Privacy Policy of Huunt GmbH
Last updated: 06.04.2026
1. General Information
This Privacy Policy provides information about the processing of personal data when using the website huunt.ai, the Huunt app, and the related services.
We process personal data in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications Digital Services Data Protection Act (TDDDG).
2. Controller
Huunt GmbH
Knesebeckstraße 76
10623 Berlin
Germany
Email: legal@huunt.ai
Phone: +49 30 25323679
A data protection officer has not currently been appointed.
3. What Data We Process
3.1 Registration and Account Data
In particular, we process:
- email address,
- where applicable, name,
- account settings,
- login information,
- where applicable, profile picture and technical account information when registering via Google or LinkedIn.
3.2 Application and Profile Data
Depending on use, we process in particular:
- resume data,
- where applicable, application photo,
- information on education, work experience, knowledge, and skills,
- job-search preferences,
- uploaded attachments such as references, certificates, or portfolio files,
- cover letters, email templates, and application documents,
- job-match ratings and user feedback,
- communication content related to applications.
3.3 Optional Data
Users may optionally provide additional information, such as:
- OCEAN / Big Five personality information,
- digitally configured signature,
- other voluntarily provided profile data.
3.4 Pre-Contractual Entries Before Registration
Before registration is completed, Huunt may process job-search-related entries or an uploaded resume in order to prepare use of the services. If registration is not completed, this data is not stored permanently.
3.5 Payment and Contract Data
For paid bookings, we process in particular:
- plan,
- price,
- term,
- order history,
- payment status,
- billing period.
Payment data itself is generally processed by our payment service provider.
3.6 Technical Usage Data
When visiting our website and app, we process in particular:
- IP address,
- times of access,
- device data,
- browser and system information,
- log data,
- security-related events.
4. Purposes and Legal Bases
We process personal data in particular for the following purposes:
4.1 Performance of Contract (Art. 6(1)(b) GDPR)
To provide our services, in particular for:
- registration and account management,
- job search and job matching,
- resume and application functions,
- sending and managing applications,
- payment processing,
- handling cancellations,
- customer communication.
4.2 Consent (Art. 6(1)(a) GDPR)
Where required, we process data on the basis of consent, in particular for:
- newsletters and other promotional emails,
- cookies and tracking technologies requiring consent,
- optional functions, insofar as they are designed on a separate consent basis.
4.3 Legitimate Interests (Art. 6(1)(f) GDPR)
To safeguard our legitimate interests, in particular for:
- IT security,
- misuse and fraud prevention,
- product improvement,
- error analysis,
- assertion, exercise, or defense of legal claims,
- permissible communication with existing customers regarding our own similar services.
4.4 Legal Obligations (Art. 6(1)(c) GDPR)
To comply with statutory retention and documentation obligations, in particular under tax and commercial law.
5. AI Processing and OpenAI
5.1 Use of AI Functions
We use AI-supported systems to support our services, in particular for:
- parsing, structuring, and analyzing resumes,
- generating and optimizing resumes,
- job matching and explaining ratings,
- creating cover letters and emails,
- adapting resumes to job postings,
- chat functions with our AI agent “Ethain”.
5.2 AI Service Provider
For certain AI functions, we currently use OpenAI in particular as an external AI service provider and processor.
5.3 Data Minimization Before Transmission
Where technically possible and appropriate for the respective purpose, we separate or reduce directly identifying information such as names or contact details before transmitting data to AI services.
5.4 No Training Based on Our API Usage
According to OpenAI, data processed via the API is not used by default to train OpenAI models unless explicit permission for this has been granted.
5.5 Processing in the EU and Possible Third-Country Transfers
We process personal data primarily within the European Union. Where technically possible and appropriate for the respective purpose, we reduce or separate directly identifying information before transmitting data to external AI service providers.
However, in connection with the use of external service providers — in particular in the fields of AI, payment processing, security functions, and other technical infrastructure — personal data or pseudonymized data may, in individual cases, be processed outside the EU or EEA.
Where required, we base such transfers on appropriate safeguards, in particular an adequacy decision or the Standard Contractual Clauses of the European Commission. Further information may be requested using the contact details provided in this Privacy Policy.
6. Recipients and Service Providers
In particular, we use the following service providers or categories of services:
- AWS for hosting, infrastructure, and technical email / communication functions,
- Stripe for payment processing,
- OpenAI for AI functions,
- PostHog for analytics (consent-based),
- Sentry for error analysis and system security,
- Affonso for affiliate tracking (consent-based),
- Google Ads Conversion Tracking (consent-based),
- Google reCAPTCHA on the cancellation page for abuse prevention.
