Privacy Policy

⚠️ DRAFT FOR BETA — NOT LAUNCH-READY Last updated: 2026-05-21 Effective: 2026-05-21

1. Who We Are (Data Controller)

Satyhra GmbH (hereinafter "Curilum", "we", "us", "our") is a GmbH incorporated in Switzerland.

  • Registered office: c/o ExpertFid & Audit AG, Zweigniederlassung Zürich, Strehlgasse 2, 8001 Zurich, Switzerland
  • Commercial register Nr.: CHE-424.838.119
  • General contact: satyhra@pm.me
  • Privacy contact: curilum@pm.me

For the purposes of the EU General Data Protection Regulation ("GDPR") and the revised Swiss Federal Act on Data Protection ("nFADP"), Curilum is the data controller for personal data you provide to us.

2. Scope

This Privacy Policy applies to:

  • The Curilum web application at curilum.vercel.app and related subdomains
  • Any data you provide when signing up, using the service, or contacting us
  • Data automatically collected through your use of the service

This Policy does not apply to third-party services you choose to link to Curilum (e.g., LinkedIn profiles you import) — those are governed by their own privacy policies.

3. What Data We Collect

3.1 Account Data

Provided by you at signup:

  • Email address
  • Hashed password (we never store passwords in plaintext — managed by Supabase Auth)
  • Beta invite code (during beta only)
  • Locale preference (EN / DE / FR)

3.2 Profile & Resume Data

Provided by you through the application:

  • Full name (first name, last name)
  • Contact details: email, phone number, address, postal code, city, country
  • Date of birth (optional)
  • Gender (optional)
  • Marital status (optional)
  • Work permit status (optional)
  • Availability / notice period (optional)
  • Professional photo (optional)
  • Signature image (optional)
  • Social/professional profile URLs (LinkedIn, GitHub, personal website)
  • Work history: employers, job titles, dates, responsibilities, achievements
  • Education: institutions, degrees, dates, coursework
  • Skills, languages, hobbies, projects
  • Work certificates (uploaded documents)
  • Certifications: professional certifications with issuer and date
  • Job applications: companies applied to, job descriptions, application dates, outcomes
  • Job descriptions: raw text of job postings (scraped or pasted by you)
  • Documents generated: resumes, cover letters (in multiple languages and versions)
  • Submitted files: documents you upload and attach to applications

3.3 AI Interaction Data

When you use AI features (resume tailoring, cover letter generation, certificate translation, etc.):

  • The portions of your profile/resume data sent to our AI provider for processing
  • AI-generated outputs (stored in your account)
  • Metadata: feature used, processing time, credit cost
  • Anonymized security telemetry (see Section 7 — AI Security)

3.4 Usage & Technical Data

Collected automatically:

  • IP address (pseudonymized after processing)
  • Browser type and version
  • Device type and operating system
  • Pages visited and actions taken within the app
  • Timestamps of sessions
  • Correlation IDs for request tracing
  • Error logs (scrubbed of PII before storage)

3.5 Payment Data (Post-Beta)

When paid plans launch, payment processing will be handled by a third-party payment processor ([PAYMENT_PROVIDER_TBD]). Curilum does not store full card numbers or banking details. We store only:

  • Subscription status and plan type
  • Billing history (amounts, dates, invoices)
  • Last 4 digits of payment method (for display only)

3.6 Communication Data

  • Emails you send to our support address
  • Newsletter subscription status (if you opt in)
  • Survey responses and beta feedback (if you provide them)

4. How We Collect Data

SourceWhat
Direct from youAccount, profile, resume, uploads
AutomaticallyUsage, technical, session data
From AI providersAI-generated outputs
From payment processorSubscription status (post-beta)

We do not purchase data from data brokers.

