Zumia

Privacy Policy

Last updated: 16 April 2026

1. Introduction & Controller Identity

This Privacy Policy explains how Zumia ('we', 'us', or 'our') collects, uses, stores, and protects your personal data when you use our AI-powered CV optimisation service at zumia.app.

Zumia is operated by an individual based in Switzerland. There is no formal corporate entity. For the purposes of the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP), the operator acts as the data controller. Contact details are provided in Section 12.

By using Zumia, you agree to the practices described in this policy. Please also review our Terms of Service.

2. Data We Collect

Account Information

  • Email address - used for authentication, account recovery, and transactional notifications
  • Password - securely hashed using industry-standard hashing (we never store plaintext passwords)
  • Account timestamps - when your account was created and your last activity date

Access Request Information

  • Email address submitted for early access - collected when you request access so we can review your request and contact you when access is granted

CV & Job Data

  • Base CV content - the CV you upload or paste into the service
  • Job specifications - job descriptions and requirements you provide
  • AI-generated optimised CVs - tailored versions created by the AI assistant
  • Conversation history - your interactions with the AI assistant. This is treated with the same care as your CV content and is included in all data exports and deletions.
  • Knowledge library items - reusable experience facts you save for future CV optimisations

User Preferences

  • AI guidelines (custom instructions for the AI assistant)
  • File name template
  • Print margins
  • Preferred language

Billing Data

  • Credit balance and transaction history - managed via Lemon Squeezy. We do not store payment card details directly.

Analytics Data (Opt-In Only)

  • PostHog analytics - page views, feature usage, and exceptions. This data is only collected if you opt in to analytics. If you decline, no tracking data is collected.

3. How We Use Your Data

We process your personal data for the following purposes, each with a specific legal basis under GDPR:

Providing the CV Optimisation Service

Purpose: Processing your CV content, job specifications, and conversation history to generate personalised CV optimisation suggestions.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) - this processing is necessary to deliver the service you signed up for.

Account Management & Notifications

Purpose: Sending transactional emails (account verification, password resets) via Loops.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

Billing & Credit Management

Purpose: Managing your credit balance and processing transactions via Lemon Squeezy.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

Managing Access Requests

Purpose: Managing access requests and notifying users when access is granted.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) - we need to control access to the beta and contact requesters about their status.

Account Security

Purpose: CAPTCHA verification via Cloudflare Turnstile to prevent abuse and automated attacks.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) - protecting the service and its users from fraud and abuse.

Analytics & Service Improvement

Purpose: Understanding how the service is used to improve quality and fix issues, via PostHog analytics.

Legal basis: Consent (Art. 6(1)(a) GDPR) - analytics are only collected if you explicitly opt in.

We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes.

Is providing your data mandatory? Providing your email to request access, and later your email address and CV content to use the service, are necessary steps at each stage. Without them, we cannot process your request or deliver the service. Analytics data is entirely optional.

4. AI Processing & Third-Party Services

OpenAI - AI Processing

Zumia uses OpenAI's API to power its AI assistant. OpenAI is based in the United States. We use OpenAI's current language models for chat interactions, CV analysis, content extraction, and semantic embeddings.

Data sent to OpenAI:

  • Your CV content
  • Job specifications
  • Conversation history
  • Knowledge library items
  • AI guidelines you have configured

Important safeguards:

  • Zero-retention mode is enabled - OpenAI does not retain any request or response data after processing your request.
  • No model training - per OpenAI's API terms, data submitted via the API is not used to train or improve OpenAI's models.
  • No autonomous decisions - the AI assists you in optimising your CV by generating suggestions. It does not make autonomous decisions that have legal or similarly significant effects on you. You retain full control over accepting, modifying, or rejecting any AI-generated suggestions.

Other Third-Party Services

  • Supabase - database hosting and authentication (EU-hosted, Frankfurt)
  • DigitalOcean - server infrastructure (EU-hosted, Frankfurt)
  • Lemon Squeezy - billing and payment processing (United States)
  • Loops - transactional email delivery (United States)
  • Cloudflare Turnstile - CAPTCHA verification for account security (United States)
  • PostHog - analytics (opt-in only, EU-hosted)

We have data processing agreements in place with all third-party processors.

5. Data Storage & Security

We take the security of your data seriously and implement the following measures:

  • Database - Your data is stored in Supabase with strict access controls ensuring each user can only access their own data.
  • Encryption in transit - All data transmitted between your browser, our servers, and third-party services is encrypted.
  • Encryption at rest - Data stored in the database is encrypted at rest.
  • Password security - Passwords are hashed using industry-standard hashing via Supabase Auth. We never store or have access to plaintext passwords.
  • Server infrastructure - The application is deployed on DigitalOcean with secure defaults.

