Privacy · Effective 16 July 2026
Privacy policy
This policy explains what little kairos stores, why it needs the data, which providers process it for us, and how you can exercise your rights. Last updated 16 July 2026.
Data controller
Little KairosBrooke Whatnall
Babelsberger Str. 49
10715 Berlin
Germany
brookewhatnall@icloud.com
What we store, and why
- Your account: email address and sign-in records, so we can authenticate you and provide the service. Legal basis: contract.
- Your beta application: country, job industry, where you are in your search, how you found us, and optional willingness to join a feedback call. We use it to run the limited beta and choose or support early testers. Legal basis: steps taken at your request before providing the service.
- Your profile: work history, skills, education, languages, and search preferences that you confirm during onboarding. Nothing enters your profile without your confirmation, drafting is constrained to the facts you confirmed, and you review every document before you send it. Legal basis: contract.
- Your uploaded CV: kept so you can re-run extraction and so it remains the source of your confirmed facts. Legal basis: contract.
- Your optional CV photo: stored privately and used only for a country-specific document template where a photo is customary. Legal basis: contract.
- Writing samples and voice profile:used to make drafts sound like you. Legal basis: contract.
- Job postings and match scores: job ads are public data; your scores against them are visible only to you. Recruiter names, emails, or phone numbers in an ad are used only for the specific application you choose to make. Legal basis: legitimate interest.
- Job-board preferences: used only to decide which already-collected, attributed sources can enter your queue. They do not start a search or send your profile to a job board. Legal basis: contract.
- Generated documents and edits:drafts, changes, and writing rules learned from those changes. You can see and disable learned rules on your Profile page. Legal basis: contract.
- Usage and cost records: token counts and costs per feature, kept for billing integrity, service operation, and abuse prevention. Legal basis: legitimate interest.
Who processes it for us
The following providers process data only as needed to provide their part of the service. Supabase stores the application data in the EU region eu-west-1 (Ireland).
| Provider | Purpose | Data |
|---|---|---|
| Anthropic | Drafting, extraction, voice analysis, and other Claude API calls. | CV text, confirmed profile facts, writing samples, job details, and drafts. |
| Supabase | Database, authentication, and private file storage in the EU. | Account, profile, application, job-score, and stored-file data. |
| Vercel | Web hosting, request handling, and aggregate site analytics. | Request and operational logs, plus aggregate page-use measurements. |
| Trigger.dev | Running background processing tasks. | User IDs, task inputs, and references or diffs needed for background work. |
| Resend | Magic-link and other transactional email delivery. | Email addresses and the content of transactional messages. |
| Apify | Collecting public job postings from configured sources. | Public job postings, plus search terms derived from active users' job lanes. The terms are sent without any account identifier and are combined when multiple profiles contribute to the same search. No name, contact detail, or document ever goes to Apify. |
These providers offer standard data-processing terms. Where data is transferred outside the European Economic Area, including to Anthropic in the United States, the transfer relies on the provider’s standard data-processing terms and the EU Standard Contractual Clauses incorporated into them, where applicable. We do not describe that arrangement as an individually negotiated agreement with each provider.
Anthropic API inputs are not used to train its models under the applicable API terms.
What we never do
- Nothing sends itself. You approve every application before it goes anywhere.
- We never submit to job platforms on your behalf.
- We never sell your data or share it for advertising.
- We never build a searchable recruiter-contact database.
- We do not use your profile to make an employment decision. Match scores and drafts are tools for your own review.
Retention and deletion
You can close your account in Settings. Sign-in stops immediately, and ninety days later the profile, CV, drafts, application dossiers, voice rules, usage records, and stored files are permanently erased. The ninety-day window exists so an accidental closure can be recovered. Contact us within that window if you need access restored.
One exception is anonymized quality telemetry: document-gate scores and derived edit metrics such as edit distance and length changes. It contains no user identifier and no document text, so it cannot be linked back to you, and it is retained to improve the writing engine.
Your rights
You can export the data we hold about you from Settings and correct profile facts in the app. You can also contact us for any of the following rights under the GDPR:
- Access (Art. 15): ask what personal data we process and receive a copy.
- Rectification (Art. 16): correct inaccurate or incomplete data.
- Erasure (Art. 17): ask us to delete data where the legal conditions apply.
- Restriction (Art. 18): ask us to limit processing in the situations set out by the GDPR.
- Notification (Art. 19): be informed about recipients when we rectify, erase, or restrict data where the law requires it.
- Data portability (Art. 20): receive certain data in a structured, commonly used, machine-readable format.
- Object (Art. 21): object to processing based on legitimate interest, including direct marketing if that ever applies.
- No decision based solely on automated processing (Art. 22): ask for human intervention and challenge a decision where this right applies. little kairos does not make employment decisions about you; you decide whether and how to apply.
Send requests to brookewhatnall@icloud.com. We may need to verify your identity before fulfilling a request.
Supervisory authority
You may complain to the supervisory authority in your place of residence or work. For the Berlin operator, the competent authority is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI). We encourage you to contact us first so we can try to resolve the issue directly.
Contact and updates
For privacy questions, contact Brooke Whatnall at brookewhatnall@icloud.com. The controller details are also available in the Impressum. This policy may be updated when the service or its processing changes; the effective date at the top records the current version.
A note on legal review
This policy is the accurate beta version based on the processing currently wired into the product. The outstanding provider-record filing and the final lawyer review remain operational launch work.