Privacy Policy

Version: 2.5

Last updated: March 14, 2026

Privacy Policy

Thank you for your interest in our company. Data protection is a particularly high priority for us. You can visit our website and learn about our services without providing personal data. Using our AI-powered job application services requires registration with the data listed below.

1. Definitions

This Privacy Policy uses terminology from the General Data Protection Regulation (GDPR). Our goal is to keep it easy to read and understand – both for the general public and for our customers and business partners.

2. Name and address of the controller

Controller within the meaning of the GDPR:

EasyJobAI
Owner: Mario Michael Heinrich
Bahnhofstraße 55A
94469 Deggendorf
Germany
Email: team@easy-job.ai
Phone: +4915560907868

3. Legal bases for processing (Art. 6 GDPR)

We only process your personal data if one of the following legal bases applies:

  • Consent (Art. 6 (1) lit. a GDPR): For marketing emails, cookies and optional profile information.
  • Performance of a contract (Art. 6 (1) lit. b GDPR): For registration, application creation, payment processing and all platform services.
  • Legal obligation (Art. 6 (1) lit. c GDPR): For statutory retention periods and invoicing data.
  • Legitimate interests (Art. 6 (1) lit. f GDPR): For website analytics, security monitoring, fraud prevention and system optimization.

4. Collection and storage of personal data and the nature and purpose of its use

When you use our website, we collect the following data from you:

4.1 Automatically collected data (legal basis: Art. 6 (1) lit. f GDPR – legitimate interests)

  • Information about your browser and operating system
  • Your IP address (anonymized after 24 hours)
  • Date and time of your visit
  • Referring websites
  • Devices and endpoints used
  • Geographic origin (country/region)
  • Time spent on individual pages
  • Interaction data (clicks, scroll behavior)

Purpose: Ensuring technical functionality, website security, detecting abuse and improving our services.

5. Cookies and tracking technologies

We only use the cookies and services described below. Analytical tracking takes place exclusively after your consent.

5.1 Necessary cookies (legal basis: Art. 6 (1) lit. b and f GDPR)

These cookies are required to operate the website and provide our services:

  • easyjob_auth_token: Stores your sign-in status (session). Set by the server, HttpOnly and "secure" over HTTPS.
  • easyjob_remember_me: Remembers the "Stay signed in" option (flag only, no token).
  • easyjob_cookie_consent: Stores your cookie consent (necessary, functional, analytics) for up to 12 months.
  • Session / security cookies: We may set a session cookie related to CSRF protection for certain actions; this serves exclusively for security and fraud prevention.

Note: Theme (light/dark) is stored locally on your device (localStorage) only, not in cookies. A separate cookie for language preferences is not currently used.

5.2 Analytics services (legal basis: Art. 6 (1) lit. a GDPR – only with consent)

Only if you have consented to the "Analytics" category in cookie settings will we load:

  • Google Tag Manager (GTM): Enables us to evaluate usage statistics (e.g. page views, events) via the container we have configured. No personal data is shared with third parties for advertising purposes.
  • Microsoft Clarity: Provides anonymized analysis of user behavior (e.g. clicks, scrolling) to improve usability and performance. Clarity may produce session recordings; we use these exclusively in aggregated/anonymized form.

Without your consent, GTM and Clarity will not be loaded. You can withdraw your consent at any time (see below).

5.3 Managing your cookie settings

We do not use any marketing or advertising cookies; there is therefore no corresponding category in our settings. You can adjust your cookie settings at any time in your browser (e.g. block or delete cookies) or, via the cookie icon (biscuit) at the bottom left of the page, enable or disable the "Functional" and "Analytics" categories. Refusing or withdrawing consent for non-essential cookies does not restrict the core functions of the website (sign-in, application creation, payment); only analytics evaluations will then not be performed.

6. Registration and application process

Registration is required to use our application-creation service.

6.1 Mandatory data (legal basis: Art. 6 (1) lit. b GDPR – performance of a contract)

  • Your email address (for communication and account management)
  • Your name (to personalize applications)
  • Your gender (for the correct salutation in applications)
  • Your password (stored securely hashed)
  • Acceptance of the Terms of Service and Privacy Policy

6.2 Optional profile information (legal basis: Art. 6 (1) lit. a GDPR – consent)

  • Professional title
  • Phone number
  • Address
  • Your country of residence (for country-specific application standards and legal requirements)
  • Date of birth
  • Your nationality (for work-permit-relevant information and application optimization)
  • Language skills

6.3 Uploaded documents (legal basis: Art. 6 (1) lit. b GDPR – performance of a contract)

  • Resume
  • Certificates of employment
  • Certifications
  • Application documents

Security measures: All uploaded files pass through our intelligent CDR security check to protect against malware and harmful content.

