Privacy Policy (Datenschutzerklärung)
Last updated: February 2026
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Context Studios UG (haftungsbeschränkt)Kaiser-Friedrich Str. 6
10585 Berlin, Germany
Email: contact@myceve.app
Phone: +49-30-20096840
1.1 Privacy Contact
As a small enterprise with fewer than 250 employees, we are not required to appoint a formal Data Protection Officer under Art. 37 GDPR. For all privacy-related inquiries, please contact:
Email: contact@myceve.app
2. Overview of Processing Activities
myceve is an AI-powered career page builder that helps users create, adapt, and manage professional career pages and CVs. We process personal data in connection with the following activities:
- Account creation and management
- CV creation, editing, and storage
- AI-powered CV adaptation
- Payment processing for Pro subscriptions
- Analytics and product improvement
- Marketing and attribution
- Email communications
3. Processing Purposes, Legal Bases, and Data Categories
3.1 Account Creation and Management
| Aspect | Details |
|---|---|
| Purpose | Creating and managing user accounts, authenticating users, maintaining session state |
| Legal basis | Art. 6(1)(b) GDPR – Performance of a contract |
| Data categories | Email address, name, profile picture (if provided via social login), authentication tokens, session data |
| Retention | Duration of the account relationship; deleted upon account deletion request |
3.2 CV Creation and Storage
| Aspect | Details |
|---|---|
| Purpose | Enabling users to create, edit, store, and export CVs |
| Legal basis | Art. 6(1)(b) GDPR – Performance of a contract |
| Data categories | Full name, address, phone number, email, work history, education, skills, certifications, uploaded documents (PDF, DOCX), photos, videos |
| Retention | Anonymous CVs: 30 days; Incomplete CVs: 48 hours; Archived CVs: 90 days; Active CVs: duration of account |
3.3 AI-Powered CV Adaptation
| Aspect | Details |
|---|---|
| Purpose | Using artificial intelligence to adapt and optimize CVs for specific job postings |
| Legal basis | Art. 6(1)(b) GDPR – Performance of a contract (AI processing is part of the core service); Art. 6(1)(a) GDPR – Consent (you may withdraw via account settings, after which AI features are disabled but manual CV editing remains available) |
| Data categories | CV content (work history, education, skills), job posting text. For CV adaptation, personal contact details (name, email, phone) are excluded via data minimization. For cover letter generation, personal contact information is included as it is necessary for the letter format. |
| Processing | CV content is sent to Anthropic (Claude) for CV adaptation and cover letter generation, and to Google (Gemini) for ATS scoring, interview preparation, skills gap analysis, description generation, and content suggestions. Providers are located in the United States. |
| Retention | AI-generated adaptations are stored with the CV; AI providers do not retain data beyond the API request (per their data processing agreements) |
Important: You may withdraw your consent to AI processing at any time through your account settings. Without AI processing, you can still create and edit CVs manually.
3.4 Payment Processing
| Aspect | Details |
|---|---|
| Purpose | Processing payments for Pro subscriptions (€9/month or €90/year, or local currency equivalent via Stripe) |
| Legal basis | Art. 6(1)(b) GDPR – Performance of a contract |
| Data categories | Billing name, email address, payment method details (handled by Stripe), transaction history, subscription status |
| Retention | Payment records are retained as required by applicable tax and commercial law (§ 147 AO: 10 years; § 257 HGB: 6 years) |
3.5 Analytics and Product Improvement
| Aspect | Details |
|---|---|
| Purpose | Understanding how users interact with our service to improve the product, measure performance, and diagnose issues |
| Legal basis | Art. 6(1)(a) GDPR – Consent (for non-essential analytics cookies); § 25(1) TDDDG (consent required for non-essential storage on end devices) |
| Data categories | Page views, click patterns, session duration, device type, browser type, approximate location (country/city level via IP geolocation), anonymized usage data |
| IP handling | IP addresses used for geolocation are not stored in raw form; only the derived country/city is retained |
| Retention | Analytics data: 90 days; Audit logs: 365 days |
3.6 Marketing and Attribution
| Aspect | Details |
|---|---|
| Purpose | Measuring the effectiveness of marketing campaigns, attributing sign-ups to marketing channels |
| Legal basis | Art. 6(1)(a) GDPR – Consent; § 25(1) TDDDG (consent for non-essential cookies) |
| Data categories | Marketing click identifiers, referral source, campaign data, TikTok pixel events |
| Retention | Attribution data: 90 days; Consent records: 1 year |
3.7 Email Communications
| Aspect | Details |
|---|---|
| Purpose | Sending transactional emails (authentication, account notifications) and, where consented, marketing communications |
| Legal basis | Art. 6(1)(b) GDPR – Contract (transactional); Art. 6(1)(a) GDPR – Consent (marketing); Art. 6(1)(f) GDPR – Legitimate interest (service announcements) |
