SeriousLetter is a job application management platform that helps users create CVs, generate cover letters, and track job applications with AI assistance. Because this Service involves the processing of detailed personal and professional data, we treat privacy as a core responsibility.
This Privacy Policy describes what personal data we collect, why we collect it, how we use and protect it, who we share it with, and what rights you have regarding your data.
We comply with the General Data Protection Regulation (GDPR) for users in the European Economic Area, and the Swiss Federal Act on Data Protection (FADP / nDSG) as the primary applicable law. Where both apply, we follow the stricter standard.
Our legal basis for processing your data is primarily the performance of the contract between you and us (Article 6(1)(b) GDPR) and, where applicable, our legitimate interests in providing and improving the Service (Article 6(1)(f) GDPR). We will seek your explicit consent where required by law.
The data controller responsible for your personal data is:
| Name | Matthias Nott |
| Address | Chemin de la Tarpa 8a, 1872 Troistorrents, Switzerland |
| Email | support@seriousletter.com |
| Website | seriousletter.com |
For all data protection enquiries or to exercise your rights, contact us at support@seriousletter.com.
We collect only the data necessary to provide the Service. The categories below describe what we collect and why.
When you sign in via LinkedIn OAuth, we receive your name and email address from LinkedIn. We use this to create and identify your account. We do not receive your LinkedIn password, connections, or other profile data unless you explicitly provide it.
The core of the Service involves you entering or uploading your professional profile. This may include:
This data is sensitive in nature. We process it solely to provide the Service and do not use it for any purpose unrelated to your job application workflow.
If you use the AI chat assistant, your messages and the AI's responses are stored to maintain conversation context and allow you to review past sessions. You may delete individual conversations or all conversation history at any time from within the Service.
We collect basic usage data such as which features you use, timestamps of actions, and error logs. This data is collected in aggregate and used to operate and improve the Service. We do not use third-party analytics trackers or advertising pixels. We do not track your browsing across other websites.
Billing is handled entirely by Stripe. We do not store your payment card details, bank account information, or full card numbers on our servers. We receive from Stripe a customer ID, subscription status, and billing history records necessary to manage your account and subscription.
When you use the API or MCP server, we record request timestamps and rate limit counters in memory to enforce usage limits. These records are not persisted to disk and are cleared when the server restarts. API tokens are stored as SHA-256 hashes; the raw token is never stored after initial creation.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing the Service (CV management, job tracking, letter generation) | Account, CV, job application, conversation data | Contract performance (Art. 6(1)(b) GDPR) |
| AI feature processing (sending data to Anthropic) | CV data, job descriptions, chat messages | Contract performance; see Section 5 |
| Billing and subscription management | Account data, billing records via Stripe | Contract performance; legal obligation |
| Authentication and session management | Account data, session cookies | Contract performance; legitimate interest |
| Security and fraud prevention | Usage data, API logs | Legitimate interest (Art. 6(1)(f) GDPR) |
| Service improvement (aggregated, anonymized) | Anonymized usage patterns | Legitimate interest |
| Legal compliance and dispute resolution | As required by applicable law | Legal obligation (Art. 6(1)(c) GDPR) |
We do not use your personal data for advertising, profiling for marketing purposes, or sale to third parties. We do not create advertising profiles based on your use of the Service.
Depending on the AI feature used, the following data may be included in API requests:
We do not send data that is not relevant to the specific AI operation being performed. We do not send payment data or LinkedIn authentication credentials to Anthropic.
API calls to Anthropic are routed through Stripe's AI Gateway. This means your AI requests pass through Stripe's infrastructure, which provides metering, billing, and logging of token usage. Stripe's handling of this data is governed by Stripe's Privacy Policy.
Per Anthropic's API usage terms, data submitted via the API is not used to train Anthropic's AI models. Anthropic may retain API request and response data for a limited period for trust and safety purposes. For details, see Anthropic's Privacy Policy and their Acceptable Use Policy.
AI features are initiated only by your explicit action (clicking "Generate", sending a chat message, etc.). No AI processing of your data occurs in the background without your initiation. You can delete AI-generated content and conversation history at any time from within the Service.
