Your Data, Your Control: Privacy, Security, and GDPR Compliance
Learn how preparAItor protects your personal data with AES-256 encryption, Swiss-built operations, European data centres, strict GDPR compliance, and a zero-data-selling policy. Your job application data stays yours.
Author: preparAItor Team
When you upload your CV and generate application documents, you are trusting a platform with some of your most sensitive personal information: your career history, your contact details, your professional ambitions. At preparAItor, we take that trust seriously. Here is exactly how we protect your data, what rights you have, and why privacy is not just a feature but a foundational principle.
TL;DR - Quick Summary
Quick Summary:
- User data stored in European data centres
- AES-256-GCM encryption at rest with unique keys per document and Google Cloud KMS key management
- TLS 1.3 encryption in transit with no unencrypted data transmission
- Generated files are encrypted at rest and only decrypted via short-lived download links
- Your data is never sold to third parties and never used to train AI models
- Full GDPR compliance with rights to access, rectify, erase, restrict, port, and object
- No advertising cookies, no Facebook Pixel, no Google Ads tracking, no retargeting
- Account deletion is immediate and irreversible once confirmed
Where Your Data Lives: Built in Switzerland, Hosted in European Data Centres
One of the first questions privacy-conscious users ask is: where does my data physically reside? The answer matters because data residency determines which legal frameworks govern how your information is handled.
Data Residency at a Glance
preparAItor stores user data in European data centres. The product is Swiss-built, but the current public docs intentionally do not publish provider-level region or city details. The important point for users is the legal one: your data stays under European data-protection jurisdiction rather than being scattered across unknown global regions.
Why Switzerland Matters
Switzerland has some of the strongest data protection laws in the world. By hosting primary infrastructure in Zurich, preparAItor ensures your data benefits from both Swiss federal data protection legislation and the broader European privacy framework. This is not a marketing choice -- it is a deliberate architectural decision to provide the highest standard of data governance.
Payment Data: Handled by Stripe
Your payment information never touches preparAItor servers. All payment processing is handled by Stripe, which holds PCI DSS Level 1 certification -- the highest level of payment security compliance available. Credit card numbers, billing details, and transaction data are managed entirely within Stripe's certified environment.
Encryption: Protecting Data at Rest and in Transit
Encryption is the technical backbone of data protection. preparAItor implements encryption at every layer.
Encryption at Rest: AES-256-GCM
Every piece of sensitive data stored on our servers is encrypted using AES-256-GCM, the same encryption standard used by governments and financial institutions worldwide.
How Key Management Works
Each CV section and generated document is encrypted with its own unique Data Encryption Key (DEK). These DEKs are then wrapped (encrypted themselves) using Google Cloud KMS with a 10-key sharding approach. This means that even in the extremely unlikely event of a single key compromise, only a fraction of data would be affected.
Here is what this means in practice:
- Every document gets its own encryption key. Your cover letter and your interview preparation document each have separate DEKs.
- Keys are managed by Google Cloud KMS. The key management system is a dedicated, hardened service -- encryption keys never exist in plaintext on application servers.
- 10-key sharding distributes risk. Rather than relying on a single master key, the system shards across 10 keys, limiting the blast radius of any theoretical compromise.
Encryption in Transit: TLS 1.3
All data moving between your browser and preparAItor servers is protected by HTTPS with TLS 1.3, the latest and most secure transport layer protocol. There is no unencrypted data transmission at any point.
This covers:
- CV uploads from your browser to our servers
- Generated documents downloaded to your device
- API calls between frontend and backend services
- Cloud storage synchronization (Google Drive, OneDrive)
Generated Files: Encrypted With Short-Lived Download Links
Generated documents (PDF documents, Editable Word documents, Plain-text documents) are encrypted at rest using AES-256-GCM with unique Data Encryption Keys, just like your CV data. When you request a download, the file is decrypted on-demand and a short-lived, time-limited download URL is generated. Once the link expires, the decrypted file is no longer accessible — a fresh download request is required. This minimizes the window during which decrypted content exists outside of encrypted storage.
Password Security
Your account password is never stored in plaintext. Email/password authentication is handled by Firebase Auth, which uses modified scrypt rather than bcrypt for password hashing.
Breach Database Checking
Passwords are checked against known breach databases during account creation and password changes. If your chosen password has appeared in a known data breach, you will be prompted to choose a different one, protecting you from credential-stuffing attacks.
Your Data Is Never Sold and Never Used for Training
This is a straightforward commitment with no caveats:
- Your data is not sold to third parties. preparAItor's revenue comes exclusively from subscriptions and credits. There is no secondary data monetization.
- Your data is not used to train AI models. The documents you generate and the CV data you upload are not fed back into any machine learning training pipeline. Business API tiers include explicit no-training clauses.
No Hidden Data Monetization
Unlike many platforms that offer "free" services funded by data brokerage, preparAItor operates on a transparent subscription model. You are the customer, not the product.
GDPR Compliance: Your Rights in Full
preparAItor is fully compliant with the General Data Protection Regulation (GDPR). Here are your specific rights and how to exercise them.
Right of Access
You can request a complete copy of all personal data we hold about you. Requests are fulfilled within 30 days.
Right to Rectification
If any of your stored data is inaccurate or incomplete, you can request corrections at any time.
Right to Erasure
You can request deletion of your personal data. In the product itself, account deletion is a self-service, immediate, irreversible action once you confirm it.
