Version: 11 June 2026
JobrivoAI is an AI-powered job application assistant. Protecting your personal data — especially the contents of your application documents — matters to us. This privacy policy informs you, in accordance with Art. 13 and 14 GDPR, about what data we process, for which purposes and on which legal basis, who receives it, how long we store it, and what rights you have.
The controller within the meaning of the GDPR for data processing in connection with JobrivoAI (www.jobrivoai.com) is: Felix Terjung (sole proprietor) E-Mail: jobrivoai@gmail.com You can reach us at this email address for all privacy matters. No data protection officer has been appointed, as the legal requirements for a mandatory appointment (Art. 37 GDPR, Section 38 of the German Federal Data Protection Act, BDSG) are not met.
The most important points up front: • We do not sell your data and we do not run advertising. • Your application content is processed solely to create the results you request — not to train AI models. • Uploaded photos are not stored on our servers. • Usage analytics (PostHog) only runs if you explicitly opt in, and only on EU servers. • You can delete your account with all data yourself in the dashboard at any time, and export your data as a file.
We process the following categories of personal data: • Account and profile data — name, email address, profile picture (if any) and identifiers of your chosen sign-in provider (e.g. "Sign in with Google"), plus sign-in timestamps; collected via our authentication provider Clerk on registration and sign-in. • Application content — resumes/CVs, cover letters, job descriptions, answers and notes that you enter into the tools or upload as PDF. From uploaded PDF files only the text is extracted server-side; the PDF file itself is not stored. • Photos — only if you use the Photo Analyzer or add a photo to your resume PDF (see Section 5). • Generated results — the outputs created by the AI (e.g. rewritten resume, cover letter, interview questions), stored in your account history. • Application organizer — application folders you create (company, position, status, deadlines, notes, job URL). • Payment and subscription data — your plan, credit balance, credit transactions and technical event IDs from the payment platform. The actual payment is handled entirely by Lemon Squeezy (Section 7); payment card details never reach us. • Usage data — tool usage, credits spent, technical token consumption per request, timestamps. • Feedback and support — ratings (thumbs up/down), comments, support requests including your email address. • Referral data — your personal referral code and, where applicable, the code through which you were referred. • Technical data — IP address, browser type and server logs at our hosting provider Vercel; short-lived IP-based keys for rate limiting (Upstash). • Analytics data (only with your consent) — pseudonymous usage events via PostHog; the IP address is discarded and no session recordings take place. • Error data — in the event of technical errors, our service Sentry captures error messages and masked context data for debugging.
We process your data for the following purposes on the following legal bases: • Providing the service — account, AI generation of your documents, storage of your results, application organizer, credits: Art. 6(1)(b) GDPR (performance of a contract). • Payment and subscription management — assigning purchases and subscriptions to your account: Art. 6(1)(b) GDPR. • Transactional emails — e.g. the welcome message: Art. 6(1)(b) GDPR. • Product notices by email — e.g. a low-credit notice or a reminder about unused credits, always with an unsubscribe link: Art. 6(1)(f) GDPR (legitimate interest in informing our users about our own service); you can object at any time via the unsubscribe link or informally by email. • Abuse and fraud prevention, rate limiting, IT security, server logs: Art. 6(1)(f) GDPR (legitimate interest in a secure, stable service). • Error diagnostics (Sentry): Art. 6(1)(f) GDPR. • Usage/product analytics (PostHog): Art. 6(1)(a) GDPR (consent) in conjunction with Section 25(1) of the German TDDDG — only after your active consent in the consent banner; you can withdraw consent at any time with effect for the future. • Compliance with legal obligations — e.g. retention of business records under commercial and tax law: Art. 6(1)(c) GDPR. • Special categories of data contained in your documents: Art. 9(2)(a) GDPR (explicit consent, Section 5).
Application documents may contain special categories of personal data within the meaning of Art. 9 GDPR — for example information revealing health (e.g. a disability), religious beliefs, trade union membership, or characteristics inferable from a photo such as ethnic origin. We do not ask for such data and we do not need it. Please follow the principle of data minimisation: include in your texts and photos only what you actually wish to submit; you can remove sensitive details before submitting. If you nevertheless submit content containing such data — by pasting a resume text, uploading a PDF or uploading a photo — and actively start the generation or analysis, you thereby explicitly consent to the processing of this data for the sole purpose of creating the results you requested (Art. 9(2)(a) GDPR). You can withdraw this consent at any time with effect for the future by deleting stored results or your account, or by contacting us by email. Photos in particular: • Photo Analyzer: your photo is transmitted from your browser to our AI provider Anthropic and analysed there solely to assess quality (background, lighting, attire, expression, framing). No biometric identification or verification of your person takes place. We do not store the photo itself — only the textual analysis result is stored; at Anthropic the deletion period in Section 6 applies. • Resume photo: a photo you add to your resume PDF is processed exclusively locally in your browser and embedded into the PDF file; it is not transmitted to our servers.
