Privacy Policy

Who we are

CareerFlip is published by Sico Software Ltd, a company registered in Scotland. We help you discover alternative career directions by analysing your CV and work preferences using AI. We are registered with the UK Information Commissioner's Office (ICO). Privacy questions: privacy@sico.software.

Data we collect

Account data. When you register, we store your email address via our authentication provider (SuperTokens).

CV and career data. When you upload or paste your CV, we store your employment history (job titles, employers, dates, descriptions), education and qualifications, and skills.

Work preferences. Answers you give during onboarding and in your profile — work location preference, preferred cities, salary expectations, working hours, people interaction style, employment type, and career change extent.

Behavioural data. Your swipe decisions (career directions you liked or rejected) and the AI-generated career directions we produce for you.

We do not store payment card details. Any subscription billing is handled directly by Stripe.

How we use your data

• To analyse your CV and generate personalised career direction suggestions
• To surface relevant job listings matched to those directions
• To refine suggestions based on your swipe feedback and stated preferences
• To generate contextual follow-up questions that improve recommendation quality
• To send transactional emails (account confirmation, billing notifications)

AI processing. Your CV content and career history are sent to Anthropic's Claude API to generate profile analysis, career direction suggestions, personalised probe questions, and job relevance scoring. This is core to how the service works. Anthropic processes this data as our sub-processor under a data processing agreement; they do not use your data to train their models by default. See Anthropic's privacy policy at anthropic.com/privacy. The lawful basis for this processing is contract performance — it is necessary to deliver the service you signed up for.

Job board searches

To find relevant live job listings, we send search queries — derived from your career direction titles — to third-party job boards: Adzuna, Reed, CareerJet, The Muse, RemoteOK, and Jooble. These queries are career role titles (e.g. "UX Researcher"). No personal data from your CV or account is transmitted to job boards. Results are cached on our servers for up to 24 hours.

Anonymised, aggregated job title and keyword data (no personal information) may be retained for up to 4 weeks as part of a cross-user job discovery pool used to improve career suggestions.

Data sharing

We do not sell your data. We share data only with sub-processors required to operate the service:

• Anthropic, PBC — AI model provider. Your CV content is processed by Claude to generate career analysis and suggestions.
• SuperTokens Inc. — Authentication provider. Your email address is stored in SuperTokens for login and session management.
• Stripe, Inc. — Payment processing. Stripe handles one-time payment processing; we store only your plan status.
• Hetzner Online GmbH — our VPS provider (Germany, EU). All personal data is stored on this server.
• Resend Inc. — transactional email (account and billing notifications).
• PostHog Inc. — product analytics (page views, feature usage; no personal data).
• Sentry Inc. — error monitoring (stack traces; personal data scrubbed before transmission).

Data retention

We retain your personal data for as long as you hold an active account. You can delete your account at any time from your billing page — all personal data is erased immediately. To request deletion by email instead, contact privacy@sico.software with the subject line "Delete my data" and we will action it within 30 days.

Financial records. Payment transaction records (amount, date, product, and Stripe reference) may be retained for up to 6 years after the end of the tax year in which the transaction occurred. This is required by UK law (HMRC record-keeping obligations) and is exempt from the right to erasure under UK GDPR Article 17(3)(b). These records do not contain your CV, career data, or any application-level personal data.

Deletion audit log. When an account is deleted we record a timestamped entry containing a masked email address (e.g. "s*****n@example.com"), your anonymised account reference, and the deletion timestamp. This log has no expiry — it is the evidence we would produce to the ICO if asked to demonstrate that we honoured your erasure request.

Your rights under UK GDPR

As a UK resident you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — correct inaccurate data
• Erasure — ask us to delete your data ("right to be forgotten")
• Portability — receive your data in a machine-readable format
• Restriction — ask us to limit how we process your data
• Objection — object to processing based on legitimate interests

To exercise any right, email privacy@sico.software. We will respond within 30 days. You also have the right to lodge a complaint with the ICO at ico.org.uk.

Security

All data is transmitted over TLS. Our server (Hetzner, Germany) is access-controlled via SSH key and Tailscale VPN. Integration credentials and API keys are encrypted at rest using pgcrypto symmetric encryption.

Cookies

We use one strictly necessary session cookie to keep you logged in. We do not use advertising or tracking cookies. PostHog analytics uses a first-party cookie; it does not track you across other sites.

Changes to this policy

Material changes will be communicated by email and by updating the effective date above. Continued use of the service after notification constitutes acceptance.