Effective as of: May 11, 2026
Last updated: May 21, 2026
This Privacy Policy explains how Tolga A. Unold, operating under the trade name myApplicantBot.de ("we", "us", "our"), collects, processes, and protects personal data when you use our AI-powered career application service.
We are committed to processing your data transparently and lawfully, in full compliance with the General Data Protection Regulation (GDPR / EU 2016/679), the Federal Data Protection Act (BDSG), and applicable international data protection law.
For all data protection inquiries, please contact us at the email address above.
Data: Email address, password (stored as irreversible Argon2id hash), session token, IP address (hashed in session record), browser type, login timestamp.
Purpose: Creation and management of your account, authentication, prevention of unauthorized access, and sending important service emails (email verification, login confirmation, password reset).
Legal basis: Art. 6(1)(b) GDPR – performance of a contract; Art. 6(1)(f) GDPR – legitimate interest in service security.
Retention: Email address and password hash: until your account is deleted plus up to 30 days for residual cleanup. Login attempts (IP address + timestamp): automatically deleted after 90 days. Active session records: deleted immediately after logout or expiration.
Data: CV/resume data (personal details, work experience, education, skills, languages, certificates entered or uploaded by you), attachment PDFs (e.g. diplomas, reference letters), job descriptions and applications created by you.
Purpose: Provision of the core service – AI-powered CV analysis, cover letter generation, job ad analysis, and career planning.
Legal basis: Art. 6(1)(b) GDPR – performance of the contract concluded with us.
Storage: Your career content is encrypted with AES-256-GCM before being stored on our WebDAV file server. We use password-based end-to-end encryption: A random file key (FK) is protected solely by a user-specific key (UEK) derived from your password using Argon2id. The UEK is never stored persistently – neither in the database nor on the file server. This means: even the platform operator cannot read your stored data without your active session. Neither the storage provider nor third parties can view your files in plaintext.
Note on password reset: Since your data is secured exclusively with your password, a password reset results in permanent loss of all stored career data. We recommend regularly backing up important data locally.
Retention: Until you delete the data or close your account, plus up to 30 days for deletion processing. You can delete individual documents at any time in your profile.
What happens: When you request an AI-generated document (e.g. parse CV, generate cover letter), the relevant text provided by you is sent to an AI model. The AI generates structured outputs, which are returned to you and, if desired, stored in your account.
Provider: We use the Microsoft Azure OpenAI Service (EU data center region) for all processing of personal career data. Microsoft acts as our processor under a data processing agreement containing EU standard contractual clauses. Your data is processed exclusively within the European Economic Area and not transferred to the USA or other third countries.
No automated decisions with legal effect: The AI generates suggestions for your review. We do not use automated processing to make decisions about you that have legal or similarly significant effects within the meaning of Art. 22 GDPR. You always retain control over what is stored or used.
Legal basis: Art. 6(1)(b) GDPR – performance of the contract (the service is inherently AI-powered document creation).
We use only the following cookies:
These cookies are strictly necessary for the service to function. They are used solely for service provision and not for tracking, advertising, or analytics. No consent banner is required and no third-party cookies are set.
Legal basis: Art. 6(1)(b) GDPR – performance of contract; Art. 6(1)(f) GDPR – legitimate interest in secure session management.
We conduct aggregated, anonymized statistics on platform usage – e.g. how many job ads were analyzed on a given day, which job titles are most common, or the distribution of requested skills.
These statistics contain no personal data. No user IDs, session IDs, IP addresses, or other information are stored or linked to these statistics that would enable identification of a person. Qualification counts (e.g. "Education level: Bachelor") are kept only as aggregate counters; individual contributions are stored exclusively in a client-side encrypted snapshot in your personal WebDAV file and never written to the analytics database. This ensures k-anonymity at the aggregate level.
According to Recital 26 GDPR, anonymized data that cannot reasonably be used to identify a natural person is not subject to data protection law. Therefore, no legal basis under GDPR is required for this processing.
Data: Recipient's email address, subject, and content of transactional email.
Purpose: Sending account verification, MFA login, password reset, and (only with consent) marketing emails.
