Privacy Policy (GDPR)
Last updated: 21 October 2025
1. Controller and Contact
Controller: ContactVault (Owner: Louis Dauphin)
Thomas-Mann Str., 85080 Gaimersheim, Germany
E‑mail: contactvault@tuta.io
Data Protection Officer: Not appointed. For all privacy requests, contact the Controller using the email above.
2. What data we process
- Sender data: your email address, recipient email address, message content, job title, employer name, and any CV details you add (work history, education, skills/levels).
- Operational metadata: timestamps, message/token identifiers, email verification status, proof‑of‑work parameters, and anti‑abuse counters.
- Network/technical data: IP address and user agent captured for rate limiting, abuse prevention, and security logging.
- Newsletter data (optional): your email if you opt in.
- Employer feedback data (optional): flags or ratings, stored with limited per‑IP deduplication.
3. Purposes and legal bases
- Delivering your message/CV to your chosen recipient and managing verification flows. Legal basis: Art. 6(1)(b) GDPR (performance of a contract or steps at your request).
- Security, fraud and abuse prevention, rate limiting, and service reliability. Legal basis: Art. 6(1)(f) GDPR (legitimate interests). Our interests include keeping the service available and preventing misuse.
- Legal compliance (e.g., logs required to investigate abuse). Legal basis: Art. 6(1)(c) GDPR.
- Newsletter (only if you opt in). Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw consent at any time.
4. Recipients and processors
- Email delivery provider: Mailgun Technologies, Inc. (as processor) for sending transactional emails and handling bounces/complaints.
- Hosting and infrastructure: standard cloud/server providers used to run the application and store encrypted data.
- Automated content moderation (if enabled): a third‑party moderation service acting as our processor.
- Your chosen recipient: we send your message and any attachments to the employer/recipient you specify. They act as an independent controller of any copy they receive.
5. International transfers
Where processors or recipients are located outside the EEA/UK, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses. If you address a recipient outside the EEA/UK, that transfer occurs at your request and is necessary for service delivery (Art. 49(1)(b) GDPR).
6. Retention periods
- Pending submissions: stored encrypted and automatically deleted after a short verification window (about 10 minutes) or on completion.
- Delivered messages: stored encrypted and automatically deleted after 90 days, unless legal obligations require longer retention.
- Operational logs: retained for approximately 30 days; aggregated rate‑limit counters are retained for about 14 days.
- Newsletter: retained until you unsubscribe; suppression entries kept to prevent unwanted mail.
7. Security measures
We use industry‑standard transport encryption (TLS). Message bodies and sensitive identifiers are sealed at rest using modern authenticated encryption with per‑record salts. Access is restricted, keys are managed via environment secrets, and abuse controls include proof‑of‑work and rate limiting. Operational logs are limited and periodically purged.
8. Your rights
- Right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21).
- Right to withdraw consent at any time, without affecting prior processing.
- Right to lodge a complaint with a supervisory authority, in particular where you habitually reside or where we are established. In Germany, you can contact your state authority (e.g., the Berlin Commissioner for Data Protection).
9. Cookies and similar tech
We use only essential cookies or equivalent storage necessary to operate the service (for example, session and security tokens). No advertising or cross‑site tracking cookies are used.
You can manage non‑essential settings at /cookies if they are introduced later.
10. Source of data
Most data is provided directly by you. Some technical data is generated by your device or our systems during use (e.g., timestamps, IP address for security).
11. Automated decision‑making
No decisions with legal or similarly significant effects are made solely by automated means. Automated moderation may score or block abusive content to protect the service.
12. How to exercise your rights
Email us at contactvault@tuta.io. To protect your data, we may ask you to verify ownership of the mailbox you used with the service.
13. Changes to this policy
We may update this policy to reflect changes to our processing. Substantive changes will be announced within the service. The current version is always available at /privacy-policy.