Skip to main content

— Privacy

Your data, your rules.

CVVia is operated by MEDTIP GmbH (Passau, Germany) and serves users across the EU, Türkiye, and beyond. This policy explains — in plain English — what we collect, why, where it goes, and the rights you have over it under GDPR (EU 2016/679), KVKK (Law 6698), and the EU AI Act (Regulation 2024/1689).

Last updated: 2026-05-22

01

Who we are

CVVia is a product operated by MEDTIP GmbH, Innstraße 69b, 94032 Passau, Germany (HRB 13100, Amtsgericht Passau; USt-IdNr. DE361378149). MEDTIP GmbH is the data controller for the purposes of GDPR Art. 4(7) and the "veri sorumlusu" under KVKK Art. 3(1)(ı).

Managing director: Osman Nergiz. Questions about this policy or your data can always be sent to privacy@cvvia.ai. For formal data-protection requests we additionally monitor dpo@cvvia.ai.

02

What we collect

We only collect what the product genuinely needs. Everything below is tied to a real feature — we do not collect "just in case".

  • Account: email address, display name, and (if you sign in with Google) a profile photo from your Google account. Authentication is handled by Firebase Authentication; we never see your password in plain form.
  • Preferences: your UI language, theme, and chosen output language for AI content. Terms-of-service acceptance timestamp and version, and an age-confirmation timestamp (you confirm you are 16 or over at signup).
  • Profile content: basic profile information, uploaded CVs and documents, manual knowledge entries, and any other text you choose to provide to personalize your applications.
  • Generated materials: base CVs, tailored CVs, cover letters, ATS check results, interview practice sessions (including your answers), follow-up email drafts, and company research you trigger.
  • Application metadata: job positions you track, company information, position status, interview records.
  • Operational data: log data (request paths, response times, errors), rate-limit counters, background-task state, audit events of significant actions you take.
  • Website visitor data: minimal request data (IP, user-agent) kept briefly for security and abuse prevention; not used for advertising or profiling.
03

Why we process it (legal basis)

Under GDPR Art. 6 and KVKK Art. 5, we rely on the following legal bases:

  • Contract (Art. 6(1)(b) GDPR; Art. 5(2)(c) KVKK): to provide the CVVia service you signed up for — generating documents, running analyses, saving your work, sending operational emails.
  • Legitimate interest (Art. 6(1)(f) GDPR; Art. 5(2)(f) KVKK): keeping the service secure, preventing abuse and fraud, improving reliability, defending against legal claims. You can object at any time and we will assess the balance.
  • Consent (Art. 6(1)(a) GDPR; Art. 5(1) KVKK "açık rıza"): for anything optional, like non-essential cookies or any future marketing emails. You can withdraw consent at any time, without penalty and without losing access to the service.
  • Legal obligation (Art. 6(1)(c) GDPR; Art. 5(2)(a) KVKK): keeping invoicing and tax records for statutory retention periods (German HGB §257 — 10 years for invoices) if you become a paying customer.
04

How AI is used — and what it does not do

CVVia is an AI-assisted product. Our AI does not make decisions about you — it generates content for you, which you review and decide what to do with. There is no automated decision-making in the sense of GDPR Art. 22 (no automated hiring decisions, no credit checks, no profiling with legal effect). You remain the human in the loop.

When you use an AI-powered feature, the text needed for that feature (your CV content for a tailored CV, the job posting for an ATS check, your background summary plus answer for interview practice) is sent to a large-language-model provider through our self-hosted AI gateway. The providers we route to:

  • OpenAI Ireland Ltd. (Ireland; compute may extend to the United States) — primary LLM provider for CV tailoring, cover letters, ATS scoring, interview prep, follow-up emails, and embeddings.
  • Anthropic PBC (United States) — alternative LLM provider, used when configured.
  • Google LLC (United States) — Gemini models, used for some company-research and structured-extraction tasks.
  • Microsoft Corporation (United States) — text-to-speech for the optional interview-prep voice playback feature. Only the question text is sent; no microphone audio is sent there. Best-effort feature — may be temporarily unavailable; your browser's native speech synthesis is the fallback.
05

What AI providers do with your data

Provider retention: OpenAI retains API requests for up to 30 days for safety and abuse monitoring and then deletes them. Anthropic retains for up to 30 days. Google's API tier follows a comparable policy. Our AI gateway keeps request logs (metadata only, not full prompt bodies) for 14 days and then deletes them.

