Privacy Policy
Last updated: 8 May 2026
1. Who we are
Tarve ("we", "us", "our") operates the website tarve.co.uk and the Tarve application. We are committed to protecting and respecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For data protection enquiries, contact us at support@tarve.co.uk.
2. What data we collect
We may collect the following personal data:
- Account information: name, email address, and password when you create an account.
- Profile data: CV information, job preferences, and application history you provide.
- Usage data: how you interact with our platform, including pages viewed and features used.
- Technical data: IP address, browser type, device information, and cookies.
- Payment data: billing information processed securely through our payment provider (Stripe).
2.5 Tarve Chrome Extension
If you install our Chrome extension ("the Extension") from the Chrome Web Store, the Extension processes a small, well-defined set of data while you browse supported job boards (LinkedIn, Indeed, Reed, Glassdoor, NHS Jobs and 25+ other recruitment ATS platforms — the full list is published in the Extension's manifest at the time of release).
What the Extension reads from a job page. Only the job title, company name, and posted salary (when present). The Extension does not read the full job description, the page URL, your profile, your messages, your application history, or any data outside the open job posting. The Extension does not run on non-job pages.
What the Extension sends to our API. The three fields above, plus the hostname (for example linkedin.com) of the job board for aggregate reporting. The full URL of the page you are viewing is never transmitted.
What the Extension stores on your device in chrome.storage.local:
- Your authentication tokens (encrypted in transit via TLS 1.2+ during sign-in, protected at rest by Chrome's per-extension storage isolation)
- A randomly generated installation ID (a UUID) used to measure install-to-signup conversion in aggregate
- Your saved badge-corner preference (which corner of the screen the floating chip sits in)
- A 24-hour cache of sponsor-licence verdicts keyed by the SHA-256 hash of the company name (so we never store raw company names you've looked up in the cache key)
Tokens and other extension storage are never synced to your Google account (we use chrome.storage.local, not chrome.storage.sync). Passwords are never persisted to extension storage at any point — including during the OTP-verification window of inline signup, where only the email address is checkpointed for the 10-minute Cognito OTP TTL.
Extension telemetry. The Extension records anonymous lifecycle and operational events (install, popup opened, sponsor check started/completed, save attempted, error events, etc.) and batches them to our API every 30 seconds. Each event includes a randomly generated session ID, the Extension version, the hostname of the job board where the event happened (no URL or path), and a 100-character truncation of your browser user-agent string. Telemetry never includes your URL, page contents, message bodies, profile data, or any third-party content. The full allowlist of event types we collect is defined in the Extension's open-source code at src/lib/telemetry.ts.
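The data minimisation described in the telemetry paragraph above, sketched as an added JavaScript example. It is not the Extension's own code (that lives in src/lib/telemetry.ts); the event names, field names and sample values here are hypothetical.

```javascript
// Added illustration. Event and field names are assumptions, not Tarve's.
const ALLOWED_EVENTS = new Set([
  "install", "popup_opened", "sponsor_check_started",
  "sponsor_check_completed", "save_attempted", "error",
]);
const UA_MAX = 100;              // 100-character user-agent truncation
const FLUSH_INTERVAL_MS = 30000; // batches are sent every 30 seconds

// Build the minimised event, or null if the type is not on the allowlist.
function buildEvent(type, ctx) {
  if (!ALLOWED_EVENTS.has(type)) return null;
  let host = null;
  try {
    // Only the hostname survives; path, query and fragment are discarded.
    host = new URL(ctx.pageUrl).hostname;
  } catch {
    host = null; // unparseable URL: send no location at all
  }
  // The result is built field by field, so extra keys in ctx never leak.
  return {
    type,
    sessionId: ctx.sessionId,
    version: ctx.version,
    host,
    ua: String(ctx.userAgent || "").slice(0, UA_MAX),
  };
}

// Queue that a timer would flush every FLUSH_INTERVAL_MS; `send` is injected.
function createQueue(send) {
  const pending = [];
  return {
    record(type, ctx) {
      const ev = buildEvent(type, ctx);
      if (ev) pending.push(ev);
      return ev !== null;
    },
    flush() {
      if (pending.length === 0) return 0;
      const batch = pending.splice(0, pending.length);
      send(batch);
      return batch.length;
    },
  };
}

// Constructed sample input.
const SAMPLE_CTX = {
  pageUrl: "https://uk.indeed.com/viewjob?jk=abc123&from=search",
  sessionId: "00000000-0000-4000-8000-000000000000",
  version: "0.0.0",
  userAgent: "Mozilla/5.0 (constructed) " + "A".repeat(150),
  pageText: "full job description that must never be sent",
};
```

A useful audit of any such builder is to serialise its output and confirm that no path, query string or page text from the input appears in it.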
3. How we use your data
We use your personal data to:
- Provide and improve our job search, CV builder, and application tracking services.
- Process your subscription and payments.
- Send you service-related communications.
- Send marketing communications (only with your consent).
- Analyse usage patterns to improve our platform.
- Comply with legal obligations.
4. Lawful bases (UK GDPR Article 6)
We rely on the following lawful bases for each category of processing:
| Processing purpose | Lawful basis | Reference |
|---|---|---|
| Account creation, sign-in, account management | Contract | Art. 6(1)(b) |
| Sponsor-licence lookups and salary-threshold checks | Contract | Art. 6(1)(b) |
| Subscription billing and payment processing | Contract | Art. 6(1)(b) |
| Extension telemetry, error monitoring, support diagnostics | Legitimate interests | Art. 6(1)(f) |
| Marketing emails (newsletters, product updates) | Consent | Art. 6(1)(a) |
| Tax, accounting, and audit record-keeping | Legal obligation | Art. 6(1)(c) |
| Fraud prevention, security incident response | Legitimate interests | Art. 6(1)(f) |
Where we rely on legitimate interests, we have completed a balancing assessment to confirm that our interest does not override your rights and freedoms. You can request a copy of that assessment by emailing the data-subject contact below.
Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.
5. Service providers
We share data with the following service providers under data-processing agreements (DPAs):
- Amazon Web Services (eu-west-2 region, London) — hosting, database (Amazon RDS for PostgreSQL), storage (Amazon S3), and authentication (Amazon Cognito). All data at rest is encrypted by default; all data in transit is TLS 1.2+.
- Stripe — payment processing for Pro and Pro+ subscriptions. We never see, store, or transmit your card details; payment collection is handled directly between you and Stripe via their hosted checkout. We receive a token representing the successful charge for receipt purposes.
- Brevo (formerly Sendinblue) — transactional email (verification codes, password resets, billing notifications, account-status changes). Use is limited to authentication and account-related communications.
We do not sell, rent, lease, or otherwise transfer your personal data to any third party for advertising, marketing, or commercial purposes unrelated to operating the Tarve service.
6. Data retention
We retain your personal data for as long as your account is active or as needed to provide services. You can request deletion of your account and data at any time.
Specifically:
| Data category | Retention period |
|---|---|
| Account data (email, name, address) | Lifetime of your account; deleted within 30 days of account closure unless legally required to retain (e.g. tax records). |
| Job-page lookup logs (per-user sponsor and salary checks) | 30 days; aggregated query counts are retained longer for analytics in non-identifiable form. |
| Extension telemetry events | 90 days; aggregated metrics may be retained longer in non-personally-identifiable form. |
| Payment records (Stripe transaction IDs, invoice references) | 6 years to meet HMRC record-keeping requirements. |
| Authentication tokens | Stored on your device only; rotated automatically; cleared on logout or account closure. |
| Verification email logs (Brevo delivery records) | 30 days. |
7. Your rights
Under UK GDPR, you have the right to:
- Access your personal data.
- Rectify inaccurate data.
- Request erasure of your data.
- Restrict or object to processing.
- Request data portability.
- Withdraw consent at any time.
To exercise these rights, email support@tarve.co.uk.
8. Cookies
We use cookies to improve your experience. See our Cookie Policy for details on the cookies we use and how to manage them.
8.5 Security
Extension storage security. Authentication tokens for the Tarve Chrome extension are stored in chrome.storage.local, which is isolated per-extension by the Chrome browser and is never synced to your Google account. Passwords are never written to extension storage at any point in any flow, including during the OTP-verification window of inline signup, where only the email address is checkpointed. All extension ↔ API communication is over TLS 1.2+ to api.tarve.co.uk.
9. Contact us
For any privacy-related question, feedback, or concern:
- General queries: support@tarve.co.uk
- Data-subject requests (access, rectification, erasure, portability, restriction, objection, withdrawal of consent): email support@tarve.co.uk with the subject line "GDPR request" and we will respond within 30 days.
- Security disclosures: security@tarve.co.uk
- Postal address: 45 Windsor Road, London E11 3QU, United Kingdom
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at https://ico.org.uk/concerns/.