5. Why We Process Your Data (Purposes & Legal Bases)

Under GDPR Art. 6 and nFADP Art. 31, we process personal data on the following legal bases:

5.1 Contract Performance (GDPR Art. 6(1)(b))

To provide the core service:

  • Account creation and authentication
  • Storing and displaying your resume/profile data (including optional fields you choose to provide: date of birth, marital status, gender, headshot, signature)
  • Generating and saving AI-tailored documents
  • Managing your job applications and tracking
  • Processing payments (post-beta)
  • Customer support

5.2 Legitimate Interest (GDPR Art. 6(1)(f))

Where we have a legitimate interest that does not override your rights:

  • Security monitoring (preventing unauthorized access, detecting attacks)
  • Fraud prevention (abuse detection, canary token leak detection in AI responses)
  • Error tracking and user identification (user ID, name, email sent to Sentry for error correlation, incident response, and abuse identification)
  • Service improvement (aggregated, anonymized analytics)
  • Error logging and debugging (PII-redacted in application logs)
  • Defending legal claims

5.3 Consent (GDPR Art. 6(1)(a))

With your explicit consent, which you can withdraw at any time:

  • Marketing communications (newsletters, feature announcements)
  • Non-essential cookies and analytics

5.4 Legal Obligation (GDPR Art. 6(1)(c))

Where required by law:

  • Retention of billing records (Swiss Code of Obligations — 10 years)
  • Compliance with lawful authority requests
  • Tax and accounting records

6. How We Use AI (Automated Processing Disclosure)

6.1 What AI Does

Curilum uses large language models (LLMs) to:

  • Tailor resumes to specific job descriptions
  • Generate cover letters
  • Translate work certificates
  • Extract structured data from uploaded documents

6.2 AI Provider

Our current AI provider is Google Cloud Vertex AI (Gemini models), processing occurs in the European Union (europe-west4 region, Netherlands).

We use Vertex AI EU specifically to ensure EU data residency and enterprise-grade data processing terms.

6.3 AI Data Handling

  • No training: Google contractually guarantees that data sent via Vertex AI is not used to train their models
  • PII protection: Before sending any data to AI, we apply:
    • PII redaction for fields not essential to the task
    • Canary tokens to detect prompt-injection data leaks
    • Integrity tokens to verify response authenticity
  • Application-level logging: We do NOT log prompt content or AI response text in our application logs (Axiom) — only metadata (tokens used, duration, feature, error codes)
  • Cloud-level logging: AI requests and responses are logged within Google Cloud (BigQuery / Cloud Logging) for debugging, error resolution, and verifications. This data is retained for 90 days, then automatically deleted.
  • Retention at provider: Google may additionally retain data for abuse prevention per their DPA (typically 0–28 days)

6.4 Automated Decision-Making (GDPR Art. 22)

AI features assist you in creating documents. They do not make automated decisions with legal or significant effects about you. You always review and approve AI-generated content before use. You have the right to object to automated processing under Art. 21 GDPR.

7. Who We Share Data With (Sub-processors)

We share data with third-party service providers ("sub-processors") who help us operate the service. Each sub-processor is bound by a Data Processing Addendum (DPA) and processes data only on our instructions.

See our full Sub-Processor List for details. Summary:

ProviderPurposeLocationTransfer Mechanism
SupabaseDatabase, authentication, storageSwitzerland (Zurich, eu-central-2)DPA + Swiss region
VercelApplication hosting, CDNGlobal (EU edge)DPA + SCCs
Google CloudAI inference (Vertex AI)EU (europe-west4)DPA + EU region
ResendTransactional emailEUDPA + EU region
SentryError tracking, user feedbackEU (configured)DPA + EU region
AxiomLog aggregationEUDPA + EU region
[PAYMENT_TBD]Payment processingTBDTBD

We do NOT sell your personal data. We do NOT share it with third parties for their own marketing purposes.

8. International Data Transfers

Some sub-processors may process data outside Switzerland or the EEA. In such cases, we rely on:

  • EU–Swiss adequacy decision (for transfers between EU and Switzerland)
  • Standard Contractual Clauses (for transfers to third countries lacking adequacy)
  • Sub-processor DPAs with transfer safeguards
  • Enterprise data residency commitments (e.g., Google Cloud EU region pinning)

9. How Long We Keep Data (Retention)

Data CategoryRetention Period
Account dataUntil account deletion + 30 days (backup purge)
Profile / resume dataUntil deleted by user OR account closure
Generated documentsUntil deleted by user OR account closure
Job applicationsUntil deleted by user OR account closure
Billing records10 years (Swiss CO Art. 958f)
Security logs90 days
Application logs (PII-redacted)30 days (Axiom)
AI cloud logs (prompts/responses)90 days (Google Cloud)
Sentry error data90 days
Email communications3 years
Beta feedbackUntil end of beta + 12 months
Beta invite codes (consumed)Until beta program closes

Upon account deletion, we irreversibly delete your personal data within 30 days, except where retention is required by law (billing records).

