Privacy Policy

Last updated: 10 May 2026

This policy explains what personal data getshortlisted.ai processes, why, where it lives, and what rights you have under the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP). Plain language, no boilerplate.

1. Who is the data controller

The data controller for getshortlisted.ai is the operator of the service, based in Switzerland. For any data-protection request, write to privacy@getshortlisted.ai. There is no formal Data Protection Officer at this stage; the same address reaches the person responsible for privacy decisions.

2. What we collect

We collect only what we need to run the service:

  • Account data — your email address, and the OAuth identifier from your sign-in provider (Google) if you used one. We never see your password.
  • Profile and CV content — every field you fill in: name, contact details, work history, education, skills, languages, certifications. This is the working copy of your CV.
  • Imported PDFs — when you import a CV, the PDF text is extracted, sent to the AI provider for structured-data extraction, and returned to you for review. We do not retain the extracted text after the request returns.
  • Job descriptions you paste in — temporarily processed to tailor AI suggestions to a specific role.
  • Operational logs — request paths, timestamps, error stack traces, and a per-call AI usage record (token counts only, never content). Used for security, debugging, and rate-limit accounting.
  • Cookies — see section 7.

3. Why we process it

  • To provide the service — store your CV, run AI suggestions when you trigger them, render the export. Legal basis: performance of the contract (GDPR Art. 6(1)(b)).
  • To keep the service secure and stable — rate limiting, abuse detection, error monitoring. Legal basis: legitimate interest (GDPR Art. 6(1)(f)).
  • To honour our legal obligations — responding to lawful requests, complying with accounting and tax law. Legal basis: legal obligation (GDPR Art. 6(1)(c)).
  • Optional analytics — only after you have given consent through the cookie banner. Legal basis: consent (GDPR Art. 6(1)(a)).

4. What gets sent to OpenAI

AI processing is handled by OpenAI's API. OpenAI is a sub-processor — we send them the minimum data needed to fulfil each request, and they do not retain it beyond a short abuse-monitoring window.

OpenAI's API terms commit to not training on API inputs — see the official OpenAI policy: https://platform.openai.com/docs/models/how-we-use-your-data. API inputs are retained by OpenAI for up to 30 days for abuse monitoring, then deleted.

Concretely, the following data is sent to OpenAI:

  • When you save your profile, each role in your work history is summarised as "role title @ company (dates): summary + events" and sent to OpenAI's embedding endpoint (text-embedding-3-small). The resulting numerical vector is stored in our vector database; the text itself is not retained by OpenAI past the 30-day window.
  • When you start an AI generation flow, the job description you pasted is sent to the same embedding endpoint to retrieve the most relevant role chunks from your profile, then the assembled prompt — including those role chunks and the job description — is sent to OpenAI's chat-completions streaming endpoint.
  • When you import a CV from PDF, the extracted text (truncated to 32 000 characters) is sent to OpenAI's chat-completions endpoint with a structured-output schema, which returns a draft profile. We do not auto-save it; you review and confirm before anything lands in your account.

OpenAI processes this data on infrastructure outside the EU. The transfer relies on the EU Standard Contractual Clauses and OpenAI's commitments under the EU-US Data Privacy Framework. AI suggestions appear in the editor for your review and are never written to your profile without your explicit action — you remain the decider on every line. The EU AI Act Article 50 transparency requirements (from August 2026) will be marked in-line at the point of generation. If you are not comfortable with this transfer, do not use the AI features — the rest of the service (manual editing, account management) works without sending anything to OpenAI.

5. Where your data is stored

Application data — your account, your profile, your CV — is stored in a PostgreSQL database on a Swiss VPS hosted by AlexHost in Switzerland. The vector representations of your role chunks live in a Qdrant instance on the same server. Backups stay on the same Swiss host.

PDF rendering for export uses a headless-browser service running on the same Swiss host. Your CV does not leave the host during export.

The only routine cross-border transfer is to the OpenAI API, described in section 4. Email delivery uses a transactional SMTP provider for sign-in links and notifications; the email contains your address and a link, never CV content.

6. How long we keep it

  • Waitlist entries — kept until the waitlist closes or you ask us to delete them.
  • Unverified accounts — deleted after 30 days of inactivity if you never confirmed your email.
  • Active accounts — kept while your account is open. Your data is yours; we don't expire it on you.
  • Closed accounts — deleted within 30 days of closure. Encrypted backups containing the data may persist for up to 30 additional days before backup rotation overwrites them.
  • Operational logs — 30 days, then rotated.
  • Per-call AI usage records — kept for one year for billing and abuse-monitoring purposes (token counts only, no content).

7. Cookies

We use as few cookies as possible:

  • Essential cookies — required for sign-in (the session cookie) and for remembering your cookie-banner choice. No consent needed; the service can't run without them.
  • Analytics cookies — only set if you accept them in the banner. None are active by default.
  • Third-party cookies — Google reCAPTCHA v3 sets a `_GRECAPTCHA` cookie when a form (waitlist, contact) is shown, used by Google to score the request as human-or-bot before submission. See sub-processors (section 10) for details.

You can change your mind at any time using the "Manage cookies" link in the footer. The banner reappears with your current choices and you can adjust each category individually.

8. Your rights

Under GDPR and the Swiss FADP, you can:

  • Access your data — ask for a copy of everything we hold about you.
  • Correct your data — fix anything inaccurate. Most fields you can edit yourself in your profile.
  • Export your data — request a structured copy of your account, profile, and exports.
  • Delete your account — close your account and have the associated data deleted within 30 days (subject to the backup window in section 6).
  • Object or restrict — tell us to stop processing your data for a given purpose, where the law allows it.
  • Withdraw consent — for anything you opted into (analytics cookies, marketing email), at any time, with no effect on processing already done.
  • Lodge a complaint — with the Swiss Federal Data Protection and Information Commissioner (FDPIC, edoeb.admin.ch) or, if you are in the EU, with the supervisory authority in your country.

To exercise any of these rights, write to privacy@getshortlisted.ai. We respond within 30 days. We never charge a fee for the first copy of your data or for a deletion request.

9. Security

Data in transit is encrypted with TLS. The database, the vector store, and the export service all live behind a private network on the same host; none of them are reachable from the public internet. Sign-in uses one-time email links or OAuth — we never store passwords.

We monitor errors with Sentry, configured to scrub personally identifiable information from stack traces and breadcrumbs. No raw CV content reaches Sentry.

If a breach happens that affects your data, we notify the FDPIC within 72 hours and contact affected users by email.

10. Sub-processors

Current sub-processors:

  • AlexHost (Switzerland) — hosting provider for the application server, database, vector store, and PDF-export service.
  • OpenAI (United States) — AI inference for embedding, chat-completion, and structured-extraction endpoints. See section 4.
  • SMTP provider — transactional email delivery for sign-in links and account notifications.
  • Sentry (United States / EU) — error monitoring, configured to scrub personal data.

If we add or change a sub-processor, the change appears here and the "last updated" date is bumped. Material changes are notified by email.

11. Children

The service is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has created an account, contact privacy@getshortlisted.ai and we will delete it.

12. Changes to this policy

When we update this policy, the "last updated" date at the top changes. Material changes (a new sub-processor, a new processing purpose, a new retention rule) are announced in-product and by email. We do not silently relax our privacy posture.

13. Contact

Privacy questions, data-subject requests, complaints: privacy@getshortlisted.ai.