Privacy Policy

Last updated: 14 June 2025

1. Identity of the Data Controller

The data controller responsible for the processing of your personal data under this Privacy Policy is:

Zivagoo Interactive Newmedia di Trigiani Antonio
Via Industria 8, 40128 Bologna, Italy
Email: info@aicoverletterpro.com
VAT ID (if applicable): [Insert VAT number]

2. Legal Basis for Processing

We process your personal data lawfully, fairly, and in a transparent manner. The legal bases we rely on include:

  • Performance of a contract: when you sign up and use our service, we process your data to fulfill our contractual obligations.
  • Consent: for optional data processing activities such as analytics cookies or receiving marketing emails (where applicable).
  • Legitimate interests: to improve the security, performance, and usability of our platform, unless your interests or rights override ours.
  • Legal obligation: where we are required to process your data to comply with legal or regulatory requirements.

3. Purpose of Processing

We collect and process personal data for the following specific purposes:

  • Account registration and authentication: to allow you to create and securely access your account.
  • Subscription and billing management: to process payments, manage invoices, and maintain transaction history using third-party processors like Stripe.
  • Cover letter generation and platform functionality: to enable access to AI-powered features, manage your generation history, and improve recommendations.
  • Security and fraud prevention: to monitor suspicious behavior and protect against misuse of our service.
  • Analytics and performance monitoring: to understand how users interact with our platform and improve the experience, subject to your consent where required (e.g., Google Analytics).
  • Customer support: to assist with inquiries, bug reports, and account issues.
  • Legal compliance: to fulfill our obligations under applicable laws and regulations.

4. Categories of Personal Data Collected

Category | Examples | Legal Basis
Account Information | Full name, email address, password (hashed), language preference | Performance of a contract
Billing Data | Subscription status, Stripe customer ID, payment history | Performance of a contract / Legal obligation
Authentication Data | NextAuth session cookie (next-auth.session-token) | Performance of a contract
Usage Data | Pages visited, buttons clicked, timestamps, generation actions | Legitimate interest
Analytics Data | Anonymized IP address, events (via Google Analytics) | Consent
Support Communications | Emails or messages sent to support | Performance of a contract
Security Data | reCAPTCHA interactions, session IP risk checks | Legitimate interest
Third-Party API Data | OpenRouter or OpenAI API usage metadata (e.g., prompt ID, token count) | Performance of a contract

5. Data Sharing and Third-Party Processors

We do not sell or rent your personal data. However, we share data with carefully selected third-party service providers who help us deliver our service. These processors act under our instructions and only for the purposes outlined below:

  • Stripe (EU/US): for secure payment processing, invoicing, and subscription management. Data shared includes billing information, payment method, and transaction history.
  • Google Analytics (EU via SCCs): for anonymized analytics data to improve our platform. Only non-identifiable data (IP anonymized) is processed based on your consent.
  • Google reCAPTCHA: for spam and abuse prevention during sign-up and authentication flows.
  • OpenRouter / OpenAI: for processing AI-generated content (e.g., cover letters). We do not send your personal identity, but usage metadata (such as prompts or token count) may be processed.
  • Hosting Providers (Vercel, MongoDB Atlas): for website hosting and secure database storage in the EU or using Standard Contractual Clauses (SCCs) where required.

All third parties are contractually bound to comply with applicable data protection laws and are subject to regular reviews.

6. International Data Transfers

Some of our service providers are located or operate in countries outside the European Economic Area (EEA), including the United States. Whenever we transfer your personal data internationally, we ensure appropriate safeguards are in place to protect your rights and freedoms.

  • Transfers to countries recognized by the European Commission as offering adequate protection are permitted without further safeguards.
  • For other countries, such as the United States, we rely on Standard Contractual Clauses (SCCs) or other appropriate legal mechanisms approved by the European Commission.
  • We assess each data transfer to ensure it offers sufficient protection in light of the Schrems II ruling and supplement it with additional technical, organizational, or contractual measures when required.

You may request more information about the safeguards we use for specific transfers by contacting us at info@aicoverletterpro.com.

7. Data Retention

We retain your personal data only for as long as is necessary to fulfill the purposes outlined in this policy, including for the purposes of satisfying any legal, accounting, or reporting requirements.

  • Account and billing information: retained for as long as the account is active and up to 6 years thereafter, in compliance with financial and tax laws.
  • Cover letters and usage history: retained until you delete them or until 24 months of inactivity.
  • Analytics and event logs: retained in anonymized or pseudonymized form for up to 12 months.
  • Email and support communications: retained for up to 24 months to assist with ongoing support or compliance purposes.

After the retention period ends, personal data is securely deleted or anonymized.

