Privacy Policy

CVeetje ("we", "us" or "our") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, store and protect your data when you use our website and services.

This policy applies to all users of CVeetje, including visitors to our website and registered users of our service.

By using CVeetje, you agree to the processing of your data as described in this privacy policy.

CVeetje is a service of GroeimetAI and is the data controller for the personal data collected through our service.

Business details: GroeimetAI Fabriekstraat 20 7311GP Apeldoorn The Netherlands

Chamber of Commerce (KvK): 90102304 VAT number: NL004787305B79 Email: info@groeimetai.io

For questions about this privacy policy or the processing of your personal data, you can contact us at the email address above.

When you create an account, we collect:

• Email address • Name (if provided) • Profile photo (if you sign in via Google or Apple) • Password (stored encrypted)

If you sign in via Google or Apple, we receive certain profile data from these services in accordance with their privacy policies.

To generate CVs, we collect the information you enter:

• Personal details (name, contact information, location) • Work experience and job descriptions • Education and certifications • Skills and competencies • Profile photos you upload • LinkedIn profile data (if you paste or import it) • Screenshots or documents of old CVs

You determine what information you enter. We recommend only sharing information that is relevant to your CV.

We automatically collect certain information about your use of the service:

• IP address and device information • Browser type and version • Pages you visit and features you use • Date and time of your visits • Referrer information (how you came to us)

This data is anonymized for analytical purposes.

We use your data for the following purposes:

• Providing our service: Generating CVs, cover letters and LinkedIn content based on your profile data.

• Account management: Creating and managing your account, processing payments, and tracking your credit balance.

• Communication: Sending important service messages, such as purchase confirmations or changes to our terms.

• Improving the service: Analyzing usage patterns to improve our service (anonymized data only).

• Fraud prevention: Detecting and preventing fraudulent or unauthorized use.

• Legal obligations: Complying with legal obligations, such as tax administration for payments.

We process your personal data based on the following legal grounds (in accordance with GDPR):

• Performance of a contract: Processing is necessary for providing the service you requested (Article 6(1)(b) GDPR).

• Consent: For certain processing we ask for your explicit consent, for example for storing your profile data (Article 6(1)(a) GDPR).

• Legitimate interest: For improving our service and preventing fraud, taking into account your interests and rights (Article 6(1)(f) GDPR).

• Legal obligation: For complying with legal obligations, such as tax legislation (Article 6(1)(c) GDPR).

We do not sell your personal data to third parties. We only share your data in the following situations:

• With service providers: See section 7 for an overview of the external services we use.

• With AI providers: When you generate a CV, your profile data is processed by the AI provider whose API key you provided (such as OpenAI, Anthropic or Google). This happens directly with your own API key.

• When legally required: If we are legally obligated to do so, for example by a court order.

• In case of business transfer: In the event of a merger, acquisition or sale of assets, your data may be transferred to the new owner.

We use Firebase from Google for:

• Authentication (login and account management) • Database (storage of your profiles and CVs) • Hosting of certain services

Firebase processes data in accordance with Google's privacy policy. Data may be stored in data centers within the EU or US. Google is certified under the EU-US Data Privacy Framework.

More information: https://firebase.google.com/support/privacy

We use Mollie for processing payments. When you purchase credits, your payment details are processed directly by Mollie. We only receive confirmation of payment, not your full payment details.

Mollie is based in the Netherlands and processes data in accordance with GDPR.

More information: https://www.mollie.com/en/privacy

For generating CV content, AI models are used in two ways:

1. Platform AI (our built-in AI): We offer Claude by Anthropic (currently Claude Opus 4.6) as an AI service. When using Platform AI, CVeetje is the data controller and Anthropic is the data processor. We have a Data Processing Agreement (DPA) with Anthropic. Your profile data and job posting text are sent to Anthropic (US) for processing. Anthropic does not use this data for training AI models (in accordance with their API terms for commercial use).

