Privacy Policy
Last updated: 28 March 2026
The short version
Forte helps you understand your career strengths and find matching roles. To do that, we need to process some of your personal data — primarily the CV you upload and the account you create.
We use Google’s Gemini AI to analyse your CV and generate competency insights. We search for jobs using SerpApi (Google Jobs) and Reed, but we never send your personal data to those services — only search criteria such as job titles, location, and country. Payments go through Stripe, who handle your card details directly.
We don’t run analytics trackers, we don’t send marketing emails, and we don’t sell your data. If you want your data deleted, you can ask us and we’ll do it within 30 days.
1. Who we are
Forte is the data controller responsible for your personal data. When this policy says “we”, “us”, or “our”, it means Forte.
Contact: privacy@myforte.online
2. What data we collect
Account data
When you sign up, we collect your email address and display name. If you sign in with Google, we receive your name, email, and profile photo URL from Google OAuth. Firebase Authentication stores and manages these credentials.
CV and career data
When you upload your CV, we extract and store your work history, skills, qualifications, and any other information contained in the document. This forms the basis of your competency analysis.
AI-generated data
We generate and store competency maps, job match analyses, gap analyses, tailored application documents, and company research summaries produced by our AI analysis of your CV data.
Payment data
When you purchase credits, Stripe processes your payment. We store your Stripe customer ID and transaction records (amount, date, credit balance). We never see or store your full card number — Stripe handles that directly.
Technical data
Firebase automatically collects limited technical data needed to operate the service, including your Firebase authentication token and session information. We do not use analytics tracking, advertising pixels, or fingerprinting technologies.
3. How we use your data
Under UK GDPR, we must have a lawful basis for each way we use your personal data. The table below sets out our purposes and the legal basis for each.
| Purpose | Lawful basis |
|---|---|
| Creating and managing your account | Contract — necessary to provide the service you signed up for |
| Analysing your CV and generating competency insights | Contract — this is the core service we provide |
| Searching for matching job listings | Contract — part of the service you use credits for |
| Tailoring application documents | Contract — part of the service you use credits for |
| Processing payments and managing credit balances | Contract — necessary to fulfil your purchase |
| Maintaining security and preventing abuse | Legitimate interest — keeping the service safe and operational |
| Complying with legal or tax obligations | Legal obligation — e.g. retaining payment records for HMRC |
4. AI and automated processing
Forte uses Google’s Gemini AI to analyse your CV, extract competencies, match you to job listings, identify skill gaps, and generate tailored application documents. This processing is automated.
Important: All AI-generated outputs are advisory. They are designed to help you reflect on your experience and explore opportunities — not to make decisions about your employment or eligibility for anything. No automated decision with legal or similarly significant effect is made about you.
Your CV data is sent to the Gemini API for processing. Google’s data processing terms govern how they handle that data. We use Gemini’s paid API tier, under which Google does not use your data to train their models.
5. Who we share data with
We do not sell your data. We share it only with the following service providers, each acting as a data processor on our behalf:
| Provider | Purpose | Data shared |
|---|---|---|
| Google Cloud / Firebase | Hosting, authentication, database | Account data, CV data, AI outputs |
| Google Gemini API | AI analysis of your CV and career data | CV content, competency data |
| Stripe | Payment processing | Email, payment details (handled by Stripe directly) |
| SerpApi | Job listing search (Google Jobs) | Search criteria only (job titles, location, country) — no personal identifiers |
| Reed | Job listing search (UK) | Job title keywords only — no personal data |
6. International transfers
Your data is stored in Google Cloud’s us-west1 region (Oregon, United States). This means your personal data is transferred outside the United Kingdom.
We rely on the following safeguards for these transfers:
- Google Cloud and Gemini: Protected by Google’s International Data Transfer Addendum (IDTA) and Standard Contractual Clauses (SCCs), as part of their Cloud Data Processing terms.
- Stripe: Protected by Stripe’s Data Processing Agreement, which includes SCCs and IDTA provisions for UK transfers.
7. How long we keep data
| Data type | Retention period |
|---|---|
| Account, CV, and AI-generated data | Retained while your account is active. Deleted within 30 days of account deletion or your erasure request. |
| Payment and transaction records | 6 years after the transaction, as required by UK tax and accounting law. |
| Firebase authentication data | Deleted when your account is removed from Firebase Auth. |
8. Your rights
Under UK GDPR, you have the following rights. To exercise any of them, email privacy@myforte.online. We will respond within one month.
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — ask us to delete your personal data. We will do so within 30 days, unless we are legally required to retain certain records (e.g. payment records for tax purposes).
- Right to restrict processing — ask us to limit how we use your data in certain circumstances.
- Right to data portability — request your data in a structured, commonly used, machine-readable format.
- Right to object — object to processing based on legitimate interest.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
9. Cookies and sessions
Forte uses only strictly essential cookies set by Firebase Authentication to keep you signed in. These are necessary for the service to function and do not require your consent under UK cookie regulations.
We do not use analytics cookies, advertising cookies, social media trackers, or any other non-essential cookies.
10. Children’s data
Forte is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a person under 18, we will delete it promptly.
11. Changes to this policy
We may update this policy from time to time. If we make significant changes, we will notify you by posting a notice within the Forte application. The “last updated” date at the top of this page tells you when it was last revised.
12. How to contact us
If you have any questions about this privacy policy or how we handle your personal data, please contact us at privacy@myforte.online.