Legal
Privacy Policy
Effective: 9 May 2026 · Last updated: 9 May 2026
Tandem is an AI career co-pilot. We help you tailor CVs and track job applications. This policy explains what we collect, how we use it, and the rights you have over your data.
We are based in the European Union. The General Data Protection Regulation (GDPR, EU 2016/679) governs everything we do with your personal data.
Who we are
Tandem is operated as a sole-proprietorship business in France. The data controller is the founder of Tandem; you can reach us at contact@getandem.com for any privacy question.
What we collect
- Account information. Email address and a hashed password (handled by our auth provider, Supabase). If you sign in via Google, we receive your email and name from the OAuth provider.
- Profile data you give us. Full name, interface language, target roles, target locations, salary range, remote preference. You can edit or delete any of this from Settings.
- CV content. The PDFs and text you upload, the structured data we extract from them (experiences, education, skills, languages, bullets), and the tailored versions Tandem produces.
- Job postings. URLs, text, or screenshots you submit; the parsed structured data; and the application records you keep in the tracker (status, notes, follow-up dates).
- Usage logs. A timestamp, the event type (parse, rebuild, regenerate, export), and the input/output token counts of the AI call. We do not log the content of your CV or job postings in this table.
- Billing data. Your Stripe customer ID and subscription status. We do not store credit card numbers — Stripe handles those directly under PCI-DSS Level 1.
- Cookies and local storage. A session cookie set by Supabase Auth (essential), a language preference cookie set by next-intl (essential), and — only after you click Accept on the cookie banner — PostHog analytics cookies. Browsers signalling Do Not Track are auto-rejected and never see analytics cookies set.
How we use your data
- To provide the service: extract your CV, tailor it for a posting, render the PDF, save your application.
- To process your subscription via Stripe.
- To send transactional emails (welcome, payment failure) via Resend.
- To run anonymous product analytics via PostHog (hosted in the European Union) so we can fix bugs and improve the product. We do not autocapture clicks, do not record sessions, and do not share data with ad networks. Tracking is off by default — you must click Accept on the cookie banner for any PostHog event to fire.
- To enforce abuse limits (monthly tailoring caps, etc.).
We never use your data to train AI models. Our AI-processing partner (Anthropic) is configured under their API zero-data-retention terms; your CV and job postings are not retained on their side beyond the duration of the API request.
Third parties we share data with
| Service | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt) |
| Anthropic | AI tailoring of CVs and parsing of job postings | US (zero data retention) |
| Stripe | Payment processing | EU / US (PCI-DSS Level 1) |
| Resend | Transactional emails | EU / US |
| PostHog Cloud (EU) | Anonymous product analytics. EU data residency (Frankfurt). Reverse-proxied through getandem.com/ingest so no third-party domain cookies are set. | EU (Frankfurt) |
| Vercel | Hosting and CDN | EU / US |
We use Standard Contractual Clauses for any transfer outside the EEA. We do not sell your data, ever.
Your rights under GDPR
- Access. You can see and download all your data from My CV and the tracker at any time.
- Correction. Edit any field directly in the app.
- Deletion. Settings → Danger zone → Delete marks your account for deletion. After a 30-day grace period your data is permanently purged by an automated job. The grace period is there so you can change your mind.
- Portability. Your tailored CVs are exportable as ATS-friendly PDFs. Email us for a JSON export of everything.
- Objection / opt-out. Click Reject in the cookie banner, withdraw consent from the Cookies section of this page, enable Do Not Track in your browser, or write to us.
- Complaint. You have the right to lodge a complaint with the French data protection authority, CNIL.
Data retention
- Active accounts: data retained for the lifetime of your subscription.
- Cancelled subscriptions: account data retained for 30 days, then automatically purged.
- Backups: rolling 7-day encrypted backups, then rotated out.
- Usage logs (no content, only counters): retained for 12 months for billing and abuse prevention.
Cookies
Tandem uses cookies sparingly. None of them are used for advertising.
| Cookie | Set by | Purpose | Duration |
|---|---|---|---|
| sb-* | Supabase Auth | Keep you signed in | Session / 7 days |
| NEXT_LOCALE | next-intl | Remember your language | 1 year |
| ph_* | PostHog Cloud EU (consent-only) | Anonymous product analytics. Set only after you click Accept; never set if you signal Do Not Track. | 1 year |
| __stripe_* | Stripe | Fraud prevention during checkout | Session |
You can change your choice at any time. Withdrawing consent stops PostHog from receiving any further events from this browser.
Security
- All data encrypted in transit (TLS 1.3) and at rest (AES-256).
- Database access uses row-level-security policies; you can only ever read your own rows.
- API keys and secrets are stored in Vercel-encrypted environment variables, never in the repository.
- We monitor with Sentry for runtime errors; error reports are scrubbed of personal data before transmission.
Children
Tandem is intended for working professionals and is not directed at children under 16. We do not knowingly collect data from children.
Changes to this policy
We will notify you of material changes by email at least 30 days in advance. The most recent version of this policy is always at this URL, with the "Last updated" date at the top.
Contact
Questions or requests: contact@getandem.com. We reply within 5 working days.