Legal
Privacy Policy
- We use your data to run your private job-search workspace.
- We do not sell personal data or use advertising or cross-site tracking.
- Your CV is optional. We store extracted text, not the original PDF.
- Some matching features send relevant text to the AI providers listed below.
1. Controller and contact
The controller under Art. 4(7) GDPR is:
Aleksandra Kurzewska
Berlin
Germany
Email: privacy@kugiro.com
2. Scope of this policy
This policy applies to the Kugiro website, beta access requests, user accounts, personalized job scans, CV analysis, job tracking, and related service emails. Kugiro is currently an invite-only beta.
3. Data, purposes, and legal bases
| Data | Purpose | Legal basis |
|---|---|---|
| Beta request email and invitation status | Reviewing your request, preventing duplicates, and sending an invitation | Steps at your request before entering a contract, Art. 6(1)(b) GDPR |
| Email, display name, language, and account settings | Authentication, account administration, and service communication | Performance of the service contract, Art. 6(1)(b) GDPR |
| Search profiles, including roles, keywords, locations, filters, exclusions, and salary expectations | Running, filtering, and ranking personalized job scans | Performance of the service contract, Art. 6(1)(b) GDPR |
| CV text and profile information extracted from a CV | Creating profile suggestions and improving match relevance | Performance of the optional CV feature you request, Art. 6(1)(b) GDPR |
| Saved jobs, statuses, reviews, ratings, and notes | Providing your job-tracking workspace and adapting future rankings | Performance of the service contract, Art. 6(1)(b) GDPR |
| Digest preference, delivery status, and digest content | Sending the optional job digest you enable and monitoring delivery | Performance of the requested feature, Art. 6(1)(b) GDPR |
| IP address, request time, user agent, error, and security logs | Delivering the site, troubleshooting, security, and abuse prevention | Our legitimate interests in a secure and reliable service, Art. 6(1)(f) GDPR |
| Messages sent to our contact or privacy addresses | Responding to your request and documenting its handling | Art. 6(1)(b), (c), or (f) GDPR, depending on the request |
Your email address is required to request access and use an account. The search criteria marked as required are needed to run a useful scan. A CV, notes, salary expectations, and the email digest are optional. Without required account data, we cannot provide the relevant service.
4. CVs and sensitive information
CV upload is optional. We extract text for the purposes above and do not retain the original uploaded PDF. Please do not include information that is unnecessary for job matching, especially health information, religious beliefs, trade-union membership, or other special-category data under Art. 9 GDPR. You can replace or remove the extracted CV data in Settings at any time.
5. Cookies and local preferences
We do not use analytics, advertising, or cross-site tracking cookies. We use the following storage only to authenticate you or provide a function you requested, in accordance with Section 25(2) TDDDG:
| Name | Purpose | Typical duration |
|---|---|---|
| Supabase authentication cookies | Secure session and sign-in | Session-dependent |
| profile | Remembers the last selected search profile | 1 year |
| lang | Remembers your language choice | 1 year |
| sidebar | Remembers your sidebar preference | 1 year |
| cookie_notice | Remembers that the information notice was closed | 1 year |
If we add non-essential analytics or marketing technology, we will request consent first.
6. Job listing sources
Kugiro reads publicly accessible job postings from sources such as LinkedIn, Bundesagentur für Arbeit, and employer career sites using Greenhouse. Listings can include business contact information published by an employer. We use listing data to find and rank roles, not to create profiles of the people named in a posting. The original provider remains responsible for its website and posting.
7. AI-assisted processing
AI services help extract structured CV information, assess job relevance, and suggest keywords. Depending on the enabled feature, CV text, search criteria, profile summaries, and job descriptions may be sent to Groq or OpenAI through their business APIs. We minimize the text sent to what the feature needs. Details are in our service provider list.
Scores and suggestions support your own job-search decisions. Kugiro does not make decisions that produce legal or similarly significant effects about you solely by automated means within Art. 22 GDPR.
8. Recipients and international transfers
We do not sell your data. Data is disclosed only to hosting, database, authentication, email, and AI providers where needed to operate the service, and to email forwarding or mailbox providers when you contact us. Where required, processors are bound by an agreement under Art. 28 GDPR. Providers may process data outside the EU/EEA. Depending on the provider, transfers rely on an adequacy decision, the EU-US Data Privacy Framework, EU Standard Contractual Clauses, or another safeguard under Chapter V GDPR. See the current provider list.
9. Retention and deletion
- Beta requests are kept until they are accepted, declined, withdrawn, or no longer needed for the beta; unhandled requests are reviewed for deletion after 12 months.
- Account, search, job, scan, review, and delivery data is kept while your account exists and deleted from the active database when you delete the account, unless law requires longer retention.
- Extracted CV data is kept until you replace or remove it, or delete the account.
- AI API providers may retain abuse-monitoring logs for up to 30 days under their standard API settings, unless a stricter retention setting applies.
- Technical and email delivery logs are retained according to the configured provider plan and only as long as needed for security, troubleshooting, or proof of delivery.
- Residual copies in protected backups are removed when the provider backup cycle expires.
10. Security
We use measures appropriate to the risk, including passwordless authentication, access controls, encrypted transport, row-level access rules, and restricted administrative credentials. No online service can guarantee absolute security.
11. Your rights
Subject to the legal conditions, you have rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and objection to processing based on legitimate interests (Art. 21 GDPR). Settings provides a machine-readable export of your core workspace data; you may contact us for a complete rights request. Where processing is based on consent, you may withdraw it at any time without affecting earlier lawful processing.
Contact privacy@kugiro.com to exercise a right.
12. Complaint
You may complain to any competent data protection authority, in particular the authority where you live or work. Our lead local authority is the Berliner Beauftragte für Datenschutz und Informationsfreiheit.
13. Changes to this policy
We update the date above when this policy changes and will give appropriate notice of material changes.