Privacy Policy — EinfachBewerben

1. Data Controller

The data controller within the meaning of the GDPR is:

Pascal Lindenau
Email: support@lindenau.cloud

2. What Data We Collect

• Authentication (Apple Sign-In): We receive an anonymous user ID and optionally your name and email address from Apple.
• CV Data: Personal information (name, address, date of birth, phone, email, photo), professional information (work experience, education, skills, languages) that you enter in the app.
• Job Postings: Job posting texts that you paste or import into the app.
• Generated Content: AI-generated cover letters and applications.
• Photos for AI Generation: Photos you select for AI passport photo generation (may contain faces).
• Push Notification Tokens: Your device token for push notifications to inform you about completed generations.
• Purchase Receipts: Anonymized transaction receipts from Apple to unlock paid features.
• Diagnostic Data: If you have enabled Apple's "Share with App Developers", Apple may send anonymized crash reports.

3. Usage Statistics

We use our own analytics solution (no third-party SDK) to improve the app. You can disable collection at any time in the app settings.

We only collect:

• Event name and timestamp
• Device model, operating system and app version
• Anonymous session ID

No personal data is collected in usage statistics.

4. Face Data

Selfie photos that you select for AI passport photo generation contain face data. Because face data is sensitive, we treat it under stricter rules and ask for your explicit consent each time before any transfer takes place. The following describes our handling of face data in detail.

• What is collected: The selfie photos you actively select from your camera or photo library inside the AI Application Photo feature. We do not run any ambient or continuous face capture, and we do not access your photo library outside this flow.
• All planned uses: The selected photos are used solely as conditioning input to generate a stylised AI application photo at your request. They are not used to identify you, to authenticate you, to train a model, to enrich a profile, for advertising, or for any other purpose.
• Recipients: The selected selfie photos are transmitted via HTTPS through our server in Germany to Google Gemini (Google LLC, model "gemini-3.1-flash-image-preview") which generates the application photo. No other recipient receives face data.
• Storage location: On your device in the app's private SwiftData container; on our VPS in Germany only for the short delivery window; in transit at Google for the duration of the generation request.
• Retention: Google does not use commercial Gemini API data for model training under the Gemini API additional terms. On our server, generated photos are typically deleted immediately after successful delivery and at most after 48 hours. Selfie inputs uploaded to our object storage are removed once the generation pipeline finishes. We do not retain face data once the request is fulfilled.
• Biometric identifiers: We do not create, derive, store, or share biometric identifiers such as faceprints, embeddings, depth maps, face templates, or anti-spoofing vectors. Any on-device face framing for cropping/alignment is ephemeral and never leaves the device.
• User control and revocation: The transfer to Google Gemini occurs only after explicit, just-in-time consent in the app. You can revoke this consent at any time in Settings → AI Data Processing; the next AI photo generation will then ask for your consent again. Account deletion in the app removes all server-side data, including any in-flight inputs.
• Sharing with third parties beyond Google Gemini: No. Face data is not shared with anyone else.

5. How We Use Your Data

• CV and Job Postings: To generate tailored cover letters at your request.
• Photos: Exclusively for AI passport photo generation at your request.
• No tracking, no advertising, no profiling, no selling of your data.

6. Cloud Sync

Your CV and applications are synced with our server to enable cross-device access and data safety. In case of conflicts, the server version takes precedence (server-wins principle). Synced data is stored until account deletion.

7. Sharing and Disclosure

We rely on the following processors. In every case, transfers happen only after your explicit, just-in-time consent in the app, are protected by HTTPS, and are governed by data-processing agreements that contractually require equal or stronger protection than this policy provides. You can withdraw your consent at any time in Settings → AI Data Processing.

• Google Gemini (AI Image Generation): When you start an AI application photo generation, your selected selfie photos and the chosen style parameters are transmitted via HTTPS through our server to Google LLC's Gemini API (model "gemini-3.1-flash-image-preview"). Google does not use data submitted to the commercial Gemini API for training under the Gemini API additional terms. (ai.google.dev/gemini-api/terms)
• OpenAI (AI Text Generation): When you generate a cover letter, run the CV review, extract a CV from a PDF, or import a job posting from a URL, the relevant text — your CV data, the job posting, and the template/tone settings you chose — is transmitted via HTTPS through our server to OpenAI, L.L.C. (OpenAI API). OpenAI does not use API data to train models under the OpenAI API data-usage terms and retains it for at most 30 days for abuse monitoring before deleting it. (openai.com/policies/api-data-usage-policies)
• Our Server (Sync and Delivery): Your CV and applications are stored encrypted on our VPS in Germany for sync. Generated passport photos are temporarily cached only for delivery to your device and deleted afterwards.
• No Third-Party SDKs: We do not use any third-party tracking or advertising SDKs.
• No Selling: We do not sell or rent your data.

8. Where Your Data Is Stored

• Your Device: CV, applications, generated photos, and projects are stored in the app's private SwiftData container.
• Our VPS/Server (Germany): CV, applications, and generated photos (temporarily for delivery).
• Google Gemini (in-flight processing): Selfie photos are transmitted exclusively for generation via HTTPS and not retained for training under the Gemini API terms.
• OpenAI (in-flight processing): CV/job-posting/cover-letter text is transmitted exclusively for generation via HTTPS and retained for at most 30 days for abuse monitoring under the OpenAI API terms.

9. Retention

• On Your Device: Until you delete the data (you are in control).
• CV and Applications on Server: Until account deletion.
• Generated Photos on Server: Maximum 48 hours, typically deleted immediately after successful delivery. Selfie inputs are removed once the generation pipeline finishes.
• At Google Gemini: Not retained for training under the Gemini API terms. Standard request lifecycle storage only.
• At OpenAI: Not used for training under the OpenAI API terms. API data is retained for at most 30 days for abuse monitoring before deletion.

10. Your Rights

• Delete Account: You can delete your account completely in the app settings. This permanently removes all server and local data.
• View Data: Your data is accessible at any time within the app.
• Disable Statistics: You can disable usage statistics collection in the app settings.
• GDPR Rights: You have the right to access (Art. 15 GDPR), rectification (Art. 16 GDPR), and erasure (Art. 17 GDPR) of your personal data. Contact us at support@lindenau.cloud.

11. Security

All data transfers are encrypted via TLS. Local data benefits from Apple's device encryption. Access to our server is protected by access controls.

12. Children

The app is not intended for persons under the age of 16. We do not knowingly collect personal data from children under 16.

13. Changes to This Privacy Policy

We may update this privacy policy as the app evolves. The date above will be adjusted accordingly. Continued use of the app after an update constitutes acceptance of the revised terms.

14. Contact

EinfachBewerben — Privacy

support@lindenau.cloud