Privacy Policy

Effective: 11 June 2026. How we handle personal data across the Utably platform.

Data Controller

The data controller for the personal data described in this Privacy Policy is Joshua Sievert (Utably), Landsbergerstraße 46, 04157 Leipzig, Germany. You can contact us at support@utably.com or via the details on our Imprint page.

Scope

This Privacy Policy covers personal data processed when you use Utably, including account creation, product usage, content you store, customer support, billing, and security. Analytics-specific processing is covered separately in our Privacy Notice — Analytics.

Categories of Personal Data

Depending on how you use the product, we may process identifiers (name, email), account credentials, profile data you provide, documents and content you upload or generate, subscription and payment metadata, customer support communications, and security or fraud-prevention signals (including bot-protection signals collected via Cloudflare Turnstile when you submit public forms).

SOCIAL LOGIN DATA: If you choose to sign in or register using a social login provider (currently Facebook or LinkedIn), you initiate a data transfer from that provider to us by clicking "Sign in with [Provider]". We receive and process the following data from the social provider:

• Email address — used to identify your account, match existing accounts, or create a new account
• Name (given name and family name) — used to populate your profile
• Profile picture — downloaded from the social provider and stored on our infrastructure (AWS S3) to ensure reliable availability within the Service
• Social provider identifier — a unique ID from the provider used to link your social identity to your Utably account

You can change or delete your profile picture at any time in your account settings. If you sign in with multiple social providers using the same email address, those identities are linked to a single Utably account.

SPECIAL CATEGORY DATA: CVs and profile information you upload may incidentally contain special category data (e.g., health conditions, ethnicity, religious beliefs, trade union membership) if you choose to include such information. We do not require you to provide this data, and we process it only because you have voluntarily included it in your documents. We recommend you consider whether to include such sensitive information. Our legal basis for any incidental processing of special category data is your explicit consent through voluntary disclosure (GDPR Article 9(2)(a)).

Purposes of Processing

We process personal data to provide and improve the service, generate and store your documents, deliver support, manage subscriptions, prevent abuse, and comply with legal obligations.

AI-Powered Features

Utably uses artificial intelligence (AI) to provide certain features, including cover letter generation, CV content suggestions, career insights, and application analysis. When you use these features, your profile data and content may be processed by AI services (AWS Bedrock) to generate personalized outputs.

AI TRANSPARENCY (ART. 50 AI ACT): When you use the assistant "Uta", you are interacting with an AI system (Regulation (EU) 2024/1689, Art. 50). We expressly inform you that your conversation is with an artificial intelligence and not with a human.

POSITIONING OF THE ANALYSIS FEATURES: The job-match analysis, Document Check, and FitCheck are self-assessment tools that you, the candidate, use on your own materials. They are not employer-side recruitment, selection, screening, or candidate-ranking systems within the meaning of Annex III No. 4 of the EU AI Act (Regulation (EU) 2024/1689). Utably makes no decisions about you; the results are provided solely for your own orientation.

IMPORTANT: AI-generated content is provided "as is" and may contain errors or inaccuracies. You should review, customize, and verify all AI-generated content before use. We do not guarantee that AI outputs will be accurate, suitable, or free from bias.

Your data processed by AI services is not used to train AI models. AI processing occurs in our EU infrastructure (AWS eu-north-1 region) under our data processing agreements.

UTA ASSISTANT AND MEMORY: The built-in assistant "Uta" processes your chat messages and relevant profile and application data via AI services (AWS Bedrock) to help you within the product. To personalize its support, Uta keeps an internal memory (e.g., how you like to be addressed, your goals, or important events you share with it). This memory is stored together with your account data in our EU infrastructure, is included in your account data export (GDPR Articles 15 and 20), and is fully deleted when you delete your account.

VOICE MODE: When you activate Uta's voice mode, your microphone is used only for the duration of the voice session. Audio is transmitted in real time to a speech AI model (AWS Bedrock, Amazon Nova Sonic) in our EU infrastructure and processed there; we do not store audio recordings. Transcripts of the conversation are treated like regular chat messages.

Automated Decision-Making

We do not make decisions based solely on automated processing — including profiling — that produce legal effects concerning you or similarly significantly affect you (Art. 22 GDPR). AI-powered outputs are suggestions for your own orientation and do not replace a human decision.

Contact Form

When you use our contact form, we process the name, email address, subject, and message you enter, solely to receive and respond to your inquiry. Legal basis: your consent (GDPR Art. 6(1)(a)), which you give via the consent checkbox on the form; for the spam protection on the form (Cloudflare Turnstile) our legal basis is our legitimate interest in preventing abuse (GDPR Art. 6(1)(f)). Your message is transmitted to our backend hosted on AWS in the EU; Cloudflare Turnstile performs a bot check. We delete contact-form data once your inquiry has been dealt with, unless statutory retention periods require otherwise.

Browser Extension ("Utably Import")

Utably offers an optional browser extension ("Utably Import") for Chrome, Edge, and Firefox that lets you import job postings from third-party websites into your Utably account. This section describes how the extension processes personal data. It supplements, and does not replace, the rest of this Privacy Policy.

