GDPR Compliance: Tildea is committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679, applicable Italian data protection laws (D.Lgs. 196/2003, as amended by D.Lgs. 101/2018), and the EU AI Act (Regulation 2024/1689). The Italian Data Protection Authority (Garante per la protezione dei dati personali) is the competent supervisory authority.
1. Data Controller
The data controller responsible for your personal data is:
For data protection inquiries, you may contact us at privacy@tildea.ai. A formal Data Protection Officer (DPO) will be appointed when required under GDPR Article 37.
2. Information We Collect
We collect the following categories of personal data:
Account Data: Name, email address, and authentication credentials (or OAuth tokens for Google/LinkedIn sign-in).
Profile Data: Professional information, skills, work experience, education, and other details you voluntarily provide for resume generation.
Usage Data: Job descriptions, company URLs, preferences, feature interactions, and session data submitted to our platform.
Generated Content: Resumes, cover letters, and other AI-generated documents.
Technical Data: IP address, browser type, device information, and cookies necessary for the Service's operation.
3. Legal Basis for Processing (GDPR Art. 6)
We process your personal data under the following legal bases:
Contractual necessity (Art. 6(1)(b)): Processing necessary to provide the Service you requested (account management, AI document generation, application tracking).
Consent (Art. 6(1)(a)): Where you have given explicit consent, such as for marketing communications or optional analytics. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Legitimate interest (Art. 6(1)(f)): Processing necessary for our legitimate interests, including service improvement, security, fraud prevention, and generation of anonymized aggregated insights — provided such interests are not overridden by your fundamental rights. We conduct a balancing test for each legitimate interest activity.
Legal obligation (Art. 6(1)(c)): Processing necessary to comply with applicable legal requirements.
4. How We Use Your Information
To provide, maintain, and improve the Service.
To generate personalized resumes, cover letters, and career materials using our AI pipeline.
To communicate with you about your account, updates, and support requests.
To analyze usage patterns and improve our AI agents' performance.
To detect and prevent fraud, abuse, and security incidents.
To generate anonymized and aggregated insights (see Section 5).
5. Anonymized & Aggregated Data
We may create anonymized and aggregated datasets derived from user activity that cannot be used to identify individual users. This includes:
Industry and job market trend analytics
Skill demand and frequency data
Feature usage and adoption metrics
Resume optimization patterns and best practices
Such anonymized data is no longer personal data under GDPR (Recital 26) and may be used, shared, or licensed by Tildea for commercial purposes, including market research, industry reports, and partnerships — without restriction or further notice.
Anonymization safeguards: We employ industry-standard anonymization techniques including statistical aggregation and k-anonymity thresholds. Aggregated datasets are never published or shared unless they contain data from a minimum of 100 users, preventing re-identification through small sample analysis. We regularly audit our anonymization processes to ensure irreversibility.
6. AI Processing & Transparency
Your professional data is processed by our AI agents to generate career documents. In accordance with the EU AI Act (Article 50) and Italian Law 132/2025, you should be aware that:
You are interacting with AI systems when using our content generation features — not human professionals.
All AI-generated content is clearly labeled as artificially generated within the platform.
Processing occurs on secure, encrypted servers.
We do not use your identifiable personal data to train general-purpose AI models.
AI outputs are generated on-demand and are not shared with other users.
You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (GDPR Art. 22). The Service's AI features are tools to assist your decisions, not make them for you.
7. Data Sharing & Third-Party Processors
We do not sell your identifiable personal information. We may share data with:
Infrastructure Providers: Cloud hosting, database services (self-hosted Supabase), and CDN providers (Cloudflare), under strict data processing agreements (DPAs).
AI Model Providers: For document generation purposes, with data transmitted securely and not retained by providers beyond the processing session.
Email Services: Resend (for transactional emails), operating under DPA.
Analytics: Anonymized data only; no PII is shared with analytics providers.
Legal Requirements: When required by Italian law, EU regulations, court orders, or legitimate law enforcement requests.
