Privacy Policy
Last updated: 13 March 2026
1. Who we are
consuliq (“we”, “us”, “our”) is a career intelligence platform operated by consuliq Sarl (registration pending). We are the data controller for personal data processed through consuliq.com. For questions about your data, contact our Data Protection Officer at team@consuliq.com.
2. What data we collect
- Account data: Name, email address, profile picture (from Google or LinkedIn OAuth).
- Career data: Answers to assessment questions, CV content (if uploaded), job preferences, career history, skills.
- Usage data: Pages visited, features used, session duration. We use Plausible Analytics which collects no personal data and sets no cookies.
- Payment data: Processed by Stripe. We do not store card numbers — only subscription status and Stripe customer ID.
- Device data: Browser language (for country detection and currency display). No fingerprinting or device identifiers are collected.
3. How we use your data
- Provide the service: Generate career assessments, briefs, toolkit outputs, and job matches.
- AI processing: Your career data is sent to AI providers (Anthropic, OpenAI) to generate personalised insights. Data is not used to train AI models. AI calls are stateless — prompts and responses are not retained by the provider.
- Improve the product: Aggregated, anonymised usage patterns help us improve features.
- Communications: Transactional emails (brief delivery, account changes) via Loops.so. No marketing emails without explicit consent.
4. Legal basis for processing (GDPR)
- Contract (Art. 6(1)(b)): Processing necessary to provide you the service you signed up for.
- Consent (Art. 6(1)(a)): AI processing of your career data, marketing emails, non-essential cookies.
- Legitimate interest (Art. 6(1)(f)): Product improvement using anonymised data, fraud prevention, security monitoring.
5. Data sharing & subprocessors
We share data only with service providers necessary to operate consuliq. See our full Subprocessor List for details. We do not sell your data. We require all subprocessors to enter into Data Processing Agreements (DPAs) that meet GDPR Article 28 requirements.
6. International transfers
Some subprocessors are based in the United States. All cross-border transfers are protected by the following safeguards:
- Standard Contractual Clauses (SCCs): We use the European Commission’s 2021 SCCs (Module 2: Controller-to-Processor) with all US-based subprocessors including Anthropic, OpenAI, Stripe, Vercel, and Loops.so.
- UK International Data Transfer Agreement (IDTA): For transfers from the UK, we apply the UK IDTA Addendum alongside SCCs as required by the UK Data Protection Act 2018.
- Technical safeguards: All data in transit is encrypted with TLS 1.2+. Data at rest is encrypted (AES-256) by each subprocessor. AI providers process data ephemerally and do not retain prompts or outputs beyond the API call.
- Supplementary measures: We conduct Transfer Impact Assessments (TIAs) for each subprocessor annually. AI API calls contain no direct identifiers (name, email) unless required for the specific feature.
- Certifications: All primary subprocessors maintain SOC 2 Type II or equivalent (see Subprocessor List).
We do not transfer personal data to countries without adequate protections unless the above safeguards are in place. You can request a copy of the relevant SCCs by emailing team@consuliq.com.
7. Data retention
We retain personal data only as long as necessary for the purposes described above. For full details including deletion triggers and automated purge schedules, see our Data Retention Policy. A summary of our retention schedule:
| Data category | Retention period | After deletion |
|---|---|---|
| Account data (name, email) | While account is active | Purged within 30 days |
| Career assessments | While account is active; anonymised after 12 months of inactivity | Purged within 30 days |
| CV files | 90 days after last use | Immediately on account deletion |
| Chat & toolkit outputs | 12 months after generation | Purged within 30 days |
| Payment records | Per PCI DSS / Stripe retention | Subscription ID removed within 30 days |
| Email engagement | 24 months (Loops.so) | Anonymised after retention |
| Analytics | Indefinite (aggregated, non-personal) | N/A — no personal data |
| Server logs | 30 days (Vercel) | Auto-purged |
8. Your rights
Under GDPR (Articles 15–22) and UK Data Protection Act 2018, you have the right to:
- Access (Art. 15): Request a copy of all your data (“Download my data” in Settings).
- Rectification (Art. 16): Correct inaccurate data.
- Erasure (Art. 17): Delete your account and all associated data (“Delete my account” in Settings).
- Portability (Art. 20): Export your data in a machine-readable format (JSON).
- Restriction (Art. 18): Request we restrict processing while a complaint is resolved.
- Object (Art. 21): Object to processing based on legitimate interest.
- Withdraw consent (Art. 7): Withdraw AI processing consent at any time in Settings.
- Lodge a complaint: You have the right to complain to your local supervisory authority. For UK residents, this is the Information Commissioner’s Office (ICO) at ico.org.uk. For EU residents, contact your national Data Protection Authority.
To exercise any right, use the in-app tools in Settings or email team@consuliq.com. We respond within 30 days (extendable to 90 days for complex requests, with notification).
9. Data Processing Agreements
We maintain Data Processing Agreements (DPAs) with all subprocessors in accordance with GDPR Article 28. DPAs cover: processing scope and purpose, data categories, security measures, sub-processor approval, breach notification (within 72 hours), audit rights, and data return/deletion obligations. To request a copy of any DPA, email team@consuliq.com.
10. Cookies
We use only essential cookies required for authentication and session management. Plausible Analytics does not use cookies. No tracking or marketing cookies are set unless you give explicit consent via the cookie banner. You can manage your cookie preferences at any time via the cookie settings link in the footer.
11. AI-specific disclosures
- Automated decisions: AI-generated career assessments, fit scores, and recommendations are advisory only. No automated decision has legal or similarly significant effects. You may request human review of any AI output.
- Data minimisation: We send only the minimum career data needed for each AI call. Personal identifiers are excluded where possible.
- No model training: Neither Anthropic nor OpenAI use your data to train their models. All API calls use “zero data retention” configurations where available.
12. Children
consuliq is not intended for users under 16. We do not knowingly collect data from children. If we learn we have collected data from a child under 16, we will delete it promptly.
13. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. The “Last updated” date at the top reflects the most recent revision.
14. Contact & regulatory information
Data controller: consuliq Sarl (registration pending)
Data Protection Officer: team@consuliq.com
General enquiries: team@consuliq.com
ICO registration: Pending (will be published here upon completion)
Supervisory authority (UK): Information Commissioner’s Office — ico.org.uk