
AI Resume Builders and GDPR: What's Allowed in 2026 — and What Isn't

Which AI resume tools are GDPR-compliant, which aren't, and what the EU AI Act requires on top of that starting August 2026.

When you upload a CV to an AI tool, you typically hand over your full name, address, date of birth, work history at named employers, sometimes marital status and a photo. That's more personal data in one place than most people ever entrust to a single website.

The question "Is this even GDPR-compliant?" rarely gets asked — and even more rarely gets answered honestly.

What GDPR actually requires

Three requirements are particularly relevant for resume tools.

Legal basis and purpose limitation (Art. 5 and 6). The tool needs a legal basis (Art. 6) to process your data; for paid tools that is usually performance of the contract. Purpose limitation (Art. 5(1)(b)) then ties the data to that purpose: reusing it for advertising, model training, or profiling needs a legal basis of its own, which in practice means your explicit consent.

Data transfer to third countries (Art. 44-49). If the tool's servers are in the US, or it runs on a US cloud provider behind another service, the provider is subject to the US CLOUD Act, which lets US authorities compel disclosure regardless of where the data physically sits. Since the Schrems II ruling (CJEU C-311/18, 2020), that conflict is a legal problem. Standard Contractual Clauses (SCCs) remain valid, but only together with a transfer impact assessment and supplementary measures such as encryption the US provider cannot reverse. The 2023 EU-US Data Privacy Framework offers an adequacy route, but only for providers that are actually certified under it.

Right to erasure (Art. 17). You have the right to have your data deleted — everywhere the tool has stored it. Including backups, training data, and at sub-processors. A tool that doesn't offer a direct delete function has a problem.

Where most tools fail

We looked at 15 AI resume tools active in the European market. The pattern:

US providers with GDPR marketing. Many tools write "GDPR-compliant" on the landing page but host entirely in the US and call OpenAI without a zero-retention agreement. The fine print says that "Standard Contractual Clauses apply". SCCs are still a lawful transfer mechanism after Schrems II, but on their own they are not enough: they have to be paired with a transfer impact assessment and supplementary measures, and the fine print rarely mentions either.

EU providers with US subprocessors. Slightly better: providers headquartered in the EU but using OpenAI or Anthropic for the actual AI processing — and in most cases without a special zero-retention agreement. Your data still ends up on US servers, just with a layover.

Tools without model cards. From 2 August 2026, the EU AI Act's obligations for high-risk AI systems apply, including technical documentation of what the system does: which model, which training data, which known limitations. The Act requires that documentation for supervisory authorities and, in the form of instructions for use, for deployers; it does not itself require public publication, but publishing it is the only way an end user can check it. Today, no major resume tool publishes this documentation publicly.

What a GDPR-compliant tool should look like

Concrete criteria you can check in the privacy policy:

  • Servers in the EU, ideally with named location
  • AI provider under an explicit zero-retention agreement (your data is not stored for training or logging)
  • Direct delete function in account settings, not "email support"
  • Published list of all sub-processors
  • Data Protection Impact Assessment (DPIA) public or available on request

If even one of these is missing, ask explicitly. A serious provider answers within a couple of days; formally, Art. 12(3) gives them up to one month to respond to a data-subject request.

The EU AI Act arrives in August

From 2 August 2026, the bulk of the EU AI Act applies, including the obligations for high-risk AI systems. Annex III lists AI used in recruitment and selection, including analysing and filtering job applications, as high-risk. Whether an applicant-side CV tool falls under that heading is not yet settled; for a tool that does, Articles 13 and 14 matter most.

Article 13 requires transparency toward the deployer: the system has to come with instructions that explain how it works, what its limitations and expected accuracy are, and how its output should be interpreted. Article 50 separately requires that you are told when you are interacting with an AI system. Article 14 requires human oversight: the system has to be designed so that a person can understand its output, decide not to use it, and override or reverse it. Applied to a CV tool, that means each AI-generated suggestion gets reviewed and accepted, edited, or rejected before it becomes part of your application.

In practice, on that reading: tools that just produce a finished CV and ask you nothing more won't be compliant after August. Tools that walk you through each suggestion and record your decision will be.

What we do

At RefactorCV, all servers run in Falkenstein, Germany. AI processing runs through Anthropic Claude under a zero-retention agreement — your data is neither logged nor used for training. Every AI suggestion is recorded in an audit log with SHA-256 hashes you can view yourself. And export is locked until you've actively accepted, edited, flagged, or rejected every suggestion.

It's not the easiest path. It's the only one that works under Article 14 from August.
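The following is an added illustration of the kind of audit trail and export gate described above; it is not RefactorCV's code. The entry layout, the four decision names, the SHA-256 hash chaining of entries, and the sample CV text are all assumptions made for this example. It shows two things the paragraph only states: that a chained log makes any later edit to a recorded suggestion detectable, and that export is refused while any suggestion is still undecided.

```python
"""Hash-chained audit log of AI suggestions with an Article 14 style export gate.

Added example, not RefactorCV's implementation. Entry layout, decision names
and chaining scheme are assumptions made for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

GENESIS = "0" * 64                                   # prev-hash of the first entry
DECISIONS = {"accepted", "edited", "flagged", "rejected"}


def _digest(body: dict) -> str:
    """SHA-256 over canonical JSON, so equal content always yields the same hash."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class AuditLog:
    """Append-only record: each entry carries the hash of the previous one."""
    entries: list = field(default_factory=list)

    def _append(self, body: dict) -> str:
        body["seq"] = len(self.entries)
        body["prev"] = self.entries[-1]["hash"] if self.entries else GENESIS
        h = _digest(body)
        self.entries.append({**body, "hash": h})
        return h

    def record_suggestion(self, section: str, original: str, suggestion: str) -> str:
        """Log what the model proposed, before the user acts on it. Returns the entry hash."""
        return self._append({"kind": "suggestion", "section": section,
                             "original": original, "suggestion": suggestion})

    def record_decision(self, suggestion_hash: str, decision: str,
                        final_text: Optional[str] = None) -> str:
        """Log the user's choice for one still-undecided suggestion."""
        if decision not in DECISIONS:
            raise ValueError(f"unknown decision {decision!r}")
        if decision == "edited" and final_text is None:
            raise ValueError("'edited' requires the user's final_text")
        if suggestion_hash not in self.pending():       # unknown or already decided
            raise KeyError("no undecided suggestion with that hash")
        return self._append({"kind": "decision", "ref": suggestion_hash,
                             "decision": decision, "final_text": final_text})

    def pending(self) -> list:
        """Hashes of suggestions the user has not yet acted on."""
        decided = {e["ref"] for e in self.entries if e["kind"] == "decision"}
        return [e["hash"] for e in self.entries
                if e["kind"] == "suggestion" and e["hash"] not in decided]

    def verify(self) -> bool:
        """Recompute every hash and re-walk the chain; any edit, reorder or deletion breaks it."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("seq") != i or body.get("prev") != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def export(self, cv_sections: dict) -> dict:
        """The gate: refuse to export while the log is damaged or any suggestion is undecided."""
        if not self.verify():
            raise RuntimeError("audit log failed integrity check; refusing to export")
        undecided = self.pending()
        if undecided:
            raise PermissionError(f"{len(undecided)} suggestion(s) still undecided")
        return {"cv": cv_sections, "audit_entries": len(self.entries),
                "audit_head": self.entries[-1]["hash"] if self.entries else GENESIS}


def demo() -> dict:
    """Walk through one review session on constructed sample text (not a real CV)."""
    log = AuditLog()
    h1 = log.record_suggestion("summary", "Worked in IT.",
                               "Infrastructure engineer with six years in cloud operations.")
    h2 = log.record_suggestion("skills", "Linux", "Linux (Debian, RHEL), Terraform, Kubernetes")
    log.record_decision(h1, "accepted")
    try:                                              # one suggestion still open: export must fail
        log.export({"summary": "...", "skills": "..."})
        blocked = False
    except PermissionError:
        blocked = True
    log.record_decision(h2, "rejected")               # user keeps the original "Linux"
    result = log.export({"summary": "Infrastructure engineer with six years in cloud operations.",
                         "skills": "Linux"})
    return {"blocked_while_pending": blocked,
            "audit_entries": result["audit_entries"],
            "chain_ok": log.verify()}


if __name__ == "__main__":
    print(demo())
```

The user-facing "hashes you can view yourself" part corresponds to showing the `hash` and `prev` fields of each entry; anyone holding a copy of the log can rerun `verify()` and confirm that what they see is what was recorded.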

What you can do today

If you already use an AI tool, check the privacy policy. Servers in the US? Ask which transfer mechanism they rely on after Schrems II and whether a transfer impact assessment exists. No delete function? Ask explicitly. No model card? Ask.

Most tools won't respond, or will reply with evasive standard language. That's the answer.