1. Privacy at a Glance
General Information
The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to personally identify you.
Data Collection on This Website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find their contact details in the section "Information about the responsible party" in this privacy policy.
How do we collect your data?
Your data is collected when you provide it to us. This may include data you enter in a contact form or when registering.
Other data is collected by our IT systems, either automatically or with your consent, when you visit the website. This is mainly technical data (e.g., internet browser, operating system, or time of page access). This data is collected automatically as soon as you enter this website.
What do we use your data for?
Some of the data is collected to ensure the website is provided correctly. Other data may be used to analyze your user behavior.
What rights do you have regarding your data?
You have the right to receive information about the origin, recipient, and purpose of your stored personal data free of charge at any time. You also have the right to request the correction or deletion of this data. If you have given consent to data processing, you can revoke this consent at any time for the future. You also have the right to request the restriction of the processing of your personal data under certain circumstances.
Furthermore, you have the right to lodge a complaint with the competent supervisory authority.
2. Hosting
We host the contents of our website with the following provider:
Vercel
Data location: We host the contents of our website via Vercel. Depending on the access location, delivery may occur via a global network; where technically available, we use EU regions for processing and storage.
Our database (Vercel Postgres, powered by Neon) is operated in the Frankfurt (Germany) region.
The provider is Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA (hereinafter "Vercel"). Vercel is a web hosting service. When you visit our website, Vercel collects various log files including your IP addresses.
For details, please refer to Vercel's privacy policy: https://vercel.com/legal/privacy-policy.
The use of Vercel is based on Art. 6(1)(f) GDPR. We have a legitimate interest in the most reliable presentation of our website. Vercel is certified under the EU-US Data Privacy Framework (DPF); data transfer to the USA is based on the EU Commission's adequacy decision (Art. 45 GDPR).
Data Processing Agreement
We have concluded a Data Processing Agreement (DPA) for the use of the above-mentioned service. This is a contract required by data protection law, which ensures that personal data of our website visitors is only processed according to our instructions and in compliance with the GDPR.
3. General Information and Mandatory Information
Privacy
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.
Information about the Responsible Party
The responsible party for data processing on this website is:
Benjamin Kruft
Kleiner Hirschberg 3
66539 Neunkirchen, Germany
Phone: +49 6821 40 22 480
Email: kontakt@bewerbungsfreund.de
Storage Duration
Unless a more specific storage period has been stated within this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a legitimate request for deletion or revoke consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g., tax or commercial law retention periods); in the latter case, deletion will take place after these reasons cease to apply.
Revocation of Your Consent to Data Processing
Many data processing operations are only possible with your express consent. You can revoke consent you have already given at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
SSL or TLS Encryption
This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address in your browser's address bar changes from "http://" to "https://" and by the lock symbol shown in the address bar.
4. Data Collection on This Website
Registration on This Website
You can register on this website to use additional functions. We only use the data entered for the purpose of using the respective offer or service for which you have registered. The mandatory information requested during registration must be provided in full. Otherwise, we will reject the registration.
Inquiry by Email or Phone
If you contact us by email or phone, your inquiry including all resulting personal data (name, inquiry) will be stored and processed by us for the purpose of processing your request. We do not pass on this data without your consent.
Interview Data and Retention Periods
When using our interview training, the following data is stored:
- Interview questions and your answers
- AI-generated feedback and ratings
- Chat messages with the AI coach
- Scores and evaluations
Retention Periods
- Anonymous users (without registration): Interview data is automatically deleted after 30 days.
- Registered users: Interview data remains stored until you delete it yourself or delete your account. You can delete individual interviews at any time in your dashboard.
Archiving and Deletion
We reserve the right to archive or delete detailed interview data (questions, answers, chat messages) after 24 months. A summary (date, position, score) will be retained. You will be notified by email at least 30 days before planned archiving.
Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in efficient data management).
Access by the Operator
For quality assurance, technical troubleshooting, and abuse detection, the operator may access stored interview data (questions, answers, feedback). Access is limited to the stated purposes and restricted to authorized persons.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring service quality and preventing abuse).
