Back to home
Draft — not yet legally in effect. This policy is being finalized and reviewed; it is not the binding privacy notice until published.

Privacy Policy

Version 2026-06-03 · Effective: [[EFFECTIVE_DATE]]

NextStage AI respects your privacy and protects your personal data in accordance with the EU General Data Protection Regulation (GDPR).

1

Data Controller

The controller responsible for your personal data is [[CONTROLLER_NAME]] ([[CONTROLLER_LEGAL_FORM]]), [[CONTROLLER_ADDRESS]], company number [[CONTROLLER_KBO_BCE]]. For any privacy question or to exercise your rights, contact us at [[CONTROLLER_CONTACT_EMAIL]].

2

Data We Collect

We collect and process the following categories of personal data:

  • Account data: your email address and name, provided at sign-up.
  • CV and profile data: the text and files of your CV, work experience, education, skills, and target roles. CVs may contain special-category data (see "Special-Category Data in Your CV").
  • Usage and technical data: limited diagnostic and error data needed to operate and secure the service.
  • Cookies: essential session and authentication cookies only (see "Cookies").
3

How We Use Your Data and Our Legal Bases

We process your personal data for the following purposes, each with a legal basis under the GDPR:

  • Providing your account and authenticating you — performance of our contract with you (Art. 6(1)(b)).
  • Storing your CV and powering AI features (CV analysis, tailoring, job intelligence, interview preparation) — performance of our contract (Art. 6(1)(b)); special-category content within your CV is processed only with your explicit consent (Art. 9(2)(a)).
  • Matching and scoring jobs against your profile — performance of our contract and our legitimate interest in providing relevant results (Art. 6(1)(b), 6(1)(f)).
  • Security, abuse prevention, and error monitoring — our legitimate interest in a safe, reliable service (Art. 6(1)(f)).
  • Measuring product usage to understand and improve the core experience, using privacy-friendly cookieless analytics — our legitimate interest in operating and improving the service (Art. 6(1)(f)).
  • Job-alert emails — your consent, which you may withdraw at any time.
4

Special-Category Data in Your CV

A CV can reveal sensitive ("special-category") information such as health, religion or belief, trade-union membership, or ethnic origin. We process such data only where you have given explicit consent at the point of CV upload. You may withdraw this consent at any time by deleting your CV or your account, or by contacting us; withdrawal stops further processing and does not affect processing already carried out.

5

Service Providers and Recipients

We share personal data only with the processors listed below, each bound by a data processing agreement. We do not sell your data, and your data is never used to train public AI models. We source job listings from public job boards and company career pages; this sourcing fetches public listings only and does not send these providers any of your personal data.

ProviderPurposeLocationSafeguard
SupabaseDatabase, authentication, and CV file storageEuropean Union — Frankfurt, GermanyWithin the EEA — no international transfer; Supabase DPA
Anthropic, PBCAI features (CV tailoring, job intelligence, interview preparation)United StatesAnthropic DPA + EU Standard Contractual Clauses; API inputs not used to train models
OpenAI, L.L.C.AI features (CV analysis, application tailoring)United StatesOpenAI DPA + EU Standard Contractual Clauses; API inputs not used to train models
Vercel Inc.Application hosting, serverless/edge compute, request logsUnited States (global edge)Vercel DPA + EU Standard Contractual Clauses
Functional Software, Inc. (Sentry)Error and performance monitoringUnited StatesSentry DPA + EU Standard Contractual Clauses
PostHogProduct analytics (activation-funnel measurement)European Union — Frankfurt, GermanyWithin the EEA — no international transfer; PostHog DPA
6

Where Your Data Is Stored and International Transfers

Your account data and CV files are stored within the European Union (Supabase, Frankfurt, Germany) and do not leave the EEA at rest. To provide AI features, hosting, and error monitoring, limited data is transferred to providers in the United States (Anthropic, OpenAI, Vercel, Sentry). Each such transfer is protected by that provider's data processing agreement and the EU Standard Contractual Clauses.

7

How Long We Keep Your Data

We keep your account and CV data until you delete your account, or after 24 months of account inactivity, whichever comes first. Error and diagnostic logs are retained for 90 days. When you delete your account, your data — including stored CV files — is permanently erased.

8

Your Rights

Under the GDPR you have the right to:

  • access the personal data we hold about you;
  • rectify inaccurate or incomplete data;
  • erase your data ("right to be forgotten") — you can delete your account and all associated data at any time from your profile settings;
  • restrict processing in certain circumstances (Art. 18);
  • object to certain processing, including processing based on our legitimate interests (Art. 21);
  • data portability — receive your data in a portable format;
  • withdraw consent at any time where processing is based on consent;
  • not be subject to solely automated decisions producing legal or similarly significant effects (we do not carry out such decision-making — see "Automated Processing");
  • lodge a complaint with your supervisory authority — in Belgium, the Gegevensbeschermingsautoriteit / Autorité de protection des données (www.gegevensbeschermingsautoriteit.be).

To exercise any right, use the controls in your account or contact us at [[CONTROLLER_CONTACT_EMAIL]].

9

Automated Processing

We use automated processing to score and rank how well jobs match your profile, based on the overlap between your CV and each job's requirements. This helps you find relevant roles but does not make decisions that produce legal or similarly significant effects about you — you decide which jobs to pursue. We do not carry out automated decision-making within the meaning of Article 22 GDPR.

10

Cookies

We use only essential cookies required to sign you in and keep your session secure. We do not use advertising or cross-site tracking cookies. For product analytics we use a privacy-friendly, EU-hosted tool (PostHog) configured without tracking cookies — analytics data is held in memory for the duration of your visit only and is not stored on your device.

11

How We Protect Your Data

Your data is stored in the EU with strict per-user access controls (row-level security) so that your data is private to your account and inaccessible to other users. Account deletion permanently and completely erases your data across our systems.

12

Changes to This Policy

We may update this policy as our service evolves. We will post the updated version here with a new version number and effective date, and notify you of material changes.

NextStage AI · Belgium · GDPR compliant · nextstageai.eu