Privacy Policy — Career Compile

1. Data Controller

The data controller responsible for your personal data is:

Career Compile

2. What Data We Collect

We collect only the data that is necessary to provide the service.

Account information

When you register, we collect your full name, email address, username, and a hashed password (or a Google account identifier if you sign up via Google). This data is required to create and manage your account.

Resume and career data

You may upload resume files (PDF, DOCX, images) and enter career-related information including work experience, education, skills, projects, and contact details. You may also add job applications, cover letters, interview notes, learning plans, interview playbooks, and company watchlists. All this content is yours and is stored solely to provide the service to you.

Usage data

We log which AI features you use (e.g. resume parsing, cover letter generation) together with token counts and estimated processing costs. This data is used only to display your own usage history in the Account section and is not shared or sold.

Analytics data

With your consent, we use Google Analytics 4 (GA4) with Consent Mode v2 to collect anonymised usage statistics such as page views and feature interactions. No personally identifiable information is sent to Google Analytics. You can decline analytics cookies via the cookie banner.

Profile photo

Profile photos are loaded from Gravatar based on the MD5 hash of your email address. We do not upload or store photos ourselves. Gravatar is an optional external service; if you do not have a Gravatar account, your initials are displayed instead.

3. Legal Basis for Processing

Contract (Art. 6(1)(b)):Processing your account data, resume content, and application data is necessary to provide the service you signed up for.

Consent (Art. 6(1)(a)):Analytics cookies are only placed after you give explicit consent via the cookie banner.

Legitimate interest (Art. 6(1)(f)):We log AI usage for transparency purposes so you can see how the service is used on your behalf.

4. How We Use Your Data

To create, authenticate, and manage your account.
To store and display your resumes, applications, and career data.
To send your resume text or job descriptions to an AI model in order to generate suggestions, cover letters, learning plans, and interview questions.
To monitor company career pages on your behalf (Watchlist feature).
To display your AI usage history and estimated costs in the Account section.
To improve the platform using aggregated, anonymised analytics (only with your consent).

We do not sell your data. We do not use your data for advertising. We do not use your data to train AI models.

5. AI Processing

Several features use AI to process your content. When you use these features, the relevant portions of your data (e.g. resume text, job description) are sent to an AI model and the response is returned to you. Processing happens on demand only when you trigger an AI action.

In production, AI processing is performed by Amazon Bedrock (Claude models via AWS), hosted within the EU (eu-central-1, Frankfurt, Germany). AWS processes data as a data processor on our behalf under standard contractual clauses. Your data is not used to train the underlying AI models.

AI-generated content (cover letters, suggestions, questions) is a tool to help you — always review it before use. We make no guarantees about the accuracy of AI outputs.

6. Third-Party Services

Service	Purpose	Location
AWS Cognito	Authentication	EU (Frankfurt)
AWS DynamoDB	Data storage	EU (Frankfurt)
AWS S3	File storage (resume uploads)	EU (Frankfurt)
Amazon Bedrock	AI processing	EU (Frankfurt)
Google Analytics 4	Anonymised analytics (consent only)	USA (SCCs apply)
Gravatar (Automattic)	Optional profile photos	USA (SCCs apply)

SCCs = Standard Contractual Clauses (EU Commission approved transfer mechanism).

7. Cookies

Strictly necessary cookies

We use cc_id_token, cc_access_token, and cc_refresh_token to keep you signed in. These are httpOnly, secure, SameSite cookies that expire within 1 hour (access/id) or 30 days (refresh). They are essential to the service and cannot be declined.

Analytics cookies (optional)

With your consent, Google Analytics 4 places cookies to measure anonymised usage. You can accept or decline these via the cookie banner shown on your first visit. You can change your preference at any time.

8. Data Retention

Account and career data — retained for as long as your account is active.
After a deletion request — when you request deletion (from your Account settings or by email), your account is deactivated immediately and all your personal data (DynamoDB records, S3 files, Cognito account) is permanently deleted within 14 days.
AI usage logs — anonymised AI usage records (token counts, estimated costs and timestamps, containing no name, email, or resume content) may be retained after deletion for accounting purposes. Once your account is deleted these records can no longer be linked back to you.
Server logs — CloudWatch logs may retain anonymised request logs for up to 30 days for security and debugging purposes.

9. Your Rights (GDPR)

As an EU/EEA resident you have the following rights under the GDPR:

Right of access (Art. 15):Request a copy of all personal data we hold about you.

Right to rectification (Art. 16):Correct inaccurate data via Account Settings or by emailing us.

Right to erasure (Art. 17):Request deletion of your account and all associated data.

Right to restriction (Art. 18):Ask us to pause processing of your data in certain circumstances.

Right to data portability (Art. 20):Request your data in a structured, machine-readable format.

Right to object (Art. 21):Object to processing based on legitimate interests.

Right to withdraw consent:Withdraw analytics consent at any time via the cookie settings.

To exercise any of these rights, email support@careercompile.com. We will respond within 30 days.

You can delete your account yourself from your Account settings (Danger Zone → Delete Account). Your account is deactivated immediately and all your data is permanently deleted after 14 days. If you change your mind during that period, email support@careercompile.com to cancel the deletion and restore your account.

To request a copy of your personal data (right to portability), use the Data Export feature in your Account settings. Your export (a ZIP containing all your data in machine-readable JSON format plus your uploaded files) will be ready within minutes. Alternatively, you can email support@careercompile.com with the subject "Data Export Request" and we will respond within 30 days.

You also have the right to lodge a complaint with your national data protection authority (e.g. the German BfDI or your local supervisory authority).

10. Data Security

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256, managed by AWS). Authentication tokens are stored as httpOnly cookies to prevent JavaScript access. We apply the principle of least privilege — each component accesses only the data it needs.

11. Children

Career Compile is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top. Material changes will be communicated via a notice on the platform. Continued use of Career Compile after changes constitutes acceptance of the updated policy.

13. Contact

For any privacy-related questions or to exercise your rights, contact us at: support@careercompile.com