Privacy Policy
Last updated: April 26, 2026
Privacy Policy v1.2.0
Data Controller: CHW-Services · Website: preparaitor.ch
Legally binding version
The German version of this document is the legally authoritative text. Translations into other languages are provided for convenience only; in case of any conflict or discrepancy, the German version prevails.
1. Introduction
Welcome to preparAItor (“Service”), operated by CHW-Services (“Company,” “we,” “us,” or “our”). We are committed to protecting your personal information and your right to privacy in accordance with the Swiss Federal Data Protection Act (FADP), the EU General Data Protection Regulation (GDPR), and the EU Artificial Intelligence Act (Regulation (EU) 2024/1689).
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. If you do not agree with this privacy policy, please do not access the Service.
Data Controller: CHW-Services acts as the data controller for all personal data processed through the preparAItor Service. This means we determine the purposes and means of processing your personal data. Our sub-processors (listed at Sub-processors) act as data processors on our behalf, processing data only according to our documented instructions.
2. Information We Collect
2.1 Personal Information You Provide
Account Registration:
- Email address (required)
- Password (encrypted)
- Display name
- First and last name
- Language and timezone preferences
- Age confirmation
- Terms of Service acceptance
Profile Information:
- Professional summary
- Contact information (phone, LinkedIn, GitHub, portfolio URLs)
- Location information (city, country, postal code)
User Preferences:
- Theme preference (light/dark)
- UI language and document generation language (EN, DE, FR, IT)
- Document tone preference (formal, confident, friendly)
- Swiss orthography preference (ss vs ß)
- Data retention period preferences (generation history: 1, 7, or 30 days; interview sessions: 30, 90, or 180 days; application tracker entries are kept for 365 days)
- Email and in-app notification preferences
- Bulk download format preferences (PDF documents, Editable Word documents, Plain-text documents)
CV/Resume Data:
- Employment history (companies, positions, dates, descriptions)
- Educational background (institutions, degrees, fields of study, dates)
- Skills and competencies (hard and soft skills)
- Projects and achievements
- Languages and proficiency levels
- References (if provided)
- Raw text extracted from CV analysis
- File metadata (name, type, size, upload date, analyzer version)
Job Application Data:
- Job titles and descriptions
- Company information
- Application requirements
- Application deadlines
Interview Practice Data:
- Interview session transcripts (encrypted at rest)
- AI-generated interview questions and candidate responses
- Voice interview audio (transient): when you use the voice interview feature, your microphone audio is streamed to Google Vertex AI for real-time speech recognition and is not stored — only the resulting encrypted transcript is retained
- Session metadata and timing
Payment Information:
- Stripe customer ID
- Subscription details
- Transaction history
- Billing address (if provided)
- Note: We do not store credit card numbers or banking information directly
Cloud Sync Preferences:
- Google Drive connection status and OAuth tokens (encrypted)
- OneDrive connection status and OAuth tokens (encrypted)
2.2 Information Automatically Collected
Device and Browser Information:
- IP address, browser type and version, screen resolution, operating system
- Language preferences, time zone, cookie and JavaScript status
- Device/browser fingerprint (a hashed visitor ID combining canvas, audio, font, timezone and similar browser-API signals) — computed locally in your browser using the open-source FingerprintJS library and used solely to detect multi-account abuse at signup
- WebGL support — for compatibility checking
- Touch capability — for UI optimization
Legal Basis: Legitimate interest (Art. 6(1)(f) GDPR / Art. 31(1)(c) FADP) in preventing fraud, abuse of free credits, and ensuring service compatibility. The device fingerprint is computed entirely in your browser and is not transmitted to any third party — only the resulting hashed visitor ID is sent to our servers, where it is used to detect multiple account creations from the same browser.
Usage Information:
- Pages visited, features used, generation history
- Click patterns, form interaction timing, session duration
- Error logs
Authentication & Security:
- Login timestamps, last activity time, security events
- reCAPTCHA assessments, App Check tokens
Cookie Notice Acknowledgement:
- Notice version, acknowledgement timestamp, and ID (UUID)
- Stored in browser localStorage only, to avoid re-showing the notice on every visit
2.3 Information from Third Parties
OAuth Providers (Google): Email address, display name, profile photo URL.
OAuth Providers (Microsoft): Email address, display name, OneDrive access permissions.
Payment Processor (Stripe): Payment confirmation, subscription status, transaction details.
