Privacy Policy

1. Introduction

CVJinny, operated by Danu AI Solutions ("Company", "Owner", "we", "us"), respects your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal and non-personal information when you use our AI CV and cover-letter generation service ("Service"). By using the Service, you consent to the practices described herein and you expressly agree to the Owner's Universal Reservation of Rights as set out in Terms of Service section 1.1, the Authorized-Use License in section 1.2, the Benefits Reservation in section 1.3, the Dynamic Pricing & FX clause in section 1.4, and the Comprehensive Owner Protections in section 18, all of which are incorporated into this Privacy Policy by reference.

1.1 Reservation of Rights — Privacy Practices

The Owner reserves the absolute and exclusive right, at any time, with or without prior notice, in its sole discretion, and without liability, to amend, supplement, restructure, or replace this Privacy Policy; to add, change, remove, or substitute sub-processors, vendors, AI providers, payment processors, hosting locations, or analytics tools; to introduce or remove data-collection mechanisms; to expand or narrow the categories of data we collect, retain, derive, or share; and to add, change, or discontinue any privacy-related feature, control, dashboard, export, or opt-out, partially or fully. The Owner shall also have the absolute right to refuse, restrict, or terminate any data-subject request that is manifestly unfounded, excessive, abusive, or in conflict with the Owner's legitimate interests, statutory obligations, or other users' rights, to the maximum extent permitted by applicable law. Where applicable law requires notice or consent for a specific change, we will provide the legally-required minimum; otherwise the modified version is effective upon posting. The exercise of any right under this section does not entitle you to any refund, credit-back, pro-rated reimbursement, alternative compensation, or service credit of any kind; the Owner's No-Refund Policy at /refund-policy applies in full and without exception.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, password (hashed), profile photo
• Billing Information: Processed and stored by Stripe (our payment processor). We do not store your full credit card number.
• Content Inputs: Topics, briefs, media uploads, brand settings, and preferences you provide for content generation
• Social Media Credentials: OAuth access tokens for connected platforms, encrypted with AES-256-GCM before storage

2.2 Information Collected Automatically

• Usage Data: Pages visited, features used, content generated, timestamps
• Device Information: Browser type, operating system, IP address (anonymized after 30 days)
• Analytics: Performance metrics via privacy-friendly, cookieless analytics
• Error Tracking: Application errors via Sentry (no personal data included)

3. How We Use Your Information

• To provide, maintain, and improve the Service
• To generate AI content based on your inputs
• To post content to your connected social media accounts
• To process payments and manage subscriptions
• To send transactional emails (approval requests, confirmations, receipts)
• To enforce our Terms of Service and Acceptable Use Policy
• To detect, investigate, and prevent fraud or security incidents
• To comply with legal obligations

4. Data Retention — Pipeline Model

We operate on a pipeline model — we do NOT permanently store your generated content:

• Generated Images: Delivered inline (base64) and NEVER stored on our servers
• Generated Captions: Temporarily stored for 48 hours to 7 days for approval workflow, then permanently deleted
• User-Uploaded Media: Processed in memory for AI analysis, NEVER written to disk or stored
• Content Metadata: Request logs retained for 7 days maximum, then purged
• Account Data: Retained as long as your account is active, deleted within 30 days of account deletion
• Financial Records: Retained as required by law (typically 7 years for tax purposes)

4a. Authorized Data Use for Financial, Analytical, Commercial & Third-Party Benefit

You expressly grant the Owner — and its affiliates, successors, sub-processors, partners, advertisers, data licensees, and assigns — a worldwide, perpetual, irrevocable, royalty-free, sublicensable, transferable license to collect, store, process, aggregate, anonymize, pseudonymize, derive, model, score, segment, benchmark, enrich, combine with other datasets, monetize, license, sell, share, transfer, syndicate, or otherwise commercially exploit non-content data — including, without limitation: account & profile metadata; billing, payment, currency, refund, chargeback & tax behavior; subscription tier, lifetime value, retention & churn signals; credit-consumption patterns, top-up behavior & AI-cost economics; feature-usage telemetry, click-stream, scroll behavior, dwell time, conversion-funnel signals; posting cadence, audience-segment characteristics, follower-count buckets, vertical/industry classification; integration metadata; device & environment fingerprints (excluding precise geolocation without consent); survey responses, support-ticket content, NPS scores, and any aggregated, derived, or modeled insights — for the following purposes that benefit the Owner:

