westbridge

GDPR Compliance

Last updated May 2026

1. Overview

Westbridge is committed to protecting the privacy and personal data of all users in compliance with the General Data Protection Regulation (EU) 2016/679. This page outlines our GDPR-specific commitments and how we uphold your data protection rights.

The data controller is Jonathan Schneider, based in Bautzen, Germany. For any GDPR-related inquiries, contact us at js@jonathanschneider.co.

2. Legal Bases for Processing

We process personal data under the following legal bases. Contract fulfillment (Art. 6(1)(b)) covers processing necessary to provide the Service, including account management, interview sessions, transcription, AI analysis, and credit management. Consent (Art. 6(1)(a)) applies to processing that requires your explicit permission, such as microphone recording during interviews, which you may withdraw at any time. Legitimate interest (Art. 6(1)(f)) covers service improvement, security, fraud prevention, and anonymized analytics, where we balance our interests against your rights. Legal obligation (Art. 6(1)(c)) applies to the retention of payment and transaction records as required by German tax and commercial law.

3. Your Data Subject Rights

Right of Access (Art. 15)

You may request confirmation of whether we process your personal data and obtain a copy, including the purposes of processing, categories of data, recipients, and retention periods.

Right to Rectification (Art. 16)

You may request correction of inaccurate personal data or completion of incomplete data without undue delay.

Right to Erasure (Art. 17)

You may request deletion of your personal data. You can also delete your account directly through the account settings page, which removes your account data, interview recordings and transcriptions, session history and AI-generated feedback, and credit balance records. Certain data may be retained where we have a legal obligation, such as payment records under tax law.

Right to Restrict Processing (Art. 18)

You may request restriction of processing in certain circumstances, such as when you contest data accuracy or object to processing.

Right to Data Portability (Art. 20)

You may request your personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.

Right to Object (Art. 21)

You may object to processing based on legitimate interest at any time. We will cease processing unless we demonstrate compelling grounds that override your interests.

Right to Withdraw Consent (Art. 7(3))

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

Automated Decision-Making (Art. 22)

Our AI-generated interview scores and feedback are informational and educational tools. They do not constitute legally binding or similarly significant automated decisions. No real-world hiring, financial, or career decisions are made by our systems.

4. How to Exercise Your Rights

You can exercise your rights by deleting your account through the account settings page or by contacting us at js@jonathanschneider.co. We will respond within 30 days. In complex cases, we may extend this by up to 60 additional days with prior notification. We may ask you to verify your identity before processing your request.

5. Data Processing Agreements

We engage Supabase for database, authentication, and storage infrastructure, Vercel for application hosting and content delivery, OpenRouter for AI model routing, and Stripe for payment processing. Each processor is contractually required to process data only on our instructions and to implement appropriate technical and organizational security measures.

6. International Data Transfers

Some of our processors are located in the United States. For transfers outside the EEA, we rely on EU-U.S. Data Privacy Framework certifications, Standard Contractual Clauses approved by the European Commission, and processor-specific data processing agreements addressing transfer safeguards.

7. Data Minimization and Retention

We collect only data necessary for providing the Service. Account data and interview recordings are deleted upon account deletion or upon request. Unused credits expire after 12 months without starting an interview. Payment records are retained per German tax law, typically up to 10 years. Technical logs are retained for up to 90 days.

8. Security Measures

We implement appropriate technical and organizational measures as required by Art. 32 GDPR, including TLS/HTTPS encryption for all data in transit, encrypted database connections, row-level security policies ensuring user data isolation, secure token-based authentication, no storage of raw payment card data, and no client-side exposure of secret API keys or service role credentials.

9. Data Breach Notification

In the event of a personal data breach likely to result in risk to individuals, we will notify the competent supervisory authority within 72 hours (Art. 33 GDPR). Where the breach is likely to result in high risk, we will also notify affected users without undue delay (Art. 34 GDPR).

10. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for our location is the Sächsische Datenschutz- und Transparenzbeauftragte (SDTB), Devrientstraße 5, 01067 Dresden, Germany (www.sdtb.sachsen.de).

11. Contact

For any GDPR-related inquiries or to exercise your data protection rights, contact us at js@jonathanschneider.co.