3. How We Use Your Information
3.1 Service Provision (Legal Basis: Contract Performance)
- Create and manage your account
- Process your CV and job information through AI systems
- Generate customized application documents using AI
- Store your documents and templates
- Track your usage and credits
- Perform web searches to enrich company information
- Conduct interview practice sessions with AI-generated questions
3.2 Service Improvement (Legal Basis: Legitimate Interest)
- Analyze usage patterns
- Improve AI model accuracy (using anonymized data only)
- Develop new features, fix bugs, optimize performance
3.3 AI Processing
We use artificial intelligence (Google Gemini models via Vertex AI on Google Cloud) to:
- Process and analyze your CV and job descriptions
- Generate customized application documents
- Perform web searches to enrich company information
- Extract relevant information from job postings
- Generate interview practice questions tailored to job requirements
- Analyze candidate responses during interview practice sessions
Important: AI processing involves automated content generation. You have the right to request human review of AI-generated content (see section 12.3). Google does not use your data submitted through Vertex AI to train its foundation models, as confirmed in the Google Cloud Data Processing Addendum.
3.4 EU AI Act Transparency (Regulation (EU) 2024/1689, Article 50)
In compliance with the EU Artificial Intelligence Act, we disclose the following:
- AI system purpose: preparAItor uses AI to generate job application documents (cover letters, emails, interview Q&A, job summaries) and to conduct AI-powered interview practice sessions based on user-provided CV data and job descriptions.
- AI provider and models: We use Google Gemini models accessed via the Vertex AI API (Google Cloud). AI processing takes place in europe-west3 (Frankfurt, Germany).
- AI-generated content: All documents generated by our Service are produced by AI and are clearly labeled as such within the application interface. Users are responsible for reviewing and editing AI-generated content before submitting it to prospective employers.
- Human oversight: Our AI system is a decision-support tool. It does not make autonomous hiring decisions or replace human judgment. You retain full control over whether to use, modify, or discard any AI-generated output.
- Risk classification: preparAItor is not classified as a high-risk AI system under Annex III of the EU AI Act. It is a user-facing productivity tool that assists with document drafting; it does not perform recruitment, candidate screening, or automated filtering on behalf of employers.
- Limitations: AI-generated content may contain inaccuracies, contextual misinterpretations, or outdated information from web searches. See our Terms of Service section 10.1 for full disclaimers.
3.5 Communication
- Send service-related emails (account confirmation, password reset, document ready notifications)
- Notify about account activity
- Provide customer support
- Send billing notifications
- Alert about security issues
3.6 Business Operations
- Process payments, prevent fraud and abuse
- Enforce our Terms of Service
- Comply with legal obligations
3.7 Marketing (with consent)
- Send promotional emails, inform about new features
- Share tips and best practices, conduct user surveys
4. How We Share Your Information
4.1 Service Providers
Firebase (Google): User authentication, database storage (Firestore), file storage (Cloud Storage), App Check. preparAItor does not use Firebase Analytics or Firebase Performance Monitoring. Location: europe-west6 (Zurich, Switzerland).
Google Vertex AI (Google Cloud): Document generation using Google Gemini models, content analysis, web search for company enrichment (grounding), interview question generation and response analysis. Location: europe-west3 (Frankfurt, Germany). Google does not use your data to train its AI models. Under the Google Cloud Data Processing Addendum and the Vertex AI Service Specific Terms, customer data submitted via the Vertex AI API is not used by Google to improve or train Google’s foundation models. Personal identifiers (name, email, phone, address) are stripped or minimized before data is sent to the AI API.
Google Cloud KMS: Field-level encryption of sensitive personal data (CV content, OAuth tokens). Location: europe-west6 (Zurich, Switzerland).
Google Drive: Cloud file synchronization for generated documents (only when explicitly enabled by user).
Microsoft OneDrive: Cloud file synchronization for generated documents (only when explicitly enabled by user).
Stripe: Payment processing, subscription management, customer portal access, transaction records. Stripe acts as an independent data controller for payment data it processes.
Brevo (formerly Sendinblue): Transactional email delivery (account confirmation, password reset, billing reminders). Marketing emails only with explicit consent. No CV or document content is sent via email.
reCAPTCHA (Google): Bot detection and security assessment.
4.2 Legal Requirements
We may disclose your information if required by law, including court orders, government requests, law enforcement requirements, and legal proceedings.
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
4.4 Aggregated Information
We may share aggregated, anonymized information that cannot identify you with third parties for research or service-improvement purposes.
4.5 Your Consent
We may share your information with your explicit consent for specific purposes.
