Privacy Policy
Last updated: April 2026
This privacy policy explains how Applivoo ("we", "us", "our") collects, uses, and protects your personal data when you use our service. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and Luxembourg data protection law. We recommend that this document be reviewed by a qualified legal professional before relying on it in production.
1. Controller Identity and Contact
The controller responsible for the processing of your personal data is:
tupevo S.àr.l.-S
12, Rue du Château d'Eau, L-3364 Leudelange, Luxembourg
RCS Luxembourg B306404 | VAT LU37375443
Email: [email protected]
If you have questions about how your data is processed, please contact us at the email address above.
2. Data Protection Officer
Given the current scale of our operations, a formal Data Protection Officer (DPO) has not been appointed as it is not required under Article 37 GDPR. For all data protection inquiries, please contact us at the email address listed in Section 1. Should our processing activities require it in the future, we will appoint a DPO and update this policy accordingly.
3. Purposes and Legal Basis of Processing
We process your personal data for the following purposes and on the following legal bases:
- Account management and authentication (Art. 6(1)(b) GDPR - performance of a contract): We process your email address and OAuth profile data to create and manage your account.
- AI-powered CV tailoring (Art. 6(1)(b) GDPR - performance of a contract): We send your CV content and job descriptions to the Anthropic Claude API to generate tailored suggestions. This is a core feature of the service you have contracted.
- Subscription billing (Art. 6(1)(b) GDPR - performance of a contract): We share billing information with Stripe to process your subscription payments.
- Web analytics (Art. 6(1)(f) GDPR - legitimate interest): We collect anonymous usage statistics via our self-hosted Umami instance to understand how our service is used. Umami is cookieless, stores and reads no information on your device, and collects no personally identifiable information, so no ePrivacy/cookie consent is required. Our legitimate interest is understanding and improving how the service is used.
- Error tracking (Art. 6(1)(f) GDPR - legitimate interest): We use GlitchTip to monitor application errors and maintain service reliability. Our legitimate interest is ensuring service quality and security.
- Legal compliance (Art. 6(1)(c) GDPR - legal obligation): We may process data where required by law, such as retaining billing records for tax purposes.
4. Legitimate Interests
Where we rely on legitimate interests as a legal basis (Art. 6(1)(f) GDPR), these interests are:
- Error tracking and security monitoring: Maintaining the reliability and security of our service by collecting error reports and performance data through GlitchTip.
- Fraud prevention: Detecting and preventing unauthorized or abusive use of the service.
We have conducted a balancing test to ensure these interests do not override your fundamental rights and freedoms. You have the right to object to processing based on legitimate interests (see Section 8).
5. Recipients and Categories of Recipients
We share your personal data with the following recipients only to the extent necessary for the purposes described in Section 3:
- Anthropic (Claude API): Your CV content and job description text are sent to the Anthropic Claude API to generate AI-powered suggestions. Anthropic processes this data solely to provide the service and does not use it for model training.
- Scaleway (EU LLM hosting): Depending on routing, the Claude inference for the AI tailoring feature may be served through Scaleway, a French/EU cloud provider, in an EU region. Where the request is served via Scaleway, the inference processing stays within the EU/EEA. Data processed: the same CV content and job description text described above for the AI feature.
- Stripe: Your billing information (name, email, payment method) is shared with Stripe for subscription payment processing.
- GlitchTip: Error reports may contain technical information such as IP addresses and browser metadata. No CV content is included in error reports.
- Umami: Anonymous, aggregated usage statistics are collected via our self-hosted Umami instance on the basis of our legitimate interest (Art. 6(1)(f) GDPR). Umami is cookieless and collects no personally identifiable information.
- OAuth provider (Google): When you sign in via Google OAuth, Google shares your email and profile name with us. We do not share your data back with Google beyond the authentication flow.
- Hosting provider: Our infrastructure is hosted on Hetzner dedicated servers located in Germany. Your data is stored on these servers.
- Resend: Transactional emails (e.g., welcome email) are sent via Resend's API. Data processed: recipient email address, email content. No CV data is included in transactional emails. Resend processes data solely for email delivery.
6. International Transfers
Some of the recipients listed in Section 5 are located outside the European Economic Area (EEA):
- Anthropic (United States): CV content and job descriptions are transferred to Anthropic's servers in the US for AI processing. This transfer is governed by EU Standard Contractual Clauses (SCCs) as adopted by the European Commission.
- Stripe (United States): Billing data is transferred to Stripe's US infrastructure. Stripe is certified under the EU-US Data Privacy Framework and additionally relies on SCCs.
All transfers to third countries are conducted with appropriate safeguards in accordance with Chapter V of the GDPR.
7. Data Retention
We retain your personal data only for as long as necessary for the purposes described in this policy:
- Account data (email, name, preferences): Retained for the duration of your account. Deleted within 30 days of account closure.
- CV data and job descriptions: Retained for the duration of your account. You may delete individual CVs at any time. All CV data is deleted within 30 days of account closure.
- Payment records: Retained for 10 years after the transaction date, as required by Luxembourg tax law.
- Analytics data: Collected in aggregated, anonymous form. No personal data is retained.
- Error logs: Retained for 90 days, then automatically purged.
- Consent records: Retained for the duration of your account plus 3 years for compliance demonstration.
