Privacy Policy
Last updated: 2026-06-10
1. Who we are
AI Stream Jobs is a CV-tailoring tool operated by Næxt AI ("we", "us", "our"). You can reach us at the email listed in §11 Contact.
If you live in the EU, EEA, or UK, the data controller for the personal data you submit to the Service (your account, CV content, drafts, applications, usage history) is Næxt AI.
Sold through Link, LLC (f/k/a Lemon Squeezy, LLC, and operating as "Lemon Squeezy"; a Stripe company, registered in the United States at 354 Oyster Point Blvd, South San Francisco, CA 94080) is our Merchant of Record and is an independent data controller for the personal data it collects from you to process your payment — billing address, card or wallet details (which we never see), and order history. Lemon Squeezy's processing of that data is governed by Lemon Squeezy's Privacy Policy; we and Sold through Link, LLC are independent (not joint) controllers under GDPR Article 26 and exchange data under our written controller-to-controller arrangement with them.
2. The short version
We collect the things you'd expect — your account email, the CV content you upload, the job postings you save, and how you use the product (drafts generated, plan, billing). We use them to run the product, generate AI-tailored CVs and cover letters, charge you correctly, and improve the service. We send your CV text and the job description to Anthropic and Google when you generate a draft, because those are the AI providers that do the rewriting; their commercial terms forbid them from training on this data. We never sell your data. You can export or delete everything you've put in at any time.
The full version follows.
3. What we collect, why, and the legal basis (GDPR Article 6)
| Category | Specifics | Why we need it | Legal basis |
|---|---|---|---|
| Account identity | Email, name (from your sign-in provider) | To know who you are | Contract performance |
| CV content | Anything you type or upload to the Knowledge or Studio pages | To generate tailored drafts; to let you re-export later | Contract performance + your explicit consent for sending it to AI providers |
| Cover letters and tailored drafts | LLM output you keep editing | Same as above | Same as above |
| Job-search activity | Postings you've searched, scored, marked as applied, status updates | To track your job hunt | Contract performance |
| Plan and usage | Plan tier, model choice, token / cost / draft counters | To bill you correctly and enforce caps | Contract performance + legitimate interest (preventing runaway costs) |
| Payment data | Lemon Squeezy customer/order IDs and subscription identifiers (card details are entered directly on Lemon Squeezy's checkout — we never see card numbers) | To charge you and reconcile your subscription | Contract performance |
| Cookies + session | Strictly necessary cookies set when you sign in and cleared when you sign out; with your consent, analytics (Google Analytics 4) and Google Ads conversion-measurement cookies; a first-party campaign-attribution cookie when you arrive from a tagged link | To keep you logged in; to understand which pages help; to measure which ads lead to sign-ups | Strictly necessary (sign-in) · Consent (analytics + advertising measurement) · Legitimate interest (first-party attribution) — see §8 Cookies |
| Server logs | IP address, request path, timestamps, model + tokens per LLM call | Debugging, abuse detection, billing reconciliation | Legitimate interest |
We do not collect sensitive categories under GDPR Article 9 (race, religion, health, biometrics, etc.) intentionally. CVs sometimes mention these — that's user-volunteered content; we treat it the same as the rest of the CV (encrypted at rest, sent only to the AI providers we list, deletable on request).
4. How long we keep it
| What | Retention |
|---|---|
| Account + CV + drafts | Until you delete your account, then immediate hard-delete from Firestore. Cloud-side backups age out within 30 days. |
| Server logs | 30 days raw, then aggregated for 1 year |
| Anonymous LLM-call audit (no CV content, just metadata) | Up to 1 year for billing reconciliation |
| Lemon Squeezy billing records (held by Lemon Squeezy as Merchant of Record; we hold only the Lemon Squeezy customer/order IDs needed to reconcile your subscription) | 7 years (tax law in most jurisdictions) |
| Backups | Rotating 30-day window. After deletion, takes up to 30 days for backup expiry. |
5. Who we share it with
We don't sell your personal data. We share it only with the vendors that make the product work:
| Vendor | What they get | Why | Where they're based |
|---|---|---|---|
| Anthropic | The CV text + job description + system prompt for each draft you generate | To generate the rewrite | USA (we'll route EU users via the Vertex EU endpoint when EU launch lands) |
| Google (Gemini API on Vertex AI) | Same | Same — used for utility calls and some tailor models | USA (EU endpoint planned) |
| Lemon Squeezy (Sold through Link, LLC, USA — f/k/a Lemon Squeezy, LLC; a Stripe company) | Email, name, billing address, card or wallet details (entered on Lemon Squeezy-hosted checkout, never seen by us), order history | Payment processing as our Merchant of Record — Sold through Link, LLC is the seller of record, charges your card, remits VAT/sales tax, and handles refunds and chargebacks on our behalf. They are an independent data controller for this data — see §1 and Lemon Squeezy's Privacy Policy. | United States, with onward transfers per Lemon Squeezy's published terms |
| Google Cloud (Cloud Run, Firestore, Cloud Logging) | All hosted data, encrypted at rest | Hosting | us-central1 today; europe-west1 for EU users (planned) |
Both Anthropic and Google's commercial terms commit them not to train models on production API traffic. We will publish signed Data Processing Agreements with both before EU launch. Our arrangement with Lemon Squeezy is controller-to-controller rather than processor-based — see §1 and Lemon Squeezy's Privacy Policy.
We will never share your data for marketing, advertising, or sale to third parties.