6.4 AI headshots (facial images)

When using our AI headshot service, you upload a selfie or portrait photo that is processed into a professional headshot by AI models (Gemini 3 Pro Image or GPT Image 2.0).

  • Data processed: Your uploaded facial photo is transmitted to the selected AI provider (Google or OpenAI) for image generation.
  • Storage: The generated headshot is stored on our servers in the EU and is available via your gallery. It is deleted when your account is deleted.
  • No biometric identification: Processing is exclusively for image optimization (background, lighting, expression, clothing). No biometric identification within the meaning of Art. 9 GDPR takes place.
  • Legal basis: Art. 6 (1) lit. b GDPR (performance of a contract) – processing takes place at your explicit request to create a headshot.

6.5 AI-powered generation and the privacy of your contact details

The following applies when using AI models (Claude Sonnet 5, GPT 5.6 Terra, Gemini 3.1 Pro / 3.5 Flash, Mistral):

Cover letter generation and AI resume generator:

  • Name and contact details are not transmitted: Name, email address, phone number and address are not sent to the AI – only title, gender and professional information (experience, education, skills, languages, certifications).
  • AI resume generator: Name and contact details are not transmitted to the AI.

Resume analysis (upload & parse):

  • Mistral and DOCX/DOC/TXT: Your contact details are not transmitted to the AI. Best protection for your contact details.
  • PDF with OpenAI, Gemini or Claude: The original PDF including contact details is transmitted to the AI for analysis. If you want maximum protection of your contact details, choose Mistral for PDF resumes or upload DOCX/DOC.

Legal basis: Art. 6 (1) lit. b GDPR (performance of a contract) in conjunction with Art. 32 GDPR (security of processing).

For cover letters and the AI resume generator: your sensitive contact details are not transmitted to external AI providers. For resume analysis, you achieve the best protection by choosing Mistral or by using DOCX/DOC.

7. Data processing by AI and external service providers

We use artificial intelligence to create personalized cover letters and analyze resumes. We work with the following third-party providers:

