Privacy Policy – CV Builder
Last updated: July 2026
This is an English courtesy translation. In case of any conflict, the Italian version prevails.
1. Introduction
This Privacy Policy describes how the Stipendee CV Builder service (hereinafter the "Service") processes users' personal data. The Service is provided by Forcelab di Rodolfo Puglia (VAT number IT14481340967), with registered office at Via Merano 9, 20093 Cologno Monzese (MI), Italy (hereinafter the "Data Controller").
Stipendee is committed to protecting users' privacy and to ensuring maximum transparency in the processing of personal data, in compliance with Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree (D.Lgs.) 196/2003 as amended by Italian Legislative Decree (D.Lgs.) 101/2018.
2. Fundamental Principle: Privacy by Design
The CV Builder has been designed with a "Privacy by Design" approach: by default, the personal data entered by the user to build their curriculum vitae remain on the user's device and are not saved on Stipendee's servers. There are only two exceptions, both explicitly activated by the user: the use of the AI features (which involves the transient transmission of only the content needed, see section 7) and the encrypted cloud sync reserved for Premium users (see section 6).
How it works
- Local processing: all CV data (personal details, work experience, education, skills, photo, etc.) are processed and stored in the user's browser via local storage (IndexedDB/localStorage)
- Client-side PDF generation: the CV PDF is generated directly on the user's device, without the content being sent to any server
- No account required: no registration is needed to use the free version of the Service
In short: Stipendee does not collect or store the contents of your curriculum vitae in plain text. If you choose to activate cloud sync, the contents are stored exclusively in encrypted form; if you use the AI features, the necessary contents are processed only for the time needed to handle the request.
3. Personal Data Collected
3.1 CV data
The following data, entered by the user to create their CV, remain on the user's device, unless the user activates the encrypted cloud sync (section 6) or uses the AI features (section 7):
- Personal details (first name, last name, address, date of birth, etc.)
- Contact details (phone, personal email, social profiles)
- Work and educational experience
- Skills, languages, certifications
- Profile photo and other multimedia content
- Any other information entered in the CV
3.2 Account and Premium subscription data
For users who purchase the Premium Plan, Stipendee collects and stores the email address provided at the time of purchase and the subscription-related data: chosen plan, subscription status, end-of-period date and pseudonymous identifiers assigned by the payment provider (Stripe). Stipendee does not receive or store full payment card data, which are processed exclusively by Stripe.
Purposes of processing:
- Performance of the contract: to link the purchase to the user, enable access to the Premium features and manage the subscription lifecycle (renewals, cancellations, reactivations) via the customer portal
- Authentication: to enable login to the Premium service via an OTP code
- Transactional communications: sending the order confirmation and the payment receipt
- Support: responding to any support requests relating to the purchase
Legal basis: the processing of the email address and subscription data is necessary for the performance of the Premium Plan purchase contract (Art. 6(1)(b) GDPR).
Retention: the email address is retained for the entire duration of the contractual relationship and for the period necessary to comply with legal obligations (in particular tax and accounting obligations, up to 10 years from the transaction).
4. Cookies and Tracking Technologies
4.1 Technical cookies (necessary)
The Service uses technical cookies strictly necessary for its operation, which do not require the user's consent:
- Authentication session: to keep Premium users logged in
- Local preferences: to store interface settings
4.2 Analytics cookies (subject to consent)
Stipendee uses Google Analytics to collect anonymous information about site usage, with the following characteristics:
- IP address anonymization
- No individual profiling
- Data used exclusively to improve the Service
Analytics cookies are activated only with the user's prior consent, which can be withdrawn at any time by changing the browser settings.
4.3 Managing cookies
Users can manage their cookie preferences directly from their browser settings. Disabling technical cookies may impair some features of the Service (in particular Premium access).
5. Local Storage in the Browser
CV data are saved in the user's browser local storage (IndexedDB/localStorage). This means that:
- The data are accessible only from the device and browser used
- The data are not synchronized across different devices, unless the encrypted cloud sync is activated (section 6)
- Clearing the browser's browsing data results in the loss of the local data
- The user is responsible for backing up their own data via the export feature
Stipendee has no access whatsoever to the data stored locally in the user's browser.
6. Encrypted Cloud Sync (Premium, optional)
Premium users can activate, on an optional and explicit basis, the cloud synchronization of their CVs to access them on multiple devices. When the feature is active:
- On-device encryption: the CV contents and images are encrypted directly in the user's browser (AES-256-GCM) before being sent to the servers. Only encrypted data transit through and are stored on the servers.
