Privacy Policy
Last updated: March 2026
At CVFox, we take your privacy seriously. This comprehensive policy explains how we collect, use, process, and protect your personal data when you use our AI-powered career tools at cv-fox.com.
1. Who We Are
CVFox is an AI-powered career platform operated by the entity behind cv-fox.com. We provide tools for CV/resume review, employment reference (Arbeitszeugnis) analysis, AI-powered job discovery, and humanized application writing. For all privacy-related matters, you can reach us at privacy@cv-fox.com.
2. What Data We Collect
We collect the following categories of personal data:
Account Data: Name, email address, and a securely hashed password (or Google OAuth profile data) when you register.
Uploaded Documents: CVs, resumes, cover letters, and employment references (Arbeitszeugnisse) that you upload for analysis.
AI-Generated Content: Review results, job search queries, job discovery results, and application drafts created through our services.
Payment Data: All payment processing is handled by Stripe. We only store your Stripe customer ID and subscription status; we never see or store your credit card number.
Technical Data: IP address, browser type and version, device information, timezone, and referring URL.
Analytics Data: Page views, feature usage, and interaction patterns collected via PostHog and Google Analytics (only with your consent where required by law).
3. How We Use Your Data
We use your data for the following purposes:
- To provide our core services: CV review and sentence-level analysis, Arbeitszeugnis decoding and grading, AI-powered job discovery across web sources, and humanized application writing with industry-specific templates.
- To process payments securely via Stripe.
- To send transactional emails (account confirmation, password reset) via our email provider Resend.
- To improve the service through anonymous usage analytics.
- To comply with applicable legal obligations.
We never sell your personal data to third parties.
4. AI Processing Disclosure
Your uploaded documents and text inputs are sent to OpenAI's API for analysis. This includes CV text for review, Arbeitszeugnis content for decoding, and job search queries for web-based job discovery.
OpenAI processes this data under their data processing agreement and does not use API inputs for model training. We do not store your uploaded documents longer than necessary for the analysis (see Section 9 on data retention).
Job discovery queries are processed via OpenAI's Responses API with web search capabilities, which searches live job boards and career pages on your behalf.
5. Third-Party Services & Data Processors
We work with the following data processors, each serving a specific purpose:
OpenAI (api.openai.com) - Processes document text and queries for AI analysis. Privacy: openai.com/policies/privacy-policy
Stripe (stripe.com) - Handles all payment card data and subscription billing. Privacy: stripe.com/privacy
PostHog (eu.posthog.com) - EU-hosted product analytics. Tracks anonymous usage patterns to help us improve the product. Privacy: posthog.com/privacy
Google Analytics / Google Tag Manager (analytics.google.com) - Marketing analytics for page views and conversion tracking. Privacy: policies.google.com/privacy
Resend (resend.com) - Sends transactional and newsletter emails. Privacy: resend.com/legal/privacy-policy
DigitalOcean (digitalocean.com) - Cloud hosting infrastructure with servers located in the EU. Privacy: digitalocean.com/legal/privacy-policy
6. Cookies & Tracking Technologies
We use three categories of cookies and tracking technologies:
Essential Cookies (always active, no consent required): Authentication session token, theme preference (light/dark), locale preference (EN/DE), and cookie consent state. These are strictly necessary for the service to function.
Analytics Cookies (PostHog - consent required in EU/EEA): Anonymous product usage tracking hosted on EU servers (eu.i.posthog.com). These help us understand how features are used so we can improve the product. Only activated after you give explicit consent if you are in a region where DSGVO/GDPR applies. Automatically enabled in non-regulated regions.
Marketing Cookies (Google Analytics / GTM - consent required): Conversion tracking and campaign measurement. Only activated after explicit consent. Can be rejected independently from analytics cookies.
Users in the EU/EEA see a cookie consent banner before any non-essential cookies are set. You can change your preferences at any time by clearing your browser storage or using the cookie settings link in the footer.
7. Data Protection Rights (DSGVO/GDPR)
For users in the European Union, European Economic Area, and other jurisdictions where the DSGVO (Datenschutz-Grundverordnung) or equivalent data protection regulation applies, you have the following rights:
- Right of Access (Art. 15 DSGVO): Request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16 DSGVO): Correct inaccurate personal data.
- Right to Erasure / Right to Be Forgotten (Art. 17 DSGVO): Request deletion of your personal data.
- Right to Restriction of Processing (Art. 18 DSGVO): Limit how we process your data.
- Right to Data Portability (Art. 20 DSGVO): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21 DSGVO): Object to processing based on legitimate interest.
- Right to Withdraw Consent (Art. 7 DSGVO): Withdraw any previously given consent at any time.
To exercise any of these rights, contact us at privacy@cv-fox.com. We will respond within 30 days.
8. Legal Basis for Processing
We process your personal data on the following legal bases:
- Consent (Art. 6(1)(a) DSGVO): For analytics cookies (PostHog) and marketing cookies (Google Analytics). You can withdraw consent at any time.
- Contract Performance (Art. 6(1)(b) DSGVO): For providing the core services you signed up for: CV review, Arbeitszeugnis analysis, job discovery, and application writing.
- Legitimate Interest (Art. 6(1)(f) DSGVO): For security measures, fraud prevention, and maintaining service integrity.
9. Data Retention
We retain your data for the following periods:
- Account data: Retained until you request account deletion.
- Uploaded documents: Deleted within 30 days of review completion.
- AI analysis results: Retained for 90 days to allow you to access your results, then anonymized.
- Payment records: Retained as required by applicable tax law (up to 10 years for financial records).
- Analytics data: Automatically expires after 12 months.
10. Data Security
We implement robust security measures to protect your data:
- All data encrypted in transit using TLS 1.3.
- Application hosted on EU-based infrastructure (DigitalOcean).
- Password hashing using bcrypt with salting.
- Regular security reviews and dependency audits.
- Access controls and structured logging for audit trails.
- Rate limiting and brute-force protection on all endpoints.
11. International Data Transfers
Some of our data processors are based outside the EU:
- OpenAI (United States): Data transferred under Standard Contractual Clauses (SCCs) and OpenAI's data processing agreement.
- Stripe (United States): Data transferred under SCCs and Stripe's certified compliance frameworks.
PostHog data remains entirely in the EU (eu.posthog.com). We ensure all international transfers comply with Chapter V of the DSGVO.
12. Children
CVFox is not intended for users under the age of 16. We do not knowingly collect personal data from minors. If we discover that a minor has provided us with personal data, we will delete it promptly.
13. Governing Law & Jurisdiction
This privacy policy and any disputes arising from it are governed by the laws of the jurisdiction in which the operator of CVFox is established. Any legal proceedings shall be brought exclusively in the competent courts of that jurisdiction.
14. Contact & Data Protection
For all privacy-related inquiries, data access requests, or to exercise your rights under DSGVO/GDPR:
Email: privacy@cv-fox.com
You also have the right to lodge a complaint with your local data protection supervisory authority if you believe your data protection rights have been violated.