Training data: we use the API tiers whose contracts explicitly exclude your inputs and outputs from being used to train provider models. We do not opt your data into any "share with the provider for model improvement" toggle. If a provider ever changes this default, we will treat it as a material policy change and notify you in advance.

06

How long we keep your data

We keep your personal data only as long as it is useful to you or legally required. The table below lists every retention period we currently apply:

  • Authentication identity (Firebase Auth): until you delete your account, or 24 months of consecutive sign-in inactivity on a Free plan (30-day warning e-mail sent first).
  • Profile, uploaded documents, CVs, cover letters, interview sessions, chat history: until you delete your account or until inactivity-based suspension under the Free-plan policy above; on deletion, removed from primary storage within 30 days.
  • Off-site encrypted backups (EU region): 7-day rolling window — overwritten automatically.
  • Local panic-recovery database dumps on the production server: 3-day rolling window — overwritten automatically.
  • Audit log of significant user actions (anonymized after account deletion): 12 months — legitimate interest (abuse and fraud investigation).
  • Error-monitoring events: 90 days, with personal-data scrubbing applied before ingestion.
  • AI gateway request logs (no full prompt bodies retained): 14 days.
  • Contact-form inbound messages held in our Google Workspace inbox: 24 months — legitimate interest (follow-up correspondence).
  • DMARC aggregate reports for the cvvia.ai domain: 6 months.
  • Anonymized, non-identifying aggregate statistics (e.g. "X CVs generated this month"): may be retained indefinitely — this data cannot be linked back to you.
07

Who we share data with

We do not sell your personal data. Ever. The only third parties that see it are processors and sub-processors we need to deliver the service, each bound by a Data Processing Agreement (DPA) under GDPR Art. 28:

  • EU-based hosting provider (Germany) — production infrastructure. EU-only data residency for the primary application database and file storage.
  • Google Ireland Ltd. (Firebase Authentication, Google Workspace) — sign-in identity, operational e-mail hosting for our inbox.
  • Google LLC (Firebase Storage) — file hosting for profile photos and uploaded documents, in an EU multi-region.
  • EU-region object-storage and DNS provider — off-site encrypted backups and domain DNS.
  • EU-based e-mail delivery provider — transactional e-mail for the contact form and account notifications.
  • Error-monitoring provider — exception monitoring via an EU (Germany) endpoint; personal data is scrubbed by our SDK before send.
  • OpenAI Ireland Ltd., Anthropic PBC, Google LLC — AI model providers, used via our self-hosted AI gateway. See "How AI is used" above.
  • Microsoft Corporation — text-to-speech endpoint for the optional interview-prep voice feature.
  • A public web-search API — used for public job-discovery queries; no personal data is sent.
08

Current sub-processor list

For the canonical, always-current list of sub-processors — including legal entity, jurisdiction, the data category they handle, and the transfer mechanism — see our /subprocessors page. Before adding any new sub-processor that handles personal data we ordinarily notify you at least 14 days in advance by e-mail and an in-app banner. Where a security incident, a legal or regulatory obligation, or the unavailability of the current sub-processor requires us to switch faster, we notify you as soon as practicable and the 14-day notice period does not apply. You may object to a new sub-processor; if we cannot proceed without it, you may terminate your account and export your data first.

09

International transfers

Our primary infrastructure, database, and backups are in Germany and the EU. Some processors are headquartered in the United States but operate the services we use from EU regions.

When we use OpenAI, Anthropic, Google AI, or Microsoft Edge TTS endpoints, some data is processed in the United States. These transfers rely on EU Standard Contractual Clauses (Module 2 — Controller-to-Processor, 2021/914) combined with the EU-U.S. Data Privacy Framework certifications of those providers where available, and supplementary technical measures (TLS in transit, no-training contracts).

You can request a complete picture of which of your specific data has left the EU by e-mailing privacy@cvvia.ai.