2. Own API key: You can bring your own API key from a supported provider, including OpenAI (GPT-4), Anthropic (Claude), Google (Gemini), and more than 20 other providers. When using your own key, your data is sent directly to your chosen provider. This processing falls under the privacy policy and terms of the respective provider.

For more information about how we use AI, see our AI Transparency page.

CVeetje makes limited use of cookies and local storage:

• Essential cookies: For the functioning of the website and remembering your login status. These are strictly necessary and do not require consent.

• Preferences: Your language preference and theme setting (light/dark) are stored locally in your browser.

• Authentication: Firebase places cookies for managing your login session.

We do not use tracking cookies or advertising cookies. We do not share cookie data with third parties for marketing purposes.

You can block cookies via your browser settings, but this may limit the functionality of the website.

We do not retain your data longer than necessary:

• Account data: Retained as long as your account is active. Upon deletion of your account, your data is permanently deleted within 30 days.

• Profile data: Retained as long as you save them in your account. You can delete profiles yourself at any time.

• Generated CVs: Retained in your account until you delete them or terminate your account.

• Transaction data: Retained for 7 years in accordance with legal requirements (tax legislation).

• Log data: Anonymized or deleted after 90 days.

Under the GDPR, you have the following rights regarding your personal data:

• Right of access: You can request what data we process about you.

• Right to rectification: You can have incorrect data corrected.

• Right to erasure: You can request deletion of your data ("right to be forgotten").

• Right to restriction: You can request restriction of the processing of your data.

• Right to portability: You can request your data in a structured format to transfer to another service.

• Right to object: You can object to processing based on legitimate interest.

• Right to withdraw consent: You can withdraw previously given consent at any time.

To exercise these rights, you can contact us at info@groeimetai.io. We will respond to your request within 30 days.

You also have the right to file a complaint with the Dutch Data Protection Authority (https://autoriteitpersoonsgegevens.nl) or your local supervisory authority.

Your data may be processed outside the European Economic Area (EEA), specifically:

• By Firebase/Google (US): Google is certified under the EU-US Data Privacy Framework and uses Standard Contractual Clauses (SCCs).

• By Anthropic (US) for Platform AI: When you use Platform AI, your profile data and job posting text are processed by Anthropic in the United States. We maintain Standard Contractual Clauses (SCCs) as safeguards for this transfer.

• By AI providers (US) with own key: OpenAI, Anthropic and Google are all based in the US. When using your own API key, processing takes place under the terms of the respective provider.

We take appropriate measures to ensure an adequate level of protection in accordance with Chapter V of the GDPR.

We take the security of your data seriously and have implemented appropriate technical and organizational measures:

• Encryption: All data is transmitted encrypted (HTTPS/TLS). API keys are stored encrypted with AES-256 encryption.

• Access control: Only authorized personnel have access to systems containing personal data.

• Infrastructure: We use secure cloud infrastructure (Google Cloud/Firebase) with enterprise-grade security.

• Passwords: Passwords are stored hashed and are not accessible in plain text.

Despite these measures, no method of data transmission or storage can be guaranteed to be 100% secure. If you suspect your data has been compromised, please contact us immediately.

CVeetje is not intended for children under 16 years of age. We do not knowingly collect personal data from children under this age.

If you are a parent or guardian and discover that your child has provided us with data without your consent, please contact us. We will immediately delete the data.

We may update this privacy policy from time to time to reflect changes in our practices or for legal reasons.

In case of significant changes, we will:

• Update the "last updated" date at the top of this policy • Inform you by email if you have an account • Show a notification in the application

We recommend regularly reviewing this privacy policy. Continued use of the service after changes constitutes acceptance of the updated policy.

For questions, comments or requests regarding this privacy policy or the processing of your personal data, you can contact us:

GroeimetAI Fabriekstraat 20 7311GP Apeldoorn The Netherlands

Chamber of Commerce (KvK): 90102304 VAT number: NL004787305B79 Email: info@groeimetai.io

We aim to respond to general questions within 5 business days and to requests regarding your rights under GDPR within 30 days.