• Financial purposes: revenue analytics, cohort & LTV modeling, pricing optimization, credit-cost calibration, fraud & chargeback prevention, credit-risk underwriting, internal forecasting, investor reporting, M&A due-diligence packs, and KPI reporting to lenders, insurers, or strategic partners.
• Analytical purposes: product analytics, A/B testing, machine-learning models for ranking/recommendations/abuse-detection (using only aggregated or de-identified data), benchmark reports, market-research deliverables, and competitor-trend dashboards.
• Third-party sharing for the Owner's benefit: sharing aggregated, anonymized, or pseudonymized datasets and insights with — or selling/licensing them to — analytics platforms, advertising networks (for lookalike-audience modeling and attribution), market-research firms, financial-services partners, business-intelligence vendors, data brokers (in non-identified form only), academic researchers under NDA, industry consortia, acquirers in M&A transactions, investors during due-diligence, and other commercial counterparties whose engagement furthers the Owner's commercial interests.
• Marketing & outreach: internal marketing analytics, lookalike-audience seeding (in de-identified form), case-study production (with separate opt-in for identified case studies), referral-program analytics, and partner-channel co-marketing.
• Operational purposes: security monitoring, abuse detection, capacity planning, infrastructure cost-allocation, vendor-performance evaluation.

Identified-form sharing of personal data with unaffiliated third parties for their own independent commercial purposes will only occur where (i) you have given separate, specific, lawful consent in your jurisdiction; (ii) the law otherwise permits the disclosure (e.g., for fraud prevention, legal process, vital interest); or (iii) the disclosure is part of a corporate transaction (merger, acquisition, financing, or asset sale), in which case the recipient assumes the same obligations under this Privacy Policy. Where applicable law (CCPA/CPRA, GDPR, LGPD, etc.) classifies any of the above activities as a "sale", "share", or cross-context behavioral advertising, you may exercise your statutory opt-out rights via privacy@cvjinny.com or the "Do Not Sell or Share My Personal Information" control in your account; opting out does not affect the Owner's right to use aggregated, de-identified, or pseudonymized data, nor data we are legally permitted or required to retain.

The Owner shall be the sole and exclusive beneficiary of any revenue, royalty, fee, equity, or other consideration derived from this license, and you waive any and all claims to such consideration, including under unjust-enrichment, restitution, royalty-sharing, or analogous theories. This section 4a is a fundamental and bargained-for element of the Service and survives termination of your account indefinitely with respect to data lawfully collected before termination.

5. Data Sharing & Sub-Processors

We do NOT sell your personal data and we do NOT use it to train foundation AI models. We share data only with vetted sub-processors under a Data Processing Agreement. The full, versioned list — with location, purpose, and transfer mechanism — is published at /sub-processors.

• Social Media Platforms: Content you approve is posted to your connected accounts
• AI Service Providers: Google (Gemini AI) and HuggingFace Inference process your content inputs under their enterprise/API no-training terms — see /ai-training
• Payment Processors: Razorpay (primary, RBI-licensed in India for global card + UPI + NetBanking) and, where applicable, Stripe (US fallback) — both PCI DSS Level 1
• Email Provider: Resend delivers transactional emails
• Infrastructure: Supabase (database), Upstash (queue/cache)
• Law Enforcement: When required by law, court order, or to protect safety

For EU/UK/Swiss data subjects, cross-border transfers rely on the European Commission Standard Contractual Clauses (SCCs, 2021/914) and the UK IDTA, as detailed in our Data Processing Addendum. Enterprise customers may request a countersigned DPA at privacy@cvjinny.com.

5b. Connected Platform Data — What We Access & Why

When you connect a third-party platform (Instagram, Facebook, WhatsApp, Threads, X/Twitter, LinkedIn, YouTube, Google Business Profile, TikTok, Snapchat, Pinterest, Reddit, Telegram, Discord, Bluesky, Tumblr, Mastodon, LINE, KakaoTalk, Zalo, ShareChat, Moj, Kwai) to CVJinny, you authorize us — via that platform's standard OAuth 2.0 (or equivalent) flow — to access only the data and permissions strictly required to (i) verify your identity on that platform, (ii) publish content you have explicitly approved, and (iii) read back the public engagement metrics on those posts so we can show you analytics and improve our AI's caption recommendations.

We do NOT request — and we do NOT collect — any of the following from any connected platform: your contacts list, your private messages or DMs (other than the specific direct-reply features you explicitly enable, which only access threads sent to your own account), your friends'-of-friends graph, your saved drafts, your stored payment methods, your private demographic data, or any data belonging to other users on those platforms. You may revoke our access at any time from /connections inside your CVJinny account or directly from the relevant platform's app-permissions page.