7.1 AI service providers

7.1.1 Anthropic (Claude AI) – Ireland/EU/USA
  • Purpose: AI-powered cover letter generation, resume analysis and optimization
  • Models used: Claude Haiku 4.5 and Claude Sonnet 5
  • EU contracting party: Anthropic Ireland, Limited (for customers in the EEA, Switzerland and UK)
  • Legal basis: Art. 6 (1) lit. b GDPR (performance of a contract)
  • Data processing: Processing in EU regions (AWS Frankfurt, London, Paris) or the USA for optimal performance, secured by EU Standard Contractual Clauses (SCCs) pursuant to EU 2021/914
  • Data storage: Exclusively in the USA (30-day retention)
  • Data processing agreement: A Data Processing Addendum (DPA) is automatically part of the Commercial Terms
  • Privacy safeguards:
    • SOC 2 Type II and ISO 27001 certified
    • Your data is not used to train AI models
    • Data retention: 30 days, then automatic deletion
    • AES-256 encryption for data at rest, TLS 1.2+ for transit
    • EU data processing has been available since August 2025
  • Applicable law: Irish law for EU customers
  • Legal documents:
7.1.2 Mistral AI – France (🇪🇺 EU)
  • Purpose: AI-powered cover letter generation and resume optimization with EU data protection
  • Models used: Mistral Medium and Mistral Large
  • Contracting party: Mistral AI, Paris, France
  • Legal basis: Art. 6 (1) lit. b GDPR (performance of a contract)
  • GDPR advantage: 100% EU data processing in France – no third-country transfer required
  • Data processing agreement: Data Processing Agreement (DPA) in place
  • Privacy safeguards:
    • ISO 27001 certified
    • Your data is not used to train AI models
    • Zero Data Retention (ZDR) requested – currently in progress (standard retention per Mistral Privacy Policy)
    • End-to-end encryption with TLS 1.3
    • Full GDPR compliance as an EU company
  • Applicable law: French and EU law
  • Legal documents:
7.1.3 OpenAI (ChatGPT) – USA
  • Purpose: AI-powered cover letter generation, resume optimization and AI headshots
  • Models used: GPT 5.6 Terra (Premium) and GPT 5.6 Luna (Budget/Standard) for text generation, GPT Image 2.0 for AI headshots
  • Contracting party: OpenAI, L.L.C., USA
  • Legal basis: Art. 6 (1) lit. b GDPR (performance of a contract)
  • Data transfer: Processing in the USA, secured by EU Standard Contractual Clauses (SCCs)
  • Data processing agreement: Data Processing Agreement (DPA) in place
  • Privacy safeguards:
    • SOC 2 Type II certified
    • Your data is not used to train AI models (Zero Data Retention for API)
    • Data retention: 30 days, then automatic deletion
    • AES-256 encryption for data at rest, TLS 1.3 for transit
    • API call logging disabled for maximum privacy
  • Applicable law: US law with SCC safeguards
  • Legal documents:
7.1.4 Google (Gemini) – USA
  • Purpose: AI-powered cover letter generation, resume optimization and AI headshots
  • Models used: Gemini 3.1 Pro (Premium) and Gemini 3 Flash (Budget) for text generation, Gemini 3 Pro Image for AI headshots
  • Contracting party: Google LLC, USA
  • Legal basis: Art. 6 (1) lit. b GDPR (performance of a contract)
  • Data transfer: Processing and storage exclusively in the USA (no EU regions available), secured by EU Standard Contractual Clauses (SCCs) pursuant to Implementing Decision (EU) 2021/914
  • Data processing agreement: Data Processing Agreement (DPA) in place under the "Data Processing Addendum for Products Where Google Is a Data Processor"
  • Privacy safeguards:
    • SOC 2 Type II and ISO 27001 certified
    • No use for product improvement: For paid usage, Google does not use your prompts and responses to improve Google products
    • Data retention: Prompts and responses are logged for a limited period, exclusively to detect violations of usage policies and for required legal or regulatory disclosures. The data may be temporarily stored or cached in any country in which Google maintains facilities
    • AES-256 encryption for data at rest, TLS 1.3 for transit
    • Strict data protection policies under the Google Cloud Privacy Notices
  • Note for EU users: For users in the European Economic Area, Switzerland or the United Kingdom, the terms for paid services (no use for product improvement) also apply to free services
  • Note on third-country transfer: Unlike other AI providers, Google Gemini currently does not offer EU regions for data processing. All data is processed and stored in the USA. The transfer takes place on the basis of EU Standard Contractual Clauses (SCCs) and a Data Processing Agreement (DPA).
  • Applicable law: US law with SCC safeguards
  • Legal documents:

7.2 Job search and external job portals

7.2.1 External job aggregators – international job search
  • Purpose: Providing job listings via external job aggregators
  • Providers: External job portals and aggregators (EU/UK/USA)
  • Legal basis: Art. 6 (1) lit. b GDPR (performance of a contract)
  • Data processed:
    • Your search queries (job title, location, salary expectations)
    • Your location (city/region) for the job search
    • Search filters (radius, salary range, contract type)
  • No storage of personal search data: We do not store any personal data about your job searches on our servers. Search queries are not linked to your user account or permanently stored.
  • Data transfer: Only anonymized search parameters are transmitted to external job aggregators to retrieve relevant job listings
  • No disclosure of personal data: We do not transmit any personal identification data (name, email, user ID, etc.) to external job portals – exclusively anonymized search parameters without personal reference
  • Job data: Job listings returned by external portals are displayed temporarily but not stored on our servers
  • Data processing agreement: All external job aggregators act as processors under Art. 28 GDPR with corresponding data protection agreements

7.3 Hosting and infrastructure

7.3.1 Cloud hosting – EU
  • Purpose: Cloud hosting of our application
  • Legal basis: Art. 6 (1) lit. f GDPR (legitimate interests)
  • Server location: Exclusively EU West (Amsterdam, Netherlands)
  • Security: SOC 2 Type II, ISO 27001, automatic encryption
  • Data processing agreement: Data Processing Agreement (DPA) in place
  • GDPR advantage: No third-country transfer required
7.3.2 MongoDB Atlas – Germany (Frankfurt)
  • Purpose: Secure storage of all user data, applications and resumes
  • Provider: MongoDB, Inc.
  • Legal basis: Art. 6 (1) lit. f GDPR (legitimate interests)
  • Server location: Frankfurt, Germany (eu-central-1)
  • Security:
    • SOC 2 Type II and ISO 27001 certified
    • Encryption of all data at rest and in transit
    • Automated backups with encryption
    • High availability through replication
  • GDPR advantage: 100% EU data residency in Germany – no third-country transfer required
  • Data processing agreement: Data Processing Agreement (DPA) in place