Additional service providers may be used where this is necessary for the technical or organizational provision of the services.
7. Cookies, Tracking, and Consent Management
7.1 General
We use cookies and similar technologies. Some of these are technically necessary; others are used only with consent.
Where information is stored on or accessed from your end device by cookies or similar technologies, this is governed by Section 25 TDDDG. The subsequent processing of personal data is governed by the GDPR.
7.2 Technically Necessary Technologies
Technically necessary technologies may be used where this is required to provide our services, ensure security, or carry out functions expressly requested by the user.
7.3 Technologies Requiring Consent
We use technologies requiring consent in particular for analytics, advertising, and affiliate purposes. These currently include in particular:
- PostHog for usage analytics,
- Affonso for affiliate tracking,
- Google Ads Conversion Tracking for measuring advertising campaigns.
The legal basis for setting or reading such technologies is Section 25(1) TDDDG. The legal basis for the subsequent processing of personal data is Art. 6(1)(a) GDPR.
For affiliate tracking via Affonso, the cookie affonso_referral in particular may be used with a current duration of up to 90 days. The specific technical setup may change; the decisive factor is the current consent and tracking configuration.
7.4 Withdrawal of Consent
Consent to technologies requiring consent may be withdrawn or changed at any time with effect for the future. For this purpose, we provide a permanently accessible “Cookie Settings” function.
7.5 Google reCAPTCHA
We use Google reCAPTCHA on the cancellation page to protect against abusive automated entries. This serves to protect our services and our users against unauthorized cancellation processes.
8. Login with Google and LinkedIn
If you sign in with Google or LinkedIn, we receive from the respective provider the data required for authentication and the setup of your account. The exact scope depends on the interface provided by the provider and your settings there.
At present, these logins essentially serve the purpose of signing in; additional profile content is not imported from those accounts to any significant extent.
9. Communication and Application Functions
Where you use application functions, we process application-related communication data, such as:
- sent application emails,
- incoming replies,
- metadata relating to applications,
- message histories related to applications.
At present, for automated dispatch, Huunt uses only those application email addresses that a job posting expressly states as application addresses.
Where the user sends an application to employers outside the EU or EEA — for example in the case of remote positions based abroad — the application-related data is transmitted to the respective recipient at the user’s express request. The legal basis for this transfer is Art. 49(1)(b) GDPR. Users should be aware that the destination country may not provide a level of data protection comparable to that of the EU.
10. OCEAN (Big Five) and Enneagram
Use of the OCEAN (Big Five) / Enneagram function is voluntary. Such information is processed only if the user actively uses the function. It is used in applications only following the user’s active approval.
Users may remove such information again in the account settings, where technically provided.
11. Storage Period
We store personal data only for as long as necessary for the respective purposes or as long as statutory retention obligations apply.
At present, the following principles apply in particular:
- Account data: generally until account deletion, unless statutory retention obligations prevent this
- Application documents, attachments, application history, and messages in the Huunt inbox: generally until account deletion, unless earlier deletion occurs or statutory retention obligations prevent this
- Job-match data and rating information: generally until account deletion; in the future, we may archive, anonymize, or delete older job-match data for technical, organizational, or economic reasons after giving appropriate advance notice
- Billing and accounting data: 10 years, where legally required
- Communication data: 3 years until the end of the calendar year, unless longer retention is required
- PostHog raw data: 14 days
- Sentry error reports: 14 days
- Protocol data / logs: 30 days
- Cancellation form data: after processing, no later than 30 days, unless longer retention is required
We may adjust storage periods in the future if there are objective reasons for doing so and users are informed in advance with reasonable notice where required.
12. Rights of Data Subjects
Subject to the statutory requirements, you have in particular the following rights:
- right of access,
- right to rectification,
- right to erasure,
- right to restriction of processing,
- right to data portability,
- right to object,
- right to withdraw granted consents with effect for the future,
- right to lodge a complaint with a supervisory authority.
The competent data protection supervisory authority is in particular:
Berlin Commissioner for Data Protection and Freedom of Information
Alt-Moabit 59-61
10555 Berlin
Germany
To exercise your rights, a message to legal@huunt.ai is sufficient.
13. No Solely Automated Decision-Making Within the Meaning of Art. 22 GDPR
Our AI functions support users in job search and applications. Huunt does not make legally significant or similarly significant decisions about users exclusively by automated means. The decision whether to use suggestions, documents, and the dispatch of applications remains with the user.
14. Changes to This Privacy Policy
We may amend this Privacy Policy if our services, the technologies used, or the legal framework change. The current version is available on our website.