Privacy Policy

CVeetje ("we", "us" or "our") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, store and protect your data when you use our website and services.

This policy applies to all users of CVeetje, including visitors to our website and registered users of our service.

By using CVeetje, you agree to the processing of your data as described in this privacy policy.

CVeetje is a service of GroeimetAI and is the data controller for the personal data collected through our service.

Business details: GroeimetAI Fabriekstraat 20 7311GP Apeldoorn The Netherlands

Chamber of Commerce (KvK): 90102304 VAT number: NL004787305B79 Email: info@groeimetai.io

For questions about this privacy policy or the processing of your personal data, you can contact us at the email address above.

When you create an account, we collect:

• Email address • Name (if provided) • Profile photo (if you sign in via Google or Apple) • Password (stored encrypted)

If you sign in via Google or Apple, we receive certain profile data from these services in accordance with their privacy policies.

To generate CVs, we collect the information you enter:

• Personal details (name, contact information, location) • Work experience and job descriptions • Education and certifications • Skills and competencies • Profile photos you upload • LinkedIn profile data (if you paste or import it) • Screenshots or documents of old CVs

You determine what information you enter. We recommend only sharing information that is relevant to your CV.

We automatically collect certain information about your use of the service:

• IP address and device information • Browser type and version • Pages you visit and features you use • Date and time of your visits • Referrer information (how you came to us)

This data is anonymized for analytical purposes.

We use your data for the following purposes:

• Providing our service: Generating CVs, cover letters and LinkedIn content based on your profile data.

• Account management: Creating and managing your account, processing payments, and tracking your credit balance.

• Communication: Sending important service messages, such as purchase confirmations or changes to our terms.

• Improving the service: Analyzing usage patterns to improve our service (anonymized data only).

• Fraud prevention: Detecting and preventing fraudulent or unauthorized use.

• Legal obligations: Complying with legal obligations, such as tax administration for payments.

We process your personal data based on the following legal grounds (in accordance with GDPR):

• Performance of a contract: Processing is necessary for providing the service you requested (Article 6(1)(b) GDPR).

• Consent: For certain processing we ask for your explicit consent, for example for storing your profile data (Article 6(1)(a) GDPR).

• Legitimate interest: For improving our service and preventing fraud, taking into account your interests and rights (Article 6(1)(f) GDPR).

• Legal obligation: For complying with legal obligations, such as tax legislation (Article 6(1)(c) GDPR).

We do not sell your personal data to third parties. We share your data only in the following situations:

• With sub-processors: See section 7 and our public sub-processor page (/sub-processors) for the complete current list, including jurisdiction and legal safeguards.

• With AI providers: In Platform AI mode we send prompt data to Anthropic under a Data Processing Agreement (DPA) + EU Standard Contractual Clauses. In BYOK mode your profile data is sent directly to the provider of your choice under their own terms.

• Under legal obligation: When we are legally required to do so, for example following a court order or report to the Dutch DPA.

• In case of business transfer: In the event of a merger, acquisition or asset sale your data may be transferred to the new owner; you will be informed in advance and may delete your account before the transfer.

We use Firebase (Google Cloud) for:

• Authentication (Firebase Auth — sign-in and account management) • Database (Cloud Firestore — storage of profiles, CVs, transactions) • File storage (Cloud Storage — uploads, profile photos, generated files) • Hosting (Cloud Run for the web app)

Our production environment runs in europe-west4 (Eemshaven, Netherlands). Primary data is therefore stored in the Netherlands. Google is certified under the EU-US Data Privacy Framework and uses EU Standard Contractual Clauses for any intra-group transfers.

DPA: https://cloud.google.com/terms/data-processing-addendum Privacy: https://firebase.google.com/support/privacy

We use Mollie for processing payments. When you purchase credits, your payment details are processed directly by Mollie. We only receive confirmation of payment, not your full payment details.

Mollie is based in the Netherlands and processes data in accordance with GDPR.

More information: https://www.mollie.com/en/privacy

AI models are used for content generation in two ways:

1. Platform AI (our built-in AI): We offer Claude by Anthropic (currently Claude Opus 4.7). In Platform AI mode GroeimetAI is the controller and Anthropic is the processor. We have a DPA with Anthropic, including EU Standard Contractual Clauses (module 2). Your profile summary and job description are sent to Anthropic. Anthropic does not use this data for training AI models (Anthropic Commercial Terms of Service).

2. Your own API key (BYOK): You can bring your own API key from a supported provider (OpenAI, Anthropic, Google Gemini, Mistral, Groq, DeepSeek, Together, Fireworks, Azure, Cohere and others). In that case you are the controller vis-à-vis the provider, and CVeetje only stores your encrypted key (AES-256) plus your model choice.

The full current list of AI and infrastructure sub-processors is available at /sub-processors. More on how we use AI is at /ai-transparency.

CVeetje uses cookies and local storage as little as possible:

• Essential cookies: for the functioning of the website (sign-in, language preference, cookie consent). These are strictly necessary and require no consent (Dutch Telecom Act art. 11.7a(3)(a)(b)).

