Privacy Policy
1. Controller
Controller under GDPR:
Niklas Schmolenski
Nollendorfstraße 21A, 10777 Berlin, Germany
Email: [email protected]
2. Data We Process
- Account data such as name, email address, password-related authentication data, and login details when you register or sign in
- Data received via Google login if you choose to sign in with Google, in particular your email address, name, and Google identifier within the relevant OAuth flow
- Uploaded resumes and other ordinary application documents, document metadata, file names, hash values, and job descriptions or other text you submit
- Generated analysis results, cover-letter drafts, history entries, credits, and plan- or billing-related status data
- Paddle customer, subscription, invoice, and transaction data where you use paid plans and those data are required for checkout, billing, or plan assignment
- Technical data such as IP address, timestamps, browser/device information, and necessary security and server logs
- Usage and security events such as analysis starts, unlocks, upgrade attempts, credit-related events, and rate-limit or abuse signals
- Necessary cookie and similar device data, in particular the guest session identifier rrh_guest_session, as well as local storage entries for language preferences and auth return paths
CVChecked is intended for ordinary application documents such as resumes and role-related application texts. Please do not upload unnecessary special categories of personal data such as health data, religious beliefs, or trade-union membership.
3. Purposes and Legal Bases
- Provision of account, login, document upload, analysis, cover-letter features, and account-related settings under Art. 6(1)(b) GDPR
- Handling of paid subscriptions, invoices, plan assignment, renewals, and terminations where paid plans are used or activated under Art. 6(1)(b) GDPR
- Compliance with legal obligations, in particular tax and accounting retention duties, under Art. 6(1)(c) GDPR
- Security measures, abuse prevention, technical stability, enforcement of limits, fraud prevention, internal product measurement, and the defence or enforcement of legal claims under Art. 6(1)(f) GDPR. Our legitimate interests are the secure, functional, and economically sustainable operation of the platform.
4. Cookies, Local Storage, and Similar Technologies
We currently use, in particular, a technically necessary guest-session cookie called rrh_guest_session to associate anonymous preview usage with a guest session, limit abuse, and map uploaded documents or analyses to the correct guest session. We also use browser local storage entries, in particular for language preferences and a temporary return path within the auth flow. These technologies are required for requested core functions or the secure provision of the service.
Opening the payment checkout may additionally require technical cookies or similar technologies of the payment provider. We do not currently operate our own on-site advertising, remarketing, or newsletter-tracking stack.
5. Recipients and Categories of Recipients
- Hosting, infrastructure, and CDN providers for the website, backend, and secure delivery
- Supabase for authentication, database services, and file storage
- OpenAI for processing document contents and job descriptions to generate analyses and drafts
- Paddle for checkout, billing, customer portal, and invoicing where paid plans are activated or used
- Google where you choose Google sign-in
- Queueing, rate-limit, and similar infrastructure providers such as Upstash/QStash where those functions are enabled
- Advisers, authorities, or courts where legally required or necessary for the pursuit or defence of legal claims
Uploaded documents are stored in a non-public storage bucket. Where documents are shown or made downloadable again inside the product, this is done through time-limited signed URLs. Uploaded documents are not reviewed manually on a routine basis. As the sole operator, I access documents only exceptionally where necessary for support, debugging, abuse or security handling, or the defence of legal claims.
Where required, these providers process data as processors or as independent controllers, in particular for their own payment, authentication, or communications functions.
6. International Transfers
Some service providers are located in third countries, in particular the United States, or may access data from there. Where personal data is processed outside the EEA, we rely on appropriate safeguards, in particular an adequacy decision, standard contractual clauses, or another lawful transfer mechanism. Additional information about the safeguards relevant in an individual case is available on request where legally and practically possible.
7. Retention and Deletion
The current production baseline uses automatically enforced deletion rules for guest usage: guest documents and guest analyses are deleted after up to 24 hours. For registered accounts, we generally keep documents and analysis results while the account remains active and the data is needed to provide the service. We keep only the latest 10 analyses overall in dashboard history, so older entries and no-longer-needed related documents may disappear earlier for that reason. Account-related data can also be removed through the account deletion function. Documents that are clearly outside the intended service scope or contain obvious unnecessary special-category data may also be deleted earlier if we become aware of them. Billing, accounting, and other data subject to statutory retention obligations remain stored until the relevant retention periods expire.
8. Automated Decision-Making
Analyses and drafts provided by CVChecked are generated in part automatically. However, we do not use these processes for solely automated decisions that produce legal effects or similarly significant effects within the meaning of Art. 22 GDPR.
9. Your Rights
Under the GDPR, you have rights of access, rectification, erasure, restriction of processing, data portability, and objection to processing based on Art. 6(1)(f) GDPR. You may also lodge a complaint with a data protection authority.
10. Privacy Contact
Please direct privacy inquiries to:
Niklas Schmolenski
Nollendorfstraße 21A, 10777 Berlin, Germany
Email: [email protected]
No data protection officer has currently been appointed because, at present, there is no statutory obligation to do so.
Version: March 24, 2026
