Privacy Policy
Your trust is the foundation of our service. This policy explains how we handle your data with transparency and care.
NoxPharm ("we", "us", "our") operates a specialist CV tailoring platform for Life Sciences and Pharmaceutical professionals. We are committed to protecting the privacy and security of the personal and professional data you entrust to us. This Privacy Policy describes what information we collect, how we use and safeguard it, and the rights available to you under applicable data protection legislation, including the EU General Data Protection Regulation (GDPR).
By creating an account or using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any provision herein, please do not use the service.
1. Information We Collect
We collect only the minimum information necessary to deliver and improve our service. The categories of data we process are as follows:
1.1 Account Data
When you register, we collect your email address and, optionally, a display name. This information is used solely for authentication, account management, and service-related communications.
1.2 Professional Documents
When you upload a CV or resume (PDF or DOCX), we extract the text content for processing. When you paste or import a job description, we retain that text for the duration of your project. These documents may contain sensitive professional information such as employment history, qualifications, and career details relevant to Life Sciences roles including Pharmacovigilance, Regulatory Affairs, Clinical Operations, Medical Affairs, Quality Assurance, and related disciplines.
1.3 Payment Information
Subscription payments are processed exclusively by Stripe, Inc. We never receive, access, or store your full credit card number, bank account details, or other payment credentials. We retain only a Stripe customer identifier and subscription status to manage your account tier. Please refer to Stripe's Privacy Policy for details on how they handle your payment data.
1.4 Usage and Technical Data
We collect basic usage metrics (e.g. number of tailorings performed, features used) and technical data (e.g. browser type, session timestamps) to maintain service reliability and diagnose issues. We do not use third-party analytics or advertising trackers.
2. How We Use Your Data
Your data is processed for the following purposes:
- Service delivery — generating tailored CVs, cover letters, and match-score analyses based on the job description and CV content you provide.
- Role classification — automatically detecting the relevant Life Sciences role family (e.g. Pharmacovigilance, Regulatory Affairs, Clinical Operations) from the job description text to optimise output quality. This classification uses keyword-based algorithms and does not involve external data sharing.
- Account management — authenticating your identity, managing your subscription, and enforcing usage limits.
- Service communications — sending transactional emails related to your account (e.g. password resets, subscription confirmations). We do not send marketing emails without your explicit opt-in consent.
- Service improvement — analysing aggregated, anonymised usage patterns to improve features and reliability. We never use individual CV content for this purpose.
3. File Handling and Raw Document Deletion
When you upload a CV or resume file, we extract the text content in-memory and then immediately discard the original file. The raw PDF or DOCX document is not written to persistent storage at any point. Only the extracted text representation is retained, and only for the period described in Section 4 below.
4. Data Retention
We retain your project data (extracted CV text, job description text, and generated documents) for a default period of 90 days from the date of processing to allow you to review and download your results. After this period, project data is automatically and permanently purged from our systems.
Account data (email address, subscription status) is retained for as long as your account remains active. Upon account deletion, all associated data is removed within 30 days.
You may request earlier deletion of any or all of your data at any time by contacting us (see Section 14).
5. Third-Party AI Processing
To generate tailored CVs, cover letters, and match-score analyses, your extracted text is transmitted to third-party AI language model providers via authenticated, encrypted API connections. We carefully select providers that meet the following criteria:
- No model training on customer data — we select providers whose API terms state that customer data sent via their API is not used to train or improve their models.
- Data processing standards — we select AI providers that offer enterprise-grade data handling practices and review their data processing terms before integration.
- Encryption in transit — all data transmitted to AI providers is encrypted using TLS 1.2 or higher.
- Minimal data exposure — we send only the text content necessary for the specific processing task. We do not transmit your email address, payment information, or account metadata to AI providers.
We reserve the right to change AI providers in order to improve service quality, reliability, or cost-effectiveness. Any replacement provider will be held to the same data protection standards described above.
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data or professional document content to any third party. We do not share your data with advertisers, data brokers, recruitment agencies, or any party outside the strict operational requirements of the service.
Data is shared only with the following categories of processors:
- AI language model providers — for document generation (see Section 5).
- Stripe, Inc. — for payment processing (see Section 1.3).
- Supabase (infrastructure provider) — for database hosting and authentication services.
We may disclose data if required to do so by law, regulation, or valid legal process (e.g. a court order or binding regulatory request). In such cases, we will notify you where legally permissible.
7. Data Security
We implement appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS 1.2+) and at rest.
- Row-level security policies ensuring users can only access their own project data.
- Secure authentication with hashed credentials and session management.
- Regular review of access controls and security configurations.
While we take every reasonable precaution, no system is completely immune to security threats. If we become aware of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within the timeframes required by applicable law.
8. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or any jurisdiction with equivalent data protection legislation, you have the following rights:
- Right of access — request a copy of all personal data we hold about you.
- Right to rectification — request correction of any inaccurate or incomplete data.
- Right to erasure — request deletion of all your personal data, including extracted CV text, tailored documents, and account information.
- Right to restriction — request that we limit the processing of your data in certain circumstances.
- Right to data portability — receive your data in a structured, commonly used, machine-readable format.
- Right to object — object to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at the address provided in Section 14. We will respond to your request within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.
9. Lawful Basis for Processing
We process your personal data on the following legal bases under the GDPR:
- Contractual necessity (Article 6(1)(b)) — processing is necessary to deliver the CV tailoring service you have requested.
- Consent (Article 6(1)(a)) — you provide consent when creating your account and uploading professional documents for processing.
- Legitimate interests (Article 6(1)(f)) — we have a legitimate interest in maintaining service security, preventing fraud, and improving service reliability, balanced against your rights and freedoms.
10. Cookies and Tracking
We use only strictly necessary session cookies required to authenticate your account and maintain session state. These cookies are essential for the service to function and cannot be disabled.
We do not use analytics cookies, advertising cookies, social media tracking pixels, or any other non-essential tracking technologies. Because we employ only essential cookies, no cookie consent banner is required under EU ePrivacy regulations.
11. International Data Transfers
Your data may be processed by third-party providers (AI model providers, infrastructure services) located outside the European Economic Area. Where such transfers occur, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on adequacy decisions, to protect your data to the standard required by the GDPR.
12. Children's Privacy
Our service is designed for working professionals and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child under 16, we will take immediate steps to delete that data.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will notify registered users via email at least 14 days before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.
14. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a data protection concern, please contact us:
Email: info@noxpharm.com
This policy is governed by and construed in accordance with the laws of France. Any disputes arising under this policy shall be subject to the exclusive jurisdiction of the courts of Paris, France. Nothing in this clause limits your rights under mandatory data protection legislation in your country of residence.