Last updated: 14 March 2026
ATSBuster (“we”, “us”, “our”) operates the website atsbuster.org and provides AI-powered CV optimisation services. We are the data controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Contact: atsbuster.support@gmail.com
We collect and process the following personal data:
Account Data: Your name, email address, and hashed password when you create an account. If you sign in via Google, we receive your name and email from Google.
CV and Job Description Data: The CV content and job descriptions you submit for optimisation. This may include your name, work history, education, skills, contact details, and other information contained within your CV.
Payment Data: Payment processing is handled entirely by Stripe. We do not store your card details. We retain your Stripe session ID, transaction amount, and purchase history.
Usage Data: We collect data about how you use our service, including pages visited, features used, and timestamps. We use essential cookies for authentication only.
We use your personal data for the following purposes and legal bases under UK GDPR:
To provide our service (contractual necessity): Processing your CV through our AI to generate optimised versions and cover letters. Managing your account, credits, and transaction history.
To process payments (contractual necessity): Facilitating credit purchases through Stripe.
To communicate with you (legitimate interest): Responding to support requests and sending service-related notifications.
To improve our service (legitimate interest): Analysing usage patterns to improve functionality and user experience.
We share your data with the following third-party processors who act on our behalf:
Supabase (EU): Database hosting and authentication. Stores your account data, CV rewrites, and transaction records. Data is hosted in the EU (London region).
Stripe (US/EU): Payment processing. Receives your email and payment details to process transactions. Stripe is certified under EU-US data transfer frameworks.
Anthropic (US): AI processing. Your CV text and job descriptions are sent to Anthropic's Claude API for optimisation. Data is processed under their API terms and is not used to train AI models.
Vercel (US): Website hosting and serverless function execution.
We do not sell your personal data to any third party.
Some of our third-party processors are based outside the UK. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office (ICO), or adequacy decisions where applicable.
Account data: Retained for as long as your account is active. Deleted within 30 days of account deletion.
CV and cover letter data: Retained for as long as your account is active so you can access your rewrite history. Deleted within 30 days of account deletion.
Transaction records: Retained for 7 years to comply with UK tax and accounting obligations.
You have the following rights regarding your personal data:
Right of access: Request a copy of the personal data we hold about you.
Right to rectification: Request correction of inaccurate or incomplete data.
Right to erasure: Request deletion of your personal data.
Right to restrict processing: Request that we limit how we use your data.
Right to data portability: Request your data in a structured, machine-readable format.
Right to object: Object to processing based on legitimate interest.
To exercise any of these rights, contact us at atsbuster.support@gmail.com. We will respond within 30 days.
We implement appropriate technical and organisational measures to protect your personal data, including encryption of data in transit (TLS/HTTPS), secure authentication with hashed passwords, Row Level Security on our database ensuring users can only access their own data, rate limiting to prevent abuse, input sanitisation to prevent injection attacks, and security headers including Content Security Policy.
Our service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on our website. Your continued use of the service after changes constitutes acceptance of the revised policy.
If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.