Last updated: 2 March 2026

1. Controller and Contact

Controller: ContactVault (Owner: Louis Dauphin)
Thomas-Mann Str., 85080 Gaimersheim, Germany
E‑mail: Show email

Data Protection Officer: Not appointed. For all privacy requests, contact the Controller using the email above.

2. What data we process

• Sender data: your email address, recipient email address, message content, job title, employer name, and any CV details you add (work history, education, skills/levels).
• Operational metadata: timestamps, message/token identifiers, email verification status, proof‑of‑work parameters, and anti‑abuse counters.
• Network/technical data: IP address and request/security metadata used for rate limiting, abuse prevention, and security logging.
• Newsletter data (optional): your email if you opt in.
• Employer feedback data (optional): flags or ratings, stored with limited per‑IP deduplication.
• Applicant rating/comment data (optional): after an employer feedback cycle, applicants may submit an employer rating and optional comment. These entries are published in the employer ratings area of the service.

3. Purposes and legal bases

• Delivering your message/CV to your chosen recipient and managing verification flows. Legal basis: Art. 6(1)(b) GDPR (performance of a contract or steps at your request).
• Security, fraud and abuse prevention, rate limiting, and service reliability. Legal basis: Art. 6(1)(f) GDPR (legitimate interests). Our interests include keeping the service available and preventing misuse.
• Legal compliance (e.g., logs required to investigate abuse). Legal basis: Art. 6(1)(c) GDPR.
• Newsletter (only if you opt in). Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw consent at any time.

4. Recipients and processors

• Email delivery provider: Mailgun Technologies, Inc. (as processor) for sending transactional emails and handling bounces/complaints.
• Hosting and infrastructure: standard cloud/server providers used to run the application and store encrypted data.
• Automated content moderation (if enabled): a third‑party moderation service acting as our processor.
• Your chosen recipient: we send your message and any attachments to the employer/recipient you specify. They act as an independent controller of any copy they receive.
• Public website visitors: applicant-submitted employer rating entries (including optional comments) are displayed publicly in the ratings section until moderated, removed, or archived.

5. International transfers

Where processors or recipients are located outside the EEA/UK, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses. If you address a recipient outside the EEA/UK, that transfer occurs at your request and is necessary for service delivery (Art. 49(1)(b) GDPR).

6. Retention periods

• Pending submissions: stored encrypted with a short verification TTL (currently 10 minutes), deleted on completion, and regularly purged after expiry.
• Delivered messages: stored encrypted and purged after the configured retention window (default: 90 days), unless legal obligations require longer retention.
• Operational logs: retained and rotated with a target retention of 30 days; aggregated rate‑limit counters are retained for 14 days.
• Public ratings/comments: employer-rating entries remain published until moderated, removed for policy/legal reasons, or otherwise retired by product operations; no fixed universal TTL applies today.
• Newsletter: retained until you unsubscribe; suppression entries kept to prevent unwanted mail.

7. Security measures

We use industry‑standard transport encryption (TLS). Message bodies and sensitive identifiers are encrypted at rest using modern authenticated encryption with per‑record salts. Access is restricted, keys are managed via environment secrets, and abuse controls include proof‑of‑work and rate limiting. Operational logs are limited and periodically purged.

8. Your rights

• Right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21).
• Right to withdraw consent at any time, without affecting prior processing.
• Right to lodge a complaint with a supervisory authority, in particular in your habitual residence or where we are established. In Germany, you can contact your state authority (e.g., Berlin Commissioner for Data Protection).

9. Cookies and similar tech

We currently use only essential cookies or equivalent storage necessary to operate the service (for example, session and security tokens). No advertising or cross‑site tracking cookies are used.

If non-essential cookies are introduced later, controls and disclosures will be updated and reflected at /en/cookies.

10. Source of data

Most data is provided directly by you. Some technical data is generated by your device or our systems during use (e.g., timestamps, IP address for security).

11. Automated decision‑making

No decisions with legal or similarly significant effects are made solely by automated means. Automated moderation is used to score and block abusive content to protect the service.

12. How to exercise your rights

Email us at Show email . To protect your data, we require verification of ownership of the mailbox you used with the service. You may also submit a deletion request via /gdpr/delete; requests are reviewed and processed according to legal obligations and abuse-prevention safeguards.

13. Changes to this policy

We may update this policy to reflect changes to our processing. Substantive changes will be announced within the service. The current version is always available at /en/privacy-policy.