Privacy Policy

Last updated: 2026-05-17

This notice explains the processing of personal data when using the CorraV service (the “Service”) pursuant to Art. 13, 14 GDPR.

1. Controller

Wolfgang Rathgeb, Siemensstr. 14, 10551 Berlin, Germany
Email: hello@corrav.com

A data protection officer is not legally required. Please direct privacy requests to the address above.

2. Data processed

  • Account & sign-in data: email address, sign-in timestamps, registered passkeys (WebAuthn) if any.
  • CV content: everything you enter or upload (name, contact details, work history, education, skills, languages, free text, optional photo/image data). This may voluntarily include special categories of personal data under Art. 9 GDPR.
  • Generated documents: produced PDF files.
  • Technical data: server logs, IP address, timestamps, technically necessary session information.

3. Purposes and legal bases

  • Providing the Service (account, editing and storing CV content, PDF generation): Art. 6(1)(b) GDPR (performance of contract). Where you voluntarily enter special categories of personal data within the meaning of Art. 9(1) GDPR into your CV (e.g. data relating to health, religion or belief, trade-union membership or ethnic origin), their storage and processing to provide the Service is based solely on your explicit consent under Art. 9(2)(a) GDPR. Providing such data is voluntary and not required to use the Service; you may withdraw this consent at any time with effect for the future by removing the relevant content or deleting your account; the lawfulness of processing carried out before withdrawal remains unaffected. We do not request such data and advise against entering it; if you nevertheless enter special categories of personal data into free-text fields, by deliberately entering and saving that content you give your explicit consent under Art. 9(2)(a) GDPR to its storage for the provision of the Service. This consent is separate from acceptance of the Terms.
  • Passwordless sign-in (one-time codes by email, passkeys): Art. 6(1)(b) GDPR.
  • Security and abuse prevention (logs, rate limiting): Art. 6(1)(f) GDPR (legitimate interest in secure operation).
  • AI analysis and template creation: on request, CV content may be analysed by AI services and used to create or improve templates. This is carried out solely on the basis of your separate, explicit consent, which you may withdraw at any time (Art. 6(1)(a); additionally Art. 9(2)(a) for Art. 9 data). It is off by default, not a condition of using the Service, and independent of accepting the Terms. Withdrawal takes effect for the future and does not affect the lawfulness of processing carried out before withdrawal.
  • Statutory retention: Art. 6(1)(c) GDPR where applicable.

4. Recipients

We engage carefully selected service providers as processors under data processing agreements pursuant to Art. 28 GDPR:

  • Cloudflare (hosting, D1 database, KV storage) – Cloudflare Germany GmbH / Cloudflare, Inc., USA.
  • Hetzner Online GmbH, Germany – PDF rendering server.
  • Resend, Inc., USA – sending sign-in emails.
  • IONOS SE, Germany – mailbox for the contact address (handling your enquiries).
  • Mistral AI SAS, France – AI processing (only with consent).
  • Anthropic PBC, USA – AI processing (Claude; only with consent).
  • OpenAI (OpenAI Ireland Ltd. / OpenAI, L.L.C., USA) – AI processing (only with consent).

The third-party sign-in providers in Section 14 act as independent controllers and are not covered by this Section.

5. Third-country transfers

OpenAI Ireland Ltd. (the contracting party for users in the EEA) and Mistral AI process within the EU/EEA. Where processing is carried out by recipients in the USA (in particular Cloudflare, Resend and group-internal US entities of Anthropic and OpenAI), transfers rely, where the recipient is certified under the EU-US Data Privacy Framework, on the European Commission’s adequacy decision of 10 July 2023 (Implementing Decision (EU) 2023/1795, Art. 45 GDPR), and otherwise on the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).

6. Cookies

The Service uses only a strictly necessary session cookie for authentication (set on sign-in, not for anonymous visitors). It maintains your session and expires on session end or sign-out. There is no tracking, analytics or advertising. This cookie is consent-exempt under § 25(2) no. 2 TDDDG, as it is strictly necessary to provide the service you have expressly requested; no cookie banner is therefore required.

7. Retention and deletion

Account and CV data are stored for the duration of use. After account deletion the data is first kept in a recoverable state for up to 90 days (restore feature); where possible it is deleted within 30 days. After that period the data — including generated PDFs and intermediate storage — is permanently erased by an automated process, unless a statutory retention duty applies. On an explicit erasure request under Art. 17 GDPR we delete without undue delay, without waiting out the restore period.

Backups serve disaster recovery only and are not used to restore individual deleted records. Cloudflare D1 Time Travel rotates within roughly 30 days by design; an additional encrypted backup outside Cloudflare is kept for disaster-recovery purposes for at most 12 months and then deleted on rotation. If a backup is ever restored, data deleted in the meantime is removed again.

The processors we engage do not store CV content permanently; the AI services do not use the data for training and retain it only temporarily for security and abuse-prevention purposes under their data processing terms. Log files are kept briefly and deleted regularly.

8. Your rights

You have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21) to processing based on Art. 6(1)(f). You may withdraw any consent at any time with effect for the future.

You may lodge a complaint with a supervisory authority; the competent one for us is the Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59–61, 10555 Berlin, Germany. Without prejudice to that authority’s competence, you may also lodge a complaint with the supervisory authority of your habitual residence, your place of work or the place of the alleged infringement (Art. 77(1) GDPR).

9. Necessity of provision

Data required to perform the contract (in particular email address and CV content) must be provided to use the Service. The AI/template feature is entirely optional. Special categories of personal data you choose to include in your CV are not required to use the Service and are governed exclusively by Section 3.

10. No automated decision-making

No automated individual decision-making, including profiling, with legal effect under Art. 22 GDPR takes place. AI features are user-initiated tools and make no decisions about you.

11. Minors

The Service is intended for adults and is not directed at persons under 16. We do not knowingly process personal data of persons under 16. Use by minors is permitted only with the consent of a legal guardian; if we become aware of a minor’s data without the required consent, we delete it.

12. Data security

Connections are encrypted (TLS), and access to data is limited to what is necessary for operating the Service.

13. Third-party data in your CV

CV content may contain personal data of third parties (e.g. referees, former managers). You are responsible for being entitled to provide this data and for informing the persons concerned where required. Where CV content contains personal data of third parties, that data originates from your input and is not collected by us from the persons concerned (Art. 14(2)(f) GDPR). Affected third parties may exercise their rights via the email address above.

14. Third-party login (Single Sign-On)

If you sign in using a third-party provider (planned or offered: Google, Apple, LinkedIn, GitHub), we receive from that provider the data needed to create and authenticate your account (in particular your email address and, where available, your name). The legal basis is Art. 6(1)(b) GDPR (sign-in and authentication at your request). We obtain this data from the third-party sign-in provider you choose (Art. 14(2)(f) GDPR); we collect no further personal data from that provider. These providers are independent controllers for their own processing; their privacy notices apply. Some providers are based outside the EU (USA); transfers rely on the providers’ safeguards (including EU Standard Contractual Clauses). Using a third-party login is optional.

15. Changes

We update this notice if processing changes. We notify you of material changes by email or by a clear notice in the Service. The version published here applies.

This English version is provided for your information. For this privacy notice the German version is authoritative (see Section 15 of the Terms of Use); this does not limit your data-protection rights, which arise from the GDPR regardless of language version.