Privacy Policy
Last Updated: May 4, 2026
Language Focus: NastepnyEtap.pl operates primarily in Poland. As such, our primary and legally binding language of service is Polish. This English version is provided strictly as a convenience translation for our non-Polish speaking users. In the event of any legal discrepancies, the Polish version (Polityka Prywatności) served at /privacy shall govern.
Privacy Policy for NastepnyEtap.pl
1. Introduction and Age Requirement
NastepnyEtap.pl ("we", "us", "our") operates a platform utilizing artificial intelligence (AI) systems for the educational linguistic and technical analysis of texts. The service enables the automated comparison of resume (CV) content with job descriptions to support the self-correction of application documents and enhance the user's self-presentation skills.
Important: The tool is advisory and educational in nature. It is not a recruitment system or a tool for candidate selection by employers.
Age Limit: The service is intended for users over 16 years of age.
Controller: Przemysław Dudek, operating NastepnyEtap.pl as an unregistered business activity.
Contact: prywatnosc@nastepnyetap.pl
2. Data We Collect and Retention Periods
Data is stored only for the duration necessary to fulfill the purposes for which it was collected.
A. Account Data
- Scope: Name, email address, hashed password, or OAuth provider ID (Google/Facebook).
- Retention: Until the user deletes their account.
B. Content of CVs and Job Descriptions
- Scope: PDF files, document text, pseudonymized data.
- Retention: Source files and texts submitted for analysis are stored for 30 days from the time of submission, after which they are permanently deleted (including from AI sub-processor logs).
Art. 9 GDPR (Sensitive Data): CVs may contain photos or health information.
- Consent: Processing is based on your explicit, prior consent (checkbox).
- Accountability: We log the consent timestamp (cv_processing_consent_at).
C. Analysis Results
- Scope: AI-generated opinions, evaluations, and suggestions.
- Retention: Until the user deletes their account (this allows access to the history of evaluations).
3. Purposes and Principles of Processing (AI)
- Service Provision (Art. 6(1)(b) GDPR): Linguistic and technical analysis using Large Language Models (LLM). Results are probabilistic and may contain inaccuracies.
- Security (Art. 6(1)(f) GDPR): Legitimate interest. We use automated pattern monitoring (profiling) to detect abuse (e.g., mass scanning by third parties). Flagging an account leads to manual verification by a human.
4. International Transfers and Sub-processors
All transfers outside the EEA are conducted in compliance with the highest data protection standards. The Controller has concluded Data Processing Agreements (DPA) with service providers, which govern security standards.
4.A OpenAI (AI Infrastructure)
Services provided by OpenAI Ireland Ltd. (utilizing OpenAI LLC infrastructure in the USA).
- Legal Basis: The primary basis is the Standard Contractual Clauses (SCC), which are an integral part of the DPA concluded with the sub-processor. Because data is processed in a third country (USA), an additional basis is your explicit consent to such a transfer (Art. 49(1)(a) GDPR).
- Security Measures: Automatic technical pseudonymization (Regex/NER) before text transmission. The Controller uses the API Opt-out mode, which ensures that data is not used to train OpenAI models.
- Risk: You acknowledge that despite the use of SCCs and technical security measures, the transfer of data to the USA involves risks resulting from the specificities of the local legal system (potential access to data by government services). Consenting to the transfer is voluntary but necessary to perform the analysis via the AI model.
4.B Other Providers
For the entities below, transfers are based on the European Commission's adequacy decisions (EU-U.S. Data Privacy Framework - DPF):
- Stripe Payments (USA/Ireland): Payment processing.
- Google / Meta (USA/Ireland): Authentication services (OAuth 2.0).
- AWS EC2 (Region: eu-north-1, Stockholm): Main cloud infrastructure (data stored in the EEA).
5. Your Rights
You have the right to access your data, to data portability (JSON format), to rectification, to erasure ("right to be forgotten"), and to object to profiling. Complaints may be filed with the President of the Personal Data Protection Office (UODO) (ul. Stawki 2, Warsaw).
6. Security and Responsibility
- DPIA: We have conducted a Data Protection Impact Assessment (Art. 35 GDPR).
- Technology: AES-256 encryption at rest, TLS 1.3 transmission, argon2/bcrypt password hashing.
- Oversight: Every decision regarding an account block is subject to verification by the administrator.
7. Contact
Controller: Przemysław Dudek, ul. Radwańska 40/42 m. 316, 93-574 Łódź, Poland.
E-mail: prywatnosc@nastepnyetap.pl