This GDPR notice explains how Job4Talents handles account data, CV and application documents, AI workflows, billing, public sharing, local storage, cookies, and data-rights requests.
Last updated: 11 June 2026
Privacy contact
security@j4t.at
Guest documents, import staging, private vault material, and many preferences stay in browser storage unless you sign in and enable cloud features.
Hosted AI sends the prompt and selected document context through the Job4Talents server to the configured provider. Local Ollama keeps model processing on your device unless you choose a cloud-backed runtime.
A resume is public only when you publish a share link. You can unpublish it, and the published snapshot is separated from your private workspace document.
You can request access, correction, deletion, restriction, portability, objection, or consent withdrawal at security@j4t.at.
The table maps the product surfaces in this repository to the main GDPR notice fields: data categories, purposes, legal bases, and retention.
| Activity | Personal data | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Account and authentication | Email address, user id, session cookies, profile settings, selected language, account status, and security metadata. | Create and secure accounts, keep users signed in, route magic links, apply access rules, and provide support. | Contract performance, legitimate interests in security, and legal obligation where records must be kept. | For the account lifetime, then deleted or anonymized unless needed for legal, security, or billing records. |
| CVs, cover letters, documents, templates, and imports | Document text, names, contact details, photos, education, employment history, skills, imported PDFs/DOCX/text, template settings, and local editing metadata. | Build, edit, import, export, synchronize, recover, and render application documents. | Contract performance. Special-category data is processed only when a user chooses to include it in their own document. | Local documents remain until the browser storage is cleared or the user deletes them. Cloud documents remain until deleted, account closure, or sync removal. |
| Private Vault and cloud sync | Encrypted vault material, passkey/device credential metadata, recovery state, cloud revision numbers, device ids, private document assets, and sync preferences. | Protect sensitive documents, coordinate device sync, recover document state, and enforce user-owned access. | Contract performance and legitimate interests in account and data security. | Until disabled, deleted, or account closure. Device credentials and private assets are removed when the relevant vault/sync records are deleted. |
| AI features and AI history | Prompts, selected document context, generated text, invalid JSON, issue summaries, provider/model metadata, token counts, latency, cost, workflow type, and scrubbed local-audit metadata. | Generate and improve CVs, cover letters, templates, translations, job-tailored variants, and AI history/usage reporting. | Contract performance for requested AI output and legitimate interests for abuse prevention, metering, reliability, and cost control. | Content-bearing AI history has a 90-day target and can be scrubbed earlier in AI History. Usage, billing, and audit metadata may be retained for up to 7 years. |
| Billing and paid access | Stripe customer, checkout, invoice, payment, subscription, tax, product, price, credit grant, reservation, and webhook identifiers. | Process payments, prevent duplicate subscriptions, grant paid access, handle refunds/disputes, calculate tax, and reconcile usage. | Contract performance and legal obligations for accounting, tax, and dispute records. | Billing, Stripe, and ledger records are retained for up to 7 years unless a longer legal requirement applies. |
| Public resume sharing and analytics | Published resume snapshot, slug, publish status, no-index preference, signed analytics token, event id, session id, event type, section id, duration, viewed time, referrer domain, and browser family. | Host the public resume selected by the user, measure aggregate views and engagement, prevent forged analytics events, and let users unpublish. | Consent or contract performance for publishing; legitimate interests for privacy-preserving analytics and security. | Published snapshots remain until unpublished/deleted. Event rows cascade when the published resume is deleted. |
| Waitlist and product updates | Email, name, audience, locale, source path, marketing consent, submission count, hashed email/IP rate-limit keys, short-retention IP security events, user agent, origin, referrer, and accept-language. | Manage launch access, send requested updates, prevent spam and abuse, and maintain consent evidence. | Consent for marketing and legitimate interests for abuse prevention. | Signup rows remain until unsubscribe/deletion. Security events default to 30 days and are capped at 90 days. |
| Job application workspace | Role titles, company names, job URLs, locations, salary notes, status history, follow-ups, interview prep, story bank records, application-pack drafts, and imported job-posting evidence. | Organize applications, build tailored application packs, track outcomes, and generate user-requested drafts. | Contract performance and legitimate interests in providing reliable workspace features. | Local records remain until deleted by the user or browser storage is cleared. Cloud-sync records remain until deleted or account closure. |
| Security, diagnostics, logs, and abuse controls | Request metadata, IP-derived rate-limit keys, error categories, scanner path blocks, CSP/security headers, and operational logs with content redaction where possible. | Secure the service, diagnose failures, enforce rate limits, prevent abuse, and maintain service availability. | Legitimate interests in security, reliability, fraud prevention, and legal defense. | Kept only as long as needed for operations and security unless tied to billing, legal, or abuse evidence. |
The controller for this notice is Job4Talents, the operator of the Job4Talents web application. Privacy and security requests can be sent to security@j4t.at. If a specific production deployment is operated by a separate legal entity, its imprint or terms should identify that legal entity and postal address.