We share your personal data only with the following third parties, and only as necessary to provide the Service:
| Recipient | Purpose | Data Shared |
|---|---|---|
| Anthropic | AI processing (cover letter generation, chat, CV analysis) | CV data, job descriptions, chat messages |
| Stripe | Payment processing, subscription management, AI token billing | Name, email, billing records |
| LinkedIn | Authentication (OAuth only) | Name, email (received from LinkedIn at login) |
We do not sell your personal data. We do not share your data with advertising networks, data brokers, or analytics providers. We do not share data with any other third parties except as required by law or with your explicit consent.
If we are required by law, court order, or governmental authority to disclose your data, we will notify you in advance where legally permitted to do so.
Your data is stored on servers located in Europe. We implement the following security measures to protect your personal data:
No system is completely secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security. In the event of a data breach affecting your personal data, we will notify you and relevant supervisory authorities as required by applicable law.
| Data Category | Retention Period |
|---|---|
| Account data (name, email) | Retained for the lifetime of your account. Deleted within 30 days of account deletion. |
| CV and profile data | Retained for the lifetime of your account. Deleted within 30 days of account deletion. |
| Job application and letter data | Retained for the lifetime of your account. Deleted within 30 days of account deletion. |
| AI conversation history | Retained until you delete it or your account is deleted. You may delete at any time in-app. |
| Billing records | Retained for 10 years as required by Swiss accounting law and tax regulations. |
| API access logs (in-memory) | Not persisted; cleared on server restart. Rate limit counters reset automatically. |
| Server/application logs | Retained for up to 90 days for security and debugging purposes. |
When your account is deleted, we initiate deletion of your personal data within 30 days. Backup copies may persist for a limited additional period before being overwritten by the normal backup rotation cycle.
Under the GDPR and Swiss FADP, you have the following rights regarding your personal data:
How to exercise your rights: Email support@seriousletter.com with your request. We will respond within 30 days (or within 1 month as required by GDPR). We may ask you to verify your identity before acting on a request.
In-app options: You may directly export CVs and letters as PDFs from within the Service. You may delete conversation history and individual data records from within your account. Account deletion can be requested through the account settings page.
Supervisory authority: Swiss users may contact the Federal Data Protection and Information Commissioner (FDPIC). EU users may contact the supervisory authority in their country of residence.
We use a minimal number of cookies, limited to what is necessary for the Service to function. We do not use advertising cookies, cross-site tracking cookies, or third-party analytics cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Maintains your authenticated session. Required for the Service to function. | Session (deleted when browser closes) |
| Authentication token | Keeps you logged in between visits (JWT stored in browser storage). | Until logout or expiry |
Because we use only strictly necessary cookies, we do not display a cookie consent banner. If we introduce any optional cookies in the future, we will update this policy and seek your consent where required.
The Service is not intended for use by persons under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child under 16, please contact us at support@seriousletter.com and we will delete the data promptly.
Anthropic, Inc. is a US-based company. When you use AI features, your data is transferred to the United States for processing. This transfer occurs under the following safeguards:
By using AI features, you acknowledge that your data will be transferred to the United States. If you have concerns about this transfer, you may choose not to use AI features; the Service's basic job tracking and CV management functions do not require data to leave our servers.
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and by posting a notice in the Service at least 14 days before the changes take effect.
The "Last updated" date at the top of this page reflects when the policy was last revised. We encourage you to review this policy periodically. Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the changes.
If you are located in the European Union and have a complaint regarding our data processing practices that we have not resolved to your satisfaction, you may use the EU Online Dispute Resolution (ODR) platform: ec.europa.eu/consumers/odr.
You also have the right to lodge a complaint directly with the supervisory authority in your EU member state, or with the Swiss FDPIC if you are a Swiss resident.
For any questions, requests, or concerns regarding this Privacy Policy or the processing of your personal data:
We aim to respond to all privacy-related inquiries within 5 business days and to formally respond to rights requests within 30 days.