10. Your Rights

Under GDPR and nFADP, you have the following rights:

10.1 Right of Access (GDPR Art. 15, nFADP Art. 25)

Request a copy of the personal data we hold about you.

10.2 Right to Rectification (GDPR Art. 16)

Correct inaccurate data. Most profile data can be edited directly in the app; for other corrections, contact us.

10.3 Right to Erasure / "Right to be Forgotten" (GDPR Art. 17)

Request deletion of your data. You can delete your account yourself via Settings → Delete Account, which triggers irreversible deletion within 30 days.

10.4 Right to Data Portability (GDPR Art. 20)

Receive your data in a machine-readable format (JSON export) or have it transmitted to another controller where technically feasible.

10.5 Right to Restriction (GDPR Art. 18)

Request that we limit processing of your data under certain circumstances.

10.6 Right to Object (GDPR Art. 21)

Object to processing based on legitimate interest, or to marketing. We will honor marketing objections immediately.

10.7 Right to Withdraw Consent

Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

10.8 Right to Lodge a Complaint

You can complain to a supervisory authority:

  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC / EDÖB) — edoeb.admin.ch
  • EU: Your local Data Protection Authority

10.9 How to Exercise Your Rights

Email curilum@pm.me with:

  • The right you wish to exercise
  • Enough information to identify your account (usually your email)
  • Specifics of the request

We will respond within 30 days (may be extended by 60 days for complex requests, with notice).

We may ask for identity verification before fulfilling certain requests.

11. Security

We take security seriously. Measures include:

  • Encryption in transit: TLS 1.3 for all connections
  • Encryption at rest: AES-256 for database and backups (Supabase default)
  • Authentication: Password hashing via bcrypt; optional multi-factor authentication
  • Access controls: Row-level security (RLS) in database ensures users only access their own data
  • Infrastructure: Swiss/EU-based hosting (Supabase Zurich eu-central-2, Vercel Frankfurt fra1)
  • AI security: PII redaction, canary tokens, integrity tokens, prompt injection detection
  • Logging: PII-redacted; error tracking with data minimization
  • Regular audits: Dependency vulnerability scans, security linting in CI/CD
  • Incident response: 72-hour breach notification per GDPR Art. 33

No system is perfectly secure. We will notify you and relevant authorities without undue delay if a breach affecting your data occurs.

12. Children's Data

Curilum is not intended for use by children under 16. We do not knowingly collect data from children under 16. If you believe a child has provided us data, contact us and we will delete it.

13. Cookies and Tracking

See our Cookie Policy for details. Summary:

  • Strictly necessary cookies (authentication, session, locale) — no consent required
  • Analytics cookies (planned) — only with your explicit consent

We do not use marketing, advertising, or third-party tracking cookies.

14. Changes to This Policy

We may update this Policy from time to time. Material changes will be:

  • Posted on this page with an updated "Last updated" date
  • Communicated via email to registered users
  • Announced at least 30 days before taking effect when material

Continued use of the service after changes indicates acceptance.

15. Contact

For any privacy-related question, request, or complaint:

Email: curilum@pm.me Postal: Satyhra GmbH, c/o ExpertFid & Audit AG, Strehlgasse 2, 8001 Zurich, Switzerland

16. Governing Law

This Privacy Policy is governed by the laws of Switzerland. The revised Federal Act on Data Protection (nFADP) and, where applicable, the EU General Data Protection Regulation (GDPR) apply to our processing of personal data.

Disputes relating to privacy, to the extent not resolved amicably, fall under the jurisdiction of the ordinary courts of Zurich, Switzerland, subject to any mandatory consumer protection provisions granting different jurisdictions.