Privacy Policy
Last updated March 7, 2026
This Privacy Policy explains how Velario AG (“we”, “us”) collects, uses, stores, and protects your personal data when you use the Versio Cloud service. This policy does not apply to the source-available Versio Community Edition.
1. Who We Are
Versio is operated by Velario AG, Zurich, Switzerland.
Data Controller: Velario AG, Zurich, Switzerland
contact@versio-cv.com
2. Data We Collect
2.1 Account Data
| Data | Purpose | Required |
|---|---|---|
| Email address | Authentication, communications | Yes |
| Name | Display in the application | Yes |
| Password (hashed) | Authentication | Yes (unless OAuth) |
| Profile photo | Display in the application | No |
| 2FA secret | Account security | No |
| OAuth provider ID | Authentication via Google/LinkedIn | No |
2.2 CV Content
Data entered by users to build professional profiles and CV versions:
- Personal details (name, job title, location, phone, email, website, summary)
- Work experience (company, role, dates, descriptions)
- Education (institution, degree, dates)
- Skills and skill categories
- Certifications, publications, languages
- Profile photos and CV version configurations
Important: If you enter data about other people (e.g., team members), you are responsible for having a lawful basis to process their data.
2.3 Payment Data
We do not store payment card details. Payments are processed by Stripe. We store only Stripe customer ID, subscription ID, and billing status. See Stripe’s privacy policy.
2.4 Technical Data
| Data | Purpose |
|---|---|
| IP address | Security, abuse prevention |
| Browser type | Compatibility, debugging |
| Access timestamps | Security logs |
| Feature usage (anonymized) | Product improvement |
We do not use tracking cookies, advertising cookies, or third-party profiling. We use Cloudflare Turnstile to protect certain actions (e.g., registration, login) from automated abuse. Cloudflare may collect your IP address, browser type, and interaction data to distinguish humans from bots. See Cloudflare’s privacy policy.
3. How We Use Your Data
| Purpose | Legal Basis | Data Used |
|---|---|---|
| Providing the Service | Contract performance | Account data, CV Content |
| Processing payments | Contract performance | Payment references |
| AI-powered features | Contract + consent | CV Content (when AI is used) |
| Account security | Legitimate interest | Account & technical data |
| Service notifications | Contract performance | Email address |
| Abuse prevention | Legitimate interest | Technical data |
| Product improvement | Legitimate interest | Anonymized usage data |
| Legal compliance | Legal obligation | As required by law |
We do not use your data for advertising, selling to third parties, training AI models, or automated decision-making with legal effects.
4. Where Your Data Is Stored
4.1 Primary Storage
Your data is stored on servers operated by Infomaniak Network SA in Switzerland (Geneva) — ISO 27001 and ISO 9001 certified. Your data does not leave Switzerland for primary storage.
4.2 AI Processing
When you use AI Features, relevant Content is transmitted to our AI provider. See Section 6 for details.
4.3 Payment & Email
Payments are processed by Stripe (US, with SCCs). Transactional emails are sent via our email provider with minimal content.
5. Data Sharing and Sub-Processors
| Sub-Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Infomaniak Network SA | Database & file hosting | All Content | Switzerland |
| Stripe, Inc. | Payment processing | Payment refs, email | US (with SCCs) |
| Anthropic (API) | AI feature processing | CV text (when used) | US (SCCs via Ireland) |
| Cloudflare (Turnstile) | Bot protection (CAPTCHA) | IP address, browser metadata | Global (with SCCs) |
We maintain DPAs with all sub-processors. Full list available at contact@versio-cv.com. We do not sell or trade your data.
6. AI Features and Data Processing
6.1 When AI Processing Occurs
AI processing happens only when you actively use an AI Feature: CV import, AI generation, quality analysis, summary rewriting, ATS checking, candidate matching, or translation. If you don’t use these features, no Content is sent to AI providers.
6.2 What Data Is Sent
We send the minimum Content necessary — typically CV text, job descriptions, or version content.
We do not send profile photos, payment information, account credentials, or other users’ data (unless required for candidate matching within your Organization).
6.3 AI Provider: Anthropic (Claude API)
- No training on customer content
- 30-day retention for trust & safety, then permanent deletion
- US processing — transfers via Standard Contractual Clauses (Anthropic Ireland Ltd)
6.4 Your Control
AI is always user-initiated. You can use the Service without AI. You review all AI-generated content before accepting it. We may change AI providers while maintaining equivalent data protection standards.
7. Data Retention
| Scenario | Retention Period |
|---|---|
| Active account | Retained while account is active |
| Deletion requested | 30-day grace period (cancellable), then permanently deleted |
| Cancelled subscription | Read-only; 30 days after billing period, then deleted |
| Inactive cancelled/expired account (12 months) | Email reminder; deleted 30 days after if no login. Active subscriptions not affected. |
| AI provider (Anthropic) | Deleted within 30 days of processing |
| Security logs | Up to 12 months |
| Billing records | Up to 10 years (Swiss law) |
8. Your Rights
Under the Swiss FADP and EU GDPR (where applicable):
Access & Portability
Access all your data through the Service. Export in JSON, PDF, or Word format at any time.
Rectification & Deletion
Edit your data directly. Delete your account through settings — all Content is removed within 30 days.
Object & Restrict
Object to processing based on legitimate interest. Request restriction while disputes are resolved.
Withdraw Consent
Where processing is based on consent (e.g., AI Features), withdraw at any time by ceasing use of the feature.
Contact contact@versio-cv.com to exercise your rights. We respond within 30 days.
Complaints: Switzerland — FDPIC (edoeb.admin.ch). EU — your local supervisory authority.
9. Data Security
- Encryption in transit (TLS/HTTPS) and at rest
- Hashed passwords (bcrypt) with optional two-factor authentication
- Role-based access control within Organizations
- ISO 27001 certified infrastructure (Infomaniak)
- 72-hour breach notification to users and authorities
10. Cookies and Local Storage
We do not use tracking or advertising cookies. The Service uses only essential browser storage (authentication token and UI preferences in localStorage).
Cloudflare Turnstile may set a security cookie (cf_clearance) as part of its bot detection. This cookie is strictly necessary for security and does not track you across websites.
No cookie consent banner is required.
11. Children’s Privacy
The Service is not intended for individuals under 16. We do not knowingly collect data from children.
12. International Transfers
Primary data is stored in Switzerland (adequate protection per EU Commission). Transfers to the US (AI, payments) are governed by Standard Contractual Clauses and DPAs.
13. Changes to This Policy
Material changes are notified at least 30 days in advance. During the beta period (as defined in our Terms of Service, Section 2.1), changes to this Privacy Policy require only 7 days’ notice. Previous versions available upon request.
14. Contact
Velario AG
Zurich, Switzerland
contact@versio-cv.com