Privacy Policy
This is a pre-launch placeholder. The final policy is under attorney review before public launch and will replace this page in Phase 3.
Summary
We store your CV, job ads, and account data on Supabase servers in Frankfurt. Generated text is produced by Vertex AI in the EU with training opt-out enforced. We do not sell your data and we do not train any model on your inputs.
Controller
The controller responsible for processing your personal data under Art. 4 (7) GDPR is the entity named in our imprint.
Data we process
Account data (email, language preference), application data (your master CV including any profile photo embedded in it, uploaded job ads, generated CVs and cover letters, and intermediate parsed forms we cache to speed up tailoring), and technical telemetry needed to operate the service (error reports, request logs with PII scrubbed).
Profile photos in your CV
If the CV you upload includes a profile photo, we extract that image and store it on our Supabase servers in Frankfurt alongside the source CV. The photo shares the same retention as the CV it came from. You can hide the photo on any individual tailored CV before exporting, and when you delete your account the photo is removed together with the rest of your CVs within 30 days.
Cached AI inputs and outputs
To avoid re-parsing the same content on every tailoring, we cache derived forms of your uploaded data — for example a structured JSON representation of your master CV. These intermediate caches follow the same retention as the source they were derived from: they are deleted when you delete the source CV, and removed within 30 days when you delete your account.
Purpose and legal basis
We process your data to provide the tailoring service you requested (Art. 6 (1) (b) GDPR — performance of a contract) and to keep the service secure and reliable (Art. 6 (1) (f) GDPR — legitimate interests).
Subprocessors
Supabase (database, EU), Vercel (hosting, EU), Vertex AI (text generation, EU, no-training configuration), Trigger.dev (job orchestration; IDs-only payloads), Resend (transactional email), Stripe (payments), PostHog EU (product analytics), Sentry (error monitoring).
Your rights
Under the GDPR you can request access, rectification, erasure, restriction, portability, and objection. Reach us via the contact form to exercise any of these rights.
Retention
Anonymous trial data is purged automatically after 30 days. Account data is kept until you delete your account, at which point it is removed within 30 days.
Contact for privacy matters
Use our contact form for any privacy-related request — we typically respond within one business day.
Last reviewed: <<REPLACE: YYYY-MM-DD>>