Home Legal Privacy Notice

Privacy Notice

How A1 Jobs collects, uses, stores, and shares your personal data — and the rights you have over it under UK and EU data-protection law.

Version v1.1 · Effective 2026-05-20 · Last updated 2026-05-20

Plain English summary

We use your CV and the information you give us only to provide the tailoring service to you. Your CV is processed by Google Vertex AI (Gemini) inside the EU; Google contractually does not use it to train its models. You can ask us to access, correct, export, or delete your data at any time — we respond within one month.

1. Who we are

A1 Jobs is a software service operated by the team behind jobs.a1ergo.tech, established in the United Kingdom (London). For the purposes of UK GDPR and the Data Protection Act 2018, we are the controller for the personal data that job-seekers upload to use the self-service CV-tailoring product described in this notice.

When a recruiter or agency uses our recruiter product to upload third-party candidate CVs, the recruiter is the controller of that candidate data and we act as their processor under a separate Data Processing Agreement. That recruiter scenario is covered by a separate candidate-facing notice provided by the recruiter; this page is the notice for direct, self-service use of A1 Jobs.

You can reach our data-protection lead at jobs.privacy@a1ergo.tech.

2. What personal data we collect

We collect only what we need to operate the service:

  • Account data — your email address, a salted password hash, and an optional display name. If you sign in via a third-party identity provider (Google, etc.) we also receive the basic profile data that provider sends us.
  • CV content — the CVs, cover letters, and job descriptions you choose to upload or paste in. CVs typically contain name, contact details, employment history, education, and skills, and may imply protected characteristics (e.g. health, ethnicity, religion). Please do not upload data about anyone other than yourself unless you have a clear lawful basis.
  • Generated outputs — tailored CVs, fit analyses, and cover letters the AI produces from your inputs.
  • Service logs and metadata — timestamps, request IDs, error logs, IP address (for security), and basic usage counters needed to enforce quotas and detect abuse.
  • Communications — emails you send us and any support correspondence.

3. Why we use it and our lawful basis

We process your personal data for the following purposes:

PurposeLawful basis (UK / EU GDPR Art. 6)
Provide the core CV-tailoring service to you (account creation, accepting your CV uploads, generating tailored outputs, delivering them back to you, retaining them in your account). Performance of a contract with you (Art. 6(1)(b)).
Send the CV content you upload to our AI sub-processor (Google Vertex AI, EU multi-region) so the model can tailor it. Where your CV implies special-category information, we rely on your explicit choice to upload it for tailoring. Contract for the AI processing itself (Art. 6(1)(b)); explicit consent (Art. 9(2)(a)) for any special-category data implied by your CV.
Keep the service secure, prevent abuse, enforce quotas, and meet legal obligations (e.g. responding to a regulator or court order). Legitimate interests (Art. 6(1)(f)) — running a secure service — and legal obligation (Art. 6(1)(c)).
Send you product updates and "founding member" emails, if you opt in. Consent (Art. 6(1)(a)), separately captured (unticked box). You can withdraw any time.

We do not sell your personal data, share it with advertisers, or use it for advertising profiling. We do not run targeted ads.

4. How your CV is processed by AI

The core feature of A1 Jobs is rewriting and analysing your CV with a Large Language Model. We use Google Vertex AI (Gemini) in Google's EU multi-region. That means:

  • Inference (the model running on your prompt) happens inside Google's EU multi-region — physically across several data centres in EU member states, not in a single named country, and not in the United States.
  • Under Google's Cloud Data Processing Addendum (Signed — Cloud Data Processing Addendum, Google Cloud, effective 2026-05-20) and Vertex AI generative-AI terms, Google does not use your prompts or the model's responses to train its foundation models. Google may briefly cache them for abuse detection and to return the response, with minimum retention.
  • Google acts as our sub-processor: they may only process your data on our documented instructions, and we list them in our public sub-processor list.
  • We hard-code the Vertex location to the EU multi-region in our infrastructure and we have an automated configuration guard that refuses to send traffic to a non-EU region.

AI output is generated text — it can be inaccurate, incomplete, or fabricated. You are responsible for reviewing and editing the output before relying on it. See our AI Use & Transparency page for the full picture.

5. Who we share your data with

We share personal data with these categories of recipients:

  • Sub-processors we have engaged to operate the service — in particular Google Cloud / Vertex AI (LLM inference, EU multi-region), our hosting provider, our transactional email provider, and (if you interact with billing) our payment processor. We maintain a public sub-processor list and notify users in advance of material changes.
  • Identity providers if you choose to sign in with a third-party account (e.g. Google) — we receive your basic profile from them, and they receive the fact that you used their sign-in.
  • Professional advisors (lawyers, auditors, accountants) under duties of confidentiality, where strictly necessary.
  • Regulators, courts, and law-enforcement where we have a legal obligation to disclose.
  • A successor entity in the unlikely event of a sale, merger, or reorganisation; you would be told and your rights would carry over.

