Legal
Privacy Policy
Last updated: 20 April 2026 · Version 1.0
This policy explains how Career.Studio (“we”, “us”) collects, uses, stores and protects your personal data when you use our AI career coaching platform. It covers our website (career.studio) and our application (app.career.studio). We take your privacy seriously and aim to be straight about what we do with your data.
We are committed to compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation where applicable.
1. Who we are
Career.Studio is operated by L2L1 Ltd, a company registered in England & Wales under company number 17140077. Our registered office is at 6 Gullivers Wharf, 105 Wapping Lane, London E1W 2RR.
For the purposes of UK/EU GDPR, we are the data controller for the personal data we collect and process.
For any privacy-related query — subject access requests, objections, complaints, or data deletion — contact us at Gab@career.studio. We aim to respond within 14 days and in all cases within the 30-day statutory deadline.
2. What data we collect
We collect the following categories of personal data:
2.1 Account information
- Name, email address, password (hashed — we never see it in the clear)
- LinkedIn profile URL, headline, profile photo (if you use LinkedIn Sign-In)
- Authentication metadata (sign-in times, IP address on sign-up for fraud prevention)
2.2 Profile and career data
- Your CV content — the full text, which you upload or generate
- Degree, university, graduation year, skills, interests, geographic preferences, languages
- Salary expectations, career values, constraints, long-term goals
- Tailored CV versions, cover letters, form-answer drafts created for specific job applications
2.3 Voice and video (opt-in)
- Voice recordings you submit to clone your voice. We send these to ElevenLabs to generate a cloned voice model; the generated voice is used only to produce audio in your own voice on your account.
- Video recordings you submit to create your AI avatar. These are processed on our GPU infrastructure to train a personalised avatar used for Mirror sessions.
You can delete your cloned voice and avatar at any time from your profile settings. Deletion removes the generated models from our systems and (for ElevenLabs) signals deletion through their API.
2.4 Networking data
- When you upload a LinkedIn data export (a ZIP of your connections), we parse it to power the Network Coach. We store the extracted connection list on your account. We do not share this data with anyone.
2.5 Job application tracking
- Company names, role titles, job descriptions you paste in, application stages you track, interview dates, notes and next actions.
2.6 Coaching interactions
- Chat messages with our AI coaches (Exec Coach, Strategist, CV Coach, etc.)
- Interview transcripts (captured via your browser’s speech recognition)
- Diagnostic scores, STAR-method analysis, ideal answers
- Mirror session recordings and scoring
2.7 Usage and analytics
- Pages visited, features used, events within the product (e.g. “completed an interview”)
- Training Points awarded, session counts, anonymised activity signals (role + nationality only) shown in our public activity ticker
- Device type, browser, operating system, approximate location (derived from IP address — city-level at most)
2.8 Payment data
- Payment processing is handled entirely by Stripe. We do not store card numbers, CVVs or full bank details. We store only your Stripe customer ID, subscription status, current period end, and whether your subscription is set to cancel at period end.
3. How we use your data
We use your personal data only for the purposes listed below. Each purpose has a clear legal basis.
| Purpose | Legal basis |
|---|---|
| Provide the service you signed up for (AI coaching, CV tailoring, interview practice, etc.) | Contract (UK GDPR Art. 6(1)(b)) |
| Generate your cloned voice and AI avatar | Explicit consent (Art. 9(2)(a)) — biometric data |
| Authenticate you, secure your account, prevent fraud | Legitimate interests (Art. 6(1)(f)) |
| Process payments and manage subscriptions | Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) |
| Send transactional emails (interview summaries, receipts, account notifications) | Contract (Art. 6(1)(b)) |
| Product analytics and performance monitoring | Legitimate interests — aggregated and anonymised patterns only |
| Show anonymised live activity (role + nationality) in our public ticker | Legitimate interests — names and identifying detail are stripped before any public display |
| Comply with legal obligations (tax, regulatory requests) | Legal obligation (Art. 6(1)(c)) |
4. Who we share your data with
We do not sell your personal data. We share it only with the third-party processors listed below, each chosen for their security posture and GDPR compliance. Each processor acts only on our documented instructions.