8. Your Rights under the GDPR

As a data subject within the European Economic Area (EEA), you have the following rights regarding your personal data:

  • Right of access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can ask us to correct any inaccuracies in your data.
  • Right to erasure ("right to be forgotten"): You may request that we delete your data, under certain conditions.
  • Right to restriction of processing: You can ask us to limit how we use your data.
  • Right to data portability: You may request that your data be transferred to another controller, where technically feasible.
  • Right to object: You may object to certain types of processing, including direct marketing or profiling.
  • Right to withdraw consent: If processing is based on your consent, you can withdraw it at any time.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence.

To exercise any of these rights, please contact us at info@aicoverletterpro.com.

9. International Data Transfers

We may transfer your personal data to countries outside the European Economic Area (EEA) if our service providers or partners operate there. This includes countries such as the United States where our infrastructure providers (e.g., Stripe, Google, Vercel, MongoDB Atlas) are located.

In all such cases, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements (DPAs) with all relevant third-party processors
  • Additional technical and organizational measures to protect your data

By using our Service, you consent to the transfer of your personal data to jurisdictions outside of your home country, including countries that may not have equivalent data protection laws.

10. Data Breach Notification

We take data security seriously. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms (e.g., identity theft, financial loss, or reputational damage), we will notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

Our incident response plan includes:

  • Immediate containment and assessment of the breach
  • Identification of affected individuals and data categories
  • Notification to the relevant supervisory authority (if required)
  • Direct communication with impacted users via email
  • Post-incident analysis and preventive measures

If you believe your personal data has been compromised while using our Service, please contact us immediately at info@aicoverletterpro.com.

11. Your Data Protection Rights

Under the General Data Protection Regulation (GDPR), you have the following rights concerning your personal data:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of any inaccurate or incomplete data.
  • Right to erasure: Request deletion of your data under specific circumstances ("right to be forgotten").
  • Right to restrict processing: Request the restriction of data processing under certain conditions.
  • Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
  • Right to data portability: Receive your data in a structured, commonly used, and machine-readable format and transfer it to another controller.
  • Right to withdraw consent: Withdraw consent at any time when processing is based on your consent.
  • Right to lodge a complaint: File a complaint with a supervisory authority if you believe your rights have been violated.

To exercise any of these rights, please contact us at info@aicoverletterpro.com. We may request proof of identity to protect your data from unauthorized access.

12. International Data Transfers

Some of our service providers and partners are located outside the European Economic Area (EEA). When personal data is transferred to countries that do not provide an adequate level of data protection, we ensure that appropriate safeguards are in place to protect your data.

These safeguards may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules (BCRs)
  • Transfers to countries with an adequacy decision by the European Commission

You can request a copy of the relevant safeguards by contacting us at info@aicoverletterpro.com.

13. Automated Decision-Making and Profiling

Our service uses artificial intelligence (AI) to generate personalized cover letters based on the job description you provide. This process is entirely automated and does not involve human intervention.

The generated content is based solely on the text you submit and is not intended to produce legal or significant effects on you. We do not perform profiling for advertising, credit scoring, or employment decisions.

If you have questions about this process or wish to object to automated processing, you may contact us at info@aicoverletterpro.com.

14. Data Protection Officer

At this time, AICoverLetterPro is not required to appoint a Data Protection Officer under Article 37 of the General Data Protection Regulation (GDPR). However, we take data privacy seriously and have appointed a contact person responsible for overseeing data protection compliance.

For any questions or concerns related to data protection, you may contact:

Antonio Trigiani
Zivagoo Interactive Newmedia
Via Industria 8, 40128 Bologna, Italy
Email: info@aicoverletterpro.com

15. Supervisory Authority and Right to Lodge a Complaint

If you believe that we have not complied with applicable data protection laws, you have the right to lodge a complaint with a supervisory authority. You may contact the data protection authority in the country of your habitual residence, place of work, or where the alleged infringement occurred.

Our lead supervisory authority in the EU is:

Garante per la protezione dei dati personali (Italian Data Protection Authority)
Piazza Venezia, 11 - 00187 Rome, Italy
Website: www.garanteprivacy.it
Email: protocollo@gpdp.it

16. International Data Transfers

Some of our service providers and partners are located outside the European Economic Area (EEA), including in countries that may not offer the same level of data protection as the EEA. When we transfer your personal data to these countries, we ensure that appropriate safeguards are in place in compliance with GDPR.

These safeguards may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements (DPAs) with appropriate security commitments
  • Transfers to countries recognized by the European Commission as providing adequate protection

If you would like more information about the specific transfer mechanisms used for your personal data, please contact us at info@aicoverletterpro.com.

17. Data Protection Officer (DPO)

While our data processing activities currently do not require the mandatory appointment of a Data Protection Officer (DPO) under GDPR Article 37, we are committed to upholding the highest standards of data protection and transparency.

For any inquiries, concerns, or requests related to your personal data or privacy rights, you may contact our designated privacy representative at:

Privacy Contact:
Zivagoo Interactive Newmedia di Trigiani Antonio
Via Industria 8, 40128 Bologna, Italy
Email: info@aicoverletterpro.com

18. Supervisory Authority & Right to Lodge a Complaint

If you believe that our processing of your personal data infringes applicable data protection laws, you have the right to lodge a complaint with a data protection supervisory authority. You may do so in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.

