Privacy Policy

Last updated: 1 February 2025

1. Who we are

Clovis is operated by Career Clinic (“we”, “us”, “our”), a sole trader business run by Charlie Winstanley, based in the United Kingdom. Clovis is an AI-powered tool that provides rubric-based feedback on STAR (Situation, Task, Action, Result) answers for NHS job applications and interviews.

For data protection enquiries, contact us at: charlie@career-clinic.co.uk

2. What data we collect

2.1 Account data

When you create an account, we collect:

  • Your email address
  • Your password (stored in hashed form by our authentication provider - we never see or store your plaintext password)
  • If you sign in via Google, your Google account email and basic profile information as provided by Google’s OAuth service

2.2 Submission data

When you use Clovis to get feedback, we collect:

  • The STAR answer text you submit
  • The competency area and band level you select
  • Whether you used text or voice input
  • Any job description text you optionally provide
  • The AI-generated feedback, scores, and suggested rewrites produced for your submission

Important: Your STAR answers may contain information about your workplace, colleagues, patients, or other identifiable individuals. We recommend you anonymise any sensitive details before submitting. We are not responsible for personal data about third parties that you include in your submissions.

2.3 Voice recordings

If you use the voice input feature, your audio recording is sent to OpenAI’s Whisper API for transcription. The audio is processed in real time and is not stored by us after transcription is complete. OpenAI’s data handling is governed by their own privacy policy and API data usage terms.

2.4 Payment data

If you subscribe to a paid plan, payment is processed by Stripe. We do not see or store your full card number, CVV, or other payment card details. We receive from Stripe: your email address, Stripe customer ID, subscription status, and transaction amounts. Stripe’s handling of your payment data is governed by the Stripe Privacy Policy.

2.5 Usage data

We track:

  • Your weekly submission count (to enforce plan limits)
  • Your subscription tier and status
  • Timestamps of your submissions

2.6 Anonymous users

If you use Clovis without creating an account, we generate a pseudonymous identifier derived from a one-way hash of your IP address. This is used solely to enforce usage limits. We do not store your raw IP address in our database.

2.7 Technical data

Our hosting provider (Vercel) may collect standard server logs including IP addresses, browser type, and request timestamps. This data is handled according to Vercel’s Privacy Policy.

3. How we use your data

We use the data we collect to:

  • Provide the Clovis feedback service - your STAR answers are sent to Anthropic’s Claude API to generate scoring and feedback
  • Store your submission history so you can review past feedback in your dashboard
  • Manage your account and subscription
  • Enforce usage limits based on your subscription tier
  • Send you transactional emails (welcome email, subscription confirmation, feedback summaries) if you have an account
  • Process payments via Stripe
  • Improve the service (we may analyse aggregate, anonymised scoring patterns to improve our rubrics)

4. Legal basis for processing (UK GDPR)

We process your personal data on the following legal bases:

  • Contract: Processing your submissions and managing your account is necessary to provide the service you have signed up for (Article 6(1)(b)).
  • Legitimate interest: Enforcing usage limits, preventing abuse, and improving our rubrics are in our legitimate business interest (Article 6(1)(f)).
  • Consent: Where we send non-essential communications, we will obtain your consent first (Article 6(1)(a)).
  • Legal obligation: We may retain certain data to comply with legal obligations such as tax and accounting requirements (Article 6(1)(c)).

5. Third-party processors

Your data is processed by the following third-party services, each acting as a data processor on our behalf:

  • Anthropic (Claude API) - processes your STAR answer text to generate feedback and scores. Your submission text is sent to Anthropic’s servers in the United States. Data sent through Anthropic’s API is not used to train their models. See the Anthropic Privacy Policy.
  • OpenAI (Whisper API) - processes voice recordings for transcription if you use voice input. Audio is sent to OpenAI’s servers in the United States. Data sent through OpenAI’s API is not used to train their models. See the OpenAI Privacy Policy.
  • Supabase - hosts our database and authentication system. Data is stored in Supabase’s cloud infrastructure. See the Supabase Privacy Policy.
  • Stripe - processes payments and manages subscriptions. See the Stripe Privacy Policy.
  • Vercel - hosts our website and serverless functions. See the Vercel Privacy Policy.
  • Resend - delivers transactional emails on our behalf. See the Resend Privacy Policy.

6. International data transfers

Some of our processors (Anthropic, OpenAI, Vercel, Supabase) are based in the United States. Data transferred to the US is protected by standard contractual clauses and/or the processor’s participation in recognised data transfer frameworks. By using Clovis, you acknowledge that your submission data will be processed in the United States for the purpose of generating AI feedback.

7. Data retention

  • Account data: Retained for as long as your account is active. Deleted within 30 days of account deletion.
  • Submission data: Retained for as long as your account is active so you can access your feedback history. Deleted within 30 days of account deletion.
  • Payment records: Retained for 7 years after the transaction date to comply with UK tax and accounting obligations.
  • Anonymous usage data: IP-derived hashes are not linked to accounts and cannot be used to identify you. These are retained indefinitely.
  • Voice recordings: Not stored. Audio is transmitted to OpenAI for real-time transcription and discarded.

8. Your rights

Under UK GDPR, you have the right to:

  • Access - request a copy of the personal data we hold about you
  • Rectification - request correction of inaccurate data
  • Erasure - request deletion of your data (“right to be forgotten”)
  • Restriction - request that we limit how we use your data
  • Data portability - receive your data in a structured, machine-readable format
  • Object - object to processing based on legitimate interest
  • Withdraw consent - where processing is based on consent, you can withdraw it at any time

To exercise any of these rights, email us at charlie@career-clinic.co.uk. We will respond within 30 days.

If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk.

9. Cookies

Clovis uses essential cookies only. These are authentication session cookies set by Supabase to keep you signed in. We do not use advertising cookies, analytics cookies, or third-party tracking cookies. No cookie consent banner is required as these cookies are strictly necessary for the service to function.

10. Children

Clovis is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Security

We take reasonable measures to protect your data, including:

  • All data is transmitted over HTTPS (TLS encryption in transit)
  • Passwords are hashed using bcrypt and never stored in plaintext
  • Database access is controlled via row-level security policies ensuring users can only access their own data
  • API keys and secrets are stored as environment variables, not in source code
  • Payment processing is handled entirely by Stripe (PCI DSS compliant)

No system is 100% secure. If you become aware of a security vulnerability, please contact us at charlie@career-clinic.co.uk.

12. Changes to this policy

We may update this privacy policy from time to time. If we make material changes, we will notify you by email (if you have an account) or by posting a notice on the website. The “last updated” date at the top of this page indicates when the policy was last revised. Your continued use of Clovis after any changes constitutes acceptance of the updated policy.

13. Contact

For any questions about this privacy policy or how we handle your data:

Charlie Winstanley
Career Clinic
Email: charlie@career-clinic.co.uk