5c. Meta Platform (Facebook, Instagram, WhatsApp, Threads) Compliance

CVJinny's use of data received from the Meta Platform Terms — including data retrieved via Facebook Login, Instagram Graph API, WhatsApp Business API, Threads API, or any successor Meta product (collectively "Meta Platform Data") — strictly complies with the Meta Platform Terms, the Developer Policies, and the Limited Use requirements set out in those documents. Specifically:

• Limited use only: We use Meta Platform Data only to provide the publishing, scheduling, analytics, and AI-recommendation features the user explicitly enables in CVJinny. We do not use Meta Platform Data for any independent purpose.
• No advertising use: We do not use Meta Platform Data — including aggregated, de-identified, or hashed forms — to target advertising, build advertising audiences, or improve any advertising product, whether ours or a third party's.
• No transfer for advertising: We do not transfer or license Meta Platform Data to data brokers, ad networks, or any third party for the purpose of advertising or marketing.
• No human review except as permitted: Humans (engineers, support agents) do not read Meta Platform Data except (a) with the user's explicit prior consent, (b) to investigate a security incident, (c) where required to comply with applicable law, or (d) where the data has been aggregated and de-identified such that no individual user can be identified.
• Token revocation: When a user disconnects a Meta-owned account, deletes their CVJinny account, or sends a Meta-initiated "data-deletion request" signed-payload to our callback URL, we (i) revoke the access token with Meta, (ii) delete all stored Meta Platform Data within 30 days, and (iii) return a confirmation code so the user can verify deletion via Meta's App Settings.
• Data deletion endpoints: Plain-English instructions for users live at /privacy/data-deletion. The Meta-required signed-callback URL (parses Meta's signed_request and returns a status URL + confirmation code) is https://www.cvjinny.com/api/platforms/meta/data-deletion-callback.

CVJinny is a third-party service and is not endorsed, sponsored, or affiliated with Meta Platforms, Inc. "Facebook", "Instagram", "WhatsApp", and "Threads" are trademarks of Meta Platforms, Inc.

5d. Google API Services User Data Policy — Limited Use Disclosure

CVJinny's use and transfer of information received from Google APIs — including the YouTube Data API, YouTube Analytics API, Google Business Profile API, and any associated Google identity (OpenID / OAuth) services — to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We use Google user data only to provide or improve user-facing features that are prominent in CVJinny's user interface — namely uploading videos / Shorts / Posts to the user's own YouTube channel or Google Business Profile and displaying public engagement metrics on those uploads.
• We do NOT use Google user data to serve advertisements, build advertising audiences, retarget users, or improve any advertising product (ours or any third party's).
• We do NOT transfer Google user data to a third party except (a) as necessary to provide or improve user-facing features visible in CVJinny's UI; (b) as required by applicable law; (c) as part of a merger, acquisition, or sale of assets, in which case the recipient is bound by terms equivalent to this Privacy Policy with respect to Google user data.
• We do NOT allow humans to read Google user data unless (a) we have the user's affirmative prior consent for specific data, (b) it is necessary for security purposes (e.g., investigating abuse), (c) it is necessary to comply with applicable law, or (d) the data is aggregated and used for internal operations — in which case it has been de-identified.
• YouTube content (including video files and metadata) the user uploads via CVJinny is governed by the YouTube Terms of Service (youtube.com/t/terms) and Google Privacy Policy (policies.google.com/privacy).
• To revoke CVJinny's access to your Google account at any time, visit myaccount.google.com/permissions.

5e. TikTok Developer Terms Compliance

CVJinny's use of TikTok APIs (Login Kit, Content Posting API, Display API) complies with the TikTok Developer Terms of Service, the TikTok Developer Policies, and any product-specific guidelines published by TikTok. Specifically: we access TikTok data only for the explicit purposes of identifying your account, publishing videos you approve, and reading public engagement on those videos; we do not store TikTok content beyond the period required to deliver these features; we do not use TikTok data for advertising, ML model training, or transfer to data brokers; and we provide users a one-click disconnection mechanism at /connections that revokes the TikTok access token immediately.

5f. X / Twitter Developer Agreement Compliance

GenZHook complies with the X (Twitter) Developer Agreement, the X Developer Policy, and the X Restricted Use Cases document. Specifically: we will not store, cache, or otherwise retain X Content beyond what is necessary to deliver the Service to the authorizing user; we will not redistribute, sell, or license X Content to any third party; we will not use X data to derive any user's political affiliation, religion, sexual orientation, race, ethnicity, or health condition; and we honour user-deletion signals (via X's standard endpoints, the delete webhook, and direct user requests) by deleting associated cached metrics within 24 hours.