PII minimization on utility calls. When we send your CV text to an AI provider for tasks that don't actually need to identify you — scoring how well your CV matches a job posting, extracting your career profile (function, level, target roles) for the search-suggestion chips — we strip your name (where applicable), email, phone, LinkedIn URL, and other personal handles from the text before sending. The provider sees something like "[REDACTED_NAME] worked as a Senior Engineer at a fintech company 2020–2024" and produces an equally accurate score / extraction. Tasks that genuinely need your full content — generating tailored CVs, rewriting bullets, drafting cover letters, generating interview-prep questions — keep the full text because the output references you by name and writes in your voice.
6. International transfers
If you're in the EU, EEA, UK, or Switzerland, your data may be transferred to and processed in the United States by the vendors above. We rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, embedded in our DPAs with Anthropic and Google (signed before EU launch — see open gap above). The controller-to-controller transfer to Lemon Squeezy is covered by Lemon Squeezy's published Privacy Policy and merchant-of-record terms.
- Adequacy decisions where they apply (EU–US Data Privacy Framework as of 2026).
When EU data residency lands (planned), EU users' CV content, drafts, applications, and AI model calls will stay within Google Cloud's europe-west1 region. One exception remains: see §6.1.
6.1 Documented exception — Firebase Authentication identity
AI Stream Jobs uses Google Firebase Authentication to handle sign-in. As of 2026, Firebase Authentication does not offer EU data residency: your sign-in identity (email address and display name) is stored and processed by Google in the United States.
We rely on the following legal bases for this transfer:
- GDPR Article 6(1)(b) — performance of a contract. We cannot operate the service without storing your authentication identity. This processing is therefore not "consent" in the Article 6(1)(a) sense, but a contractual necessity. If you do not accept this exception, please do not create an account.
- Standard Contractual Clauses — the EU–US transfer of your sign-in identity is covered by SCCs in the Google Cloud Data Processing Addendum, which you can review at cloud.google.com/terms/data-processing-addendum.
- EU–US Data Privacy Framework — Google is a certified participant where the framework applies.
What is and isn't covered by this exception:
| Data | Where it lives for EU users | Why |
|---|---|---|
| Email address (sign-in) | United States | Firebase Authentication |
| Display name (sign-in) | United States | Firebase Authentication |
| OAuth refresh tokens (if you use Google sign-in) | United States | Firebase Authentication |
| CV content, cover letters, drafts, applications, settings, usage history | europe-west1 (EU) | stored only in our EU Firestore |
| AI model calls (CV text + job description sent to Anthropic / Google models) | europe-west1 (EU) | routed via European Vertex AI endpoints |
Every EU user is shown this exception in the consent dialog at sign-up and must explicitly acknowledge it via a checkbox — the audit trail of acceptances is in Firestore at users/{uid}/consents/*.
We will revisit this exception when either (a) Firebase Authentication ships full EU data residency, or (b) our EU customer base requires us to migrate to an EU-resident authentication provider.
7. Your rights
Wherever you live, you can:
- Access what we hold —
Settings → Data → Export everything(planned/api/account/export). - Correct anything wrong — edit it directly in the app.
- Delete everything —
Settings → Danger zone → Delete account(planned/api/account/delete). This is permanent. - Take it elsewhere — same export endpoint, machine-readable JSON.
- Withdraw consent for sending CV content to AI providers — toggle in
Settings → Privacy. This stops further AI calls; it doesn't retroactively delete drafts already generated. - Object to specific processing — email us via §11 Contact.
- Lodge a complaint with your data protection authority if you live in the EU/EEA/UK. We'd appreciate a heads-up first so we can fix whatever's wrong.
We respond to rights requests within 30 days (often within 7).
8. Cookies
We use the following cookies and similar technologies:
- Strictly necessary — cookies that keep you signed in and operate the Service (session, security). Exempt from consent under the ePrivacy Directive (Article 5(3)).
- Analytics — only with your consent. If you accept the cookie banner, we load Google Analytics 4 with IP anonymization to understand which pages help job-seekers most. If you decline, it never loads.
- Advertising measurement — only with your consent. We advertise on Google Ads. If you accept the banner, Google's tag may set cookies to count which ads lead to sign-ups (conversion measurement). We use Google Consent Mode v2: every advertising signal defaults to "denied" until you accept. We show no third-party ads on the Service, build no advertising profiles, and never sell personal data.
- First-party campaign attribution. If you arrive through a link carrying campaign parameters (e.g.
utm_*or an ad-click id likegclid), we store those parameters in a first-party cookie (asj-attrib, expires after 90 days, never shared with third parties) and, if you create an account, save them on your account record so we know which campaign brought you (legitimate interest, GDPR Article 6(1)(f)). This data is included in your data export and deleted with your account.
You can change your choice at any time via Cookie settings in the page footer. Declining costs you no features.
9. Children
AI Stream Jobs is for adults. We do not knowingly collect data from anyone under 16. If you believe a child has signed up, contact us and we'll delete the account.
10. Changes
We may update this policy from time to time. When we do, we update the "Last updated" date at the top. For material changes that affect your rights or how we process your data, we'll email you before the new version takes effect. For non-material changes (typos, links), we just publish.
11. Contact
AI Stream Jobs is a service operated by Næxt AI. For any questions about this policy or our service, please contact us:
- Email: support@aistreamjobs.com
- CVR: 46456556
- VAT: DK46456556
If you have a security finding, please email support@aistreamjobs.com.
12. Definitions
- Personal data — anything that can identify you, directly or indirectly, including your name, email, IP address, and the contents of your CV.
- Processing — any operation performed on personal data: collecting, storing, using, sharing, deleting.
- AI provider — Anthropic and Google. Both run their APIs on commercial terms that exclude API traffic from model training.