5. Data Security
5.1 Security Measures
- HTTPS / TLS encryption for all data transmission (HSTS enforced)
- Field-level encryption using AES-256-GCM for sensitive personal data (CV content, OAuth tokens), with encryption keys managed by Google Cloud KMS
- Firebase Authentication for secure password handling and session management
- Firebase security rules with role-based access control
- Firebase App Check API protection enforced via reCAPTCHA Enterprise
- OAuth tokens encrypted at rest (AES-256-GCM) with user-bound authenticated data
- Strict Content Security Policy and browser security headers, including an explicit frame-ancestors allowlist and X-Content-Type-Options
- Regular security audits
- Geographic restrictions to European data centers where possible
- Encryption at rest in all data centers
- Rate limiting and anti-abuse protections on all API endpoints
5.2 Data Breach Response
In the event of a data breach:
- We will notify affected users within 72 hours via email
- We will notify the Swiss FDPIC within 72 hours
- We will notify relevant EU supervisory authorities if EU residents are affected
- We will document the breach and take immediate steps to minimize harm
6. Data Retention
6.1 User-Configurable Retention
- Generation history (cover letters, emails, generated documents): 1, 7, or 30 days — default 30 days, capped at 30 days
- Interview sessions (transcripts, summaries): 30, 90, or 180 days — default 90 days, capped at 180 days
- Application tracker entries: fixed 365-day retention from import (not user-configurable)
- Temporary upload blobs (raw CV/job PDFs): deleted within minutes of processing; in any case removed within 1 hour by an automated sweep and within 1 day by storage lifecycle rules
- Automatic deletion after the configured period
- You can change generation-history and interview-session retention at any time in your account preferences
6.2 Fixed Retention Periods
- Consent records: 3 years (for GDPR/FADP compliance proof of consent)
- Security logs: 180 days
- Email logs: 90 days
- Deletion audit records: 30 days (no personal content; retained for anti-abuse and compliance purposes)
- Anti-abuse records: 30 days
- Error logs: 30 days
- Pending checkout sessions: automatically cleaned up after expiration
- Payment records: transaction metadata retained by our payment processor (Stripe) per their retention policies
6.3 Account Deletion
You can delete your account at any time through your account settings. Deletion requires multi-language confirmation (typing “DELETE”, “LÖSCHEN”, “ELIMINA”, or “SUPPRIMER”). Deletion is immediate and irreversible — there is no grace period and no recovery window. When you confirm:
- All personal information is permanently deleted right away (account, CVs, parsed jobs, generated documents, tracker entries, interview sessions, summaries, custom templates)
- Active Stripe subscriptions are cancelled as part of the same flow, so no further charges will occur
- A deletion confirmation email is sent
- A deletion audit record (no personal content — just a record that a deletion happened) is retained for 30 days for anti-abuse and compliance purposes
- Billing records and transaction metadata held by Stripe are retained per their policies and applicable tax law
- Anonymized, aggregated usage data may be retained for service improvement
- Files already synced to your own Google Drive or OneDrive remain in your cloud storage; revoke our OAuth access from your Google/Microsoft account if you want to sever that connection too
Export anything you need to keep before you confirm — nothing can be recovered after deletion.
7. Your Privacy Rights
7.1 Access and Portability
You have the right to access your personal information, download your data in a portable format, view generation history, export your CV information, and request a complete copy of all your data by emailing admin@preparaitor.ch.
Note: Complete data access requests may take up to 30 days.
7.2 Correction and Update
You can update your profile information, correct inaccurate data, modify your preferences, and change notification settings.
7.3 Deletion
You can request deletion of individual documents, specific data points, or your entire account. Some data may be retained for legal compliance.
7.4 Restriction and Objection
You can restrict processing of your data, object to certain uses, and opt out of marketing communications. preparAItor does not collect analytics data, so there is nothing to disable in that category.
7.5 Consent Withdrawal
You can withdraw consent for marketing communications, non-essential cookies, and promotional emails.
Cannot Opt-Out From: Essential cookies, AI processing (core service functionality), storage of public job offer data, and basic usage tracking for security and billing. These are fundamental to providing our Service.
8. Cookie Policy
Scope: This Cookie Policy applies to the preparAItor application available at app.preparaitor.ch. The public landing page at preparaitor.ch does not set any cookies or use tracking technologies.
preparAItor uses only cookies and local storage that are strictly necessary to provide the service you requested. We do not run Google Analytics, Firebase Analytics, Firebase Performance Monitoring, advertising pixels, or any other tracking tool. There is nothing to opt in or out of, and no consent toggles — because there is nothing tracking you.
8.1 What is stored, and why
- Sign-in (Firebase Auth, IndexedDB): keeps you signed in across browser sessions. Cleared when you sign out or delete your account.