7.4 Privacy safeguards for all third parties

  • Conclusion of data processing agreements (Art. 28 GDPR)
  • EU Standard Contractual Clauses for third-country transfers
  • Regular security audits and certifications
  • Encrypted data transmission (TLS 1.3)
  • Purpose limitation of data processing
  • No use of your data for AI model training without explicit consent
  • Right to erasure passed on to all processors

8. Payment processing and card details

8.1 Stripe – EU/USA

  • Purpose: Secure payment processing
  • Legal basis: Art. 6 (1) lit. b GDPR (performance of a contract)
  • Data processed: Payment information, transaction data, billing address
  • Security: PCI DSS Level 1 certified, the highest payment card standard
  • Server locations: EU and USA with Adequacy Decision
  • Retention: Payment data according to statutory retention periods (10 years)

Important: We do not store any card details on our servers. All sensitive payment data is processed directly by Stripe.

9. Email communication

9.1 Email delivery – EU/USA

  • Purpose: Transactional emails, system notifications and support communication
  • Legal basis: Art. 6 (1) lit. b GDPR (performance of a contract) and Art. 6 (1) lit. a GDPR (newsletter consent)
  • Data processed: Email address, name, subject, message content
  • Service provider: Professional email service
  • Server location: EU and international data centers with data protection safeguards
  • Security: Encrypted transmission, secure authentication
  • Certifications: ISO 27001 and SOC 2 certified
  • Email types:
    • Account verification and password reset
    • Application confirmations and status updates
    • Payment confirmations and invoices
    • Security notifications and important system updates
    • Support communication and technical notifications
    • Birthday emails with automatic vouchers (opt-out possible)
  • Opt-out: Newsletters via account settings; transactional emails are required for core functions

9.2 Automated email communication

  • Automatic emails: Birthday emails with vouchers and inactivity reminders
  • System emails: Automatic notifications for important events
  • Spam protection: Technical measures to prevent unwanted emails
  • Personalization: Content adapted to your usage and preferences

10. Your rights under the GDPR

You have the following rights, which you can exercise at any time via team@easy-job.ai:

10.1 Right of access (Art. 15 GDPR)

You can request a complete overview of all data we store about you, including origin, recipients and processing purpose.

10.2 Right to rectification (Art. 16 GDPR)

You can request the correction of inaccurate or incomplete data.

10.3 Right to erasure – "right to be forgotten" (Art. 17 GDPR)

You can request the complete deletion of your data if:

  • The data is no longer needed for the original purpose
  • You withdraw your consent
  • The data has been processed unlawfully
  • No statutory retention obligations prevent deletion

10.4 Right to restriction (Art. 18 GDPR)

You can request the restriction of data processing while a review is being carried out.

10.5 Right to object (Art. 21 GDPR)

You can object to processing based on legitimate interests. Objections to marketing emails are possible free of charge at any time.

10.6 Right to data portability (Art. 20 GDPR)

You can receive your data in a structured, machine-readable format (JSON/CSV export via account settings).

10.7 Right to withdraw consent (Art. 7 (3) GDPR)

You can withdraw any consent you have given at any time, with effect for the future.

10.8 Right to lodge a complaint (Art. 77 GDPR)

You can lodge a complaint with a data protection supervisory authority. For Bavaria: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).

11. Data security and technical safeguards

We use extensive technical and organizational security measures in accordance with Art. 32 GDPR:

11.1 Technical security measures

  • Encryption: Modern encryption for all data transmissions and stored data
  • Password security: Secure hashing of passwords with modern standards
  • User authentication: Multi-factor authentication and secure session management
  • Attack detection: Automatic detection and mitigation of cyberattacks
  • File security: Comprehensive scanning of uploaded files for malware
  • CDR system: Intelligent cleansing and reconstruction of documents
  • Security monitoring: Continuous monitoring and logging of security-relevant events
  • Access control: Role-based access permissions with different security levels
  • Data backup: Regular encrypted backups with secure retention
  • System hardening: Comprehensive security configuration following current standards

11.2 Organizational safeguards

  • Regular security training
  • Incident response plan
  • Data protection impact assessment for new features
  • Privacy by Design and Privacy by Default principles

12. Sharing data with third parties

We only share your data in the following cases:

12.1 Processors (Art. 28 GDPR)

All service providers listed above act as processors under corresponding agreements.