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure, storage, compute, authentication | All platform data | eu-west-2 (London) primary; selective processing in eu-central-1 / eu-north-1 / eu-west-3 for avatar rendering |
| Anthropic (Claude) | AI coaching and content generation | Coach interactions, CV content, JD content, application context | USA (under Anthropic’s data processing terms) |
| ElevenLabs | Voice cloning and text-to-speech | Voice samples, text to be synthesised | USA / EU |
| Stripe | Payment processing | Email, name, payment method (handled by Stripe directly) | USA / EU |
| Adzuna | Live job search | Search keywords and geography (no user identifiers sent) | UK |
| Single Sign-On (optional) | Name, email, public profile fields on sign-in | Ireland / USA |
4.1 International transfers
Some of our processors (notably Anthropic, Stripe, ElevenLabs, LinkedIn) are based in or transfer data to the USA. Where personal data leaves the UK or EEA, the transfer is protected by Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent approved safeguards.
4.2 We do not
- Sell your personal data to third parties
- Use your content to train third-party AI models outside the scope of your coaching sessions
- Share your CV, application tracker, notes or interview transcripts with anyone other than you
- Share your voice clone or avatar with any other user
5. How long we keep your data
- Active accounts: for as long as your account exists.
- Cancelled subscriptions: your account and data remain for 12 months after cancellation, so you can re-subscribe without losing history. After 12 months of inactivity we delete the account unless you ask us to retain it.
- Cloned voices and avatars: kept only while your account is active. Deletion is immediate on request.
- Payment records: kept for 7 years from the last transaction to meet UK tax and accounting obligations.
- Backups: automated backups rotate out within 35 days of deletion.
6. Your rights under UK/EU GDPR
You have the following rights in respect of your personal data:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure (“right to be forgotten”) — ask us to delete your account and data
- Portability — receive your data in a structured, machine-readable format
- Restriction — ask us to stop processing your data in certain circumstances
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing relies on consent, you can withdraw at any time (e.g. delete your cloned voice)
- Complain to a supervisory authority — in the UK this is the Information Commissioner’s Office (ico.org.uk)
To exercise any of these rights, email Gab@career.studio. We aim to respond within 14 days, and in all cases within the 30-day statutory deadline.
7. Cookies and similar technologies
We use a small number of essential cookies and localStorage entries to keep you signed in, remember your theme preference, and prevent abuse. We do not use advertising cookies or third-party tracking pixels.
- Authentication cookies (essential) — issued by AWS Cognito
- Theme preference (
localStorage) — dark / light mode - In-app analytics (first-party) — aggregated usage events stored in our own database; no third-party tracker
- Marketing-site analytics — the public marketing site
l2l1.aiuses Plausible, a privacy-friendly analytics service that does not use cookies and does not collect personal data. Plausible records aggregate metrics (page views, referrer, country, device type) without identifying individual visitors. GDPR-compliant by design.
You can clear or block cookies in your browser, though this may stop you staying signed in.
8. Security
- Data is encrypted in transit (TLS 1.2+) and at rest (AWS-managed keys on S3 and DynamoDB)
- Access to production data is restricted to authorised staff on a need-to-know basis
- We follow the principle of least privilege on all infrastructure
- We monitor for suspicious activity and rate-limit abusive usage patterns
- Payment data is handled entirely by Stripe (PCI DSS Level 1 certified)
No system is 100% secure. If we suffer a data breach affecting your personal data, we will notify you and the ICO within 72 hours in accordance with UK GDPR requirements.
9. Children
Career.Studio is not intended for users under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
10. Automated decision-making
Our coaches use AI to score interview answers, generate CV content, and suggest career directions. None of this output is final or binding — you can always override, edit, or discard it. We do not make automated decisions that produce legal or similarly significant effects on you.
11. Changes to this policy
We may update this policy from time to time. If we make a material change, we will notify you by email (for account holders) or by a prominent notice in the app. The “last updated” date at the top of this page always reflects the latest version.
12. Contact us
Email Gab@career.studio with any questions about this policy or how we handle your data.
You also have the right to complain to the Information Commissioner’s Office (ICO) in the UK, the supervisory authority for data protection:
- Website: ico.org.uk/make-a-complaint