| Data categories | Email address, name, communication preferences |
| Retention | Duration of account; marketing consent records: 1 year after withdrawal |
4. Third-Party Recipients and Processors
We share personal data with the following categories of recipients, each acting as a data processor under a Data Processing Agreement (DPA):
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Clerk (clerk.com) | Authentication and user management | Email, name, profile picture, session tokens | United States |
| Convex (convex.dev) | Real-time database and file storage | All CV data, user profiles, uploaded files | United States |
| Anthropic (anthropic.com) | AI CV adaptation and cover letter generation (Claude) | CV content, job posting text. For cover letters: includes personal contact info (name, email, phone) as required for letter format | United States |
| Google (cloud.google.com) | AI-powered ATS scoring, interview preparation, skills gap analysis, description generation, content suggestions, and cover letter generation (Gemini) | CV content, job posting text. For cover letters: includes personal contact info | United States |
| Stripe (stripe.com) | Payment processing | Billing name, email, payment details, transaction data | United States / EU |
| PostHog (posthog.com) | Product analytics | Anonymized usage data, page views, events | EU (EU-hosted instance) |
| TikTok (tiktok.com) | Marketing attribution and pixel | Marketing identifiers, page view events, conversion events | United States / Singapore |
| Vercel (vercel.com) | Web hosting and edge delivery | IP address (transient), request metadata | United States |
| ipapi.co | IP geolocation (country/city detection) | IP address | United States |
| Resend (resend.com) | Transactional email delivery | Email address, name, email content | United States |
| Sentry (sentry.io) | Error monitoring and performance tracking | Error stack traces, browser metadata, anonymized session replay (with analytics consent) | United States |
5. International Data Transfers
Your personal data may be transferred to and processed in the United States and other countries outside the European Economic Area (EEA). For each transfer, we ensure appropriate safeguards are in place:
- EU-U.S. Data Privacy Framework (DPF): Where applicable, US-based processors are certified under the EU-U.S. Data Privacy Framework, providing an adequacy basis for transfers.
- Standard Contractual Clauses (SCCs): All US-based processors (Clerk, Convex, Anthropic, Google, Stripe, TikTok, Vercel, Resend, Sentry, ipapi.co) operate under EU-approved Standard Contractual Clauses as adopted by the European Commission.
- Transfer Impact Assessments (TIAs): We conduct transfer impact assessments for transfers to countries without an adequacy decision.
- EU-hosted services: PostHog analytics data is processed on EU-hosted infrastructure.
- Additional safeguards: Where applicable, we implement supplementary measures including encryption in transit and at rest, pseudonymization, and access controls.
6. Data Retention
| Data type | Retention period |
|---|---|
| Anonymous CVs (no account) | 30 days |
| Incomplete CVs (abandoned) | 48 hours |
| Archived CVs | 90 days |
| Active CVs (with account) | Duration of account |
| Server logs (IP addresses) | Not stored (only derived geolocation retained) |
| Audit logs | 365 days |
| Analytics data | 90 days |
| Consent records | 1 year after last update |
| Cookie preferences | 12 months |
| Payment records | As required by tax law (6–10 years per § 147 AO / § 257 HGB) |
| Account data (after deletion) | 14-day grace period (cancellable), then permanently deleted |
After the retention period expires, data is automatically and irreversibly deleted through scheduled cleanup processes.
7. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR. To exercise any of these rights, please contact us at contact@myceve.app.
7.1 Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether we process your personal data and, if so, to request access to that data along with information about the purposes, categories, recipients, and retention periods. You can also export your data directly through your account settings.
7.2 Right to Rectification (Art. 16 GDPR)
You have the right to request correction of inaccurate personal data and completion of incomplete data. You can also directly edit your CV data through the application.
7.3 Right to Erasure (Art. 17 GDPR)
You have the right to request deletion of your personal data. You can delete individual CVs or your entire account through the application settings. Account deletion includes a 14-day grace period during which you may cancel the request; after the grace period, all associated data is permanently and irreversibly deleted.
7.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request restriction of processing in certain circumstances, for example while we verify the accuracy of disputed data. You can activate processing restriction through your account privacy settings.
7.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON) and to transmit it to another controller. You can export your data through the account settings.