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): You may request a copy of the personal data we hold about you. You can export your data from Settings > Data & Privacy.
- Right to rectification (Art. 16): You may request correction of inaccurate personal data. You can update your profile information directly in your account settings.
- Right to erasure (Art. 17): You may request deletion of your personal data. You can delete your account from Settings > Danger Zone, which initiates a 30-day grace period before permanent deletion.
- Right to data portability (Art. 20): You may request your data in a structured, machine-readable format. Use the export feature in Settings > Data & Privacy.
- Right to restriction of processing (Art. 18): You may request that we restrict the processing of your data in certain circumstances.
- Right to object (Art. 21): You may object to processing based on legitimate interests or for direct marketing purposes.
To exercise any of these rights, please contact us at the email address in Section 1. We will respond within 30 days.
9. Withdrawal of Consent
Where we process your data based on consent, you may withdraw your consent at any time, and withdrawal does not affect the lawfulness of processing carried out before the withdrawal. You can manage your data processing preferences in your account settings.
Our web analytics (Umami) are not based on consent: they are cookieless and rely on our legitimate interest (Art. 6(1)(f) GDPR), so there is no analytics consent to withdraw. You may instead exercise your right to object to processing based on legitimate interests at any time (see Section 8).
10. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates the GDPR.
The supervisory authority for Luxembourg is:
Commission nationale pour la protection des données (CNPD)
15, Boulevard du Jazz
L-4370 Belvaux
Luxembourg
Website: https://cnpd.public.lu
You may also lodge a complaint with the supervisory authority in your country of residence or place of work.
11. Data Provision Obligation
Providing your email address is required to create an account and use the service (contractual requirement). Without it, we cannot provide the Applivoo service.
Providing CV data and job descriptions is voluntary but necessary to use the AI-powered CV tailoring features.
There is no statutory obligation to provide personal data. However, failure to provide certain data may limit your ability to use specific features of the service.
12. Automated Decision-Making and AI Profiling
Applivoo uses the Anthropic Claude AI to analyze job descriptions and generate tailored CV suggestions. This involves automated processing of your CV content and job description text.
Important clarifications:
- The AI generates suggestions only. All final decisions about your CV content remain with you. You review, select, and edit all AI-generated variants before they are applied.
- This processing does not constitute solely automated decision-making with legal or similarly significant effects as defined in Art. 22 GDPR, because human review (yours) is always part of the process.
- The AI does not make hiring decisions, evaluate your employability, or produce legally binding assessments.
- You may choose not to use AI features and still use the CV editor manually.
13. Cookies and Tracking Technologies
Applivoo uses the following categories of cookies and similar technologies:
- Necessary cookies: Required for authentication, session management, and security. These cannot be disabled as they are essential for the website to function. Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
- Analytics (Umami): We use our self-hosted Umami instance to collect anonymous usage statistics. Umami is cookieless: it sets no cookies, and stores or reads no information on your device. It also collects no personally identifiable information. Because it does not store or access information on your terminal equipment, no ePrivacy/cookie consent is required, and we therefore do not present any cookie-consent prompt. Legal basis: Art. 6(1)(f) GDPR (legitimate interest).
Because our analytics are cookieless and we use no non-essential cookies, there is no cookie preference setting to manage.
14. Third-Party Services
We use the following third-party services in connection with Applivoo:
- Anthropic Claude API: Provides AI-powered CV tailoring and job description analysis. Data processed: CV content, job descriptions. Privacy policy: https://www.anthropic.com/privacy
- Scaleway: EU cloud provider that may host the Claude inference for the AI tailoring feature in an EU region. Data processed: CV content, job descriptions. Privacy policy: https://www.scaleway.com/en/privacy-policy/
- Stripe: Processes subscription payments. Data processed: name, email, payment method, billing address. Privacy policy: https://stripe.com/privacy
- GlitchTip: Self-hosted error tracking (Sentry-compatible). Data processed: error reports, browser metadata, IP addresses. Hosted on our own infrastructure.
- Umami: Self-hosted, cookieless web analytics. Data processed: anonymous page views and events. No personally identifiable information. Hosted on our own infrastructure.
- Google OAuth: Authentication provider. Data received: email, name, profile picture. Privacy policy: https://policies.google.com/privacy
- Resend: Transactional email delivery service. Data processed: recipient email address. Privacy policy: https://resend.com/legal/privacy-policy
15. Data Retention Schedule
The following table summarizes our data retention periods:
- Account data (email, name): Until account deletion + 30 days
- CV data and job descriptions: Until deletion by user or account closure + 30 days
- Payment and billing records: 10 years (Luxembourg tax law requirement)
- Authentication logs: 90 days
- Error logs (GlitchTip): 90 days
- Analytics data (Umami): Aggregated, anonymous, no retention limit
- Consent records: Account duration + 3 years
- Cookie preferences: Stored in browser local storage, controlled by user
16. Children's Data
Applivoo is not targeted at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that data promptly.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at the email address in Section 1.
17. Policy Updates
We may update this privacy policy from time to time to reflect changes in our processing activities, legal requirements, or service features.
We will notify you of material changes by:
- Displaying a notice in the application after you log in.
- Sending an email notification to the address associated with your account.
The "Last updated" date at the top of this policy indicates the most recent revision. Continued use of the service after being notified of changes constitutes acceptance of the updated policy.