JobrivoAI's AI features use the Claude models by Anthropic. When you start a tool, the content required for it (e.g. resume text, job description, photo where applicable, your custom instructions) is transmitted to Anthropic and the result is returned to us. • Processing on our behalf: Anthropic, PBC (San Francisco, USA) processes this data as our processor. A data processing agreement including the EU Standard Contractual Clauses is automatically incorporated into Anthropic's commercial terms of service. • No AI training: Anthropic does not use content submitted via the API to train its models unless this has been expressly agreed — we do not give such consent. • Retention at Anthropic: inputs and outputs are generally deleted automatically at Anthropic within 30 days. Only where a violation of Anthropic's usage policies is suspected may the affected content be retained for up to 2 years. • AI transparency: the generated texts and assessments are AI-generated and are labelled accordingly in the product. AI outputs can contain errors — please review results before using them. • No automated individual decision-making: JobrivoAI does not make automated decisions that produce legal effects concerning you or similarly significantly affect you (Art. 22 GDPR). All outputs — including scores and assessments — are non-binding suggestions; whether and how you use them is entirely your decision.
We use the following service providers as processors (Art. 28 GDPR). Data processing agreements are in place with all of them; details given as: purpose — provider, seat — place of data processing — basis for third-country transfers. • Authentication — Clerk, Inc., San Francisco (USA) — processing in the USA — EU-US Data Privacy Framework (certified) and EU Standard Contractual Clauses. To prevent automated mass sign-ups, Clerk uses a CAPTCHA by Cloudflare (Turnstile) during registration and sign-in; Cloudflare acts here as a sub-processor of Clerk (legal basis Art. 6(1)(f) GDPR). • Database — Supabase, Inc. (USA) — data resides in the EU (AWS region eu-west-1, Ireland) — EU Standard Contractual Clauses for any third-country access. • AI processing — Anthropic, PBC, San Francisco (USA) — processing in the USA — EU Standard Contractual Clauses (details in Section 6). • Hosting and delivery of the website, server logs — Vercel Inc., Covina (USA) — global network — EU-US Data Privacy Framework (certified) and EU Standard Contractual Clauses. • Transactional and notice emails — Resend (Plus Five Five, Inc., USA) — sending configured via the EU region (Ireland) — EU Standard Contractual Clauses. • Product analytics (only with consent) — PostHog Inc., San Francisco (USA) — EU cloud (Germany) — EU-US Data Privacy Framework (certified) and EU Standard Contractual Clauses. • Error monitoring — Functional Software, Inc. d/b/a Sentry, San Francisco (USA) — EU data residency (Germany) — EU-US Data Privacy Framework (certified) and EU Standard Contractual Clauses. • Rate limiting — Upstash, Inc. (USA) — data in the EU (Frankfurt) — EU Standard Contractual Clauses. In addition, there are recipients who do not act as our processors: • Payment processing — Lemon Squeezy (Sold through Link, LLC, formerly Lemon Squeezy, LLC, Salt Lake City, USA; part of the Stripe group) acts as "Merchant of Record": it is your contractual partner for the purchase and thus an independent controller for payment processing including invoicing and tax remittance. You enter your payment data (name, billing details, payment method) directly on Lemon Squeezy's checkout pages; Lemon Squeezy's privacy policy applies in that respect (lemonsqueezy.com/privacy). From Lemon Squeezy we only receive the order/subscription status and your email address for assignment — never payment card details. • Content you share — if you actively create a share link for a result or an application folder, the shared content is publicly accessible to anyone with that link until you revoke the link. • Authorities and other third parties — only where we are legally obliged.
Some of the providers listed are US companies; in some cases processing takes place in the USA (Clerk, Anthropic, Vercel, Lemon Squeezy, Resend), in others the data resides in the EU and only access from the USA is possible (Supabase, PostHog, Sentry, Upstash). We base transfers to the USA on: • the European Commission's adequacy decision on the EU-US Data Privacy Framework (Art. 45(3) GDPR) for providers currently certified under the framework (Clerk, Vercel, PostHog, Sentry), and • the European Commission's Standard Contractual Clauses (Art. 46(2)(c) GDPR), which are agreed with all processors listed — including in addition to certification. You can request a copy of the applicable Standard Contractual Clauses at jobrivoai@gmail.com.