This notice applies to the first-party Job4Talents web app, serverless API routes, Supabase-backed cloud features, public resume hosting, hosted AI proxy, and browser-local product surfaces.
Job4Talents uses infrastructure and subprocessors that may receive personal data only where needed for the relevant feature. These include Supabase for authentication, database, storage, and realtime sync; Vercel or a similar hosting platform for app delivery and serverless functions; Stripe for checkout, subscription, tax, invoicing, and payment records; OpenRouter and the selected upstream AI model provider for hosted AI calls; and an optional external renderer for server-side PDF rendering.
Some providers may process data outside the European Economic Area. Where that happens, Job4Talents should rely on appropriate safeguards such as adequacy decisions, standard contractual clauses, data-processing agreements, or equivalent legal mechanisms required for the deployment.
The app uses necessary cookies and browser storage for authentication, language/theme preferences, local documents, editor recovery, private-vault state, recent AI model choices, and feature settings. These are not used for cross-site advertising.
Guest mode is local-first. If you do not sign in or enable cloud sync, your document workspace mainly stays in IndexedDB/localStorage on your device. Clearing browser storage, deleting documents, or signing out from shared devices may remove local data.
AI output is assistive. Job4Talents can suggest wording, translations, template structure, fit analysis, job-tailored variants, cover letters, and application materials, but users decide what to keep, publish, export, or send to employers.
The service does not make solely automated decisions that produce legal or similarly significant effects for users. Usage limits, paid-access checks, rate limits, and abuse controls may be automated, but they govern product access rather than employment eligibility or legal status.
Retention depends on the feature and legal basis. User-created local data remains on the device until deleted or browser storage is cleared. Cloud documents, templates, vault records, public resume snapshots, and application records remain until the user deletes them, disables the related feature, unpublishes, or closes the account, subject to backup and integrity windows.
Content-bearing AI history has a 90-day target and can be scrubbed earlier from AI History. Billing, credit, Stripe, tax, dispute, and usage metadata may be retained for up to 7 years. Waitlist security events default to 30 days and are capped at 90 days.
Subject to the conditions in the GDPR, you can request access, rectification, erasure, restriction, portability, objection to processing based on legitimate interests, and withdrawal of consent for consent-based processing. Send requests to security@j4t.at.
You also have the right to lodge a complaint with your local data-protection supervisory authority. If you are in Austria, that authority is the Austrian Data Protection Authority. If you are elsewhere in the EEA, you may contact your local supervisory authority.
The project uses row-level security for user-owned cloud data, private storage buckets for private document assets, public buckets only for intentionally published assets, signed analytics tokens for public resume events, rate limits, CSP/security headers, abuse-path blocking, and metadata-first admin views where possible.
No web service can guarantee absolute security. Users should avoid placing unnecessary sensitive or special-category data in CVs or public resumes, keep account access private, and unpublish links they no longer want public.
Job4Talents is intended for job seekers and professional users. It is not directed to children. If a child has provided personal data without appropriate permission, contact us so the data can be reviewed and removed where required.
This notice may change when product features, processors, retention rules, or legal requirements change. Material updates should be reflected by changing the last-updated date on this page.