8. International Data Transfers
Your data may be processed in countries outside the European Economic Area (EEA). When this occurs, we ensure adequate protection through:
EU Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions by the European Commission
Binding Corporate Rules where applicable
You may request information about the specific safeguards applied to international transfers by contacting privacy@tildea.ai.
9. Data Portability & Export (EU Data Act)
In accordance with the EU Data Act (Regulation 2023/2854) and GDPR Article 20:
Export: You may request a full export of your personal data and generated content at any time in structured, commonly used, machine-readable formats (JSON, PDF).
Switching: You may terminate your use of the Service and migrate to another provider at any time with no more than a two (2) month notice period.
Retrieval: Upon termination, you have 30 days to retrieve all your data before permanent deletion.
No Exit Barriers: We impose no exit fees, switching charges, or technical barriers.
Cooperation: We will provide reasonable technical assistance to facilitate data migration.
10. Data Retention
Active accounts: Data is retained for as long as your account remains active.
Generated documents: Stored until you delete them.
Account deletion: Upon request, all personal data is permanently and irreversibly deleted within 30 days, except where retention is required by law.
Anonymized data: Retained indefinitely, as it is no longer personal data under GDPR Recital 26.
Inactive accounts: Accounts inactive for more than 24 months may be flagged for deletion after notification.
11. Your Rights Under GDPR
As a data subject, you have the following rights under GDPR Articles 15–22:
Right of Access (Art. 15): Request a copy of all personal data we hold about you.
Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
Right to Erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”).
Right to Restriction (Art. 18): Request temporary restriction of processing.
Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (see also Section 9).
Right to Object (Art. 21): Object to processing based on legitimate interest, including profiling.
Right Regarding Automated Decisions (Art. 22): Not be subject to decisions based solely on automated processing with legal or significant effects.
Right to Withdraw Consent: Withdraw any previously given consent at any time, without affecting the lawfulness of prior processing.
To exercise any of these rights, email privacy@tildea.ai. We will respond within 30 days as required by GDPR. If the request is complex, this period may be extended by an additional 60 days with prior notice.
You also have the right to lodge a complaint with the Italian Data Protection Authority:
Garante per la protezione dei dati personali Website: www.garanteprivacy.it Email: protocollo@gpdp.it PEC: protocollo@pec.gpdp.it
12. Data Security
We implement industry-standard security measures including:
Encryption in transit (TLS 1.3)
Encryption at rest for stored data
Access controls and authentication (including CAPTCHA protection)
Regular security reviews
However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to taking all reasonable measures to protect your data.
13. Data Protection Impact Assessment (DPIA)
In accordance with GDPR Article 35, we have conducted a Data Protection Impact Assessment for our AI processing activities, which involve systematic evaluation of personal aspects through automated means. This assessment evaluates:
The necessity and proportionality of our data processing
Risks to the rights and freedoms of data subjects
Measures taken to mitigate identified risks
The DPIA is reviewed and updated annually, or whenever significant changes are made to our processing activities. A summary is available upon request to privacy@tildea.ai.
14. Cookies & Tracking Technologies
In accordance with the Italian Garante's cookie guidelines (Provvedimento 10 giugno 2021), we use only essential (technical) cookies required for the Service to function:
Authentication cookies: To keep you logged in securely (Supabase session).
Session cookies: To maintain your session state across pages.
Security cookies: Cloudflare Turnstile (CAPTCHA) sets clearance cookies to verify you are not a bot. These cookies are strictly necessary for security and do not track your activity.
We do not use third-party advertising cookies, social media trackers, cross-site tracking technologies, or profiling cookies. Because we use only essential cookies, no cookie consent is required under the ePrivacy Directive (2009/136/EC), but we inform you of their use for full transparency.
15. Children's Privacy
The Service is not directed at children under 16, in accordance with Italian data protection requirements. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us at privacy@tildea.ai and we will promptly delete such data.
16. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notification at least 30 days in advance. Your continued use of the Service after changes take effect constitutes acceptance. If you do not agree to the updated policy, you must stop using the Service and may request deletion of your data.
Privacy Inquiries
For privacy-related questions, data requests, or to exercise your GDPR rights, contact our team at privacy@tildea.ai.