Back to ALTYRALTYR

GDPR Compliance

Last updated: March 21, 2026

ALTYR is committed to compliance with the General Data Protection Regulation (GDPR) and respecting the privacy rights of individuals in the European Union and European Economic Area (EU/EEA). This page outlines our GDPR compliance measures and your rights as a data subject.

1. Data Controller

ALTYR acts as the data controller for personal data collected through the Service. For GDPR inquiries, contact our Data Protection contact at dpo@altyr.ai.

2. Lawful Bases for Processing

We process personal data under the following lawful bases:

  • Contractual Necessity (Art. 6(1)(b)): Processing required to provide the Service you requested (resume building, AI optimization, account management).
  • Consent (Art. 6(1)(a)): Marketing communications, optional analytics, and pre-registration data processing. You may withdraw consent at any time.
  • Legitimate Interest (Art. 6(1)(f)): Service improvement, fraud prevention, and security. We conduct balancing tests to ensure our interests do not override your rights.
  • Legal Obligation (Art. 6(1)(c)): Tax records, regulatory compliance, and law enforcement requests.

3. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights:

  • Right of Access (Art. 15): Request a copy of all personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to Restrict Processing (Art. 18): Request limitation of how we process your data.
  • Right to Data Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
  • Right to Object (Art. 21): Object to processing based on legitimate interests or direct marketing.
  • Right Not to Be Subject to Automated Decision-Making (Art. 22): Our AI provides recommendations only; no solely automated decisions with legal effects are made about you.

To exercise any of these rights, email dpo@altyr.ai. We will respond within 30 days. Complex requests may take up to 60 days with notice.

4. AI and Automated Processing

Our AI assistants process your resume data to generate optimization suggestions. This processing is based on contractual necessity (providing the Service you requested). Important safeguards include:

  • AI outputs are always presented as suggestions, never as final decisions.
  • You maintain full control to accept, modify, or reject any AI-generated content.
  • Your data is not used to train general AI models.
  • You can request human review of any AI-generated recommendations.

5. International Data Transfers

Our Service is hosted on Vercel infrastructure, which may involve data processing in the United States. We protect international transfers through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Data processing agreements with all sub-processors.
  • Technical measures including encryption and access controls.

6. Data Protection Impact Assessment

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risk to individuals, including our AI processing features. DPIAs are reviewed annually and updated when processing activities change.

7. Data Breach Notification

In the event of a data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, in accordance with Articles 33 and 34 of the GDPR.

8. Sub-Processors

We use the following sub-processors that may process EU/EEA personal data:

  • Vercel Inc. — Hosting and infrastructure (USA, SCCs in place).
  • Stripe Inc. — Payment processing (USA/Ireland, Privacy Shield certified).
  • Resend Inc. — Transactional email delivery (USA, SCCs in place).

9. Supervisory Authority

If you are unsatisfied with our response to a data protection concern, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.

10. Contact

Data Protection Contact: dpo@altyr.ai