Privacy Policy and GDPR Data Compliance

Version 1.0 — Effective 9 April 2026

1. Introduction

This Privacy Policy and GDPR Data Compliance document (the “Policy”) describes how M2Talents, operated by Mo Mohamed, Munich, Germany (the “Data Controller”, “we”, “us”, or “our”) collects, processes, stores, and protects personal data in connection with the ApplicantGrid platform at applicantgrid.com (the “Service”).

This Policy is issued in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”), and the Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, “TTDSG”).

2. Data Controller

Controller: M2Talents — Mo Mohamed
Address: Munich, Germany
Email: privacy@applicantgrid.com

The Data Controller is responsible for determining the purposes and means of processing personal data through the Service.

3. Categories of Personal Data Collected

3.1 Data Provided by the User

Account data: name, email address, country, phone number, password (hashed).
Profile data: job search status, professional preferences.
CV/resume data: uploaded documents containing professional history, education, skills, and other personal information.
Application tracking data: job listings, company names, application statuses, notes, dates.
Networking contact data: names, email addresses, phone numbers, company information, LinkedIn URLs, notes, and tags of professional contacts.
Communication data: emails imported through connected email accounts for application tracking purposes.
Payment data: billing information processed through Stripe (the Controller does not store full payment card details).

3.2 Data Collected Automatically

Technical data: IP address, browser type, device type, operating system, screen resolution.
Usage data: pages visited, features used, click events, session duration, timestamps.
Authentication data: login timestamps, session tokens, authentication method.

3.3 Data Generated by the Service

AI processing outputs: CV analyses, rewritten CVs, interview preparation materials.
Application classification and status data.
X-Ray search queries and saved searches.
AI usage metrics: token counts and cost tracking for fair usage purposes.

4. Lawful Bases for Processing

We process personal data on the following lawful bases under Article 6(1) GDPR:

Lawful Basis	Processing Activity	GDPR Article
Performance of contract	Providing the Service, account management, application tracking, email integration, networking CRM	Art. 6(1)(b)
Consent	AI-powered CV analysis, CV rewriting, interview preparation, optional email import	Art. 6(1)(a)
Legitimate interest	Service improvement, security monitoring, fraud prevention, usage analytics	Art. 6(1)(f)
Legal obligation	Tax and accounting records, compliance with court orders or regulatory requests	Art. 6(1)(c)

5. Third-Party Data Processors

We engage the following third-party processors to deliver the Service. All processors are bound by Data Processing Agreements (DPAs) in compliance with Article 28 GDPR:

Processor	Purpose	Data Processed	Location
Supabase Inc.	Database, authentication, file storage	All user data, CVs, application data, contacts	EU (Frankfurt) / US with SCCs
Stripe Inc.	Payment processing, subscription management	Name, email, payment method, billing address, VAT ID	US with SCCs and EU representative
Mailgun (Sinch)	Transactional email delivery and inbound routing	Email address, name, email content	EU / US with SCCs
Anthropic PBC	AI processing (Claude Haiku model)	CV text, job descriptions, interview prep context	US with SCCs
Vercel / Replit	Application hosting	Technical and usage data	US / EU with SCCs

5.1 International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place in accordance with Chapter V of the GDPR, including Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), adequacy decisions where applicable, and supplementary measures where required by the Schrems II ruling (CJEU C-311/18).

6. AI Data Processing

6.1 How AI Processes Your Data

When you use AI Features (CV review, CV rewrite, interview preparation, job description analysis), relevant text content is sent to Anthropic’s Claude API for processing. Specifically:

CV text is extracted and sent for analysis or rewriting. The original file is not transmitted — only the extracted text content.
Job description text is sent for parsing and matching purposes.
Interview preparation requests include job description context and your professional summary.

6.2 AI Data Retention by Processors

Anthropic’s API does not retain input or output data for model training purposes. Data sent to the API is processed in real-time and is not stored beyond the duration of the API request, subject to Anthropic’s data processing terms.

