Privacy policy

Controller (Art. 4(7) GDPR)

[VOLLSTÄNDIGER NAME]
[STRASSE HAUSNUMMER]
[PLZ ORT]
Germany
Email: [KONTAKT-E-MAIL]

1. What this is about

This privacy policy explains which personal data Midvalla processes, for what purposes, and what rights you have. Application data is particularly sensitive — data minimisation is therefore a core principle of this platform: we only collect what the features require, we do not sell data, and we do not show ads.

2. Hosting (Vercel)

This website is hosted by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA. When you visit the site, Vercel processes technically necessary connection data (in particular IP address, time of access, page accessed, browser identifier) in server logs to deliver the website and keep it secure. The legal basis is our legitimate interest in secure and stable operation (Art. 6(1)(f) GDPR). Vercel is certified under the EU-US Data Privacy Framework; EU standard contractual clauses apply in addition.

3. Account, profile and application data (Supabase)

When you create an account, we store your email address and your password (stored in encrypted form). The data you enter into your profile — e.g. work experience, education, skills, contact details — as well as the CVs, cover letters and application-tracker entries you create are stored so you can use the platform's features. The legal basis is performance of the user agreement (Art. 6(1)(b) GDPR).

The database and sign-in are operated by our processor Supabase; the data is stored in the Frankfurt am Main region (EU). Access is technically protected by row level security: each user can only read and change their own data.

Optionally, you can sign in with your Google account. In that case we receive your email address from Google; Google's privacy policy applies in addition.

4. AI features (Anthropic)

For the AI features (CV and cover-letter generation, profile chat, CV import, job-ad import, matching score) we transmit the necessary content — e.g. your profile data or a job ad you provide — to the Claude API operated by Anthropic (Anthropic PBC, USA). Data is only transmitted when you actively use an AI feature. The legal basis is performance of the contract (Art. 6(1)(b) GDPR).

According to Anthropic, data submitted via the API is not used to train its models and is only retained for a limited period for abuse monitoring. EU standard contractual clauses are in place for the transfer to the USA; Anthropic is also certified under the EU-US Data Privacy Framework.

5. Job search (Federal Employment Agency)

The job search uses the public job-search API of the German Federal Employment Agency (Bundesagentur für Arbeit). Your search parameters (e.g. keyword, location, radius) are transmitted to the agency — without your name or account data.

6. Cookies

Midvalla only uses technically necessary cookies: for your sign-in session and for your language preference. There are no advertising or tracking cookies and no third-party marketing cookies — which is why there is no cookie banner to dismiss. The legal basis is § 25(2) no. 2 of the German TDDDG and Art. 6(1)(b) GDPR.

7. Reach measurement in the guide

In the guide section we count how often recommended article links are clicked — as a pure daily aggregate without IP addresses, without cookies and without any link to your account. This count contains no personal data.

8. Email notifications

Where enabled, we send you account emails (e.g. registration confirmation, password reset) and reminders about the follow-ups and deadlines you have entered in the application tracker. The legal basis is performance of the contract (Art. 6(1)(b) GDPR). We do not send marketing newsletters.

9. Retention and deletion

We store your data for as long as your account exists. If you delete your account or request deletion by email, your personal data will be deleted unless statutory retention obligations require otherwise. Server logs are deleted automatically after a short period.

10. Your rights

You have the right of access to your stored data (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection to processing based on legitimate interests (Art. 21). Simply contact the email address given above.

You also have the right to lodge a complaint with a data protection supervisory authority.

Last updated: 14 July 2026. We will update this policy when the platform's features change.