Last updated: 26 May 2026 · Consent version: 1.0
This Privacy Notice explains how A Guy in Scotland ("we", "us") — operating at aguyinscotland.com — collects, uses and protects your personal data when you use the Career Portal. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
The data controller is the site operator. You can contact us via the About section. If you are not satisfied with our response, you may complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.
2. What Data We Collect
For user accounts (sign in with Google):
- Identity: your Google email address and display name (provided by Google)
- Profile: the display name you optionally edit, and consent record (timestamp, IP, version)
- Career data you enter: job applications (company, role, dates, stage, notes), coaching booking requests, target role and experience level
- CV file: the PDF you choose to upload, stored encrypted at rest
- AI-generated insights: personalised welcome messages and CV analyses generated by AI based on the above data
For admin accounts (sign in with Microsoft):
- Identity (Microsoft email + name), session activity log (sign-in time + IP address) — retained 90 days for security
Operational logs: Azure and Cloudflare log standard HTTP request metadata (IP, user-agent, path, timestamp) under their own retention policies.
3. Lawful Basis (UK GDPR Article 6)
We process your data based on:
- Consent (Art. 6(1)(a)) — for storing your profile, applications, CV, and using AI analysis. You give this on first login via the consent modal; you can withdraw at any time by deleting your account.
- Legitimate interests (Art. 6(1)(f)) — for security logging (activity log) and abuse prevention (rate limiting). Our interest is preventing unauthorised access and protecting paid third-party API budgets; this is balanced against your privacy by retaining logs for the minimum period necessary.
We do not process special-category data (Art. 9) intentionally. If your CV happens to contain such data (e.g. health, religion), please be aware it will be processed by the AI provider as part of analysis.
4. How We Use Your Data
- To provide your account and dashboard features
- To send your CV text + target role to Anthropic Claude when you click "Analyse My CV", "Generate Cover Letter", or paste a job URL — to generate AI insights
- To send your CV text + a job listing's text to Anthropic Claude when you use "Analyse This Job"
- To match you with UK Skilled Worker visa sponsor companies from public Home Office data
- To produce a personalised welcome message based on your account activity
- To detect and prevent abuse of the AI features
We never sell your data. We do not show advertising. We do not share your data with employers automatically — every application you make is your own action.
5. Where Your Data Is Stored
- Azure Blob & Table Storage (West Europe) — encrypted at rest (AES-256). Soft-delete is enabled (14 days) so accidental deletions can be recovered.
- Azure Static Web Apps + Functions (East US 2) — application compute. Personal data is transferred to East US 2 for processing each time you make a request. This is an international transfer outside the UK/EEA, made lawful by the UK Addendum to the EU Standard Contractual Clauses agreed with Microsoft.
- Anthropic Claude API (UK / US) — your CV text, target role, and job listings are sent to Anthropic only at the moment you click an AI button. Anthropic does not retain your data for model training (Anthropic Commercial Terms).
- Cloudflare (global edge) — CDN/DNS for HTML and static assets. No personal data is cached at the edge (API responses use no-store cache headers).
6. Cookies and Sessions
We use only the session cookie set by Azure Static Web Apps for authentication. It is HttpOnly, Secure, and SameSite=Lax. We do not set advertising or analytics cookies. We do not use tracking pixels.
Your browser may store some user-experience data in localStorage (your last target role, cached welcome message). This is on your device only — we never see it server-side.
7. Data Retention
| Data | Retention |
|---|---|
| User profile, applications, coaching, CV | Until you delete your account |
| Admin activity log (admin only) | 90 days |
| Rate-limit counters | Rolling 1-hour window |
| AI-generated welcome cache | 6 hours (browser localStorage) |
| Azure / Cloudflare platform logs | Per provider policy (typically 30–90 days) |
8. Your Rights (UK GDPR)
- Access (Art. 15) — "Download My Data" button in My Profile produces a JSON export.
- Rectification (Art. 16) — edit your display name and applications anytime; "Delete CV" button replaces an outdated CV.
- Erasure / Right to be Forgotten (Art. 17) — "Delete Account" button in My Profile removes your profile, applications, coaching requests, and CV blob immediately.
- Data portability (Art. 20) — same JSON export as above.
- Restrict processing (Art. 18) and Object (Art. 21) — contact us via About.
- Withdraw consent (Art. 7(3)) — delete your account; this withdraws all consent.
- Complain — to the ICO at ico.org.uk/make-a-complaint.
9. Security
- All traffic is HTTPS (TLS 1.2+).
- Storage is encrypted at rest (AES-256, Azure-managed keys).
- API authentication uses Azure SWA platform sessions (HttpOnly cookies).
- CV uploads are PDF-only, with magic-byte verification and a 5 MB cap.
- Per-user rate limits prevent abuse.
- SSRF protection on the Job URL analyser.
- Strict Content Security Policy on all HTML pages.
10. Children
This service is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has provided us with data, please contact us so we can delete it.
11. Automated Decision-Making
The AI features (CV analysis, job match score, welcome insights) are advisory only. No decision producing a legal or similarly significant effect on you is made solely by automated means. You always make the final decision on which jobs to apply to.
12. Changes to This Notice
If we materially change this notice, the consent version is bumped and you will be asked to re-consent on next sign-in. The "Last updated" date and "Consent version" at the top reflect the current version.