Privacy Policy

Cuvi (cuvi.io) is a professional verification service for job candidates and recruiters. This policy explains what data we collect when you use Cuvi as a candidate, why we collect it, who we share it with, and how to remove it.

When you sign up or get verified, you provide:

• Email address(es) — your sign-in email and, optionally, a separate work email for verification and a separate personal email for long-term contact.
• Name — either typed by you or pulled from your Google profile if you sign in with Google.
• Resume (optional) — the file you upload, plus extracted text used to populate your profile.
• LinkedIn URL (optional) — for recruiters to match you to your public profile.
• Phone number (optional) — used only for fraud detection. We store a one-way HMAC hash, not the raw number, after the initial collection.

When you use Cuvi, we automatically log:

• IP address and user-agent string at sign-in and key candidate actions, for security and abuse prevention.
• Verification status, work-email domain, and which companies have requested or fulfilled your verification.
• Anonymous behavioral metrics on the verification form (mouse movements count, time-to-submit, paste-from-clipboard flag) used to score automated bot submissions. These are never tied to an individual identity beyond your candidate record.

Personal emails are stored as one-way HMAC hashes alongside the plain-text address so we can detect cross-tenant identity reuse without exposing the address to other parts of the system.

Everything we collect serves one of three purposes:

• Verifying your professional identity so recruiters can trust applications under your name.
• Detecting fraud — phone or email reuse across multiple candidate accounts, automated form submissions, etc.
• Communicating with you (verification confirmations, recruiter notifications you opt into, account-related emails).

We share limited fields with companies who've requested your verification:

• Your name and verification status
• The domain of the work email you verified with
• Whether you have a verified badge

We do not share your personal email, phone number, or resume with recruiters unless you explicitly choose to send those as part of an application.

Cuvi does not sell candidate data. Cuvi has no advertising business model. If we ever introduce a future product that would require this practice, we will update this policy and notify candidates with active accounts before the change takes effect.

We use a small number of essential service providers to run the platform: Supabase (managed Postgres database and authentication), Vercel (hosting), Resend (transactional email delivery), Sentry (error monitoring), and OpenAI (resume text extraction and structured-field parsing). These providers process data only to deliver their service to us and are bound by their own terms. OpenAI's API terms prohibit them from using API-submitted data to train their models.

Data is encrypted in transit (TLS) and at rest. Sensitive fields used for fraud correlation (phone numbers, personal emails) are stored as HMAC-SHA256 hashes — the raw values cannot be reconstructed from the hash by anyone, including us.

Access to candidate records is limited to platform admins and the recruiters at companies who've specifically requested your verification. All admin actions are audit-logged.

We keep your data for as long as your Cuvi account is active. You can delete your account at any time by emailing support@cuvi.iowith the subject line “Delete my account” from the address you used to sign in.

After we receive a deletion request, your profile, resume, peer verifications, and notifications are scheduled for permanent deletion within seven days. You can cancel during that grace window by replying to the same email.

Audit logs that record security-relevant events (sign-ins, admin actions, abuse signals) are retained for up to 12 months for legal and security purposes, then purged.

You can:

• Access your data — email support@cuvi.io for a copy.
• Correct your data — edit name, work email, and other profile fields yourself at cuvi.io/profile.
• Deleteyour account — see “How long we keep it” above.
• Object or restrict processing — email support@cuvi.ioand we'll work with you on the specific concern.

If you're in the European Economic Area, the United Kingdom, or California, you have additional statutory rights under GDPR, UK GDPR, and CCPA respectively. Email support@cuvi.ioand we'll honor them.

Cuvi uses a small set of essential cookies — none for advertising, none from third-party trackers:

• Authentication session cookies (set by Supabase) so you stay signed in across pages.
• Verification-attribution cookie (cuvi_widget_attr) when you arrive via a company-specific verification link, so the right recruiter team gets notified after you complete verification. Expires after one hour.
• Pre-launch access cookie (cuvi_access) during the gated launch period.

Cuvi is intended for working-age adults seeking employment. We don't knowingly collect data from anyone under 18. If you believe a minor has signed up, email support@cuvi.io and we'll remove the account.

When we make material changes to this policy we'll update the “Last updated” date at the top and, for significant changes, email candidates with active accounts at least 14 days before the change takes effect.

Questions about this policy or your data? Email support@cuvi.io.