7.6 Right to Object (Art. 21 GDPR)
You have the right to object to processing based on legitimate interest (Art. 6(1)(f) GDPR), including profiling. Where we process your data for direct marketing, you can object at any time and we will cease processing for that purpose.
7.7 Rights Related to Automated Decision-Making (Art. 22 GDPR)
Our AI-powered CV adaptation constitutes automated processing that may produce legal or similarly significant effects (e.g., influencing job application outcomes). You have the right to:
- Request human review of any AI-generated CV adaptation
- Express your point of view regarding the automated decision
- Contest the automated decision
- Opt out of AI processing entirely through your account settings
AI processing is provided as part of the core service under Art. 6(1)(b) GDPR (contract performance) and Art. 22(2)(a) GDPR (necessary for contract performance). You may opt out of AI processing at any time via your account settings.
7.8 Right to Withdraw Consent
Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before the withdrawal. Consent can be managed through your account settings and the cookie consent banner.
8. Automated Decision-Making and Profiling
myceve uses AI (Anthropic Claude and Google Gemini) to automatically adapt CVs to specific job postings. This processing:
- Analyzes your CV content and the target job posting
- Rewrites and restructures sections to match the role requirements
- Generates confidence scores for each adaptation
- Provides source references linking adaptations to your original experience
We apply the following safeguards:
- Minimum confidence threshold of 0.75 for all AI-generated content; content below this threshold is flagged for manual review
- Source reference validation to prevent hallucinated information
- Data minimization: personal contact information is excluded from AI processing
- Users can review, edit, and reject any AI-generated content before use
- AI processing is enabled by default as part of the core service (Art. 6(1)(b) GDPR); users may disable it at any time
- Users can opt out at any time via account settings
9. Cookies and Tracking Technologies
We use cookies and similar technologies as described in our Cookie Policy. You can manage your cookie preferences at any time through the cookie consent banner. Non-essential cookies are only set after you have given consent in accordance with § 25 TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz).
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS 1.3/HTTPS) for all data transmission
- Encryption at rest for stored data
- Role-based access controls
- Secure authentication via Clerk (Google OAuth and email OTP)
- Automatic data deletion after retention periods expire
- Data minimization in AI processing pipelines
11. Children's Privacy
Our Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information as quickly as possible. If you believe we may have collected data from a child under 16, please contact us at contact@myceve.app.
12. Additional Regulations
12.1 German TDDDG (§ 25)
In accordance with § 25 of the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG, formerly TTDSG, renamed May 2024), we obtain consent before storing or accessing information on your end device that is not strictly necessary for providing the service (e.g., analytics and marketing cookies). Strictly necessary cookies (authentication, session management) are set without consent under § 25(2) TDDDG.
12.1a German BDSG
Where applicable, the provisions of the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), in particular §§ 26 (employee data processing) and 40 (supervisory authority powers), supplement the GDPR within the scope of this Privacy Policy.
12.2 CCPA / CPRA (California)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to opt out of the sale or sharing of personal information. For details, see our Do Not Sell or Share page.
12.3 Additional US State Privacy Laws
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other US states with consumer privacy legislation may have additional rights, including the right to access, delete, and opt out of certain data processing activities. To exercise these rights, please contact us at contact@myceve.app. We will respond within the timeframe required by your state's applicable law.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of the breach (Art. 33 GDPR). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Art. 34 GDPR), providing details of the nature of the breach, likely consequences, and measures taken to address it.
14. Profiling and Automated Processing Disclosure (Art. 13(2)(f) GDPR)
myceve uses automated processing (AI-powered CV adaptation) that may influence your job application outcomes. This processing analyzes your CV content against job posting requirements and generates adapted versions. The logic involved includes natural language analysis, keyword matching, and content restructuring. The envisaged consequences are that your CV may be more effectively tailored to specific roles, potentially improving application success rates. You retain full control to review, edit, or reject any AI-generated content before use, and may disable AI processing entirely via account settings.
15. Right to Lodge a Complaint
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.
The competent supervisory authority for Berlin is the Berliner Beauftragte für Datenschutz und Informationsfreiheit. A list of all German supervisory authorities is available at: www.bfdi.bund.de
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes that affect your rights, we will provide additional notice (e.g., via email or in-app notification).
17. Contact
For any questions regarding this Privacy Policy or your personal data, please contact:
Context Studios UG (haftungsbeschränkt)Attn: Data Protection
Kaiser-Friedrich Str. 6
10585 Berlin, Germany
Email: contact@myceve.app