DATA WE PROCESS VIA THE EXTENSION:

• Job posting content you choose to import (job title, company, location, recruiter name, job description, source URL) — extracted from the page you are actively viewing only when you click "Auto-fill" or paste content yourself
• Authentication tokens (short-lived access token and refresh token) — stored locally in the browser via chrome.storage.local and used only to authenticate requests to api.utably.com
• FitCheck inputs — when you click "FitCheck", the job details shown in the preview form are sent to api.utably.com/extension/llm together with your stored Utably profile so we can generate a job-fit analysis using AI services (AWS Bedrock, EU region eu-north-1)

WHAT WE DO NOT DO:

• No background browsing or crawling. The extension never reads pages in the background. Page content is only accessed after you click "Auto-fill" on a specific tab.
• No password or credential capture. The extension does not read form fields, password inputs, cookies, or browser history.
• No analytics, tracking pixels, or third-party advertising SDKs are bundled in the extension.
• No data is sold or shared with third parties beyond the processors listed in "Recipients and Processors".

BROWSER PERMISSIONS:

• activeTab / scripting / tabs — used only at the moment you click "Auto-fill" to read the job posting on the active tab
• storage — used to store authentication tokens and your settings locally in the browser
• sidePanel — used to render the extension UI
• Optional host permissions (https:///) — requested per individual website at the moment you click "Auto-fill", so the extension can read the job posting on that site only. You can revoke these per-site permissions at any time in your browser's extension settings.

LEGAL BASIS: Performance of a contract (GDPR Article 6(1)(b)) — processing the data you choose to import is necessary to provide the import and FitCheck features you have requested.

DATA RETENTION: Imported job postings are stored in your Utably account and follow the same retention rules as the rest of your account data (see "Retention" and "Data Retention and Automatic Account Deletion"). Authentication tokens stored in the browser are short-lived and can be revoked at any time by clicking "Logout" in the extension or by clearing extension storage.

UNINSTALLING: Removing the extension from your browser deletes all locally stored extension data (tokens, settings). It does not delete data already imported into your Utably account; to delete that, use account deletion in the web app.

Legal Bases

For GDPR users, our legal bases include performance of a contract (providing the service), consent (where required, such as certain communications), compliance with legal obligations, and legitimate interests (security, fraud prevention, and service improvement where balanced against your rights).

SOCIAL LOGIN: When you sign in via a social provider, you actively initiate the data transfer by clicking "Sign in with [Provider]". Our legal basis for processing the data received from social providers is performance of a contract (GDPR Article 6(1)(b)) — the data is necessary to create and maintain your account as you have requested. For storing your profile picture on our infrastructure, our legal basis is our legitimate interest in ensuring reliable service delivery (GDPR Article 6(1)(f)), balanced against your right to delete or change the picture at any time via your account settings.

Retention

We retain personal data only as long as necessary for the purposes above. Retention periods vary by system and data type. Where possible, we apply minimization, deletion, or aggregation. You can request deletion via Settings or by contacting support.

Data Retention and Automatic Account Deletion

In accordance with the GDPR storage limitation principle (Article 5(1)(e)), we do not retain personal data longer than necessary. Accounts that have been inactive for twelve (12) consecutive months are automatically and permanently deleted, along with all associated data.

DEFINITION OF INACTIVITY: An account is considered "inactive" when the account holder has not logged in to the Service AND does not have an active paid subscription. Cancelled subscriptions that remain inactive follow the same twelve-month rule.

EXCEPTION FOR PAID SUBSCRIBERS: Accounts with an active paid subscription are never subject to automatic deletion, regardless of login activity. As long as your subscription remains active, your account and data are retained.

RESETTING THE INACTIVITY TIMER: Logging in to your account at any point resets the twelve-month inactivity timer. You do not need to take any other action beyond signing in to prevent automatic deletion.

NOTIFICATION SCHEDULE: Before any automatic deletion occurs, we notify you at the following intervals:

• Month 10 of inactivity: First warning email informing you that your account will be deleted in approximately two months if you do not log in
• Month 11 of inactivity: Second reminder email informing you that your account will be deleted in approximately one month
• One week before deletion (approximately Month 11.75): Final notice email informing you that your account will be deleted in seven days

All notification emails are sent to the email address associated with your account.

WHAT GETS DELETED: Upon automatic deletion, the following data is permanently removed:

• Your Cognito user account (authentication credentials)
• All DynamoDB records associated with your account (user data, profile, settings, preferences, and all stored content)
• All S3 files associated with your account (profile pictures, uploaded documents, and generated files)
• Stripe customer data (deleted or anonymized in accordance with Stripe's data retention requirements)
• Any other data associated with your unique user identifier

This deletion is permanent and irreversible. We cannot recover your data after automatic deletion has been carried out.

REQUESTING AN EXTENSION: If you are unable to log in but wish to retain your account, you may contact us at support@utably.com to request an extension of the inactivity period.

Recipients and Processors

We do not sell your personal data, and we will not do so.