10

Your rights

Under GDPR Art. 15–22 and KVKK Art. 11, you have the following rights at any time:

  • Access — ask us what data we hold about you and receive a copy (Art. 15 GDPR; Art. 11(1)(b)(c) KVKK).
  • Rectification — correct anything that is inaccurate or incomplete (Art. 16 GDPR; Art. 11(1)(e) KVKK).
  • Erasure — delete your account and all associated personal data; the right to be forgotten (Art. 17 GDPR; Art. 11(1)(e) KVKK).
  • Restriction — limit how we process your data while an issue is being resolved (Art. 18 GDPR).
  • Portability — export your data in a structured, machine-readable format (Art. 20 GDPR).
  • Objection — object to processing based on legitimate interest, including any future profiling (Art. 21 GDPR; Art. 11(1)(g) KVKK).
  • No automated decision-making about you — already excluded, see "How AI is used" (Art. 22 GDPR).
  • Withdraw consent — for anything based on consent, at any time, without penalty (Art. 7(3) GDPR; KVKK "açık rıza").
  • Lodge a complaint with a supervisory authority — see the section below.
11

How to exercise your rights — in one click

We try to make this concrete rather than buried in legalese. From your Settings page you can self-serve the most common requests:

For anything our self-service UI does not cover — a copy of all communications with us, a specific export format, anything else — e-mail privacy@cvvia.ai. We respond within 30 days as required by GDPR Art. 12; KVKK Art. 13's 30-day clock starts when we receive your written request.

  • Download my data — produces a structured ZIP containing your account JSON, uploaded documents, generated CVs and cover letters, and chat history. You'll receive a signed download link by e-mail within 24 hours; the link is valid for 24 hours.
  • Delete my account — permanently removes your account and personal data from primary storage within 30 days, with a cascade across all generated materials. Off-site backup copies are overwritten in the ordinary 7-day rolling cycle. Audit-log entries are anonymized but timestamps and action types are retained for legitimate-interest fraud and abuse investigations.
  • Rectification — edit any field directly in your profile and saved applications; for fields that aren't user-editable, e-mail privacy@cvvia.ai.
12

Security

All traffic to and from CVVia is encrypted with TLS 1.2 or higher (HSTS enforced; we hardened the chain to two years on the apex domain). Passwords are handled by Firebase Authentication and never seen by us in plain form. The primary database and Firebase Storage data are encrypted at rest by the provider. Off-site backups are encrypted at rest using AES-256.

Access to production systems requires SSH-key authentication; password login is disabled. Administrative access to our infrastructure and Firebase is protected with multi-factor authentication.

If a personal-data breach ever affects your information, we will notify the competent supervisory authority within 72 hours as required by GDPR Art. 33, and we will notify you directly without undue delay if the breach is likely to result in a high risk to your rights (Art. 34).

13

Children

CVVia is intended for job seekers aged 16 and over. At signup you confirm you are 16 or older — the timestamp of that confirmation is stored alongside your terms-acceptance record. We do not knowingly collect personal data from anyone under 16. If you believe a child has signed up, contact privacy@cvvia.ai and we will close the account and delete the data.

14

Supervisory authorities and complaints

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the supervisory authority of your country of residence. You also have the right to contact our supervisory authority directly:

  • Germany — Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany — our competent authority because MEDTIP GmbH is registered in Bavaria (Passau).
  • Other EU member states — the data-protection authority of your country (e.g. CNIL in France, AEPD in Spain, AP in the Netherlands). The European Data Protection Board maintains the current list.
  • Türkiye — Kişisel Verileri Koruma Kurumu (KVKK Kurumu). MEDTIP GmbH is established in the EU and does not have a representative in Türkiye; KVKK applications addressed directly to us at privacy@cvvia.ai will be handled within the 30-day statutory period.
15

Changes and how to contact us

We may update this policy when we add features, change processors, or update legal requirements. Material changes are announced via e-mail and an in-app banner at least 14 days before they take effect. The last-updated date at the top of this page always reflects the current version.

To exercise any right, ask a question, or file a complaint, write to privacy@cvvia.ai. We respond within 30 days as required by GDPR Art. 12 and KVKK Art. 13.