12.2 Legal obligations (Art. 6 (1) lit. c GDPR)

  • To authorities when required by law
  • To enforce our Terms of Service
  • To protect the rights and safety of our users and third parties

12.3 Never without a legal basis

We never sell, rent or transfer your data to third parties for their own business purposes.

13. Data storage and deletion

We only store your data for as long as legally permissible and operationally necessary:

13.1 Retention periods

  • Account data: Until account deletion. Inactive accounts (2 years without sign-in) are automatically deleted after a warning email. Backups are cleaned up per our backup policies (e.g. up to 30 days)
  • Application documents (cover letters, resumes): Until account deletion (voluntary or via automatic deletion of inactive accounts); then irreversible removal
  • Payment data: 10 years where legally required (§ 147 AO); card payment data is not stored by us (Stripe)
  • Log data / event data: Generally up to 90 days (security, fraud prevention; technically via automatic cleanup, among other things)
  • Email communication: Up to 3 years for customer support and legal evidence, unless a shorter period applies
  • Marketing data: Until consent is withdrawn
  • Security events: 90 days (low/medium severity), 180 days for high/critical severity (IT security, fraud prevention)
  • Activity data (e.g. IP / profile history): Limited retention (e.g. rolling, only the most recent entries) for account security

13.2 Automatic deletion

We have implemented automatic deletion processes that securely and irreversibly remove data after the retention periods expire:

  • Inactive accounts: Accounts inactive for at least 2 years are automatically deleted after a warning email (with deadline); all associated application documents are also removed
  • Regular cleanup: Automatic deletion of expired data (e.g. logs, security events)
  • Privacy-compliant deletion: Irreversible removal with no possibility of recovery
  • Logging: All deletion operations are documented
  • Optimized retention: Only necessary data is stored

Legal basis: Art. 6 (1) lit. f GDPR (legitimate interests) – data minimization and system security

14. Age requirement

Our services are exclusively intended for persons of legal age (18 years or older). Use by minors is not permitted.

15. International data transfers

Your data is generally processed in the EU. Data transfers outside the EU only occur under the following conditions:

15.1 Data processing within the EU

  • Database: MongoDB Atlas in Frankfurt, Germany – 100% EU
  • Hosting: Cloud hosting in the EU

15.2 Data transfers outside the EU

15.2.1 Processing in the EU (privacy-friendly)
  • Mistral AI (France): 100% EU data processing – no third-country transfer required
  • Advantage: Highest GDPR protection through complete EU data residency
15.2.2 Data transfer to the USA (for AI processing and storage)
  • Anthropic (Claude AI):
    • Processing: May take place in EU regions (AWS Frankfurt, London, Paris) or the USA
    • Storage: Exclusively in the USA (30 days)
    • Advantage: EU processing reduces latency and increases GDPR compliance
  • OpenAI (ChatGPT): Processing and storage exclusively in the USA (30 days)
  • Google (Gemini): Processing and storage exclusively in the USA (30 days)
  • Legal basis: EU Standard Contractual Clauses (SCCs) pursuant to Implementing Decision (EU) 2021/914
  • Contracting parties: Anthropic Ireland, Limited (for EU customers), OpenAI L.L.C., Google LLC
  • Safeguards:
    • Data Processing Addendum (DPA) with SCCs Module 2 (Controller → Processor)
    • UK Addendum for British users
    • Swiss Addendum for Swiss users
    • No use for AI training
    • Deletion after 30 days
    • SOC 2 Type II and ISO 27001 certification

15.3 Safeguards for all third-country transfers

  • To countries with an EU Commission adequacy decision
  • Through EU Standard Contractual Clauses (SCCs)
  • To certified companies with appropriate safeguards (SOC 2, ISO 27001)
  • With your explicit consent (if no other legal basis applies)

Transparency note: A complete list of our sub-processors is available on request at team@easy-job.ai.

16. Changes to this Privacy Policy

We may amend this Privacy Policy at any time to adapt it to current legal requirements. We will inform you of material changes in good time by email. Where changes concern processing based on your consent, we will obtain your renewed consent where necessary.

17. Contact for data protection

For questions about data protection or the exercise of your rights, you can contact us at any time:

17.1 Controller

EasyJobAI
Owner: Mario Michael Heinrich
Bahnhofstraße 55A
94469 Deggendorf
Germany
Email: team@easy-job.ai
Phone: +4915560907868

17.2 Data protection supervisory authority

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
Germany
Email: poststelle@lda.bayern.de
Website: lda.bayern.de