Privacy Policy

Last updated: May 2026

1. Controller

NetVing GmbH

Tal 44, 80331 Munich, Germany

Email: info@netving.com

2. What Data We Process

When you use CVKite, we process the following personal data:

  • Account Data: Email address and password (encrypted in storage) upon registration
  • Resume Data: All content you enter in your resumes (name, job title, work experience, education, skills, etc.)
  • Profile Photo: Optionally uploaded photo for your resume
  • Job Listings: Job descriptions and application materials you save
  • Language Setting: Your selected interface language (DE/EN/ES)

3. Purpose and Legal Basis

We process your data exclusively to provide the CVKite service:

  • Create, manage, and export resumes
  • Provide AI-powered improvement suggestions for resume content
  • Enable application and job tracking
  • Generate cover letters

The legal basis for this processing is Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interests in providing secure and reliable service).

4. External Service Providers and Processors

CVKite uses the following external services where personal or content-related data may be shared. All providers are engaged as data processors under Art. 28 GDPR.

  • Anthropic, Inc. (USA) — AI text generation (Claude language models). Relevant resume content is transmitted for text improvement. Anthropic processes your data solely for providing our AI functions and does not store data after processing is complete. Data processing is governed by a Data Processing Agreement (Art. 28 GDPR) and Standard Contractual Clauses (Art. 46(2)(c) GDPR) for data transfers to the US.

  • OpenAI, L.L.C. (USA) — AI text generation (GPT language models, fallback). Data transfer to the US is based on Standard Contractual Clauses (SCC).

  • Jina AI GmbH (Germany) — Web scraping to extract job listings from URLs you provide. Only explicitly provided URLs are transmitted; no personal resume data is shared.

  • Cloudflare, Inc. (USA) — Object storage (R2) for uploaded files such as profile photos. Your file uploads are stored in Cloudflare R2. Data processing is governed by a Data Processing Agreement and Standard Contractual Clauses (Art. 46(2)(c) GDPR) for data transfers to the US.

  • Plausible Analytics (EU) — Privacy-friendly website analytics without cookies. Plausible collects anonymized usage statistics (page views, approximate country of origin) without storing personal data or persistent identifiers. No cookies are set and no cross-device tracking is performed. Processing occurs on servers within the EU.

  • Email Provider — Transactional emails (password reset). Only the recipient's email address is transmitted.

None of the listed providers use your data for AI model training or advertising purposes.

5. Transparency under the EU AI Act

CVKite uses AI systems in accordance with the EU Regulation on Artificial Intelligence (EU AI Act, Regulation 2024/1689). We provide you with transparent information about the use of these systems:

  • Risk Classification: The AI functions used by CVKite (text improvement, summaries, keyword extraction) fall under the category of "limited risk" under Art. 50 of the EU AI Act.
  • Human Review: All AI-generated content is presented to you for review and editing. You can reject, modify, or replace AI suggestions with your own formulations at any time.
  • No Automated Decisions: CVKite does not make automated decisions with legal or similarly significant effects for you. All essential decisions in the application process remain entirely with you.
  • AI Disclosure: AI-generated text suggestions are clearly marked as such in the user interface.

6. Hosting and Infrastructure

CVKite is hosted on servers within the European Union. The hosting provider processes technical connection data (IP addresses, timestamps) in the course of operating the infrastructure. Processing is based on Art. 6(1)(f) GDPR.

7. Cookies and Authentication

CVKite uses only technically necessary session tokens for authentication (JWT, stored in browser LocalStorage). No tracking cookies and no advertising cookies are used. No Google Analytics, no Facebook Pixel, no ad tracking. For anonymized usage statistics, we use Plausible Analytics — a cookie-free, privacy-friendly tool without personal data (see Section 4). Since Plausible does not set cookies, no cookie consent is required.

8. Data Retention

Your data is stored as long as your account is active. Upon account deletion, all personal data will be permanently deleted within 30 days, unless legal retention obligations apply.

AI-Powered Features: When you use our AI features (e.g., bullet improvement, summarization, keyword analysis), your inputs and generated suggestions are stored for a maximum of 30 days to improve the service and speed up repeated requests. Data is used exclusively for your account and is automatically deleted after 30 days. Upon account deletion, all stored AI data is immediately and permanently removed (Art. 17 GDPR).

9. Your Rights

Under GDPR, you have the following rights:

  • Access to your stored data (Art. 15)
  • Rectification of inaccurate data (Art. 16)
  • Erasure of your data (Art. 17)
  • Restriction of processing (Art. 18)
  • Data Portability (Art. 20) — export via JSON Resume
  • Objection to processing (Art. 21)

To exercise your rights, please contact: info@netving.com

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for NetVing GmbH is:

Bavarian State Office for Data Protection Supervision (BayLDA)

Promenade 18, 91522 Ansbach, Germany

Web: www.lda.bayern.de