We use cloud and infrastructure providers as processors under data processing agreements, including AWS services (Cognito, Lambda, DynamoDB, S3, CloudFront). We use Cloudflare (Turnstile) as a data processor for bot-protection signals collected when you submit public forms such as newsletter sign-up, contact, and email preference management. We use MediaStack (mediastack.com) as a data processor to provide company news and research features; company names associated with your job applications may be sent to MediaStack to retrieve relevant news articles.

PAYMENT PROCESSING: We use Stripe (Stripe Payments Europe, Ltd.) as our payment processor to handle subscription payments. When you purchase a paid subscription, your payment and billing details are processed by Stripe; Utably does not store full card data.

TRANSACTIONAL EMAIL: We use Amazon Web Services Simple Email Service (AWS SES) as a processor to send system and transactional emails (e.g., system notifications, account-deletion reminders, and replies to contact inquiries). This involves processing your email address and the content of the relevant message.

PRODUCT ANALYTICS (POSTHOG): If you consent via our analytics banner, we use PostHog (PostHog EU) as a processor for product analytics and sampled session replay. PostHog is activated only after you opt in via the cookie banner. Hosting is in PostHog's EU cloud (eu.i.posthog.com); there is no transfer to the United States.

GOOGLE MAPS (OPT-IN EMBEDS): If you opt in to "Embedded maps & content" in our cookie preferences, we embed Google Maps (provided by Google LLC, USA) in the application detail and interview calendar pages so you can see locations of offices and interview venues. When you open such a page after opting in, your browser sends your IP address, request data, and basic device signals to Google in the United States. Google may set its own cookies via the embed. Google acts as an independent controller for the data it receives via the Maps embed; data flows are governed by the Google Maps Service Specific Terms and Google's privacy policy (policies.google.com/privacy). Until you opt in, Utably renders a click-to-load placeholder and no map data is sent to Google.

SOCIAL LOGIN PROVIDERS: If you choose to sign in via Facebook or LinkedIn, those providers act as independent data controllers for the authentication process on their platforms. We receive data from these providers only when you initiate a sign-in. Profile pictures received from social providers are stored in AWS S3. We do not share your Utably data back with social providers. For details on how these providers handle your data, refer to their respective privacy policies.

A list of subprocessors may be made available on request.

International Transfers

If we transfer personal data outside the EU/EEA, we apply appropriate safeguards such as Standard Contractual Clauses and technical and organizational measures.

US TRANSFERS VIA GOOGLE MAPS: When you opt in to embedded maps, your IP and request data are transferred to Google LLC in the United States. Google LLC is certified under the EU-US Data Privacy Framework, recognised by the European Commission as providing an adequate level of protection (Adequacy Decision of 10 July 2023). You can withdraw this consent at any time by re-opening the cookie preferences from the footer or your account settings.

CLOUDFLARE (TURNSTILE): Cloudflare, Inc. is a US provider. When you submit public forms, data may be transferred to Cloudflare in the United States. These transfers are safeguarded by Cloudflare's certification under the EU-US Data Privacy Framework and by standard contractual clauses.

POSTHOG: PostHog product analytics are hosted in PostHog's EU cloud (eu.i.posthog.com). There is no transfer to a third country.

AWS: Processing in our core infrastructure takes place in the AWS eu-north-1 (Stockholm) region, as stated elsewhere in this policy.

Your Rights

You may have rights to access, correct, delete, restrict, or export your personal data. You can also withdraw consent at any time where applicable. To exercise rights, use in-app controls or contact support.

Right to Object (Art. 21 GDPR)

You have the right, on grounds relating to your particular situation, to object at any time to the processing of your personal data that is based on our legitimate interests (Art. 6(1)(f) GDPR). If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or where the processing serves the establishment, exercise, or defence of legal claims. To exercise your right to object, an informal message to support@utably.com is sufficient.

SOCIAL LOGIN DATA: You can manage data received from social providers in your account settings. You can change or delete your profile picture, update your name, and manage linked social identities at any time. Deleting your Utably account will delete all associated data, including any profile pictures downloaded from social providers.

SUPERVISORY AUTHORITIES: You have the right to lodge a complaint with a data protection supervisory authority. The authority competent for us is the Saxon Data Protection Commissioner (saechsdsb.de). You may alternatively contact the supervisory authority in your EU/EEA country of residence; a list is available at edpb.europa.eu.

Security

We implement technical and organizational measures to protect personal data, including access controls, encryption in transit, and least-privilege policies. No method of transmission or storage is perfectly secure, but we strive to protect your data appropriately.

Children's Data

Utably is not directed to children under 16. Users must be at least 18 to create an account and purchase subscriptions. Users aged 16-17 may access free features with parental or guardian consent.

We have designed the Service with privacy-protective defaults following the principle of data protection by design and by default (GDPR Article 25), taking into account the special protection of minors. We minimize data collection, use high privacy settings by default, and do not use techniques that encourage users to provide more personal data than necessary.

If you believe a child under 16 has provided personal data without appropriate consent, please contact us so we can take appropriate action.

Changes to this Policy

We may update this policy to reflect product or regulatory changes. We will update the effective date and, when required, provide additional notice.

Contact

Questions about this policy? Contact us at support@utably.com or via the Contact page.
