Privacy Policy – Jobara AI
Last updated: April 30, 2026
How Jobara AI handles your personal data under the GDPR and BDSG.
1. Who we are & how to contact us
"Jobara AI" ("we", "us", or "our") is operated by, and the data controller within the meaning of Art. 4(7) GDPR is:
Bashar Deeb
Kurt-Schumacher-Str. 122
45881 Gelsenkirchen
Germany
Email: [email protected]
Full legal notice: Impressum
Data protection officer (DPO): We have not appointed a DPO, as we currently do not meet the threshold under § 38 BDSG. You can contact us about any data-protection matter at [email protected].
2. Data we process
- You provide: name, email, optional phone, date of birth, address, profile attributes (gender, optional nationality, optional LinkedIn, salary expectation, start date, U.S. work-permit status, driver’s-licence status, protected-veteran status, U.S. security-clearance status, willingness to relocate for a job), resumes, cover letters, certificates, work history, education, skills, preferences, feedback.
- Special-category (Art. 9 GDPR), all optional: race / ethnic origin, disability or chronic-illness status, nationality. Collected only to fill employer EEO forms; never used for matching, ranking or AI training.
- Application credentials (employee-assisted plans only): email-account password, AES-256 encrypted, used only by authorised employees to send applications. Revocable any time.
- Automatic: IP, IP-derived approximate location, user agent, device/browser identifiers, language, page views, click events, errors, server logs (may include your email + request IDs).
- Inferred: match scores, AI-generated notes, application history.
- Payment: Stripe customer ID, plan, status, billing dates. We do not store card numbers.
3. Special-category data (Art. 9 GDPR)
Some onboarding fields are categories of personal data given special protection under Art. 9 GDPR:
- Race / ethnic origin – optional, you may select “prefer not to disclose”.
- Disability or chronic-illness status – optional, you may select “prefer not to disclose”.
- Nationality – optional, you may select “prefer not to disclose”; we treat this as potentially revealing of ethnic origin.
We collect these fields only because some employer application forms (in particular U.S. equal-employment-opportunity questionnaires) request them. We do not use these fields for any automated decision, ranking or matching, and we never use them to train external AI models.
You are not obliged to provide these fields. Selecting “prefer not to disclose” does not affect access to the service. If you have already provided this information and would like it removed from your profile, please contact [email protected]; we will delete the values within 30 days.
In addition, your uploaded documents (resume, cover letter, certificates) may incidentally contain Art. 9 information that you have chosen to include. We process such information only to provide the service.
The safest course is to select “prefer not to disclose” on these fields if you do not wish them stored.
4. Legal basis for processing
| Processing activity | Legal basis |
|---|---|
| Operating your account; storing profile, resume, and search-request data; submitting applications on your behalf | Performance of contract – Art. 6(1)(b) GDPR |
| Processing payments and managing subscriptions | Performance of contract – Art. 6(1)(b) GDPR |
| Issuing invoices, retaining records for tax and accounting purposes | Legal obligation – Art. 6(1)(c) GDPR (§§ 147, 257 HGB / AO) |
| Storing race / ethnic origin, disability status, nationality (Art. 9 categories) | Explicit consent – Art. 9(2)(a) GDPR. You can withdraw this consent at any time by emailing us; withdrawal does not affect the lawfulness of past processing. |
| Error monitoring (Sentry), application logging, security and fraud prevention | Legitimate interest – Art. 6(1)(f) GDPR. Our legitimate interest is in keeping the service available, secure and free of abuse. |
| Web analytics (Google Analytics) and similar non-essential cookies / trackers | Consent – Art. 6(1)(a) GDPR and § 25(1) TTDSG. You can manage and revoke this consent through the cookie settings in your browser; we are deploying an in-app consent banner (see Section 8). |
| Sending transactional emails (sign-in codes, application updates) | Performance of contract – Art. 6(1)(b) GDPR |
5. AI processing
We use OpenAI LLMs to analyze resumes, score profile-vs-job similarity, and generate match notes. A human reviews and authorises every application before it is sent. Training-on-input is disabled at the provider.
6. Sub-processors
Sharing is limited to sub-processors bound by an Art. 28 GDPR DPA:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe Payments Europe Ltd. | Payments | Ireland |
| OpenAI Ireland / OpenAI L.L.C. | LLM parsing, matching | Ireland; possible U.S. |
| Backblaze, Inc. | Resume/document storage | U.S. |
| Resend, Inc. | Transactional email | U.S. |
| Google Ireland Ltd. | Sign in with Google; address autocomplete | Ireland; possible U.S. |
| Google Analytics 4 | Analytics — only with consent | Ireland; possible U.S. |
| Sentry (Functional Software, Inc.) | Error monitoring | U.S. |
| Better Stack (Logtail) | Application logs | EU |
| Sanity.io | Blog CMS/CDN | U.S./EU |
| Cloudflare, Inc. | Marketing media hosting | Global edge |
We may disclose data to public authorities when legally required. We do not sell your data and do not share it for cross-context behavioural advertising.
7. International transfers
For U.S. transfers we rely on the EU–U.S. Data Privacy Framework adequacy decision (Decision (EU) 2023/1795) where the recipient is certified, otherwise on the EU Standard Contractual Clauses (Decision (EU) 2021/914), supplemented by encryption, access controls and contractual confidentiality.
8. Cookies
For a full list of the cookies we set, their purpose, and how to manage them, see our Cookie Policy.
9. Retention
- Account, profile, resumes, search/application history: lifetime of account + up to 30 days, then deleted or anonymised.
- Support messages: lifetime of account + up to 12 months.
- Logs & errors: 30 days at Better Stack, 90 days at Sentry.
- Invoices and tax records: 10 years (§§ 147, 257 HGB / AO).
- Special-category data: with the rest of the account, or earlier on consent withdrawal.
10. Your rights
Under the GDPR you may: access (Art. 15), rectify (Art. 16), erase (Art. 17), restrict (Art. 18), port (Art. 20), object (Art. 21), withdraw consent (Art. 7(3)), and complain to a supervisory authority. Email [email protected] — we respond within 30 days and may verify your identity (e.g., reply from the email on file).
Lead authority:
LDI NRW — Kavalleriestraße 2–4, 40213 Düsseldorf, Germany · [email protected] · www.ldi.nrw.de
You may also contact the authority of the EU member state where you reside, work, or believe a violation occurred.
11. Security
AES-256 at-rest encryption for selected sensitive fields (PBKDF2-derived keys with rotation); TLS in transit; least-privilege access controls; OAuth 2.0 / OTP auth with JWT sessions; periodic review of sub-processors and dependencies. No method is 100% secure. We will notify the supervisory authority within 72 hours of any breach likely to risk your rights, and you directly where required (Arts. 33 & 34 GDPR).
12. Children, updates, contact
The Service is for users 18+. We may update this policy and will notify you of material changes (and request renewed consent where law requires). Questions or rights requests: [email protected] · postal address in Impressum.