- Bot protection (reCAPTCHA via Firebase App Check): short-lived tokens and Google-side cookies on google.com/recaptcha used to block automated abuse. Required for the app to function.
- Cross-tab sign-out signalling (localStorage): a transient flag that lets other open tabs know you signed out in this tab.
- Payment processing (Stripe): Stripe.js sets its own cookies (__stripe_mid, __stripe_sid) but only during the checkout flow and only on pages where you are actively paying.
- Theme, UI language, and user settings (localStorage): so the app remembers your preferred light/dark mode, interface language, and saved settings between visits. First-party, never transmitted.
- Cookie notice acknowledgement (localStorage): so we don’t re-show the notice on every visit.
All of the above fall under the “strictly necessary for a service the user requested” exemption from the ePrivacy Directive’s consent requirement, as interpreted by CNIL (France) and the ICO (UK).
8.2 Google Sign-In
If you choose to sign in with Google, Google sets its own cookies on accounts.google.com during the OAuth flow, under Google’s own privacy policy. preparAItor does not control these cookies and cannot read them. Using email sign-in instead avoids this entirely.
8.3 AI processing consent
Processing of your CV, job descriptions, and interview-practice content by Google Gemini (Vertex AI) requires explicit consent. By accepting this Privacy Policy at sign-up you give that consent — there is no separate AI consent modal, and the cookie notice does not cover it. The full scope of AI processing (purposes, models, region, EU AI Act transparency, data minimization, and Google’s contractual no-training guarantee under the Vertex AI Service Specific Terms) is set out in sections 3.3, 3.4 and 4.1 of this Policy. You can withdraw your consent at any time by deleting your account; without AI processing the core service cannot function.
8.4 How to manage this
You can re-read the cookie notice at any time from Settings → Preferences → Privacy → Show cookie notice. Because nothing tracks you, there is nothing to disable. To remove what is stored locally, use your browser’s Clear site data control — this will sign you out and reset your theme/language preferences.
9. Children’s Privacy
Our Service is not intended for children under 16 (in accordance with GDPR Article 8). We do not knowingly collect personal information from children. If we discover that a child under 16 has provided us with personal information, we will delete it immediately.
10. International Data Transfers
10.1 Data Processing Locations
Primary Data Centers:
- Firebase Services: europe-west6 (Zurich, Switzerland)
- AI Processing (Google Gemini / Vertex AI): europe-west3 (Frankfurt, Germany)
- Document Generation (Cloud Run): europe-west6 (Zurich, Switzerland)
- Rate Limiting & KMS: europe-west6 (Zurich, Switzerland)
Third-Party Processing:
- Stripe: European data centers (primary), with potential US processing
- Google OAuth/reCAPTCHA: Global infrastructure, nearest data center
- Microsoft OAuth (OneDrive): European data centers (primary)
- Brevo Email Delivery: European data centers
10.2 Transfer Safeguards
For any transfer of personal data outside Switzerland or the EEA, we implement the following safeguards:
- Standard Contractual Clauses (SCCs): Executed with all processors and sub-processors where required
- Transfer Impact Assessment (TIA): We have conducted a Transfer Impact Assessment in accordance with the Schrems II ruling (CJEU C-311/18) for all data flows to processors that may involve non-EEA processing. Our assessment considers the legal framework of the recipient country, supplementary technical measures (encryption, pseudonymization), and the practical likelihood of government access to transferred data. The TIA is reviewed annually.
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Compliance with FADP and GDPR transfer provisions
- Data localization to European data centers (Zurich, Frankfurt) as default
- Regular security and compliance audits
11. California Privacy Rights (CCPA)
If you are a California resident, you have the right to know what personal information is collected and if it is sold or disclosed, the right to say no to sale, the right to equal service and price, and the right to delete personal information. We do not sell personal information to third parties.
12. Swiss and European Privacy Rights (FADP/GDPR)
12.1 Your Rights
You have the right to access, rectification, erasure, restriction of processing, and data portability; the right to object to processing, to withdraw consent, and not to be subject to automated decision-making; and the right to lodge a complaint with supervisory authorities.
12.2 Legal Basis for Processing
- Contract Performance: Account management, service delivery, AI document generation
- Legitimate Interest: Security, fraud prevention, service improvement
- Consent: Marketing communications, AI model improvement (anonymized data only)
- Legal Obligation: Tax records, compliance
12.3 Automated Decision-Making (Art. 13(2)(f) / Art. 22 GDPR)
Our Service involves automated processing in the following ways:
- Document generation: AI automatically generates cover letters, emails, and other application documents based on your CV data and job descriptions. This is the core functionality of the Service and is based on your explicit consent and contract performance.
