Privacy Policy
Last updated: 24 March 2026
1. Data Controller
Alchema is operated by EliteX GbR, based in Germany. This privacy policy is provided in German as the authoritative version. This English translation is for convenience only. For data protection inquiries, please contact us at privacy@alchema.eu.
2. Data Processing
We process the following categories of personal data to provide our AI-powered job application services:
- Account data: Name, email address, authentication credentials — Legal basis: Contract performance (Art. 6(1)(b) GDPR)
- Resume data: Work history, education, skills, and other CV content you provide — Legal basis: Contract performance (Art. 6(1)(b) GDPR)
- Job application data: Applications submitted, job descriptions, cover letters — Legal basis: Contract performance (Art. 6(1)(b) GDPR)
- AI interaction data: Prompts and responses from resume tailoring, interview preparation, and cover letter generation — Legal basis: Contract performance (Art. 6(1)(b) GDPR)
- Usage data: Feature usage, analytics events — Legal basis: Consent (Art. 6(1)(a) GDPR)
3. Sub-Processors
In accordance with GDPR Article 13, we disclose the following sub-processors that process personal data on our behalf:
| Sub-Processor | Purpose | Legal Basis | Data Categories | Retention Period | Location |
|---|---|---|---|---|---|
| Mistral AI | AI text generation for resume tailoring, cover letters, and interview preparation | Contract performance (Art. 6(1)(b) GDPR), DPA | Resume text, cover letter text, job descriptions | Not stored by Mistral (API processing only) | EU (Paris, France) |
| Neon | Database hosting | Contract performance | All user data (profiles, resumes, jobs, credits) | Until account deletion + 30 days | EU (Frankfurt, Germany) |
| Vercel | Application hosting | Contract performance | Request logs, IP addresses | 30 days | EU |
| PostHog | Product analytics | Consent (Art. 6(1)(a) GDPR) | Anonymized usage events, session metadata | 26 months | EU (Frankfurt, Germany) |
| Brevo (Sendinblue SAS) | Transactional and marketing email | Contract performance, Consent for marketing | Email addresses, names, email content | Until unsubscribe + 30 days | EU (Paris, France) |
| Sentry | Error tracking and monitoring | Legitimate interest (Art. 6(1)(f) GDPR) | Error traces, browser info, anonymized user ID | 90 days | EU |
| Strato AG | Domain registration and DNS | Legitimate interest (Art. 6(1)(f) GDPR) | Domain registration data | Duration of domain registration | EU (Berlin, Germany) |
| Hetzner Online GmbH | Infrastructure hosting (automation and PDF services) | Contract performance | Server logs, application data | 7 days (logs) | EU (Nuremberg, Germany) |
| Stripe, Inc. | Payment processing and subscription management | Contract performance (Art. 6(1)(b) GDPR) | Payment details, billing address, email | 10 years (German tax law GoBD) | EU (Dublin, Ireland) |
| Google Ireland Limited | Authentication (Google OAuth) | Contract performance (Art. 6(1)(b) GDPR) | Email address, name, profile picture (OAuth) | Until account deletion | EU (Dublin, Ireland) |
| Apify | Job listing data collection and aggregation | Legitimate interest (Art. 6(1)(f) GDPR) | Publicly available job listings | Processed and deleted within 24 hours | EU |
| Cloudflare | DNS management, CDN, and email routing | Legitimate interest (Art. 6(1)(f) GDPR) | IP addresses, DNS queries | DNS logs 24 hours | Global (EU processing) |
4. Your Rights
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right of access (Art. 15) — Obtain a copy of your personal data
- Right to rectification (Art. 16) — Correct inaccurate personal data
- Right to erasure (Art. 17) — Request deletion of your personal data
- Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format
- Right to object (Art. 21) — Object to processing based on legitimate interest
- Right to restriction of processing (Art. 18) — Request restriction of processing of your personal data
- Right to withdraw consent (Art. 7(3)) — Withdraw consent for analytics at any time
To exercise any of these rights, contact us at privacy@alchema.eu. We will respond within 30 days.
5. Data Retention
We retain your personal data for as long as your account is active. Upon account deletion, all personal data (resumes, applications, AI interaction history) is permanently deleted within 30 days. Specific retention periods: User account data — deleted within 30 days of account deletion request. Analytics data (PostHog) — 26 months. Error tracking data (Sentry) — 90 days. Payment records (Stripe) — 10 years (German tax law, GoBD/AO S147). Email communication data (Brevo) — until unsubscribe plus 30 days. Server logs (Hetzner, Vercel) — 7-30 days.
6. Contact
For all privacy-related inquiries, please contact:
EliteX GbRData Protection Contact
privacy@alchema.eu
7. Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority for EliteX GbR is:
Bayerisches Landesamt fuer Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany
https://www.lda.bayern.de
8. Cookies and Similar Technologies
We use the following types of cookies and local storage:
- Essential cookies: Authentication session tokens required for the service to function. No consent needed.
- Analytics (PostHog): Product usage analytics, loaded only after your explicit consent. You can withdraw consent at any time via the cookie settings in the footer.
- Error monitoring (Sentry): Technical error tracking to maintain service quality. Based on legitimate interest (Art. 6(1)(f) GDPR). IP addresses are anonymized.
9. Automated Decision-Making and AI Processing
Alchema uses artificial intelligence (Mistral AI) to provide resume tailoring, ATS score optimization, cover letter generation, and interview preparation. This processing is integral to the service you requested and is based on contract performance (Art. 6(1)(b) GDPR). AI-generated content is always presented as suggestions for your review — no automated decisions with legal or similarly significant effects are made without your involvement. No profiling as defined in Art. 22 GDPR occurs. You may request human review of any AI-generated output by contacting us. For full details on our AI processing, see Section 13 (AI Processing and EU AI Act) below.
10. Data Breach Notification
In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours (Art. 33 GDPR). If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay (Art. 34 GDPR). If you suspect a data breach, please contact us immediately at privacy@alchema.eu.
11. Children
Alchema is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it promptly.
12. Data Minimization
We collect only the personal data that is necessary to provide our services. We do not collect or retain data beyond what is required for the specified purposes.
13. AI Processing and EU AI Act
Alchema uses artificial intelligence (provided by Mistral AI, Paris, France) to analyze and optimize resumes, generate cover letters, and provide interview preparation suggestions. When you use these features, the AI receives your resume text, job descriptions, and user preferences. All AI outputs are suggestions only — you review, edit, and approve all content before use. No automated decisions with legal or similarly significant effects are made (Art. 22 GDPR does not apply). No automated profiling or scoring that produces legal effects occurs. Alchema is classified as a user-directed tool under EU AI Act Art. 6(3). Resume optimization improves a previously completed human activity. No automated employment decisions are made. In accordance with EU AI Act Article 52, we inform you that AI-generated content is clearly marked in the application. The AI produces suggestions that you review and edit before use. Mistral AI processes data in real-time via API and does not store your data for training purposes. A Data Processing Agreement is in place with Mistral AI.