Right to Restriction
You can request that we limit the processing of your data while disputes or concerns are being resolved.
Right to Data Portability
You can request an export of your data in a portable format via a support request, allowing you to transfer your information to another service.
Right to Object
You can object to certain types of data processing, including processing based on legitimate interest.
Right to Withdraw Consent
Where processing is based on your consent, you can withdraw that consent at any time without affecting the lawfulness of prior processing.
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority if you believe your data rights have been violated.
Contact for Data Requests
All GDPR-related requests can be directed to admin@preparaitor.ch. The team is committed to responding promptly and transparently.
Data Retention: You Control the Timeline
preparAItor gives you direct control over how long your data is stored.
Configurable Retention Periods
Retention is split by data type. Generation history supports 1, 7, or 30 days (default 30). Interview sessions support 30, 90, or 180 days (default 90). Application Tracker entries are kept for 365 days from when they enter the tracker.
Account Deletion
When you delete your account, personal application data is removed immediately. Billing records are retained only where tax or accounting law requires it.
Legal Retention Requirements
The one exception to user-controlled deletion is billing records, which are retained for 7 years as required by law. This applies only to financial transaction records, not to your CV content or generated documents.
Cloud Storage Integration: Minimal Permissions
preparAItor offers optional integration with Google Drive and OneDrive for saving generated documents. These integrations are designed with the principle of least privilege.
App Folder Only
Cloud storage connections use OAuth 2.0 with limited scope -- preparAItor can only access its own app-specific folder. It has no access to your personal files, photos, or other documents stored in your cloud drive.
This means:
- preparAItor creates a dedicated folder in your cloud storage
- Only files within that folder are accessible to the application
- Your personal documents, photos, and other files remain completely private
- You can revoke access at any time through your cloud provider's settings
Cookies: Minimal and Transparent
preparAItor takes a restrained approach to cookies.
Essential Cookies
These are always active because they are necessary for the application to function. They handle session management, authentication state, and basic functionality.
Analytics Cookies
There are no analytics cookies in the current product.
Marketing Cookies
There are no marketing cookies in the current product.
What We Do Not Use
This is just as important as what we do use:
- No advertising cookies
- No Facebook Pixel
- No Google Ads tracking
- No retargeting of any kind
No Surveillance Advertising
preparAItor does not participate in the ad-tech ecosystem. Your browsing behavior on our platform is never shared with advertising networks, and you will never see preparAItor retargeting ads following you across the internet.
Multi-Layer Security Architecture
Beyond encryption, preparAItor employs several additional security measures to protect your account and data.
Rate Limiting
All API endpoints are protected by rate limiting, preventing automated attacks and abuse. Requests that exceed reasonable thresholds are throttled.
Account Lockout
After a defined number of failed login attempts, accounts are temporarily locked to prevent brute-force password attacks.
Anomaly Detection
The system monitors for unusual patterns of access or behavior that might indicate unauthorized use of your account.
Session Management
Active sessions are tracked and managed. You can review and terminate active sessions, and sessions expire automatically after periods of inactivity.
Putting It All Together
Privacy and security at preparAItor are not afterthoughts or checkbox exercises. They are architectural decisions made at every level of the platform:
| Layer | Protection |
|---|---|
| Infrastructure | Built in Switzerland, hosted in European data centres |
| Storage | AES-256-GCM with unique DEKs and Cloud KMS |
| Downloads | Short-lived, time-limited download URLs for decrypted files |
| Transport | TLS 1.3, no unencrypted transmission |
| Authentication | Firebase Auth with modified scrypt, breach database checking |
| Payments | Stripe PCI DSS Level 1, no card data on our servers |
| Cloud Storage | OAuth 2.0; Google Drive is limited to app-created files, and OneDrive uses a broader scope but the app writes only inside preparAItor.ch/ |
| Cookies | Essential only by default, no ad tracking |
| Data Policy | No selling, no AI training, user-controlled retention |
| Compliance | Full GDPR with all eight data subject rights |
| Account Security | Rate limiting, lockout, anomaly detection, session management |
Frequently Asked Questions
Can I see exactly what data you have on me?
Yes. Under your Right of Access, you can request a full export of all personal data within 30 days by contacting admin@preparaitor.ch.
What happens to my data if I cancel my subscription?
Your data remains accessible according to the retention rules for each feature. If you delete your account, personal application data is removed immediately.
Do you share data with AI providers for model training?
No. Your data is not used to train AI models. Business API tiers include explicit no-training clauses.
How fast can you delete my data?
Account deletion inside the app is immediate once confirmed. Other formal privacy requests are handled through support.
Final Thoughts
Choosing a job application platform means choosing who to trust with your professional identity. At preparAItor, that trust is earned through transparent policies, strong encryption, minimal data collection, Swiss-built and EU-hosted infrastructure, and full compliance with European privacy law.
Your data belongs to you. We are here to help you use it effectively in your job search -- not to monetize it, not to train models with it, and not to share it with advertisers. That is the commitment, and it is built into every layer of the platform.
For any privacy or security questions, reach out to admin@preparaitor.ch.
Tags
About the Author
preparAItor Team is a career expert at preparAItor, helping thousands of job seekers land their dream positions through AI-powered tools and strategies.
Ready to Transform Your Job Search?
Use AI to create perfect, personalized job applications