Skip to main content
Home
Legal

Privacy Policy

Last updated

Who we are (data controller)

Sausage Dog is the trading name of Anthony Clasper, a sole trader based in the United Kingdom. We are the data controller for the personal data described in this policy.

What data we collect

  • Your CV content (uploaded file or pasted text) and any job descriptions you provide.

  • Your email address and name, if you sign in via Google or email magic link.

  • A Stripe customer reference and Premium status, if you subscribe. We never see your card details.

  • Audio recordings during interview practice sessions (Premium only, processed in memory, not stored).

  • Basic technical data: IP address, browser type, pages visited (consent-gated).

Special category data in CVs

CVs sometimes contain “special category” personal data under Article 9 of the UK GDPR. This can include information about your health, ethnic origin, religion, sexual orientation, trade union membership or political views. Even where we have not asked for it, this kind of information is foreseeably present in CVs.

By uploading or pasting your CV you give your explicit consent (the lawful basis under Article 9(2)(a)) for us to process any special category data it contains, for the sole purpose of tailoring your CV to a job description using AI.

You can withdraw consent at any time by deleting your account or contacting us. Withdrawal does not affect processing carried out before the withdrawal.

How we use it (lawful basis)

  • Account and CV tailoring. Article 6(1)(b) - performance of the contract you enter into when you create an account and use the Service.

  • Special category data in CVs. Article 9(2)(a) - your explicit consent, given by uploading your CV.

  • Marketing email. Article 6(1)(a) - your consent, given by ticking the opt-in box at sign-up. Withdraw any time.

  • Billing and tax records. Article 6(1)(b) - contract performance; and Article 6(1)(c) - legal obligation (HMRC record-keeping).

  • Security, rate limiting, fraud prevention. Article 6(1)(f) - legitimate interests, balanced against your rights.

We do not sell your data. We do not use your CV to train AI models. We do not profile you for advertising.

Sub-processors

We use the following sub-processors to operate the Service. Each operates under a written Data Processing Agreement that incorporates the UK International Data Transfer Addendum where data leaves the United Kingdom.

We will notify registered users by email at least 14 days before we add or replace a sub-processor.

  • Anthropic. Claude API for CV tailoring, cover letter and email generation. Region: United States. UK International Data Transfer Addendum.

  • OpenAI. Whisper transcription and TTS for interview practice (Premium only). Region: United States. UK International Data Transfer Addendum.

  • Vercel. Web hosting and serverless functions. Region: United States. UK International Data Transfer Addendum.

  • Neon. PostgreSQL database (account, saved CVs, tailoring history). Region: European Union. Within EEA. No transfer mechanism required..

  • Stripe. Subscription billing for Premium tier. Region: United States. UK International Data Transfer Addendum.

  • Resend. Transactional and (with consent) marketing email. Region: United States. UK International Data Transfer Addendum.

  • Google. OAuth sign-in (name and email only) and GA4 analytics (consent-gated). Region: United States. UK International Data Transfer Addendum.

International transfers

Several of our sub-processors are based in the United States. Where personal data is transferred outside the United Kingdom, we rely on the UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses, which is the post-Brexit mechanism approved by the ICO. Each US sub-processor publishes a Trust Centre describing their technical and organisational security measures, encryption at rest and in transit, and breach notification commitments.

Data retention

  • Account data. Retained while your account is active. Deleted within 24 hours of self-service account deletion. Inactive accounts (24 months with no sign-in) are flagged for deletion with notice.

  • Tailored CVs and saved jobs. Retained against your account until you delete them or delete your account.

  • Raw uploaded CV files. Processed in memory and not retained beyond the request lifecycle.

  • Interview practice audio. Not retained. Processed in memory.

  • Billing records. 6 years after the last transaction (HMRC tax records requirement). This overrides the right to erasure under Article 17(3)(b) UK GDPR - if you delete your account, your CVs, jobs and contact details are deleted within 24 hours but Stripe billing records and tax invoices are retained for the statutory period.

  • Server logs. Up to 30 days for debugging and abuse prevention.

  • Support correspondence. 24 months from last contact, then deleted.

Your rights (UK GDPR)

  • Right of access - request a copy of the personal data we hold about you.

  • Right to rectification - correct anything inaccurate.

  • Right to erasure - delete your account and all associated data.

  • Right to data portability - export your data in a machine-readable format.

  • Right to restrict or object to processing.

  • Right to withdraw consent at any time (where consent is the lawful basis).

  • Right to complain to the ICO (ico.org.uk) if you are unhappy with how we have handled your data.

Account deletion and data export are available in your account settings. For any other request, email hello@sausagedog.io. We will respond within 30 days. To protect you from impersonation we may need to verify your identity by asking you to send the request from the email address registered to your account.

The data export available in your account settings covers data held in our database (CVs, jobs, tailoring history, account details). Billing history and invoices are held by Stripe and can be downloaded directly from the Stripe billing portal linked in your account.

Storage and security

Your saved jobs, tailored CVs and account data are stored in a managed PostgreSQL database (Neon, EU region). Authentication uses signed HTTP-only cookies. Data is encrypted in transit (TLS) and at rest. Access to the database and the production environment is restricted to the controller.

Cookies

We use essential cookies (session, premium status, CSRF) and, with your consent, analytics cookies from Google Analytics 4. The cookie banner uses Consent Mode v2 - all non-essential cookies remain blocked until you explicitly accept them.

Changes to this policy

If we make material changes we will email registered users and post a notice in-app. The last-updated date at the top of this page tells you when it was last revised.

Contact

Questions, complaints or to exercise any of your rights, email hello@sausagedog.io.