- CV analysis: AI extracts structured information (skills, experience, education) from uploaded CV documents.
- Interview practice: AI generates tailored interview questions and evaluates your responses across multiple dimensions.
- Job matching signals: AI may highlight relevant skills or experience gaps based on job requirements. This is informational only and does not constitute a binding decision.
No decisions with legal or similarly significant effects: preparAItor does not make hiring decisions, screen candidates on behalf of employers, or produce outputs that have legal or similarly significant effects on you within the meaning of GDPR Article 22(1). The AI output is a draft for your review.
Your rights regarding automated processing:
- Request human review of any AI-generated content by contacting admin@preparaitor.ch
- Express your point of view regarding AI-generated outputs
- Contest any output you believe is inaccurate or unfair
- Request an explanation of how a particular output was generated
- We aim to respond to human review requests within 5 business days
12.4 Supervisory Authorities
Switzerland: Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, CH-3003 Bern — www.edoeb.admin.ch
EU: Your local data protection authority. A directory of EU/EEA supervisory authorities is maintained by the European Data Protection Board (edpb.europa.eu/about-edpb/about-edpb/members_en).
12.5 Geographic Scope
preparAItor is primarily designed for the Swiss job market. During registration, users confirm that they are residents of Switzerland or acknowledge that the Service is primarily designed for the Swiss job market. We extend FADP and GDPR-equivalent privacy protections to all users regardless of their location. Users outside Switzerland use the Service at their own discretion and are responsible for compliance with their local data protection regulations.
13. Third-Party Links
Our Service may contain links to third-party websites. We are not responsible for their privacy practices and encourage you to read their privacy policies.
14. Changes to This Privacy Policy
We may update this policy from time to time. We will notify you by posting the new policy, updating the “Last Updated” date, and sending an email notification for material changes.
15. Data Processing Addendum
For business customers requiring a DPA, contact admin@preparaitor.ch. Our standard DPA includes FADP and GDPR compliance terms, Standard Contractual Clauses, security obligations, audit rights, and a sub-processor list.
16. Records of Processing Activities
In compliance with FADP and GDPR Article 30, we maintain records of all processing activities. These records are available to supervisory authorities upon request.
17. Privacy by Design
- Data minimization in AI prompts: We strip or pseudonymize personal identifiers (full name, email, phone number, address) from AI prompts before sending them to the Vertex AI API. Only the professional content of your CV (skills, experience descriptions, education details) and job description text are included in AI requests.
- Encryption by default (Cloud KMS for sensitive fields, HTTPS for transit)
- Regular privacy impact assessments
- Data Protection Impact Assessment (DPIA): Conducted in accordance with GDPR Article 35 for our AI-based CV processing activities, which involve large-scale processing of personal data and automated profiling. The DPIA is reviewed annually or whenever significant changes are made to our AI processing pipeline.
- Security testing and audits
- Separation of personal data from AI training data
- Anonymization before any AI model training
A summary of our DPIA findings is available upon request to supervisory authorities. The assessment covers the necessity and proportionality of AI processing, risks to data subjects, and the safeguards we implement (encryption, data minimization, retention controls, and human review rights).
18. Contact Us
If you have questions or concerns about this Privacy Policy, please contact us:
Data Protection Contact
CHW-Services
Ettenhauserstrasse 46, 8620 Wetzikon, Switzerland
Email: admin@preparaitor.ch
Website: preparaitor.ch
EU Representative (Art. 27 GDPR): CHW-Services has not appointed a representative in the European Union under Article 27 GDPR. preparAItor is primarily designed for the Swiss job market — by language (DE, FR, IT are Swiss national languages), currency (CHF only), top-level domain (.ch) and marketing — and therefore does not "offer goods or services" to data subjects in the Union within the meaning of Article 3(2)(a) GDPR. EU/EEA residents who use the service nevertheless can address GDPR-related inquiries directly to admin@preparaitor.ch and will be answered within the statutory time-limits. Complaints can be lodged with the competent national supervisory authority of the EU/EEA. This position is reviewed quarterly and will be revisited if active EU targeting is introduced (EU advertising, EUR pricing, an EU-specific domain, or a substantial share of EU-resident users).
For data access requests: admin@preparaitor.ch (up to 30 days processing time)
For FADP/GDPR inquiries: admin@preparaitor.ch
For CCPA inquiries: admin@preparaitor.ch
You may also submit data requests through your account settings.
preparAItor is a service of CHW-Services, Ettenhauserstrasse 46, 8620 Wetzikon, Switzerland.
BY USING OUR SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY.