Privacy Policy

1. Data Protection at a Glance

General Information

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally.

How is your data collected?

Some of your data is collected when you provide it yourself (e.g., by entering resume data into the application). However, these entries are primarily processed locally in your browser. Other data is automatically collected by our IT systems when you visit the website. This consists primarily of technical data (e.g., internet browser, operating system, or time of the page view).

Who is responsible for data collection on this website?

The data processing on this website is carried out by the website operator. Their contact details can be found in the "Note on the responsible body" section of this privacy policy.

2. General Notes and Mandatory Information

Note on the Responsible Body

The responsible body for data processing on this website is:

Maikel Hajiabadi
CVCanvas
Moselstraße 43
60329 Frankfurt am Main
E-Mail: cvcanvas.app+legal@gmail.com

Your Rights (Information, Deletion, Correction)

Within the framework of the applicable legal provisions, you have the right at any time to obtain, free of charge, information about your stored personal data, its origin and recipients, and the purpose of the data processing and, if applicable, a right to correction or deletion of this data. For this purpose, as well as for further questions on the subject of personal data, you can contact me at any time.

Furthermore, you have a right of appeal to the competent supervisory authority.

3. Hosting and Content Delivery Networks (CDN)

External Hosting (Netlify)

This website is hosted by an external service provider (host). CVCanvas uses the provider Netlify, Inc., 44 Montgomery Street, Suite 300, San Francisco, California 94104, USA for hosting.

The use of Netlify is for the purpose of a secure, fast, and efficient provision of the online offer by a professional provider (Art. 6 Para. 1 lit. f GDPR). Netlify uses a worldwide Content Delivery Network (CDN), through which data (such as your IP address) can be routed via servers all over the world to minimize website loading times. The resulting server log files (access data) are usually stored by Netlify for 30 days for security reasons and then deleted.

The data transfer to the USA is based on the standard contractual clauses of the EU Commission as well as on the EU-US Data Privacy Framework (DPF), under which Netlify is certified.

Order Processing: I have concluded a contract for order processing (AVV) for the use of the aforementioned service, which ensures that Netlify processes the personal data of our website visitors only according to my instructions and in compliance with the GDPR.

4. Data Collection in Our Application

Interaction with GitHub via Personal Access Token (PAT)

This application offers the possibility to interact directly with your GitHub account (e.g., to save or synchronize your resume data) via a GitHub Personal Access Token (PAT) voluntarily provided by you.

If you use this function, your browser establishes a direct connection to the servers of GitHub (GitHub, Inc., 88 Colin P. Kelly Jr. Street, San Francisco, CA 94107, USA). In the process, your IP address as well as the data you entered in the application are transmitted directly to GitHub and processed there.

I do not store your GitHub PAT on any servers at any time; it is only used temporarily locally in your browser to authorize API requests to GitHub on your behalf.

The data transfer to GitHub takes place exclusively on the basis of your active consent (Art. 6 Para. 1 lit. a GDPR) by voluntarily using the function and entering your token. Please note that GitHub as a US company transfers data to the USA. Further information on data protection at GitHub can be found here:

Use of Web-Storage (Local Storage)

To provide the CV builder and ensure that it functions, CVCanvas uses so-called web storage technology (local storage). In this process, your inputs (such as text data for the resume or locally processed profile pictures in Base64 format) are cached locally in the browser of your end device. This prevents your data from being lost in the event of an accidental reload of the page.

This data is processed exclusively locally on your end device and is not transmitted from it to any servers. I have no access to this locally stored data at any time.

The storage of this data is technically strictly necessary for the core function of the application. The legal basis for storing and reading the data on your terminal device is § 25 Para. 2 No. 2 TDDDG. The subsequent processing is based on my legitimate interest in a user-friendly provision of the service according to Art. 6 Para. 1 lit. f GDPR. The data remains on your end device until you manually clear your browser's storage (cache/local storage).

