Privacy Policy
Last updated: June 2026
Meritvo ("we", "us", "our") is committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (GDPR, Regulation EU 2016/679) and applicable Swedish data protection law. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have.
1. Data Controller
The data controller responsible for your personal data is:
- Name: Meritvo
- Contact: hello@meritvo.se
If you have questions or requests regarding your personal data, please contact us at the email address above.
2. Personal Data We Collect and Why
We collect and process the following categories of personal data:
2.1 Account Data
Data: Full name, email address, password hash.
Purpose: Creating and managing your user account; authenticating you when you log in.
Legal basis: Performance of a contract (GDPR Article 6(1)(b)) — processing is necessary to provide you with the Meritvo service.
2.2 Career and CV Data
Data: Work experiences, education, skills, projects, certifications, professional summary, CV content, and any other information you enter into the CV builder.
Purpose: Generating and storing your CVs; enabling AI-powered suggestions and match-score features.
Legal basis: Performance of a contract (GDPR Article 6(1)(b)).
2.3 Profile Image
Data: Profile photo you optionally upload.
Purpose: Displaying your photo on generated CVs.
Legal basis: Performance of a contract (GDPR Article 6(1)(b)); legitimate interest (GDPR Article 6(1)(f)) in enabling a complete CV product where photos are a standard component.
2.4 Billing Data
Data: Stripe customer ID, subscription plan, subscription status, and billing history. Payment card details are handled exclusively by Stripe and are never stored by Meritvo.
Purpose: Processing payments, managing subscriptions, and complying with accounting and tax obligations.
Legal basis: Performance of a contract (GDPR Article 6(1)(b)) and compliance with a legal obligation (GDPR Article 6(1)(c)), such as bookkeeping requirements under Swedish law.
2.5 Usage and Technical Data
Data: AI feature usage logs, session metadata, and error information.
Purpose: Monitoring service health, preventing abuse, debugging issues, and improving the service.
Legal basis: Legitimate interest (GDPR Article 6(1)(f)) in maintaining a secure and functioning service.
3. Data Retention
We retain personal data only for as long as necessary for the purposes described above:
- Account, career, and profile data: Retained for as long as your account is active. To have this data erased, send a deletion request (GDPR Article 17) to hello@meritvo.se. Once we have verified your identity, we delete the data within 30 days, subject to the billing-record retention obligations described below.
- Billing records: Retained for 7 years from the date of the transaction in accordance with the Swedish Bookkeeping Act (Bokföringslagen, SFS 1999:1078).
- AI usage logs: Retained as long as necessary for service monitoring and abuse prevention. Server-side operational logs are retained according to the standard log retention policy of our hosting infrastructure.
4. Third-Party Data Processors
We use the following third-party data processors to operate the service. Each processor is bound by a Data Processing Agreement (DPA) and may only process your data according to our instructions:
- Supabase, Inc. (USA, EU data region) — Provides the database. Stores account data, career data, and usage metadata. Supabase offers standard contractual clauses (SCCs) for EU data transfers.
- Stripe, Inc. (USA) — Processes payments and manages subscriptions. Receives billing information. Stripe is certified under the EU–US Data Privacy Framework.
- OpenAI, L.L.C. (USA) — Powers AI features such as CV suggestions and match scoring. Career data you ask the AI to process is sent to OpenAI. OpenAI is certified under the EU–US Data Privacy Framework and offers SCCs.
- Resend, Inc. (USA) — Sends transactional emails (account verification, password reset, notifications). Receives your email address for this purpose. Resend offers SCCs for EU data transfers.
- S3-compatible object storage provider — Stores and serves profile images you upload. The specific provider is configured per deployment. For information about the current provider and the applicable data transfer mechanism, please contact us at hello@meritvo.se.
We do not sell your personal data to third parties, and we do not share it with any party other than the processors listed above unless required by law.
4.1 OAuth Authentication Providers (independent controllers)
If you choose to sign in with Google or GitHub, those providers authenticate your identity and share your name and email address with Meritvo. In this OAuth flow Google LLC and GitHub, Inc. act as independent data controllers, not as our data processors: they process your login data for their own purposes and under their own privacy policies, not on Meritvo's instructions or under a Data Processing Agreement with us.
- Google LLC (USA) — Certified under the EU–US Data Privacy Framework. See Google's Privacy Policy.
- GitHub, Inc. (USA) — Offers SCCs for EU data transfers. See GitHub's Privacy Statement.
These providers are only involved if you opt in to OAuth login. Once you have signed in, the account data we receive is handled by Meritvo as described in this policy.
5. Cookies and Browser Storage
We use only the cookies and browser storage strictly necessary to operate the service. We do not use advertising or tracking cookies.
- NEXT_LOCALE— A cookie that stores your preferred UI language (e.g., "en" or "sv"). Retained for 1 year. This cookie is necessary for the service to display content in your chosen language.
- Authentication session cookie — Set by NextAuth.js to keep you logged in. This cookie contains a signed JWT session token and is essential for authentication; it expires when your session ends or you log out.
Because these cookies are strictly necessary for the service to function, we do not require separate consent for them under GDPR and the ePrivacy Directive.
6. Your Rights
Under the GDPR you have the following rights regarding your personal data:
- Right of access (Article 15): You have the right to obtain confirmation of whether we process your personal data and to receive a copy of it.
- Right to rectification (Article 16): You have the right to have inaccurate personal data corrected without undue delay.
- Right to erasure (Article 17):You have the right to request deletion of your personal data ("right to be forgotten") where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent, subject to legal retention obligations.
- Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format.
- Right to restriction of processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances.
- Right to object (Article 21): You have the right to object to processing based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
To exercise any of these rights, please contact us at hello@meritvo.se. We will respond within 30 days as required by the GDPR. We may ask you to verify your identity before fulfilling a request.
7. Right to Lodge a Complaint
If you believe that we are processing your personal data in violation of the GDPR, you have the right to lodge a complaint with the Swedish supervisory authority:
- Integritetsskyddsmyndigheten (IMY)
- Website: www.imy.se
- Email: imy@imy.se
- Phone: +46 8-657 61 00
You also have the right to lodge a complaint with the supervisory authority in your country of residence or place of work within the EU/EEA.
8. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by displaying a prominent notice in the application before the changes take effect. The "Last updated" date at the top of this page reflects the date of the most recent revision. We encourage you to review this policy periodically.
9. Contact Us
For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact us at: hello@meritvo.se. We aim to respond to all inquiries within 5 business days.