- Per-user key: the encryption key is derived individually for each user and is used only on the user's device. Stipendee's systems do not decrypt the contents server-side.
- Where the data are stored: the encrypted data are stored on Google Firebase infrastructure (Cloud Firestore and Cloud Storage).
- User control: synchronization can be deactivated at any time from the editor. Deleting a CV also removes the encrypted data and images from the cloud.
- Subscription expiry: when the Premium subscription ends, access to the cloud data is blocked; the CVs remain available locally on the user's device.
Legal basis: performance of the contract (Art. 6(1)(b) GDPR), since synchronization is a Premium Plan feature activated at the user's request. Retention: the encrypted data are stored for as long as the user keeps synchronization active or until they are deleted by the user.
7. AI Features
Some features of the Service rely on artificial intelligence models (Google Gemini API). These features are activated only at the user's explicit request and involve sending only the content needed for processing:
- PDF import: the text of the uploaded CV is sent in order to extract and automatically fill in the editor sections.
- Tailored CV: the professional contents of the CV and the text of the job posting are sent, excluding contact details (name, email, phone, address), which never leave the browser.
- CV translation: only the texts to be translated are sent (descriptions, bullet points, skills), excluding contact details and factual data such as company and school names, dates and links.
The content sent is processed on a transient basis, for the sole purpose of generating the requested result: Stipendee does not store it on its own systems. The processing carried out by the model provider is governed by the relevant terms (Google AI - Terms of Service).
Legal basis: performance of the contract and of the user's request (Art. 6(1)(b) GDPR).
8. Data Sharing
8.1 Service providers
In order to provide the Service, users' data may be processed by the following providers, appointed as data processors where applicable:
- Stripe (payment provider): for transaction management. Stripe acts as an independent controller for payment data. Stripe Privacy Policy
- Firebase/Google Cloud (infrastructure): for authentication, subscription management and storage of the encrypted cloud sync data. Firebase Privacy Policy
- Google (Gemini API) (AI features): for the transient processing of the content sent by the user via the AI features (section 7). Gemini API Terms
8.2 No sale of data
Stipendee does not sell, rent or transfer users' personal data to third parties for marketing or profiling purposes.
8.3 Legal obligations
Data may be disclosed to third parties only if required by law or by a competent judicial or administrative authority.
9. Data Transfers Outside the EU
Some of our service providers (Stripe, Google/Firebase) may process data in countries outside the European Union. In such cases, the transfer takes place in compliance with the safeguards provided by the GDPR, in particular:
- Standard contractual clauses approved by the European Commission
- Adequacy decisions (where applicable)
- Certifications and binding commitments of the providers
10. Rights of the Data Subject
In relation to the data processed by Stipendee (email, subscription data, encrypted cloud sync data), the user has the right to:
- Access: obtain confirmation of the existence of processing and access their data
- Rectification: request the correction of inaccurate data
- Erasure: request the deletion of the data, within the limits provided by law
- Restriction: request the restriction of processing in certain cases
- Portability: receive the data in a structured, readable format
- Objection: object to processing on legitimate grounds
To exercise these rights, contact: info@stipendee.it
The user also has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali, www.garanteprivacy.it).
11. Data Security
Stipendee adopts appropriate technical and organizational security measures to protect the personal data it processes:
- Encrypted connections (HTTPS/TLS)
- Client-side encryption (AES-256-GCM) of the content synced to the cloud
- Secure authentication via OTP code
- Cloud infrastructure with security certifications (Firebase/Google Cloud)
- Data access limited to authorized personnel
12. Minors
The Service is not intended for minors under 16 years of age. We do not knowingly collect personal data from minors. If a parent or guardian believes that a minor has provided personal data, they may contact us to request its deletion.
13. Changes to this Policy
Stipendee reserves the right to amend this Privacy Policy at any time. Changes will be published on this page with an indication of the last update date.
In the event of substantial changes affecting users' rights, notice will be given via the site or, for Premium users, by email.
14. Contact
For any question regarding the processing of personal data or to exercise your rights:
Email: info@stipendee.it
Data Controller:
Forcelab di Rodolfo Puglia
VAT number (P.IVA) IT14481340967
Via Merano 9
20093 Cologno Monzese (MI)
Italy