4a. Authentication via Third-Party Providers
Google OAuth
You can log in with your Google account. The following data is transmitted from Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to us:
- Email address
- Name
- Profile picture URL (optional)
- Google user ID
We do not have access to your Google password or other Google services.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
More information: Google Privacy Policy
LinkedIn OAuth
You can log in with your LinkedIn account. The following data is transmitted from LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) to us:
- Email address
- First and last name
- Profile picture URL (optional)
- LinkedIn user ID
We do not have access to your LinkedIn password, contacts, or other LinkedIn data.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
More information: LinkedIn Privacy Policy
Email Magic Link
Alternatively, you can log in passwordless via email. You will receive a one-time login link that is valid for 24 hours. Only your email address is processed.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
5. OpenAI API (AI-Powered Features)
Recipient: OpenAI API (provider: OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA).
Data Processed
Content you enter or upload as part of our AI features (e.g., answers, job descriptions, profile/job details, experience descriptions for the STAR generator; optionally PDFs) as well as context data required for providing the respective feature.
Confirmation Dialog Before AI Use
Before first use of AI features, you will be informed about data processing by OpenAI and asked to confirm usage. This confirmation is not consent within the meaning of Art. 6(1)(a) GDPR, but serves transparency and is part of contract performance (Art. 6(1)(b) GDPR). The confirmation is stored with version tracking and logged (see Section 13).
Legal Basis
We process your inputs/uploads to provide AI features (e.g., generating interview questions, feedback, evaluations, STAR answers). The legal basis is Art. 6(1)(b) GDPR (contract performance). AI-generated content is for practice purposes only and does not constitute professional advice.
Data Transfer to Third Countries (esp. USA)
As the provider OpenAI is based in the USA, personal data is transferred to the USA. OpenAI is certified under the EU-US Data Privacy Framework (DPF). Data transfer is based on the EU Commission's adequacy decision (Art. 45 GDPR). Additionally, Standard Contractual Clauses (SCCs) are in place. Details are available upon request at kontakt@bewerbungsfreund.de.
More information can be found in OpenAI's Privacy Policy.
Note: Please do not enter particularly sensitive data or upload corresponding documents, and do not transmit personal data of third parties without appropriate authorization.
5a. Resend (Email Delivery)
For sending emails (e.g., login links, confirmations, credit grant invitations), we use Resend (provider: Resend, Inc., San Francisco, USA).
What data is processed?
- Email address
- Name (optional)
- Email contents (login links, transaction confirmations)
- Delivery status (delivered, opened, error)
Data Location
Resend uses EU servers (Dublin, Ireland) for email delivery to European recipients.
Legal Basis
Processing is based on Art. 6(1)(f) GDPR (legitimate interest in reliable email delivery) and Art. 6(1)(b) GDPR (contract performance).
More information: Resend Privacy Policy
5b. Sentry (Error Monitoring)
For detecting and fixing technical errors, we use Sentry (provider: Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA).
What data is processed?
- Error reports (stack traces, error messages)
- Browser and device information
- URL of the affected page
- Anonymized IP address (last octets removed)
No personally identifiable user data (name, email) is transmitted to Sentry. This is filtered out before transmission.
Retention Period
Error reports are stored for 90 days and then automatically deleted.
Data Transfer and Legal Basis
Sentry is certified under the EU-US Data Privacy Framework (DPF). Data transfer is based on the EU Commission's adequacy decision.
Processing is based on Art. 6(1)(f) GDPR (legitimate interest in the stability of our website and in fixing errors).
More information: Sentry Privacy Policy
5c. Upstash Redis (Abuse Protection)
To protect against abuse and to limit request frequency (rate limiting), we use Upstash (provider: Upstash, Inc., San Francisco, USA).
What data is processed?
- Anonymized identifier (hashed IP address with daily rotating salt, or user ID)
- Request counters and time windows
No personal content (such as answers, questions, or email addresses) is transmitted to Upstash. IP addresses are irreversibly hashed before storage.
Retention Period
Request counters are automatically deleted after the time window expires (maximum 1 hour). The daily hash salt is renewed each day, preventing long-term tracking.
