Privacy Policy
1. Who We Are (Data Controller)
NexaBots Ltd is the data controller for personal data collected through nexabots-ltd.com and all associated tools and services. We are registered in England and Wales. Our contact email for data protection matters is hello@nexabots-ltd.com.
We are not currently required to register with the Information Commissioner's Office (ICO) as a data controller, but we comply fully with UK GDPR and the Data Protection Act 2018. If you have an unresolved concern, you can contact the ICO at ico.org.uk or on 0303 123 1113.
2. What Data We Collect and Why
Account Data
When you create an account, we collect your email address, full name (optional), and a hashed password (we never store your password in plain text; authentication is handled by Supabase Auth). Legal basis: Contract performance, as necessary to provide your account.
CV and Document Content
Text you submit to CVBot (your CV, job descriptions), InterviewBot (job role, company, responses), ScreenBot (CVs and job descriptions you paste), and CoverLetterBot (job details, your background) is processed to generate AI outputs. This content is sent to OpenAI's API for processing. We do not permanently store your submitted content after your session unless you explicitly save it to your account (e.g. saving a Master CV). Legal basis: Contract performance.
Saved Content (Registered Users)
If you choose to save a Master CV, cover letter history, or interview sessions to your account, this is stored in our Supabase database. You can delete it at any time from your dashboard. Legal basis: Contract performance / your consent when saving.
Usage Data
We log which tools you use and when (tool name + timestamp), tied to your user ID. This powers the daily usage limits on free accounts and your usage history in the dashboard. We do not log the content of your submissions in usage logs. Legal basis: Legitimate interests (service management and abuse prevention).
Billing Data
If you subscribe to a paid plan, payment is processed by Stripe. We never see or store your full card number. We receive from Stripe: your Stripe customer ID, subscription ID, plan status, and billing dates. Stripe's privacy policy applies to payment processing: stripe.com/gb/privacy. Legal basis: Contract performance.
Contact Form Data
When you submit our contact form, we collect your name, email address, optional phone number, and message. This is sent to our admin inbox and a confirmation is sent to you. We retain contact enquiries for up to 2 years for business records. Legal basis: Legitimate interests (responding to enquiries).
Guest Tracking (No Account)
For users without an account, we store an anonymous token (UUID) in your browser's localStorage and a device fingerprint derived from your browser's hardware characteristics and canvas rendering. We also store a hashed form of your IP address rather than the address itself. This data is pseudonymous: it is not linked to your name, email address or raw IP address, and it is used solely to enforce the 1 free use per 24 hours rate limit and to prevent abuse. Legal basis: Legitimate interests (service integrity and abuse prevention).
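As an added illustration (this is not NexaBots' code; it assumes a server-side secret and uses an in-memory dictionary in place of their database), the following Python shows why a hashed IP address stays pseudonymous only if the hash is keyed with a secret the browser never sees, and how a guest token plus keyed IP hash can enforce the 1-use-per-24-hours limit without storing the raw address:

```python
"""Illustration only (not NexaBots' implementation): pseudonymous guest keys
for a 1-use-per-24h limit, and why the IP component must be a keyed hash."""
import hashlib
import hmac
import ipaddress
import time
from typing import Dict, Optional

# Assumption for the demo: a server-side secret that is never sent to the client.
SERVER_SECRET = b"constructed-demo-secret-keep-server-side"
WINDOW_SECONDS = 24 * 60 * 60          # the policy's "1 free use per 24 hours"
GUEST_RETENTION_SECONDS = 30 * 24 * 60 * 60   # "deleted after 30 days of inactivity"


def plain_ip_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the address. It is 'hashed', but not non-reversible:
    IPv4 has only 2^32 addresses, so anyone holding the digest can enumerate them."""
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_ip_hash(ip: str, secret: bytes = SERVER_SECRET) -> str:
    """HMAC-SHA256 under a server secret. Without the key the digest cannot be
    brute-forced back to the address, so the stored value stays pseudonymous."""
    return hmac.new(secret, ip.encode(), hashlib.sha256).hexdigest()


def recover_ip(digest: str, network: str) -> Optional[str]:
    """Attacker's view: walk a range and look for an unkeyed digest match.
    The demo uses a /24; offline, the whole IPv4 space is just as feasible."""
    for host in ipaddress.ip_network(network).hosts():
        if hmac.compare_digest(plain_ip_hash(str(host)), digest):
            return str(host)
    return None


class GuestRateLimiter:
    """In-memory stand-in for the server-side store. Both the browser token and
    the keyed IP hash are checked, so clearing localStorage alone does not
    reset the limit. The raw IP address is never written to the store."""

    def __init__(self, window: int = WINDOW_SECONDS):
        self.window = window
        self._last_use: Dict[str, float] = {}

    @staticmethod
    def _identifiers(token: str, ip: str) -> list:
        return [f"token:{token}", f"ip:{keyed_ip_hash(ip)}"]

    def try_use(self, token: str, ip: str, now: Optional[float] = None) -> bool:
        """Return True and record the use if neither identifier was used within
        the window; otherwise return False (request denied)."""
        now = time.time() if now is None else now
        ids = self._identifiers(token, ip)
        for key in ids:
            last = self._last_use.get(key)
            if last is not None and now - last < self.window:
                return False
        for key in ids:
            self._last_use[key] = now
        return True

    def purge_inactive(self, now: Optional[float] = None,
                       max_idle: int = GUEST_RETENTION_SECONDS) -> int:
        """Retention job: drop identifiers idle for 30 days; returns count removed."""
        now = time.time() if now is None else now
        stale = [k for k, t in self._last_use.items() if now - t >= max_idle]
        for k in stale:
            del self._last_use[k]
        return len(stale)


if __name__ == "__main__":
    ip = "203.0.113.42"   # constructed sample address (TEST-NET-3)
    print("unkeyed digest recovered as:", recover_ip(plain_ip_hash(ip), "203.0.113.0/24"))
    print("keyed digest recovered as:  ", recover_ip(keyed_ip_hash(ip), "203.0.113.0/24"))
    limiter = GuestRateLimiter()
    print("first use allowed:", limiter.try_use("tok-1", ip, now=0))
    print("second use within 24h:", limiter.try_use("tok-1", ip, now=3600))
    print("new token, same IP, within 24h:", limiter.try_use("tok-2", ip, now=3600))
```

The point of the first two calls is the caveat a reviewer would raise against the phrase "non-reversible": an unkeyed hash of an IP address is reversed in milliseconds by enumeration, whereas the HMAC form is not recoverable without the server secret.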
Technical Data
Error monitoring is handled by Sentry, which captures error logs, stack traces, and basic request context (but not the content of user submissions). Session replay data (if enabled) is anonymised with all text masked. Sentry's privacy policy: sentry.io/privacy.
Advertising Data (Free Users)
If you are on the free plan and have consented via our cookie banner, Google AdSense may place cookies to serve relevant advertisements. AdSense may use your browsing data for ad personalisation. This does not apply to paid subscribers: all paid plans are ad-free. Google's privacy policy: policies.google.com/privacy. Legal basis: Your consent (cookie banner).
3. AI Processing: How Your Data is Used
Content you submit to any NexaBots AI tool is transmitted to OpenAI's API for processing. This means your submitted text (CV, interview responses, etc.) is sent to OpenAI's servers in accordance with OpenAI's Privacy Policy. OpenAI processes this data to generate responses and, under its API data usage terms, does not use API inputs to train its models by default.
We use GPT-4o (OpenAI's multimodal model) for all AI processing. For image uploads (JPG/PNG CVs), the image itself is sent to OpenAI as an image input to GPT-4o, which extracts the text from it.
We do not sell your data to any third party for training AI models or any other purpose.
4. Data Sharing
We share your data only with the following categories of recipients, and only as necessary:
- OpenAI: AI processing of submitted content
- Supabase: database and authentication provider (EU data centre)
- Stripe: payment processing (for paid subscribers)
- Google AdSense: advertising (free users only, with consent)
- Sentry: error monitoring (anonymised technical data)
- Microsoft 365: email delivery for transactional emails
We do not sell, rent, or share your personal data with advertisers, data brokers, or any other third party for commercial purposes.
5. International Transfers
Some of our third-party providers (notably OpenAI and Stripe) process data outside the UK/EEA, including in the United States. Where this occurs, we rely on the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), or on UK adequacy regulations where they apply, to ensure appropriate protections are in place. Our primary database (Supabase) is located in the EU (Stockholm, Sweden).
6. Data Retention
- Account data: Retained until you delete your account
- Saved CV / cover letter / session data: Retained until you delete it or your account
- Usage logs: Retained for 12 months then automatically deleted
- Guest tracking tokens: Deleted after 30 days of inactivity
- Contact enquiries: Retained for up to 2 years
- Billing records: Retained for 7 years as required by UK tax law
- Error logs (Sentry): Retained for 90 days
7. Your Rights Under UK GDPR
As a UK resident, you have the following rights regarding your personal data:
- Right of access: You can request a copy of the personal data we hold about you
- Right to rectification: You can ask us to correct inaccurate data
- Right to erasure: You can ask us to delete your data (subject to legal retention requirements)
- Right to restriction: You can ask us to restrict processing in certain circumstances
- Right to data portability: You can request your data in a machine-readable format
- Right to object: You can object to processing based on legitimate interests
- Right to withdraw consent: Where processing is based on consent (e.g. advertising cookies), you can withdraw it at any time via our cookie banner
To exercise any of these rights, email hello@nexabots-ltd.com. We will respond within one month of receiving your request, as UK GDPR requires (this period may be extended for complex requests, in which case we will tell you why). If you are not satisfied with our response, you can lodge a complaint with the ICO at ico.org.uk/make-a-complaint.
8. Cookies
We use the following cookies:
- Authentication cookies: Set by Supabase to maintain your login session. These are strictly necessary and cannot be disabled.
- Preference cookies: We store your theme choice and language preference in your browser's localStorage. These are not cookies but local storage entries and do not leave your device.
- Advertising cookies: Google AdSense cookies (free users only, consent required). You can withdraw consent using the cookie banner at any time.
We do not use tracking cookies, analytics cookies, or third-party marketing cookies beyond what is listed above.
9. Security
We take reasonable technical and organisational measures to protect your data, including HTTPS encryption for all data in transit, encrypted database storage via Supabase, hashed passwords (never stored in plain text), row-level security on all database tables (each user can only access their own data), and a CORS policy restricting which web origins may call our API from a browser.
No system is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, and where the breach is likely to result in a high risk to you we will also notify you without undue delay, as UK GDPR requires.
10. Children's Privacy
Our Services are not directed at children under 16. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, please contact us at hello@nexabots-ltd.com and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. The date at the top of this page indicates when the current version was published. Continued use of our Services after changes constitutes acceptance of the updated policy.
12. Contact Us
For any privacy-related questions, data subject requests, or concerns, contact us at hello@nexabots-ltd.com or via our contact page. We aim to respond to all privacy enquiries within 5 business days.