5. Account and User Data

Account and Profile Information

When you create a user account (via Google OAuth), we store your email address and name to manage your access and personalized data. Please note that premium features (Pro Pass and credit consumption) are only available to registered users. We also store information about your active subscriptions, your current credit balance, and metadata about AI usage (timestamps and token amounts) for billing purposes. We strictly do not store any input (prompts) or output (results) of the AI optimization on our servers.

6. Payment Processing

Transaction Handling via Stripe

We use the service provider Stripe (Stripe, Inc.) for the processing of payments. During the payment process, Stripe collects your payment information. We do not store sensitive payment data (like credit card numbers) on our own servers; we only receive status information regarding the transaction from Stripe.

7. Data Deletion & Retention

Scope of Deletion

Upon deleting your user account, your profile and all linked metadata (e.g., active subscriptions and usage logs) will be immediately and permanently deleted from our active database. Please note that resume data is stored exclusively in your browser's local storage and is not affected by server-side account deletion.

Legal Retention Obligations

Please note that we are legally required to retain transaction-related invoice data (specifically records of purchases made via Stripe) for a period of 10 years. This is done based on tax and commercial law requirements (e.g., in Germany according to AO and HGB). The legal basis for this is Art. 6 Para. 1 lit. c GDPR.

Storage via Stripe

These specific data remain stored with our payment service provider, Stripe, for the duration of the legal periods to ensure proper documentation for tax authorities.

8. Use of AI Services (Google Cloud Vertex AI)

Logging and Usage Metrics

On CVCanvas systems, we only log metadata of the AI requests, but not the content of your individual prompts. The following are stored:

Type of request: (e.g., "Resume Optimization", "AI Resume Parsing") to constantly improve our product offering.

Usage data: The number of tokens used or requests.

  • In the case of credit models: For correct billing and deduction of credits from your balance.
  • In the case of time-based Pro Passes: To ensure proper operation, for error diagnosis, and to enforce our Fair Use Policy (avoidance of abusive, automated use).

Data Protection and Training Exclusion

The protection of your data is our highest priority. When using the Google Cloud API (Vertex AI), the following security guarantees apply:

No model training: Google explicitly does not use your entered data (prompts) to train its global AI models. Your data remains in our isolated Google Cloud environment.

Data location: Processing occurs on servers within the European Union (Region: Frankfurt / europe-west3) to ensure an appropriate level of data protection in accordance with GDPR.

No permanent storage with the provider: The data is processed only transiently by Google to handle the request and is not permanently stored after generation is complete.

Type and Scope of Processing

To provide you with features for intelligent optimization and creation of resumes and cover letters, we use the Vertex AI platform from Google Cloud. In this process, the texts you enter are transmitted to and processed on Google's servers.

Temporary Storage

To ensure stable processing of AI requests, CVCanvas utilizes asynchronous background processes. The results generated by the AI are temporarily stored in our secure database for a short period (usually a few seconds, up to a maximum of 24 hours) until your browser successfully retrieves them. After this period, or once retrieved, these temporary results are automatically and completely deleted. Your data is used exclusively to provide the requested service and is never used for profiling, training, or any other purposes.

9. Web Analytics

Anonymous Web Analytics (PostHog)

To better understand how users interact with CVCanvas and to improve our services, we use the analytics tool PostHog (PostHog, Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA). To protect your privacy, we have configured PostHog in a strictly anonymous and cookieless manner.

Anonymous Tracking: We do not use any tracking cookies and do not store any personal identification in your browser. PostHog is configured to use memory-only persistence, meaning all session data is lost as soon as you close or reload the page.

Data Residency (EU): All data is sent to and stored on PostHog's European servers (Region: Frankfurt, Germany - https://eu.i.posthog.com) to ensure compliance with European data protection standards.

Session Recognition: For anonymous session recognition, a short-term hash value is generated on the server side, which is automatically deleted after 24 hours. This allows us to see interaction patterns (e.g., which themes are popular or how many resumes are exported) without being able to identify you as an individual.

The use of PostHog is based on our legitimate interest in the demand-oriented design and continuous optimization of our website (Art. 6 Para. 1 lit. f GDPR).

This is a machine translation of the original German version for your convenience. In case of discrepancies, the German version prevails.