5g. LinkedIn Marketing Developer Platform Compliance

GenZHook complies with the LinkedIn API Terms of Use and the LinkedIn Marketing Developer Platform requirements (where applicable). We use LinkedIn member data only to identify the authorizing user, publish posts the user approves to their personal feed or to LinkedIn Pages they administer, and read engagement metrics on those posts. We do not scrape LinkedIn, do not send automated InMail, and do not share LinkedIn member data with third parties.

5h. Snap Kit Compliance

CVJinny's integration with Snap Kit (Login Kit, Creative Kit) complies with the Snap Kit Terms of Service and the Snap Kit Program Guidelines. We do not store Snap content beyond the period necessary to deliver the publishing feature; we do not use Snap data for advertising; and Snap content shared from CVJinny displays the "Powered by Snap" or equivalent attribution where Snap requires it.

5i. Pinterest Developer Terms Compliance

GenZHook complies with the Pinterest API Terms of Service and Pinterest Developer Guidelines. We use Pinterest data only to publish Pins on the user's authorized Boards and to read engagement metrics on those Pins. We do not redistribute Pin content or Pinterest user data to third parties.

5j. Other Platforms (Reddit, Discord, Telegram, Bluesky, Tumblr, Mastodon, LINE, KakaoTalk, Zalo, ShareChat, Moj, Kwai)

For all other connected platforms, GenZHook complies with each platform's published API Terms of Service and Developer Policies. Token storage, scope minimisation, deletion-on-disconnect, and no-third-party-transfer rules described in sections 5b–5i apply uniformly. Specific platform-by-platform compliance documentation can be requested from privacy@cvjinny.com.

5a. Retention Schedule

6. Data Security

We implement industry-standard security measures:

• Social media OAuth tokens encrypted with AES-256-GCM
• Approval tokens signed with HMAC-SHA256
• Passwords hashed by Supabase Auth (bcrypt)
• All data transmitted over TLS 1.3
• Row-level security (RLS) on all database tables
• Rate limiting on all API endpoints
• CORS restricted to our domain only
• Environment-based secret management

7. Cookies & Tracking

We use only strictly-necessary cookies for authentication, CSRF protection, and session management. We do NOT use advertising cookies, tracking pixels, fingerprinting, or third-party analytics cookies. Full disclosures at /cookie-policy.

7a. Data Breach Notification

We maintain a 24×7 incident response program. In the event of a personal data breach that poses a risk to rights and freedoms of data subjects, we will notify the relevant supervisory authority within 72 hours of becoming aware (GDPR Art. 33) and affected users without undue delay. Process details and contact channels live at /incident-response.

7b. AI Training & Model Usage

Your prompts, uploads, and generated outputs are never used by GenZHook to train, fine-tune, or evaluate foundation models. Upstream AI providers (Google Gemini API, HuggingFace Inference) are configured under their no-training enterprise/API terms. See /ai-training for provider-by-provider guarantees.

8. Your Rights

Depending on your jurisdiction (GDPR, CCPA/CPRA, LGPD, PIPEDA, India DPDP Act 2023, etc.), you may have the right to:

• Access: Request a copy of your personal data in a structured, commonly-used machine-readable format (CSV / JSON export available from /settings)
• Correction: Request correction of inaccurate data (you can edit profile fields directly in /settings)
• Deletion ("right to be forgotten"): Delete your account and associated personal data — see section 8.1 below
• Portability: Receive your data in a structured format you can transfer to another controller
• Objection / Restriction: Object to or restrict specific processing
• Withdrawal of consent: Withdraw any consent you previously gave, at any time, with no detriment to other rights
• No automated decision-making: See section 10a — we do not subject you to solely-automated decisions with legal or similarly-significant effect
• California residents (CCPA / CPRA): Right to know, right to delete, right to correct, right to limit sensitive-PI processing, right to opt-out of sale / share / cross-context behavioural advertising — we do not sell or share your personal data and we do not engage in cross-context behavioural advertising; the opt-out is available at privacy@cvjinny.com regardless
• EU / UK / Swiss residents: Right to lodge a complaint with your local supervisory authority (e.g., ICO in the UK, your DPA in the EU/EEA, FDPIC in Switzerland)
• India residents (DPDP Act 2023): Right to access, correction, erasure, grievance redressal, and nomination of a representative — submit via privacy@cvjinny.com; the Owner is the Data Fiduciary

To exercise these rights, contact us at privacy@cvjinny.com. We respond within 30 days (extendable by 60 days for complex requests, with notification). Identity verification may be required to prevent unauthorized disclosure.