Legal Basis
Processing is based on Art. 6(1)(f) GDPR (legitimate interest in protecting against abuse and ensuring service stability).
More information: Upstash Privacy Policy
6. Payment Service Provider
Stripe
For payment processing, we use the payment service provider Stripe (provider: Stripe Technology Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland). Stripe handles the secure technical payment processing. VAT calculation is handled automatically via Stripe Tax.
When you make a payment via Stripe, your payment data (card information, name, address) is transmitted directly to Stripe. We do not store complete payment details ourselves – only the last 4 digits of your card, the card type, and expiration date for display in your account.
Stripe meets the requirements of PCI DSS Level 1 certification (highest security standard for payment data) and is GDPR compliant.
Legal basis: Art. 6(1)(b) GDPR (contract performance).
Details on data processing by Stripe can be found here: https://stripe.com/privacy.
7. Your Rights
You have the following rights:
- Right of access (Art. 15 GDPR): You can request information about your stored data.
- Right to rectification (Art. 16 GDPR): You can request the correction of inaccurate data.
- Right to erasure (Art. 17 GDPR): You can request the deletion of your data ("right to be forgotten").
- Right to restriction of processing (Art. 18 GDPR): You can request the restriction of processing.
- Right to data portability (Art. 20 GDPR): You can receive your data in a structured, machine-readable format. Use the data export function in your dashboard for this.
- Right to object (Art. 21 GDPR): You can object to the processing.
- Right to lodge a complaint: You can lodge a complaint with a supervisory authority.
Competent Supervisory Authority
Unabhängiges Datenschutzzentrum Saarland
Fritz-Dobisch-Straße 12
66111 Saarbrücken, Germany
Email: poststelle@datenschutz.saarland.de
Website: www.datenschutz.saarland.de
To exercise your rights, contact us at: kontakt@bewerbungsfreund.de
8. Cookies
Our website uses cookies. Cookies are small text files that are stored on your device and saved by your browser. Cookies do not cause any damage to your computer and do not contain viruses.
We only use technically necessary cookies for the functionality of our website:
Cookies Used
| Cookie Name | Purpose | Duration |
|---|---|---|
| authjs.session-token | Stores your login session for logged-in users | 30 days |
| authjs.csrf-token | CSRF protection for secure authentication | Browser session |
| authjs.callback-url | Stores the return URL after login | Browser session |
| bewerbungsfreund_session_id | Identifies anonymous users for interview assignment (without personal data) | 1 year |
| bf_referral | Stores referral code for referral program | 30 days |
Local Storage (localStorage)
In addition to cookies, we use your browser's local storage (localStorage) for the following technically necessary purposes:
| Key | Purpose |
|---|---|
| bf_ai_gate | Stores the AI usage confirmation status (version and timestamp) for non-logged-in users |
| bf_utm_data | Campaign tracking data (see Section 9) |
This data remains exclusively on your device and is not transmitted to servers unless required for the respective function.
Legal Basis
The use of these cookies and localStorage entries is based on Art. 6(1)(f) GDPR (legitimate interest in the technical functionality of the website) and Art. 6(1)(b) GDPR (contract performance for registered users). These are exclusively technically necessary storage items for which no consent is required (§ 25(2) TTDSG).
9. Campaign Tracking (UTM Parameters)
If you arrive at our website via an advertising link (e.g., from Google Ads, Facebook), we store information about the source locally in your browser (localStorage).
What data is collected?
- Advertising source (e.g., "google", "facebook")
- Marketing medium (e.g., "cpc", "email")
- Campaign name (e.g., "winter-2024")
- First visited page (landing page)
Retention Period
- In browser: 30 days (localStorage)
- On purchase: Data is linked to the transaction and retained for 10 years for tax purposes (§147 AO)
- On registration: Data is linked to your account (first-touch attribution)
Purpose
The data is used to analyze our advertising campaigns (e.g., "Which ad led to a purchase?"). We use this information exclusively internally to optimize our marketing spend.
Legal Basis
Processing is based on Art. 6(1)(f) GDPR (legitimate interest in analyzing the effectiveness of our advertising measures).