Provider: We use the SMTP service of Febas (Owner: Roman Baumgärtner), Ostlandstraße 5, 49565 Bramsche, Germany (mail.febas.net). Febas provides our email and security server (server location: Germany) and acts as processor under Art. 28 GDPR.
Legal basis: Art. 6(1)(b) GDPR (performance of contract) for transactional emails; Art. 6(1)(a) GDPR (consent) for marketing emails.
Retention: Email addresses are processed only while your account is active. Marketing emails are sent only with active consent; unsubscribe at any time via the link in the email.
Data: Company names from job ads entered by you (no personal PII).
Purpose: Automatic completion of company address in your application form to facilitate data entry.
Provider: OpenStreetMap Foundation (Nominatim service, nominatim.openstreetmap.org). This service is operated by the non-profit OpenStreetMap Foundation. Only company names – no user-related data – are transmitted.
Legal basis: Art. 6(1)(f) GDPR – legitimate interest in convenient address completion. Privacy Policy of OSMF: osmfoundation.org/wiki/Privacy_Policy.
Data: Optional free-text message, selected error categories, accessed page, language, user ID if logged in.
Purpose: Platform improvement and error analysis.
Legal basis: Art. 6(1)(f) GDPR – legitimate interest in quality assurance of the service.
Retention: Feedback entries are automatically deleted after 90 days.
Data: For a one-time payment, you are redirected to a payment page of Stripe, Inc. (or their EU subsidiary Stripe Payments Europe, Ltd.). Stripe collects and processes your payment data, billing name, billing address, and transaction amount directly. We receive only a non-sensitive payment confirmation (transaction ID, status) from Stripe – we never see or store your full card number, CVV, or other sensitive payment data.
Purpose: Processing your payment and fulfilling your purchase.
Legal basis: Art. 6(1)(b) GDPR – performance of contract (purchase agreement).
Controller for payment data: Stripe is an independent controller for the payment data they collect. Their processing is subject to the Stripe Privacy Policy. Stripe is certified under the EU-U.S. Data Privacy Framework and processes European payment data within the EEA or based on standard contractual clauses.
Retention: Transaction confirmations (non-sensitive) are retained for 10 years to fulfill statutory accounting obligations (§ 147 AO, § 257 HGB). Stripe retains payment data according to its own retention policy and applicable financial regulation.
Data: IP addresses, request timestamps, HTTP method, path, response code, user agent string.
Purpose: Detection and response to attacks, error diagnosis, ensuring service availability.
Legal basis: Art. 6(1)(f) GDPR – legitimate interest in secure and stable service operation.
Provider: The website myapplicantbot.de is hosted on servers of 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany. IONOS acts as processor under Art. 28 GDPR; a DPA is in place.
Retention: Maximum 90 days, then automatic deletion.
We only share personal data with the following categories of processors, each under binding data processing agreements:
We do not sell your personal data. We do not share it with advertisers, data brokers, or other parties not mentioned here.
All personal data processing takes place within the European Economic Area (EEA):
Stripe Inc. is independently responsible for your payment data and certified under the EU-U.S. Data Privacy Framework. Should further third-country transfers become necessary in the future, we will rely on Art. 46 GDPR (SCCs) and update this policy.
As a data subject under GDPR, you have the following rights, which you can exercise free of charge by contacting privacy@myapplicantbot.de:
We respond within 30 days (extendable by another 60 days for complex requests with notification). Identity verification may be required to process requests.
You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, workplace, or alleged infringement. Our competent supervisory authority is:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include:
No system is unconditionally secure. In the event of a data breach posing a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and affected users without undue delay if applicable.
The service is not intended for persons under 16 years of age. We do not knowingly collect personal data from children. If you suspect that we have inadvertently collected data from a person under 16, please contact us immediately for deletion.
We may update this policy to reflect changes to our service or legal requirements. We will inform registered users of material changes at least 14 days before they take effect by email or as required by law. The current version is always available at /txt/privacy_en.html. Continued use of the service after the effective date of an update constitutes acceptance.