How GetShortlisted protects your data under EU law
GetShortlisted is built with privacy as a core principle, not an afterthought. We comply fully with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). This page explains how we protect your rights as a data subject.
GetShortlisted is the data controller responsible for processing your personal data. For any data protection inquiries, please contact us through our Contact page.
We process your data based on the following legal grounds:
Contract performance (Art. 6(1)(b) GDPR): processing your CV and generating tailored documents is necessary to provide the service you signed up for.
Consent (Art. 6(1)(a) GDPR): you provide explicit consent when creating an account and accepting our Terms of Service.
Legitimate interest (Art. 6(1)(f) GDPR): basic analytics and service improvement, always balanced against your privacy rights.
We only collect data that is strictly necessary to provide the service. When you upload a CV, we extract the structured information (text content) and do not permanently store the original file. We do not collect data beyond what is needed for account management, document generation, and payment processing.
All personal data is stored exclusively in European Union data centers:
Database: Neon PostgreSQL, Frankfurt, Germany (eu-central-1)
File storage: Cloudflare R2, EU region
Rate limiting: Upstash Redis, EU region
Your data never leaves the EU for storage purposes.
When generating tailored CVs and cover letters, your profile data and job descriptions are sent to Anthropic's Claude AI via encrypted API calls. Anthropic's usage policy states that API data is not used to train their models. The data is processed in transit and not stored by Anthropic beyond the request lifecycle.
Under GDPR, you have the following rights. You can exercise these at any time:
You can delete your account and all associated data at any time from the Settings page. When you delete your account, the following happens immediately:
Your Stripe subscription is cancelled.
Your Stripe customer record is deleted.
All uploaded files (photos, signatures) are deleted from cloud storage.
Your profile, all generated documents, and all account data are permanently removed from our database.
This process is irreversible. Anonymized, aggregated statistics (e.g., total generation count across all users) may be retained as they contain no personal information.
GetShortlisted uses only essential cookies required for authentication. We use a secure, HTTP-only session cookie to keep you logged in. We do not use third-party tracking cookies, advertising pixels, or analytics scripts that collect personal data.
In the unlikely event of a data breach affecting your personal data, we will notify affected users within 72 hours as required by GDPR Article 33, and report the breach to the relevant supervisory authority.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. For Germany, this is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) or your state data protection authority.
For any questions about GDPR compliance or to exercise your data rights, please contact us.