect:

• Usage data - features used, tools accessed, session frequency, and time spent on the Platform.
• Technical data - IP address, browser type and version, device type, operating system, and referring URLs.
• Cookie data - as described in our Cookie Policy at xenzar.com/cookies.
• Performance data - CV scores, mock interview completion rates, and career readiness scores generated by your use of Platform tools.

1.3 Data We Do Not Collect

We do not collect special category data (as defined under UK GDPR Article 9) such as race, ethnicity, health data, religious beliefs, or biometric data unless you voluntarily include this in content you upload. We strongly advise you to remove any such information from CVs or other documents before uploading.

2. How We Use Your Data

We use your personal data for the following purposes and on the following lawful bases:

• To provide the Platform and its features - Lawful basis: Contract performance (Article 6(1)(b)). Processing your CV, generating feedback, running mock interviews, and delivering all platform services requires this data.
• To process payments - Lawful basis: Contract performance (Article 6(1)(b)). We share necessary billing data with Stripe to process subscription payments.
• To send service communications - Lawful basis: Contract performance (Article 6(1)(b)). Emails about your subscription, payment confirmations, account security, and platform updates.
• To send marketing communications - Lawful basis: Legitimate interests (Article 6(1)(f)) or consent where required. You may unsubscribe at any time.
• To improve the Platform - Lawful basis: Legitimate interests (Article 6(1)(f)). Analysing aggregated, anonymised usage patterns to improve features and user experience.
• To comply with legal obligations - Lawful basis: Legal obligation (Article 6(1)(c)). Retaining financial records, responding to legal requests from authorities.
• To protect against fraud and misuse - Lawful basis: Legitimate interests (Article 6(1)(f)). Monitoring for suspicious activity, enforcing our Terms, and protecting the security of the Platform.

3. How We Share Your Data

We do not sell your personal data to any third party. We share your data only in the following limited circumstances:

• Stripe - payment processing. Stripe is certified to PCI DSS Level 1. Data is processed under a data processing agreement.
• Clerk - authentication and account management. Data is processed under a data processing agreement.
• Vercel - Platform hosting and infrastructure. Data is stored on Vercel's secure servers.
• NeonDB - database storage. Your account and usage data is stored securely.
• Law enforcement or regulators - where required by law or court order or to protect the rights, property, or safety of Xenzar, our users, or the public.
• Business transfers - in the event of a merger, acquisition, or sale of assets, your data may be transferred to the new entity with appropriate protections.

All third-party processors are contractually bound to process your data only on our instructions and in compliance with applicable data protection law.

3.1 International Transfers

Some of our third-party service providers may process your data outside the UK. Where this occurs we ensure appropriate safeguards are in place including Standard Contractual Clauses approved by the ICO or transfers to countries covered by UK adequacy regulations. You may request details of these safeguards by contacting support@xenzar.com.

4. How Long We Keep Your Data

We retain your personal data only for as long as necessary for the purposes described in this Policy or as required by law. Our retention periods are:

• Account data - retained for the duration of your account plus 12 months after account deletion, to allow for any outstanding disputes or legal requirements.
• CV and career content - processed in real time and not stored permanently. Content uploaded for AI analysis is deleted within 30 days of processing.
• Payment and billing records - retained for 7 years in accordance with HMRC requirements under the Finance Act 2008.
• Usage and analytics data - retained in anonymised form indefinitely for product improvement purposes. Identifiable usage data is deleted 24 months after your account closure.
• Support communications - retained for 3 years from the date of the communication.

When your data is no longer required we securely delete or anonymise it in accordance with our data disposal procedures.

5. Your Rights

Under UK GDPR you have the following rights in relation to your personal data:

• Right of access (Article 15) - you have the right to request a copy of the personal data we hold about you and information about how we process it. We will respond within one calendar month.
• Right to rectification (Article 16) - you have the right to request correction of inaccurate or incomplete personal data.
• Right to erasure (Article 17) - you have the right to request deletion of your personal data in certain circumstances, including where it is no longer necessary for the purposes for which it was collected.
• Right to restrict processing (Article 18) - you have the right to request that we restrict processing of your personal data in certain circumstances.
• Right to data portability (Article 20) - you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
• Right to object (Article 21) - you have the right to object to processing based on legitimate interests, including for direct marketing purposes.
• Rights in relation to automated decision-making (Article 22) - you have the right not to be subject to a decision based solely on automated processing that significantly affects you. Our AI tools provide recommendations and feedback but final decisions remain with you.
• Right to withdraw consent - where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights please contact us at support@xenzar.com with the subject line "Data Rights Request." We will respond within one calendar month. We may request verification of your identity before processing your request.

6. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. We will notify you of material changes by email or by displaying a notice on the Platform at least 14 days before the changes take effect. The current version will always be available at xenzar.com/privacy. Your continued use of the Platform after changes take effect constitutes acceptance of the updated Policy.

7. Contact Us and Data Protection Queries

For any questions, concerns, or requests relating to this Privacy Policy or your personal data please contact us:

We aim to respond to all data protection queries within 5 business days and all formal data subject requests within one calendar month.