The following retention periods and criteria apply: • Account, content, result, organizer, usage, feedback and support data: until your account is deleted. • Account deletion: you can delete your account yourself at any time in the dashboard under "My Usage". Your authentication account at Clerk and all data in our database are deleted immediately; residual copies in technical backups are overwritten or deleted within 30 days at the latest. • Photos: not stored by us (Section 5); at Anthropic the period in Section 6 applies. • Content at Anthropic: generally deleted automatically within 30 days (Section 6). • Server logs (Vercel): deleted automatically after a short period, generally within a few days. • Rate-limit keys (Upstash): expire automatically at the end of the respective time window (minutes up to one hour). • Payment-related event IDs and credit transactions: for as long as required to keep billing traceable, at most until account deletion. • Business and billing records held by us, if any: statutory retention periods of up to 10 years (Art. 6(1)(c) GDPR in conjunction with Section 147 of the German Fiscal Code, AO); invoices to end customers are issued and archived by Lemon Squeezy as Merchant of Record under its own responsibility.
Storing information on your device and accessing it is governed by Section 25 of the German TDDDG. • Strictly necessary cookies: our sign-in provider Clerk sets session cookies (e.g. __session, __client_uat) that keep you signed in — the service does not work without them (Section 25(2) no. 2 TDDDG, no consent required). • Referral cookie: if you arrive via a referral link, a cookie (ref_code) stores the referral code for 7 days so the bonus can be assigned on sign-up. • Local storage (localStorage): language setting, your consent decision, locally stored drafts/templates (e.g. resume versions, saved interview answers, weekly goal). This data remains in your browser and is not transmitted to us. • Analytics (PostHog): only loads after you have actively agreed in the consent banner (Art. 6(1)(a) GDPR, Section 25(1) TDDDG). You can change your decision at any time by deleting this site's data in your browser (the banner will then appear again) or by contacting us informally by email. Details can be found in our Cookie Policy (the "Cookies" page).
We send emails via the service Resend (Section 7): • Transactional emails, such as the welcome message after registration (Art. 6(1)(b) GDPR). • Product notices, such as a low-credit notice or after longer inactivity (Art. 6(1)(f) GDPR). Each of these emails contains an unsubscribe link; once unsubscribed you will no longer receive such emails. You can also object to receiving them at any time informally by email to jobrivoai@gmail.com.
You have the following rights: • Access (Art. 15 GDPR) — you can request a copy of your data at any time; in addition you can export your data yourself as a file in the dashboard under "My Usage". • Rectification (Art. 16 GDPR) — correction of inaccurate data. • Erasure (Art. 17 GDPR) — deletion of your data; fastest via account deletion in the dashboard under "My Usage". • Restriction of processing (Art. 18 GDPR). • Data portability (Art. 20 GDPR) — receiving your data in a structured, commonly used, machine-readable format (export function in the dashboard). • Withdrawal of consent (Art. 7(3) GDPR) — at any time with effect for the future, without affecting the lawfulness of processing carried out before the withdrawal. Right to object (Art. 21 GDPR): you have the right to object at any time, on grounds relating to your particular situation, to processing of your data based on Art. 6(1)(f) GDPR. You can object to product-notice emails at any time without giving reasons (the unsubscribe link suffices). To exercise your rights, an informal email to jobrivoai@gmail.com is sufficient. Right to lodge a complaint (Art. 77 GDPR): you have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your habitual residence. The authority responsible for us is: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW) — Data Protection Authority of North Rhine-Westphalia, Germany Kavalleriestraße 2-4, 40213 Düsseldorf, Germany Phone: +49 211 38424-0 E-Mail: poststelle@ldi.nrw.de www.ldi.nrw.de
You are neither legally nor contractually obliged to provide us with personal data. However, without certain data we cannot provide the service: registration is not possible without an email address, and generation is not possible without submitted content. Special categories of data (Section 5) are never required to use the service.
We implement technical and organisational measures in accordance with Art. 32 GDPR to protect your data against loss, misuse and unauthorised access — including TLS encryption of all connections, encrypted storage at our infrastructure providers, strict access controls (user data is only accessible through the respective user's own account), protections against abusive requests, and regular security reviews. These measures are continuously adapted to the state of the art.
JobrivoAI is intended for persons aged 18 or over. The service is not directed at minors; we do not knowingly process data of persons under 18. If you become aware that data of a minor has been submitted to us, please contact us.
We update this privacy policy when the service, the providers we use or the legal situation change. The current version is always available on this page; the date at the top indicates the version. We will inform you of material changes by email or by a notice in the app.
This privacy policy is provided in several languages. The translations are provided solely for better understanding. In case of doubt or discrepancies, the German version alone is authoritative.