JJ-JobHunter

Privacy Policy

Last updated: 4 April 2026

This policy explains how JJ-JobHunter collects, uses, and protects your personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable national laws.

1. Data Controller

The data controller responsible for your personal data is JJ-JobHunter. For all data protection enquiries, contact us at privacy@jj-jobhunter.de.

2. Data We Collect

We collect the following categories of personal data:

  • Account data: Email address, full name, password (hashed), plan type.
  • CV & application data: Work history, education, skills, cover letters you generate or upload.
  • Payment data: Transaction amounts, PayPal subscription IDs. We do not store card numbers — PayPal handles card processing.
  • Usage data: Pages visited, features used, error logs, API call counts and costs.
  • Communication data: Gmail OAuth token (send-only permission) if you connect Gmail.
  • Technical data: IP address, browser type, session cookies.
  • Consent records: Cookie preferences, marketing opt-ins/outs, GDPR request history.

3. Purposes & Legal Basis

We process your data for the following purposes:

PurposeLegal basis
Providing the job application serviceContract performance (Art. 6(1)(b))
Processing paymentsContract performance (Art. 6(1)(b))
Generating CVs and cover letters via AIContract performance (Art. 6(1)(b))
Sending emails via Gmail on your behalfConsent (Art. 6(1)(a))
Fraud prevention and securityLegitimate interests (Art. 6(1)(f))
Analytics and product improvementConsent (Art. 6(1)(a))
GDPR compliance and record-keepingLegal obligation (Art. 6(1)(c))
Tax and financial record retention (7 years)Legal obligation (Art. 6(1)(c))

4. Retention Periods

  • Account data: Until account deletion, then purged within 30 days.
  • CV and application data: Deleted with account.
  • Payment records: Retained for 7 years to comply with EU tax law, even after account deletion.
  • API usage logs: 90 days.
  • Session data: 8 hours of inactivity.
  • GDPR request records: 3 years from resolution.

5. Data Sharing

We share your data only with:

  • Supabase (database & auth) — EU-hosted, processes data on our behalf.
  • Anthropic (AI generation) — CV and cover letter content is sent to generate tailored documents. See Anthropic's privacy policy.
  • PayPal (payment processing) — PayPal handles payment data under their own privacy policy.
  • Google (Gmail OAuth) — only if you connect Gmail. We obtain send-only permission and do not read your emails.

We do not sell your data to third parties.

6. International Transfers

Our infrastructure is primarily EU-based. Where data is transferred outside the EEA (e.g., to Anthropic in the USA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer mechanism.

7. Security

We implement industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest, row-level security (RLS) policies in our database, hashed passwords, and regular access reviews. In the event of a data breach affecting your rights, we will notify the relevant supervisory authority within 72 hours (Art. 33 GDPR) and notify affected individuals without undue delay (Art. 34 GDPR).

8. Your Rights (GDPR)

Under GDPR, you have the following rights. Exercise them in Settings → Privacy.

  • Right of access (Art. 15): Download a copy of all your data.
  • Right to erasure (Art. 17): Delete your account and all associated data (subject to legal retention requirements).
  • Right to restriction (Art. 18): Restrict processing of your data.
  • Right to portability (Art. 20): Export your data in machine-readable JSON format.
  • Right to object (Art. 21): Object to analytics processing via the toggle in Privacy settings.
  • Right to rectification (Art. 16): Update your data via account settings.

We respond to all requests within 30 days. You may also lodge a complaint with your local supervisory authority (e.g., CNIL in France, BfDI in Germany, APD in Belgium).

9. Cookies

We use essential cookies to maintain your session and preferences. Analytics cookies are only set with your explicit consent. See our Cookie Policy for full details.

10. Children

Our service is not directed at children under 16. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us at privacy@jj-jobhunter.de.

11. Automated Decision-Making

We do not make decisions that produce legal or similarly significant effects solely through automated processing. AI-generated CVs and cover letters are presented for your review and require your approval before submission.

12. Changes to this Policy

We will notify registered users of material changes via email or an in-app notice at least 14 days before the change takes effect. The "Last updated" date at the top indicates the most recent revision. Continued use of the service after that date constitutes acceptance.

13. Contact

For any data protection questions or to exercise your rights: privacy@jj-jobhunter.de

You have the right to lodge a complaint with your supervisory authority without prejudice to any other administrative or judicial remedy.