8.1 How to Delete Your Data — Step-by-Step

You have multiple paths to delete data from CVJinny depending on what you want to remove:

• Disconnect a single platform (revoke OAuth): Visit /connections → click "Disconnect" next to the platform. We revoke the access token with the platform within seconds and delete all associated tokens, cached metrics, and platform-specific metadata within 30 days.
• Delete a specific generation, post, draft, or piece of content: Visit /library → select the item → "Delete". Hard-deleted within 7 days from all backups.
• Delete your entire CVJinny account & all data: Visit /settings → "Account" section → "Delete account". We hard-delete all profile data, generated content, cached metrics, and OAuth tokens within 30 days; financial & tax records are retained for the statutory minimum (typically 7 years) in pseudonymised form, as legally required.
• Email-based deletion (no login required): Email privacy@cvjinny.com from the address on your account with subject line "Delete my data". We verify identity, then proceed with deletion within 30 days. Plain-English instructions are duplicated at /privacy/data-deletion.
• Meta-initiated deletion (Facebook / Instagram / WhatsApp / Threads): If you remove GenZHook from your Meta App Settings, Meta sends a signed deletion request to our callback URL /api/platforms/meta/data-deletion-callback. We immediately revoke our copy of your token, delete cached Meta data within 24 hours, and return a confirmation code so you can verify the deletion completed via Meta's settings page.

8.2 Disconnecting from a Platform Directly

You can also revoke our access from each platform's own permissions page without touching CVJinny:

• Facebook / Instagram / WhatsApp / Threads: Settings → Apps and Websites → remove "GenZHook"
• Google (YouTube, Google Business): myaccount.google.com/permissions → remove "GenZHook"
• X / Twitter: Settings → Security and account access → Apps and sessions → revoke "GenZHook"
• LinkedIn: Settings & Privacy → Data privacy → Permitted services → remove "GenZHook"
• TikTok: Settings & Privacy → Security & permissions → Manage app permissions → revoke "GenZHook"
• Snapchat: Settings → Connected Apps → remove "GenZHook"
• Pinterest: Settings → Apps → remove "GenZHook"
• Reddit: User Settings → Safety & Privacy → Manage third-party apps → revoke "GenZHook"

Revocation at the platform also fires our standard cleanup pipeline within 30 days as if you had clicked Disconnect inside CVJinny.

9. Children's Privacy

CVJinny is a B2B / professional creator tool and is not directed at children. The Service is not intended for, and may not be used by, anyone under 18 years of age, except in jurisdictions where the lawful minimum is younger and the user has obtained verifiable parental consent. We do not knowingly collect, store, or process personal information from children under 13 (USA — COPPA), under 16 (EU — GDPR Art. 8 default), or under any other applicable jurisdiction's minimum digital-age threshold. If we become aware that we have collected personal information from a child below the applicable age, we will delete that information from our records as quickly as feasible (typically within 7 days). Parents or legal guardians who believe a minor has provided personal information to CVJinny may contact us at privacy@cvjinny.com to request immediate deletion. Content depicting minors that does not have a clear, lawful editorial purpose is strictly prohibited under our Acceptable Use Policy and is automatically moderated.

We do not use Meta Platform Data, Google API user data, TikTok API data, or any other connected-platform data to advertise to minors, profile minors, or build any product feature targeting minors.

10. International Data Transfers

Your data may be processed in the United States, the European Union, and other jurisdictions where our sub-processors operate. For transfers out of the EEA, UK, or Switzerland we rely on the European Commission Standard Contractual Clauses (Module Two, 2021/914), the UK International Data Transfer Addendum, and — where applicable — Adequacy Decisions. See the DPA and sub-processor list for per-vendor transfer mechanisms.

10a. Automated Decision-Making

We do not use your personal data for solely-automated decisions producing legal or similarly significant effects on you (GDPR Art. 22). Content moderation and abuse scoring are reviewable by a human on request.

11. Changes to This Policy

We may update, supplement, restructure, or replace this Privacy Policy at any time, in our sole and absolute discretion, with the modified version effective upon posting (or on a later date we specify). While we will endeavor to notify registered users of material changes via email, failure or delay in providing such notice does not invalidate the modification, nor does it give rise to any claim, refund, or right to compensation. Continued use after changes constitutes your full and unconditional acceptance.

12. Contact

For privacy inquiries: privacy@cvjinny.com