• Analytics cookies (optional): for anonymous usage statistics via Google Analytics 4. Only loaded after explicit consent, with IP anonymisation and no advertising features.

You can withdraw consent at any time via the "Cookie settings" button in the footer or via our cookies page (/cookies). Under GDPR art. 7(3), withdrawing is as easy as giving.

The full list of cookies and retention periods is at /cookies.

We do not retain your data longer than necessary:

• Account data: Retained as long as your account is active. Upon deletion of your account, your data is permanently deleted within 30 days.

• Profile data: Retained as long as you save them in your account. You can delete profiles yourself at any time.

• Generated CVs: Retained in your account until you delete them or terminate your account.

• Transaction data: Retained for 7 years in accordance with legal requirements (tax legislation).

• Log data: Anonymized or deleted after 90 days.

Under the GDPR you have the following rights regarding your personal data:

• Right of access: You can request which data we process about you. • Right to rectification: You can have inaccurate data corrected. • Right to erasure: You can request deletion of your data ("right to be forgotten"). Self-service via Settings → Account → Delete account. • Right to restriction: You can request that processing of your data be restricted. • Right to portability: You can download your data as a structured JSON file via Settings → Account → Export my data (GDPR art. 20). • Right to object: You can object to processing based on legitimate interest. • Right to withdraw consent: You can withdraw previously given consent at any time (e.g. cookie consent via your browser). • Right to information on automated decision-making: CVeetje does not make automated decisions with legal effects for you.

To exercise these rights, contact info@groeimetai.io. We will respond to your request within 30 days (free of charge for the first request per calendar year).

You also have the right to lodge a complaint with the Dutch Data Protection Authority (https://autoriteitpersoonsgegevens.nl).

Your data may be processed outside the European Economic Area (EEA), namely:

• By Anthropic (USA) for Platform AI: under EU Standard Contractual Clauses (module 2) and a completed Transfer Impact Assessment. Inputs/outputs are not used for model training.

• By Google (USA/intra-group): EU-US Data Privacy Framework + Standard Contractual Clauses. Primary storage is in europe-west4 (Netherlands) — only support data may be accessed from the USA.

• By GitHub (USA) for feedback issues: EU-US Data Privacy Framework + Microsoft DPA.

• By Firebase Trigger Email extension (us-central1): for sending transactional emails. Source data is in EU Firestore; only the ephemeral send queue runs in the USA.

For each transfer we have assessed that the level of protection of the GDPR remains safeguarded through adequacy decisions (EU-US DPF, UK), contractual safeguards (SCCs), technical measures (encryption) and organisational measures (access control, audit logging).

We take the security of your data seriously and have implemented appropriate technical and organisational measures:

• Encryption in transit: all traffic via HTTPS/TLS 1.2+. • Encryption at rest: all Firestore and Storage data is encrypted at rest by Google (AES-256, Google-managed keys). • API keys: user-stored API keys are separately encrypted with AES-256-GCM (env key ENCRYPTION_KEY). • Authentication: Firebase Authentication with optional OAuth providers (Google, Apple); passwords are hashed by Firebase — we never see your password. • Access control: server-side admin routes explicitly check permissions via verifyAdminRequest(); Firestore Security Rules scope to user level. • Abuse detection: reCAPTCHA v3 on register/login; rate limiting on critical endpoints. • Admin audit log: every admin action that touches personal data (impersonation, credit changes, role updates, account deletion) is immutably logged in a separate Firestore collection with admin UID, target UID, IP and timestamp (GDPR art. 32(1)). • Responsible disclosure: see /.well-known/security.txt for the responsible disclosure procedure. • Breach procedure: notification within 72 hours to the Dutch DPA per GDPR art. 33; notification to data subjects in case of high risk (art. 34).

Despite these measures we cannot guarantee 100% security. In case of a (suspected) data breach or security incident, please contact info@groeimetai.io immediately.

CVeetje is not intended for children under the age of 16. We do not knowingly collect personal data from children under this age.

When registering with email/password you must explicitly confirm that you are 16 years or older (GDPR art. 8). This confirmation is recorded in your account document as audit trail.

For registration via Google or Apple, those providers perform their own age verification according to their own terms.

If you are a parent or guardian and discover that your child has provided data to us, please contact info@groeimetai.io so we can delete the account.

We may update this privacy policy from time to time to reflect changes in our practices or for legal reasons.

In case of significant changes, we will:

• Update the "last updated" date at the top of this policy • Inform you by email if you have an account • Show a notification in the application

We recommend regularly reviewing this privacy policy. Continued use of the service after changes constitutes acceptance of the updated policy.

For questions, comments or requests regarding this privacy policy or the processing of your personal data, you can contact us:

GroeimetAI Fabriekstraat 20 7311GP Apeldoorn The Netherlands

Chamber of Commerce (KvK): 90102304 VAT number: NL004787305B79 Email: info@groeimetai.io

We aim to respond to general questions within 5 business days and to requests regarding your rights under GDPR within 30 days.