Privacy Policy
This page describes how the AI Career Agent service ("the service") collects, uses, and protects your personal data. The service is operated by Lavelin Consulting AB (org. nr 559554-6259), Stockholm, Sweden.
1. Data controller
- Controller: Lavelin Consulting AB, org. nr 559554-6259, Stockholm, Sweden
- Contact for privacy questions: lavelinconsulting@gmail.com
- We are an SME and not required to appoint a formal Data Protection Officer; the email above is monitored for all data-related requests.
2. What personal data we collect
- Intake form: name, email, LinkedIn URL, current role and company, target market, situation summary. Stored in Tally and exported to our internal records.
- Payment data: processed by Stripe. We receive transaction metadata (amount, status, customer ID, billing country) but do not store full card details. Stripe stores card data on its own systems.
- Strategy questionnaire (after payment): detailed responses about background, achievements, target roles, geographic preferences, salary expectations, and other career-relevant information.
- CV and cover-letter content: documents and text you upload or paste for adaptation.
- LinkedIn profile data: when you provide a LinkedIn URL or grant access for outreach features (Tier 3+), we may extract publicly visible profile information to inform recommendations.
- Telegram identifiers: for subscription tiers, your Telegram user ID is stored to deliver job updates, CV adaptations, and chat support.
- Service usage: records of which jobs were delivered, which CVs were adapted, which messages were generated — used to operate the service and to maintain your weekly tracker.
- Server logs: standard web logs (IP, user agent, timestamps) on the hosting infrastructure, retained briefly for security and operational diagnostics.
3. Why we collect it (lawful basis under GDPR)
- Contract performance (Art. 6(1)(b)): intake, questionnaire, CV content, LinkedIn data, Telegram ID, and service-usage records are all necessary to deliver the service you purchased.
- Legal obligation (Art. 6(1)(c)): payment records are retained for accounting and tax purposes under Swedish law (Bokföringslagen — minimum 7 years).
- Legitimate interest (Art. 6(1)(f)): server logs and basic security monitoring; transactional emails about your subscription.
- Consent (Art. 6(1)(a)): any optional marketing communications, future case-study use, or testimonials. You can withdraw consent at any time.
4. Sub-processors and where data goes
We use the following sub-processors to operate the service. Each is bound by appropriate data-processing terms.
| Sub-processor | Purpose | Location |
|---|---|---|
| Tally | Intake form hosting | EU (Belgium) |
| Stripe | Payment processing, invoicing, VAT | EU + United States |
| Telegram | Messaging channel for subscription tiers | Globally distributed |
| Anthropic (Claude API) | AI processing of strategy, CV content, cover letters | United States |
| OpenAI | Selected AI components (job parsing, scoring) | United States |
| Hetzner | Hosting and server logs | EU (Germany) |
| Kit | Transactional and (if subscribed) newsletter email | United States |
5. International data transfers
Several sub-processors (Stripe, Anthropic, OpenAI, Kit) are located in the United States. Transfers to these processors rely on the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework. We have assessed these transfers and consider them adequate for the limited categories of data shared.
AI processing disclosure. Your strategy responses, CV content, and cover letter inputs are sent to large language model APIs (Anthropic Claude and, in some components, OpenAI) for processing. We use API endpoints that are contractually committed not to train on customer data. The data transmitted is the minimum needed for the requested output and is not retained by the AI provider beyond standard abuse-monitoring windows (typically 30 days at Anthropic, similar at OpenAI).
If you prefer not to have specific information processed by these providers, do not include it in the questionnaire or CV; contact us first to discuss alternatives.
6. How long we keep it
- Active subscribers: we retain your data for the duration of the service plus 30 days after cancellation (to allow re-activation and reasonable post-cancellation requests).
- Career Blueprint customers: 12 months after delivery, then deleted on request.
- Payment and invoice records: 7 years (Swedish accounting law).
- Intake forms from declined applications: 90 days, then deleted.
- Server logs: 30 days.
7. Your rights under GDPR
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete data where we no longer have a legal basis to keep it.
- Restrict or object to processing.
- Data portability — receive your data in a machine-readable format.
- Withdraw consent for any consent-based processing.
- Lodge a complaint with the Swedish supervisory authority — Integritetsskyddsmyndigheten (IMY) — or the supervisory authority in your country of residence.
To exercise any of these rights, email lavelinconsulting@gmail.com from the address associated with your account. We will respond within 30 days.
8. Cookies and tracking
This landing page itself sets no analytics cookies, no advertising pixels, and no third-party trackers. The intake form is hosted by Tally, which sets functional cookies necessary to operate the form (see Tally's cookie policy). When you proceed to checkout, Stripe sets cookies necessary to process payment. We do not use Google Analytics, Meta Pixel, Hotjar, or similar tools.
9. Data security
We use HTTPS for all communication, restrict access to operational accounts to the founder, and rely on the security practices of our sub-processors (each of which is SOC 2 / ISO 27001 certified or equivalent). No system is perfectly secure; if a breach affects you, we will notify you and the supervisory authority within 72 hours of becoming aware, as required by GDPR.
10. Children
The service is not intended for individuals under the age of 18. We do not knowingly collect data from children.
11. Changes to this policy
This policy may be updated as the service evolves or as sub-processors change. The "Last updated" date at the top reflects the latest revision. Material changes will be notified by email to active subscribers at least 30 days in advance.
12. Contact
Privacy questions, data requests, complaints:
- Email: lavelinconsulting@gmail.com
- Company: Lavelin Consulting AB, org. nr 559554-6259, Stockholm, Sweden