6.3 Automated Decision-Making

The Service uses automated processing to generate AI outputs. However, no automated decisions with legal or similarly significant effects are made solely on the basis of automated processing. All AI outputs are presented as suggestions for the User to review, modify, and apply at their own discretion. The User retains full control over whether to use, modify, or discard any AI-generated content.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

Data Category	Retention Period	Basis
Active account data	Duration of account + 30 days	Contract performance
Deleted account data	30 days post-deletion, then permanently erased	Legitimate interest (data recovery)
Payment and invoice records	10 years (§147 AO)	Legal obligation
Server logs	90 days	Legitimate interest (security)
AI usage metrics	Rolling monthly reset; aggregated statistics retained for 12 months	Contract performance / legitimate interest
Terminated account (violation)	Account identifiers retained for 24 months to prevent re-registration	Legitimate interest (abuse prevention)

8. Your Rights Under GDPR

Under the GDPR, you have the following rights in relation to your personal data:

Right of Access (Art. 15): You may request a copy of all personal data we hold about you.
Right to Rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
Right to Erasure (Art. 17): You may request deletion of your personal data, subject to applicable legal retention requirements.
Right to Restriction of Processing (Art. 18): You may request that we limit the processing of your data in certain circumstances.
Right to Data Portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format (JSON or CSV).
Right to Object (Art. 21): You may object to processing based on legitimate interests at any time.
Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
Right to Lodge a Complaint (Art. 77): You have the right to lodge a complaint with a supervisory authority. The competent authority for Bavaria is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).

8.1 Exercising Your Rights

To exercise any of the above rights, please contact us at privacy@applicantgrid.com. We will respond to your request within thirty (30) days of receipt, as required by Article 12(3) GDPR. We may request proof of identity before processing your request.

8.2 Data Export

Users may export their data at any time through the account settings. Upon account termination, Users have thirty (30) calendar days to request a data export before permanent deletion.

9. Cookies and Tracking Technologies

9.1 Essential Cookies

We use strictly necessary cookies for authentication, session management, and security purposes. These cookies are essential for the operation of the Service and do not require consent under Article 5(3) of the ePrivacy Directive (2002/58/EC) as implemented by the TTDSG.

9.2 Analytics

If analytics tools are implemented in the future, we will obtain explicit consent before deploying any non-essential cookies or tracking technologies, in compliance with the TTDSG and GDPR.

10. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with Article 32 GDPR. These measures include:

Encryption of data in transit (TLS 1.2+) and at rest.
Row-Level Security (RLS) policies ensuring Users can only access their own data.
Password hashing using industry-standard algorithms (bcrypt via Supabase Auth).
Regular security reviews and monitoring of access logs.
Principle of least privilege applied to all system access.
Secure API key management and environment variable isolation.

11. Data Breach Notification

In the event of a personal data breach, we will:

Notify the competent supervisory authority (BayLDA) within seventy-two (72) hours of becoming aware of the breach, as required by Article 33 GDPR, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.
Notify affected Users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 GDPR.
Document all breaches, including their effects and remedial actions taken, in accordance with Article 33(5) GDPR.

12. Children’s Data

The Service is not directed at individuals under the age of sixteen (16). We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such data promptly. If you believe we have inadvertently collected data from a child, please contact us at privacy@applicantgrid.com.

13. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated via email or in-app notification at least fourteen (14) days before they take effect. The latest version of this Policy will always be available within the Service and at applicantgrid.com/legal/privacy.

14. Contact Information

For any questions, requests, or complaints regarding this Policy or the processing of your personal data:

Data Controller: M2Talents — Mo Mohamed
Privacy Email: privacy@applicantgrid.com
General Support: support@applicantgrid.com
Address: Munich, Germany

Supervisory Authority: Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Website: https://www.lda.bayern.de