We never share your CV content with other A1 Jobs users, with recruiters, or with advertisers.

6. International transfers

We are established in the United Kingdom; we process most data inside the UK and the EU. When data crosses borders:

  • The European Commission's UK adequacy decision was renewed on 19 December 2025 and is valid to 27 December 2031, so EU→UK transfers happen without extra safeguards.
  • Sending your CV to Vertex AI in Google's EU multi-region is a UK→EEA flow and is not a "restricted transfer" under UK GDPR, so no UK IDTA or SCCs are required for that specific path.
  • If a Google support engineer in the United States needs read access to diagnose a serious incident, that access is covered by the EU Standard Contractual Clauses and the UK International Data Transfer Addendum incorporated into Google's Cloud Data Processing Addendum.

7. How long we keep your data

We keep your personal data only as long as we have a reason to:

  • Account data — while your account exists and for up to 30 days after closure to handle deletion, then it is purged from active systems. Encrypted backups are overwritten on a rolling cycle within 90 days.
  • Uploaded CVs, jobs, and generated outputs — while they're in your account; we apply an inactivity-driven cleanup so CVs you haven't touched for 12–24 months are deleted, and you can delete individual items at any time from the dashboard.
  • Logs and metrics — typically up to 12 months for security, debugging, and capacity-planning, then rotated.
  • Vertex AI processing — Google does not retain your prompts or responses for model training; any short-lived caching for abuse detection is governed by Google's Vertex AI terms.
  • Records we are legally required to keep (e.g. tax-relevant billing records) — for the statutory period (commonly six years), kept minimal and access-controlled.

8. Your rights

Under UK GDPR / EU GDPR you have the following rights over your personal data. We will respond to a verified request within one month (extendable by two more months for complex requests, with written reasons).

  • Access — get a copy of the personal data we hold about you (Art. 15).
  • Rectification — correct inaccurate or incomplete data (Art. 16).
  • Erasure — ask us to delete your data ("right to be forgotten") (Art. 17).
  • Restriction — ask us to pause processing while a dispute is resolved (Art. 18).
  • Portability — get a machine-readable export of the data you gave us (Art. 20). We provide JSON/PDF exports from your dashboard.
  • Objection — object to processing based on legitimate interests, and to direct marketing at any time (Art. 21).
  • Withdraw consent — where we rely on consent (marketing, special-category processing), withdraw at any time without affecting the lawfulness of past processing.
  • Automated decision-making — you have the right not to be subject to a solely-automated decision with significant effects. The self-service product does not make such decisions about you. (For the recruiter product, candidates have rights to information, representation, contestation, and human review — see the candidate notice your recruiter provides and our AI Use & Transparency page.)

To exercise any of these rights, email jobs.privacy@a1ergo.tech from the address on your account, or contact us through your dashboard. We may ask for proof of identity in proportion to the sensitivity of the request.

9. How to complain

We hope you'll come to us first so we can put things right. You also have the right to lodge a complaint with a data-protection regulator:

  • UK: the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — ico.org.uk/make-a-complaint — helpline 0303 123 1113.
  • EU: your local supervisory authority in the EU member state where you live, work, or where the alleged breach took place.

10. EU representative

We are not yet established in the EU. Where we process the personal data of people in the EU and the EU GDPR applies extraterritorially under Art. 3(2), we will appoint an EU Article 27 representative before onboarding material numbers of EU users; that representative's details will be added here. Status: appointment pending. Until then, EU residents can reach us at jobs.privacy@a1ergo.tech.

11. How we keep your data secure

We apply a layered set of controls:

  • TLS in transit (HTTPS everywhere) and encryption at rest for databases and backups.
  • Least-privilege access controls for staff; multi-factor authentication on all administrative and cloud accounts.
  • Secrets (API keys, service-account credentials) held in a managed secret store, never in source code.
  • Automated patching of dependencies, security headers, and time-bounded session cookies.
  • Audit logging of administrative actions and a documented incident and breach-response runbook (ICO notified within 72 hours where Art. 33 applies).

12. Cookies and tracking

We use only the cookies needed to run the site (session cookies, the CSRF token, and consent flags). We do not run third-party advertising tags or cross-site tracking. If we ever introduce non-essential analytics or marketing cookies, we will ask for your consent in a PECR-compliant banner with a "reject all" option as easy to use as "accept all".

13. Changes to this notice

When we make a material change we will bump the version at the top of this page and, if you have an account, let you know in-app or by email. The current version is v1.1, effective 2026-05-20.

14. Contact

Questions about this notice or your data? Email jobs.privacy@a1ergo.tech. We will acknowledge promptly and respond substantively within one month.