Compliance & Regulation

Last updated: May 15, 2026

CVeetje complies with the GDPR and the EU AI Act

CVeetje is a service of GroeimetAI (Dutch Chamber of Commerce 90102304, Apeldoorn). We process personal data primarily on infrastructure in the Netherlands (europe-west4), with encryption at all layers and strict access control. The AI functionality is classified as limited-risk under Regulation (EU) 2024/1689 ("AI Act") and meets the transparency obligations of Article 50.

Our four pillars

Data stays in the Netherlands

Account, profile and CV data is stored on Google Cloud in europe-west4 (Eemshaven). No primary data storage outside the EU.

Encryption at every layer

TLS in transit, Google-managed encryption at rest, AES-256 for stored API keys. We never have access to your password or plaintext API keys.

AI with human oversight

CVeetje is a limited-risk AI system under the EU AI Act. You always review generated content yourself before using it.

Full transparency

Which models we use, where data flows, which sub-processors we engage — all of it is public on this site, including this overview.

GDPR compliance

Controller: GroeimetAI, Fabriekstraat 20, 7311GP Apeldoorn, Netherlands.
Legal basis: contract performance (art. 6(1)(b)) for account data; consent (a) for analytics; legitimate interest (f) for security and abuse detection.
Data residency: primary storage in the Netherlands (europe-west4). International transfer to Anthropic (USA) under SCCs + TIA.
Retention: account data while active, then up to 30 days until final deletion; payment records 7 years (tax obligation).
Right to access, rectification, erasure, restriction, objection and data portability — exercisable via settings or info@groeimetai.io.
Data portability: in-app data export as structured JSON (GDPR art. 20).
Account deletion: self-service via Settings → Account → Delete account. Removes Auth, Firestore and Storage.
Data breaches: notification within 72 hours to the Dutch DPA and, where required, to data subjects.
Supervisory authority: Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl).

EU AI Act compliance

CVeetje is not a high-risk AI system within the meaning of Annex III. We do not evaluate, screen or select candidates on behalf of employers — CVeetje is purely a writing aid for the user themselves. Under Article 6(3)(b) we fall outside high-risk because the AI is intended to improve the result of a previously completed human activity (your own work experience, education, skills).

Risk classification: limited risk. Documentation available for supervisors.
Art. 50 transparency: before every AI action you see which model will be used (Platform AI or your own key).
AI output is clearly labelled as AI-generated. The user always reviews and edits the output themselves.
AI literacy (art. 4): this page, /ai-transparency and in-app explanations contribute to understanding what AI does and does not do.
No prohibited practices (art. 5): no subliminal manipulation, no social scoring, no exploitation of vulnerable groups.
GPAI deployer: we consume Anthropic Claude (a general purpose AI model); own logging of inputs/outputs for incident review.
Strict anti-hallucination rules in prompts: AI must not invent experience, education or skills that are not in your profile.
Disputes flow: if the AI generates something wrong, you can report it; a gatekeeper LLM reviews the objection and regenerates correctly.

Documents and pages

Privacy Policy

GDPR art. 13: purposes, legal basis, retention, your rights.

Terms of Service

Credits, BYOK, liability, right of withdrawal.

AI Transparency

EU AI Act art. 50 — models, purposes, limitations.

Sub-processors

Public list of all engaged sub-processors (art. 28 GDPR).

Cookie Policy

Which cookies we use and how to withdraw consent.

Contact and complaints

Privacy or AI questions, DPA request, or report a data breach?

info@groeimetai.io · GroeimetAI · Fabriekstraat 20 · 7311GP Apeldoorn

You always have the right to lodge a complaint with the Dutch Data Protection Authority (autoriteitpersoonsgegevens.nl).