Privacy Policy.
How your data is collected, used, and protected.
Last updated: February 2026
Data Controller
The controller responsible for the processing of your personal data on this website is:
What Data We Collect
Contact Form Submissions
When you submit the contact form, we collect your name, email address, and message. Your IP address is stored as a one-way SHA-256 hash (not in plain text) for spam prevention.
AI Assistant Interactions
When you use the “Ask My CV” assistant, your questions are sent to our server for processing. We do not store your questions or the assistant's responses. Only latency metrics and token counts are logged (without message content).
Voice Input
If you use the voice input feature, your audio is sent to our server and immediately forwarded to OpenAI's Whisper API for transcription. The audio is never stored on our servers — it is streamed and discarded.
Analytics
We use Umami, a self-hosted, privacy-first analytics tool. It does not use cookies, does not track you across websites, and does not collect any personally identifiable information. Only aggregate page view and event data is collected.
Purposes & Legal Basis
| Purpose | Legal Basis (GDPR) | Retention |
|---|---|---|
| Respond to contact inquiries | Consent (Art. 6(1)(a) GDPR) | 12 months |
| Provide AI assistant responses | Legitimate interest (Art. 6(1)(f) GDPR) | Not stored |
| Voice transcription | Legitimate interest (Art. 6(1)(f) GDPR) | Not stored |
| Website analytics | Legitimate interest (Art. 6(1)(f) GDPR) | Aggregated, no PII |
| Spam prevention (IP hashing) | Legitimate interest (Art. 6(1)(f) GDPR) | 12 months |
Recipients & Processors
Your personal data may be shared with the following third-party processors:
OpenAI, Inc.
United States — AI chat, embeddings, and voice transcription
Resend, Inc.
United States — Contact form email delivery
International Transfers
Some of our processors are based in the United States. Data transfers to the US are conducted under the EU-U.S. Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs) as appropriate, in accordance with Chapter V of the GDPR.
Your Rights
Under the GDPR, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Rectification: Request correction of inaccurate personal data
- Erasure: Request deletion of your personal data
- Restriction: Request limitation of processing of your data
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interest
- Withdraw consent: Withdraw consent at any time without affecting prior processing
To exercise any of these rights, contact us at andreversteeg@hotmail.com. We will respond within 30 days.
Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with:
Cookies & Tracking
This website does not use tracking cookies. Our analytics tool (Umami) is cookieless and privacy-first. For more details, see our Cookie Information page.
Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the website after changes constitutes acceptance of the updated policy.
Questions about your data?
Don't hesitate to reach out if you have questions about how your data is handled.