— Privacy

Your data, your rules.

CVVia is built in Germany and serves users across the EU and beyond. This policy explains — in plain English — what we collect, why, and the rights you have over your data under GDPR (EU 2016/679) and KVKK (Law 6698).

Last updated: 2026-04-15

01

Who we are

CVVia is operated by a small team based in Germany. The data controller for the purposes of GDPR Art. 4(7) and the "veri sorumlusu" under KVKK is CVVia (operator contact below).

Questions about this policy or your data can always be sent to privacy@cvvia.ai. You can also reach our Data Protection contact at dpo@cvvia.ai.

02

What we collect

We only collect what the product genuinely needs. Everything below is tied to a real feature — we do not collect "just in case".

  • Account: email address, display name, and (if you sign in with Google) a profile photo from your Google account.
  • Preferences: your UI language, theme, and chosen output language for AI content.
  • Profile content: basic profile information, uploaded CVs and documents, manual knowledge entries — anything you choose to provide to personalize your applications.
  • Generated materials: base CVs, tailored CVs, cover letters, ATS check results, interview practice sessions, and company research you trigger.
  • Application metadata: job positions you track, company information, position status, interview records.
  • Operational data: log data (request paths, response times, errors), rate limit counters, background task state.
  • Website visitor data: minimal request data (IP, user-agent) kept briefly for security and abuse prevention.

03

Why we process it (legal basis)

Under GDPR Art. 6 and KVKK Art. 5, we rely on the following legal bases:

  • Contract (Art. 6(1)(b)): to provide the CVVia service you signed up for — generating documents, running analyses, saving your work.
  • Legitimate interest (Art. 6(1)(f)): keeping the service secure, preventing abuse, improving reliability. You can object at any time.
  • Consent (Art. 6(1)(a)): for anything optional, like newsletter emails or non-essential cookies. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): keeping invoicing and tax records for statutory retention periods if you become a paying customer.

04

How long we keep it

We keep your data only as long as it is useful to you or legally required.

When you delete your account, we permanently remove your personal data and generated materials within 30 days. Backup copies are overwritten in the ordinary rolling backup cycle and never kept longer than 90 days.

Anonymized, non-identifying aggregate statistics (e.g. "X CVs generated this month") may be retained indefinitely for product planning — this data cannot be tied back to you.

05

Who we share data with

We do not sell your data. Ever. The only third parties that see it are processors we need to deliver the service, bound by Data Processing Agreements:

  • Hetzner Online GmbH (Germany) — infrastructure hosting, EU-only data residency.
  • Firebase / Google Cloud (EU data centers) — authentication and file storage for profile photos and uploaded documents.
  • LiteLLM proxy (self-hosted, Germany) — routes prompts to LLM providers. Logs are retained for 14 days for debugging and then deleted.
  • OpenAI, Anthropic — AI model providers used via LiteLLM. We use API endpoints with contractual no-training clauses: your data is never used to train their models.
  • Resend (Netherlands) — transactional email delivery for contact form and account notifications.
  • Sentry (if enabled, EU region) — error monitoring. Personal data is scrubbed from stack traces before ingestion.

06

International transfers

Most of our infrastructure is in Germany. When we use OpenAI or Anthropic APIs, some data is processed in the United States under EU Standard Contractual Clauses (SCCs 2021/914) combined with the EU-U.S. Data Privacy Framework certifications of those providers.

You can always request to know exactly which of your specific data has left the EU by emailing privacy@cvvia.ai.

07

Your rights

Under GDPR Art. 15–22 and KVKK Art. 11, you have the following rights at any time:

  • Access — ask us what data we hold about you and receive a copy.
  • Rectification — correct anything that is inaccurate or incomplete.
  • Erasure — delete your account and all associated personal data ("right to be forgotten").
  • Restriction — limit how we process your data while an issue is being resolved.
  • Portability — export your data in a structured, machine-readable format (JSON).
  • Objection — object to processing based on legitimate interest, including profiling.
  • Withdraw consent — for anything based on consent, at any time, without penalty.
  • Lodge a complaint — with a supervisory authority. In Germany this is the competent Landesdatenschutzbeauftragter; in Turkey it is the KVKK Kurumu.

08

Security

All traffic is encrypted with TLS 1.2+. Passwords are handled by Firebase Auth and never seen by us in plain form. Database connections are encrypted, backups are encrypted at rest, and access to production systems requires SSH key authentication.

If a data breach ever affects your personal information, we will notify the supervisory authority within 72 hours as required by GDPR Art. 33, and notify you directly without undue delay if the breach is likely to result in a high risk to your rights.

09

Children

CVVia is intended for job seekers aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you believe a child has signed up, contact us and we will delete the account.

10

Changes and how to contact us

We may update this policy when we add features, change processors, or update legal requirements. Material changes will be announced via email and an in-app banner at least 14 days before they take effect.

To exercise any right, ask a question, or file a complaint, write to privacy@cvvia.ai or dpo@cvvia.ai. We will respond within 30 days as required by GDPR Art. 12.