Our main establishment is located in Italy, and the competent authority is:

Garante per la Protezione dei Dati Personali
Piazza Venezia 11, 00187 Rome, Italy
Website: www.garanteprivacy.it
Email: protocollo@gpdp.it

19. International Data Transfers

We may transfer your personal data to countries outside the European Economic Area (EEA) when necessary for the provision of our services. This includes transfers to trusted third-party service providers such as hosting platforms, analytics tools, and payment processors.

When we transfer data to countries that have not been deemed to provide an adequate level of data protection by the European Commission, we implement appropriate safeguards, such as Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms, in accordance with Articles 46 and 49 of the GDPR.

You can request a copy of these safeguards or inquire further by contacting us at info@aicoverletterpro.com.

20. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure GDPR compliance. If you have any questions, concerns, or complaints regarding how we handle your personal data, or if you wish to exercise your data protection rights, please contact our DPO:

Antonio Trigiani (DPO)
Email: privacy@aicoverletterpro.com

21. Supervisory Authority

If you believe that we have not adequately respected your data protection rights, you have the right to lodge a complaint with your local data protection authority. If you are located in the European Union, you may contact your national supervisory authority or our lead supervisory authority:

Garante per la Protezione dei Dati Personali (Italian DPA)
Piazza Venezia, 11 – 00187 Roma, Italy
Website: www.garanteprivacy.it
Email: protocollo@gpdp.it

22. Records of Processing Activities

In accordance with Article 30 of the GDPR, we maintain detailed internal records of all personal data processing activities carried out in the context of our services. These records include information such as the categories of data processed, the purpose of processing, data retention periods, security measures applied, and recipients of data (if any).

These records help us ensure accountability and demonstrate our commitment to data protection principles. They are not publicly available, but may be shared with supervisory authorities upon request.

23. Data Protection Impact Assessments

We assess the potential risks of certain data processing operations to ensure they do not negatively impact your rights and freedoms. Where required under Article 35 of the GDPR, we conduct formal Data Protection Impact Assessments (DPIAs).

These assessments help us implement appropriate technical and organizational measures to mitigate risks and ensure the lawful, fair, and transparent processing of your personal data.

24. International Data Transfers

We may transfer your personal data to service providers or partners located outside the European Economic Area (EEA), including countries that may not provide the same level of data protection as your jurisdiction.

When such transfers occur, we ensure they are carried out in compliance with applicable data protection laws by using:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules (where applicable)
  • Other lawful mechanisms as required by GDPR

You may request more information or a copy of the safeguards we use by contacting us at info@aicoverletterpro.com.

25. Right to Lodge a Complaint

If you believe that your personal data has been processed unlawfully or your rights under the GDPR have been violated, you have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

In Italy, the competent authority is:

Garante per la Protezione dei Dati Personali
Piazza Venezia, 11 – 00187 Roma, Italy
Website: www.garanteprivacy.it
Email: protocollo@gpdp.it

26. Automated Decision-Making and Profiling

We do not use your personal data to make decisions based solely on automated processing, including profiling, which produce legal effects or similarly significant effects concerning you.

If this changes in the future, we will notify you and implement appropriate safeguards in accordance with applicable data protection laws, including the right to obtain human intervention, express your point of view, and contest the decision.

27. Data Breach Notification Policy

We have implemented procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority of a breach where we are legally required to do so.

In the event of a breach that is likely to result in a high risk to your rights and freedoms, we will inform you without undue delay and provide clear information on the nature of the breach, the data affected, the potential consequences, and the measures we are taking to mitigate the risks.

28. Data Protection Impact Assessments (DPIA)

We conduct Data Protection Impact Assessments when our data processing is likely to result in a high risk to the rights and freedoms of natural persons, in accordance with Article 35 of the General Data Protection Regulation (GDPR).

These assessments evaluate the necessity and proportionality of processing operations and help us implement appropriate measures to mitigate potential risks. Where required, we consult with the relevant supervisory authority prior to processing.

29. Supervisory Authority Contact

If you believe that the processing of your personal data by us infringes applicable data protection laws, you have the right to lodge a complaint with a supervisory authority.

For users in the European Union, you may contact the data protection authority in your country of residence or:

Garante per la protezione dei dati personali (Italy)
Piazza Venezia, 11 – 00187 Rome, Italy
Website: www.garanteprivacy.it
Email: protocollo@gpdp.it

30. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, you may contact us at:

Zivagoo Interactive Newmedia di Trigiani Antonio
Via Industria 8, 40128 Bologna, Italy
Email: info@aicoverletterpro.com

We will make every effort to respond to your inquiry promptly and address your concerns in accordance with applicable data protection laws.