Privacy Policy

1. Introduction
Execuro UG (haftungsbeschränkt) (“we”, “us”, “our”), a company registered in Berlin, Germany (HRB 279608 B), operates the CV Upgrade platform (https://getcvupgrade.com and https://app.getcvupgrade.com), a CV improvement SaaS service.
We are committed to protecting your privacy and handling your personal data responsibly in compliance with:

EU General Data Protection Regulation (GDPR)
German Federal Data Protection Act (BDSG)
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and Québec Law 25

By using our website or app, creating an account, or purchasing a subscription, you consent to this Privacy Policy.

2. Data We Collect
We collect and process the following categories of data:
a) Account & Billing Data

First name, last name
Email address
Billing information (processed securely via Stripe)
Subscription type (monthly or one-time)

b) CV Content (User-Provided Data)

Personal details (name, email, phone, location, links such as LinkedIn, GitHub, personal website, X/Twitter)
Work experience, education, skills, certifications, languages, projects, awards, volunteer experience, publications, hobbies
Optional job descriptions or additional notes you submit for analysis
⚠️ Sensitive data: We do not request special categories of personal data (e.g., health, ethnicity, religion, political views). If you include such information in your CV, you do so voluntarily and at your own responsibility.

c) Technical & Usage Data

Cookies and analytics data (Google Analytics 4)
Device, browser, and IP information
Platform interactions (e.g., login, “auto-fix”, “manual fixes”, downloads)

d) Communication Data

Emails you send to us and notifications we send through Mailgun (transactional)
Newsletter or marketing emails sent via Brevo (only with your explicit consent)

3. How We Use Your Data
We use your data to:

Deliver our CV review, scoring, and improvement services
Provide AI-generated recommendations based on your CV (OpenAI API)
Process payments (via Stripe)
Manage accounts and authentication
Send transactional emails (Mailgun) and optional marketing emails (Brevo)
Analyze and improve our platform (Google Analytics)
Comply with legal and tax obligations
Maintain security and prevent fraud

We may also use aggregated or anonymized data for statistical or product-improvement purposes.

4. Use of AI (OpenAI)
We use OpenAI’s API to analyze CV content and provide recommendations. This means that portions of your CV text may be transmitted securely to OpenAI’s servers for processing.

Only necessary CV text is sent securely to OpenAI for processing
OpenAI does not use your data to train their models.
Data is transmitted over encrypted channels (HTTPS).
Standard Contractual Clauses (SCCs) are used to legally safeguard these transfers under GDPR.

5. Data Storage & Transfers

Your data is hosted on Heroku servers located in the United States.
By using our service, you acknowledge that your data will be stored and processed outside the EU/EEA.
We rely on SCCs and vendor DPAs (OpenAI, Heroku/AWS, Stripe, Mailgun, Brevo) to ensure adequate protection for international data transfers.

6. Data Retention

Active accounts: We retain your data for the duration of your subscription or account use.
Canceled accounts: Your CV data is kept for 30 days after cancellation and then deleted or anonymized.
User-initiated deletion: You can delete your account and data anytime via your account settings.
Backups and logs: may persist for up to 30 days for security and audit purposes.
We retain billing records and tax information for up to 10 years as required under German tax law.

We may retain minimal billing and transactional data as required by German tax law.
7. Legal Basis for Processing (GDPR)
We process your data based on the following legal grounds:

Art. 6(1)(b) GDPR – Contractual necessity (to provide our services)
Art. 6(1)(f) GDPR – Legitimate interest (improving services, preventing fraud)
Art. 6(1)(c) GDPR – Legal obligation (tax/accounting compliance)
Art. 6(1)(a) GDPR – Consent (for cookies, analytics, marketing emails)

8. Sharing of Data
We only share your personal data with trusted service providers:

Stripe (payment processing)
Heroku (Salesforce) (hosting)
OpenAI (AI-powered part of the CV Analysis engine)
Google Analytics (usage analytics)
Mailgun (Transactional emails)
Brevo / Sendinblue (Marketing emails)

We do not sell or rent your personal data to third parties.

9. Your Rights.
Depending on your jurisdiction, you have the following rights:

EU / EEA (GDPR): Access, rectification, erasure, restriction, objection, data portability, complaint to a supervisory authority.
Canada (PIPEDA / Québec Law 25): Access, correction, withdraw consent, and contact the Office of the Privacy Commissioner or Commission d’accès à l’information du Québec.
Other regions: Applicable local rights as per law.

You can exercise these rights at any time by contacting us at contact@getcvupgrade.com.

10. Cookies & Tracking
We use cookies for:

Authentication & session management
Analytics (Google Analytics)
Improving website functionality
Track marketing campaign performance

You can manage cookies via your browser settings.

11. Security
We implement technical and organizational measures such as encryption in transit (HTTPS), secure storage (AWS S3), role-based access, and regular audits.

However, no internet service is completely secure; we encourage you to use strong passwords and avoid sharing credentials.

12. Contact Us
Execuro UG (haftungsbeschränkt)
Registered in Berlin, Germany

Email:

privacy@ getcvupgrade.com (for privacy matters)
contact@ getcvupgrade.com (general contact)

Privacy Officer (Québec Law 25): the responsible person is reachable at privacy@ getcvupgrade.com
Supervisory Authority (EU): Berliner Beauftragte für Datenschutz und Informationsfreiheit
Website: https://getcvupgrade.com

September, 1 / 2025