Skip to content
Back to home

Last updated: February 2026

Privacy Policy

1. Who we are

CareerMetrics ("we", "us", "our") is a UK-based service providing career and salary data tools. We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

For any data protection queries, contact us at [email protected].

2. What data we collect

We collect the following personal data depending on how you use the service:

Account data

  • Email address — provided when you create an account.
  • Password — stored as a cryptographic hash. We never store or see your plain-text password.
  • Name — optionally provided in your profile settings.
  • MFA configuration — if you enable two-factor authentication, we store a TOTP secret and hashed recovery codes.

Subscription and payment data

  • Stripe customer ID and subscription ID — stored to link your account to your subscription. We do not store credit card numbers, CVVs, or full card details. All payment processing is handled by Stripe.
  • Subscription tier and status — Free, Premium, or Premium+.

Usage data

  • AI tool inputs — when you use our AI-powered tools (CV Optimiser, Skills Gap Analyser, etc.), the text you submit is sent to an AI model for processing. We log the tool name and timestamp for rate limiting but do not permanently store the content of your submissions.
  • Saved career paths and comparisons — stored in our database if you choose to save them.
  • Feedback submissions — stored with your user ID if you submit feedback through the platform.

Organisation data (B2B)

  • If you join or create an organisation, we store your membership, role, and association with that organisation.
  • Organisation owners/admins can see member lists and aggregated usage analytics for their organisation.
  • If your organisation uses SSO (SAML), your identity provider sends us your email, name, and group memberships during authentication.

Newsletter

  • If you subscribe to our newsletter ("The Salary Signal"), we store your email address. We use double opt-in: you must confirm your subscription via email before receiving newsletters. You can unsubscribe at any time via the link in every email.

Analytics

  • We use Google Analytics 4 (GA4) to understand how visitors use the site. GA4 collects anonymised usage data such as pages visited, time on site, and general geographic region. No personally identifiable information is collected. See section 6 and our Cookie Policy for details.

Local storage

  • We store your theme preference (light/dark mode) in your browser's localStorage. This data never leaves your device.

3. How we use your data

  • To provide, maintain, and improve the CareerMetrics service.
  • To authenticate you and manage your account and subscription.
  • To process payments via Stripe.
  • To send transactional emails (verification, password reset, subscription confirmations) via our email provider.
  • To send newsletter emails if you have opted in.
  • To process your inputs through AI tools and return results.
  • To provide organisation administrators with aggregated usage analytics.
  • To enforce rate limits on AI tools and API access.
  • To understand how the site is used and to improve it (via GA4).

4. Lawful basis for processing

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we rely on the following lawful bases:

  • Contract — processing your account data, subscription, and payment information is necessary to provide the service you have signed up for.
  • Consent — for newsletter subscriptions (double opt-in) and analytics cookies (GA4).
  • Legitimate interest — for security measures (session management, MFA, rate limiting), fraud prevention, and service improvement.

5. Third-party services

We share data with the following third-party services, each of which has its own privacy policy:

  • Stripe — payment processing. Receives your email address and payment details during checkout. We do not store card details.
  • Resend — transactional and newsletter email delivery. Receives your email address and the content of emails we send you.
  • Google Analytics — anonymised website usage analytics. See our Cookie Policy.
  • Cloudflare — hosting, CDN, database (D1), and AI model inference. Your data is processed on Cloudflare infrastructure in the EU (Western Europe region).

We do not sell, rent, or share your personal data with third parties for marketing purposes.

6. Cookies

We use a session cookie for authentication and Google Analytics cookies for anonymous usage tracking. Full details are in our Cookie Policy.

7. AI tools and data processing

Our AI-powered tools (CV Optimiser, Skills Gap Analyser, Negotiation Coach, Interview Prep, and Transition Modeller) process the text you submit using an AI language model hosted on Cloudflare Workers AI. Your input is sent to the model, a response is generated, and both are returned to you in real time. We do not permanently store the content of your AI interactions. We log the tool name, your user ID, and the timestamp for rate-limiting purposes only.

The AI model does not learn from or retain your inputs between requests.

8. Salary and career data

Salary data on CareerMetrics is sourced from:

  • ONS ASHE (Annual Survey of Hours and Earnings) — Crown Copyright, used under the Open Government Licence v3.0.
  • DfE LEO (Longitudinal Educational Outcomes) — Crown Copyright, published by the Department for Education.

This is publicly available government data. No personal data from these datasets is exposed through our platform.

9. Data retention

  • Account data — retained for as long as your account is active. If you delete your account, we remove your personal data within 30 days.
  • Payment records — Stripe customer and subscription IDs are retained for as long as required for legal and accounting purposes (up to 7 years for financial records).
  • Session data — login sessions expire after 30 days and are automatically cleaned up.
  • AI usage logs — rate-limiting records (tool name, user ID, timestamp) are retained for 90 days.
  • Newsletter subscriptions — retained until you unsubscribe, at which point your email is marked as unsubscribed but retained for suppression purposes to prevent re-subscription errors.
  • Feedback — retained indefinitely for product improvement unless you request deletion.

10. Data security

We take reasonable measures to protect your data:

  • All connections are encrypted via HTTPS/TLS.
  • Passwords are hashed using cryptographic algorithms and never stored in plain text.
  • Session tokens are generated using cryptographically secure random values.
  • MFA (two-factor authentication) is available for all accounts and mandatory for administrators.
  • API keys are stored as SHA-256 hashes.
  • Data is stored in Cloudflare D1 databases in the Western Europe region.

11. International data transfers

Your data is primarily processed and stored in the Western Europe region (Cloudflare's EU infrastructure). Some third-party services (Stripe, Google Analytics) may process data in the United States. These transfers are covered by the EU-US Data Privacy Framework or Standard Contractual Clauses as applicable.

12. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate data.
  • Right to erasure — request deletion of your data ("right to be forgotten").
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to restrict processing — request that we limit how we use your data.
  • Right to object — object to processing based on legitimate interest.
  • Right to withdraw consent — withdraw consent for newsletter or analytics at any time.

To exercise any of these rights, contact [email protected]. We will respond within 30 days.

You can also delete your account directly from your account settings, which will remove your personal data from our systems.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

13. Children

CareerMetrics is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

14. Changes to this policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated revision date. For significant changes, we will notify registered users by email.

15. Contact

For any questions about this Privacy Policy or your personal data, contact us at:

[email protected]