6. International Data Transfers

As Zumia is operated from Switzerland and uses international service providers, your data may be transferred outside of Switzerland and the European Economic Area (EEA). We ensure appropriate safeguards are in place for all transfers:

  • OpenAI (United States) - CV content and conversation data are sent to OpenAI servers in the US for AI processing. OpenAI is certified under the EU-US Data Privacy Framework. Additionally, zero-retention mode means your data is not persisted by OpenAI after processing.
  • PostHog (European Union) - analytics data is hosted within the EU and is only collected if you opt in.
  • Supabase (EU-hosted, Frankfurt) - database hosting and authentication services. No transfer outside the EEA.
  • DigitalOcean (EU-hosted, Frankfurt) - server infrastructure. No transfer outside the EEA.
  • Lemon Squeezy (United States) - billing and payment data processing.
  • Loops (United States) - transactional email delivery.
  • Cloudflare (United States) - CAPTCHA verification (Turnstile).

Switzerland is recognised by the European Commission as providing an adequate level of data protection. For transfers to the United States, we rely on the EU-US Data Privacy Framework where applicable, standard contractual clauses (SCCs) approved by the European Commission, or other appropriate safeguards as required by law.

7. Data Retention

  • Pending access requests - email addresses submitted through the request-access waitlist are retained for up to 12 months while the request is pending and then deleted automatically.
  • Active account data - your CV content, job specifications, conversation history, knowledge library, preferences, and other account data are retained for as long as your account is active.
  • Inactive accounts - if your account has no meaningful activity for 365 days, we send warning emails 30 days and 7 days before purging your saved job contexts, knowledge library items, CV versions, notifications, base CV, and AI guidance. Your account, authentication credentials, credit balances, credit history, preferred language, file name template, and print margins remain available so you can start fresh.
  • AI processing data - zero-retention mode is enabled. OpenAI does not retain any request or response data after processing.
  • Analytics data - subject to PostHog's retention policies. Analytics is opt-in only.
  • Credit transactions - transaction history is retained for billing records while your account exists and is deleted when your account is deleted.
  • Meaningful activity - creating or updating a job context, creating or updating a knowledge library item, generating or downloading a CV, or updating your settings resets the inactivity timer. Logging in or refreshing your session by itself does not.

8. Your Rights

Under the GDPR and the Swiss FADP, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR) - you can request a copy of your personal data. Zumia provides a built-in data export feature in your account settings.
  • Right to rectification (Art. 16 GDPR) - you can correct inaccurate data. All your data (CV content, knowledge library, preferences, etc.) can be edited directly within the app.
  • Right to erasure (Art. 17 GDPR) - you can delete your account and all associated data at any time via the account deletion feature in your settings. This action is irreversible and includes deletion of your account and authentication credentials, CV content and job specifications, AI-generated optimised CVs, conversation history, knowledge library items, user preferences and settings, and credit balance and transaction history.
  • Right to data portability (Art. 20 GDPR) - you can export all your data in a structured, machine-readable file via the export feature in your account settings. This includes your CV content, job specifications, conversation history, knowledge library items, and preferences, allowing you to transfer your data to another service if you choose.
  • Right to restriction of processing (Art. 18 GDPR) - you can request that we restrict how your data is processed. Contact us at [email protected].
  • Right to object (Art. 21 GDPR) - you can object to processing based on legitimate interest. Contact us at [email protected].
  • Rights related to automated decision-making (Art. 22 GDPR) - Zumia's AI assistant provides suggestions and recommendations only. It does not make autonomous decisions that produce legal or similarly significant effects on you. You always have full control over whether to accept, modify, or reject AI suggestions.

To exercise any of these rights, you can use the in-app features or contact us at [email protected]. We will respond to your request within 30 days.

9. Cookies & Tracking Technologies

Essential Storage

We use your browser's local storage (not cookies) for essential functionality:

  • Supabase auth session - keeps you logged in
  • Language preference - remembers your chosen language

These are strictly necessary for the service to function and do not require consent.

Analytics (Opt-In Only)

If you opt in to analytics, PostHog collects usage data (page views, feature usage, exceptions) to help us improve the service. If you decline analytics, no cookies or tracking identifiers are set.

What We Don't Use

  • No advertising cookies
  • No third-party marketing trackers
  • No social media tracking pixels

You can change your analytics consent at any time through the cookie settings in the app, or by clearing your browser's local storage.

10. Children's Privacy

Zumia is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If you believe that a child under 16 has provided us with personal data, please contact us at [email protected] and we will take steps to delete that information.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will notify you by email or through a prominent notice within the app before the changes take effect.

We encourage you to review this page periodically. The 'Last updated' date at the top indicates when the policy was last revised.

12. Contact & Supervisory Authority

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

  • Email: [email protected]

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority:

  • For Swiss users: The Federal Data Protection and Information Commissioner (FDPIC) - www.edoeb.admin.ch
  • For EU users: Your local Data Protection Authority (DPA) in the EU member state where you reside, work, or where the alleged infringement occurred.