10. Referral Program
If you arrive at our website via a referral link (e.g., from a friend), we store the referral code in a cookie.
What data is collected?
- Referral code (anonymous identifier)
Retention Period
- In cookie: 30 days
- On registration: The code is linked to your account to grant both parties the promised benefits
Purpose
Storage serves the correct attribution of referrals so that both the referrer and the referred person receive their promised benefits.
Legal Basis
Processing is based on Art. 6(1)(b) GDPR (contract performance of the referral program) and Art. 6(1)(f) GDPR (legitimate interest in attributing referrals).
11. Pirsch Analytics (Web Analytics)
We use Pirsch Analytics to analyze website usage (e.g., page views, visitor statistics). The provider is Pirsch UG (haftungsbeschränkt), Pestalozzistr. 28, 91058 Erlangen, Germany.
What makes Pirsch Analytics special?
- No cookies: Pirsch does not use cookies
- No personal data: No IP addresses or fingerprints are stored
- EU-hosted: All data is processed in Germany
- GDPR compliant: No consent banner required
What data is collected?
- Number of page views (aggregated)
- Pages visited (without user association)
- Referrer (where visitors come from)
- Device type, browser, and country (anonymized)
Data Location
All data is processed and stored exclusively on servers in Germany.
Legal Basis
Processing is based on Art. 6(1)(f) GDPR (legitimate interest in optimizing our website). Since no personal data is processed, no consent is required.
More information: Pirsch Analytics Privacy
12. Automated Decision-Making and Profiling
AI-Based Evaluations
Our interview training uses AI models from OpenAI to evaluate your answers and generate feedback. This includes:
- Scoring: Evaluation of your answers based on quality, structure, and relevance (0-100 points)
- Feedback: Textual suggestions for improvement
- Sample answers: AI-generated example answers
No Legal or Similarly Significant Effects
These automated evaluations have no legal or similarly significant effects on you within the meaning of Art. 22(1) GDPR. The evaluations serve exclusively for training and practice purposes and have no influence on:
- Your actual job application chances
- Decisions by employers
- Your access to our services
- Pricing
Leaderboard
If you wish to publish your result on the public leaderboard, your score will be publicly visible. Participation is completely voluntary and only occurs with your explicit consent. You can have your entry removed at any time.
No Profiling for Marketing Purposes
We do not create profiles based on your interview data for advertising purposes. Your data is not used for personalized advertising or shared with third parties.
13. Logging and Audit Trail
Confirmation and Settings History
We permanently log your confirmations and settings to fulfill our obligation to provide evidence under Art. 7(1) GDPR:
- Confirmation dialog for use of AI features (OpenAI)
- Email marketing settings
- Leaderboard participation
- Terms of service acceptance
Stored data includes: timestamp, type of confirmation, anonymized IP address (only first two octets, e.g., 192.168.x.x).
Security Audit Log
To protect your account, we log security-relevant events:
- Login attempts (successful/failed)
- Password resets
- Account deletions
- Suspicious activities
Retention period: 30 days for security logs; confirmation/settings history is stored for evidence purposes.
IP Anonymization
IP addresses are anonymized before permanent storage. We only store the first two octets (e.g., 192.168.x.x instead of the full address). Identification of individual users is not possible.
Legal Basis
Art. 6(1)(c) GDPR (legal obligation to provide evidence of consents) and Art. 6(1)(f) GDPR (legitimate interest in account security).
14. Data Transfer to Third Countries
Some of our service providers may process personal data outside the EU/EEA (e.g., in the USA). In such cases, we ensure that the requirements of Art. 44 ff. GDPR are met and – where required – appropriate safeguards (e.g., Standard Contractual Clauses) are in place. Which service providers are affected is described in the respective sections (e.g., OpenAI, Vercel, Sentry, Resend). Information about safeguards is available upon request at kontakt@bewerbungsfreund.de.
Last updated: May 2026
Version: 1.1
We reserve the right to adapt this privacy policy so that it always complies with current legal requirements, or to reflect changes to our services in it. The new privacy policy will then apply to your next visit.