1. Controller
Ahmad Sakka — Saseler Chaussee 30c, 22391 Hamburg, Germany — [email protected]
Last updated: 07 July 2026
The German-language version of this document is the legally binding reference in case of any discrepancy in interpretation.
Art. 6(1)(b) performance of contract: account (including age verification), upload/analysis/build of the CV, reports. Art. 6(1)(a) consent: statistics/marketing cookies and special-category data (Art. 9) in the CV. Art. 6(1)(c) legal obligations: retention of invoices. Art. 6(1)(f) legitimate interest: platform security, fraud prevention, stable operation.
The website and its database are hosted entirely on a VPS at netcup GmbH (Karlsruhe, Germany). All CVs and reports are stored exclusively on this server within Germany/the EU. A data-processing agreement (AV-Vertrag) under Art. 28 GDPR is in place with netcup.
The original CV file is never stored. Its text is extracted in memory and deleted after the report is generated. Only the derived report remains, which you can delete at any time.
To generate the analysis, the CV text is sent over an encrypted API to Anthropic PBC (USA) — a third-country transfer under the safeguards of Art. 44–49 GDPR (EU-US Data Privacy Framework and/or Standard Contractual Clauses). Anthropic is engaged as a sub-processor under Anthropic's standard Data Processing Addendum, which is incorporated into its Commercial Terms. We have enabled the zero-data-retention option available in our Anthropic account settings; under Anthropic's Commercial Terms, inputs and outputs are not used to train models. The transfer relies on Standard Contractual Clauses (SCC). Anthropic's data-processing terms and sub-processor list: https://www.anthropic.com/legal/commercial-terms · https://trust.anthropic.com
Account data (name, date of birth [for age verification], email with double opt-in confirmation, hashed password, language); content data (CV text temporarily, reports, job descriptions); payment data (entirely at Paddle – no card data on our servers); logfiles (IP, time, browser/system).
Access logs are collected on the basis of legitimate interest (Art. 6(1)(f)) for attack detection and deleted automatically within 7 days (retained only as evidence in an ongoing security incident).
Strictly necessary cookies (session/security): without consent (Art. 6(1)(f) + § 25(2) TDDDG). Cloudflare Turnstile (human/bot check, Cloudflare Inc., USA — transfer with DPF/SCC safeguards). Cloudflare Web Analytics runs cookieless. No statistics/marketing cookies are currently used; any use would only occur with your express consent.
Payments are handled by Paddle.com Market Ltd as Merchant of Record. Your payment data (card, name, email, billing address) is processed directly at Paddle and not stored on our servers. Paddle handles invoicing and international tax compliance. Paddle privacy: https://www.paddle.com/legal/privacy
For B2B customers uploading candidate data, we provide an AV-Vertrag (Art. 28 GDPR), available for acceptance in the dashboard and forming part of the contract.
You can delete your CVs and reports at any time; they are removed from the server immediately. Invoices are an exception: they are retained for 8 years under § 147 AO.
You have the right of access, rectification, erasure, restriction, data portability, and objection (Art. 21) to processing based on legitimate interest. To withdraw consent or exercise your rights: [email protected].
You have the right to lodge a complaint: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Ludwig-Erhard-Str. 22, 20459 Hamburg.
Encryption in transit (TLS) and at rest, strict access control, network separation, encrypted backups and data minimisation.
There is no solely automated decision. The analysis is a supporting tool with an evaluative logic (matching skills/experience/ATS); the decision remains with a human. Note: systems that score/rank job applicants may be classified as high-risk under the EU AI Act (Annex III); the related obligations will be addressed before commercial launch. AI Act note: obligations for high-risk systems (Annex III) apply — following the Digital Omnibus postponement — from 2 December 2027. Independently, under Art. 50 EU AI Act (from 2 August 2026) we clearly inform you that you are interacting with an AI system and that the outputs are AI-generated.