Privacy Policy

Status: 28 Mar 2025

This English translation is provided for convenience only. The German version is legally binding. German law applies.

1. Controller

Controller within the meaning of the GDPR: Internities UG (haftungsbeschränkt), Hansastraße 42, 20144 Hamburg, Germany

E-mail: hello@internities.de

Data Protection Officer (DPO): No statutory obligation to appoint a Data Protection Officer currently applies. For data protection enquiries, please contact us at the address above.

2. Overview: Which data we process

We process personal data when you use our website and platform, in particular:

  • Account data: name, e-mail address, password hash, role (student / company)
  • Student profile data: education / university, skills, experience, preferences, uploaded documents (e.g. CV, certificates, proof of enrollment), links (e.g. LinkedIn / GitHub), enrollment verification status
  • Company profile data: company details, contact persons, internship role listings, questionnaire responses, skill-radar data
  • Usage / log data: IP address, timestamps, device / browser information, application events (e.g. login, page views, applications)
  • Communication data: support requests, platform messages
  • Application / matching data: application status, AI-generated match scores and recommendations, feedback signals (e.g. interview / offer, if provided)

2.1. Cost Calculator

We provide a cost calculator on our website. Information entered in the cost calculator is processed and stored exclusively in anonymised form. No assignment to a specific person or company occurs.

No personal data (e.g. name, e-mail address, contact person) are collected or stored in the cost calculator.

The anonymously collected data are used exclusively for statistical evaluation, product improvement, and internal market analysis.

No consolidation with other data sources takes place.

3. Purposes and legal bases

We process personal data for the following purposes:

  1. Provision of the platform / contract performance (registration, login, profiles, applications, matching, skill-radar generation) – Art. 6(1)(b) GDPR.
  2. Enrollment verification of students using AI-assisted document analysis (see Section 4) – Art. 6(1)(b) GDPR (necessary to verify eligibility before granting platform access) and Art. 6(1)(f) GDPR (legitimate interest in preventing misuse).
  3. Security, abuse prevention, rate limiting, bot protection (Cloudflare Turnstile) – Art. 6(1)(f) GDPR (legitimate interest: a secure platform).
  4. Support & communication – Art. 6(1)(b) and/or Art. 6(1)(f) GDPR.
  5. Web analytics (Vercel Analytics) – only with your prior consent – Art. 6(1)(a) GDPR and Section 25 TDDDG (consent).
  6. Payment processing – Art. 6(1)(b) GDPR; statutory retention obligations – Art. 6(1)(c) GDPR.

4. Use of artificial intelligence, profiling, and automated decisions

We use AI systems (currently: Anthropic Claude) in several parts of the platform. We describe each use case, the data involved, and the significance for you below.

4.1 Skill-radar generation for company roles — When a company fills out a role questionnaire, we send the questionnaire responses (not student data) to an AI model that generates a multi-axis skill radar visualisation. A second AI model reviews the output for quality. This is a tool assisting companies in describing their roles and does not evaluate or affect students. Legal basis: Art. 6(1)(b) GDPR.

4.2 Document analysis — When students upload documents (e.g. CV, certificates), the text content of those documents may be sent to an AI model for classification and structured data extraction (e.g. identifying skills, education, work experience). No raw document files are sent; only the extracted plain text is transmitted. Legal basis: Art. 6(1)(b) GDPR.

4.3 Enrollment verification (automated decision-making) — To verify that a user is an enrolled student, uploaded proof-of-enrollment documents are analysed by an AI model that assigns a confidence score. If the score meets a defined threshold, platform access is granted automatically; if it does not, access is denied. This constitutes an automated individual decision within the meaning of Art. 22(1) GDPR that significantly affects you (it determines whether you can use the platform).

We rely on Art. 22(2)(a) GDPR (the verification is necessary for entering into the user contract) for this automated decision. In accordance with Art. 22(3) GDPR, you have the right to: (a) obtain human intervention — contact us at hello@internities.de and a team member will review your case manually; (b) express your point of view; and (c) contest the decision. We aim to respond to such requests within 5 business days.

4.4 Match recommendations — Profile and role data may in future be used to generate match recommendations between students and company roles (profiling within the meaning of Art. 4(4) GDPR). These recommendations serve as suggestions only; the final decision on any application is always made by the company, not by an automated system. No solely automated decision with legal effect is made in the matching process. Legal basis: Art. 6(1)(b) GDPR.

You may object to processing based on legitimate interests at any time (see Section 9 — Your rights).

5. Website, cookies, local storage, and consent (TDDDG / GDPR)

5.1 Technically necessary storage — We use technically necessary cookies and browser local storage for authentication sessions (managed by Supabase Auth) and security purposes. Legal basis: Art. 6(1)(f) GDPR; access to information on the end-user device is permitted under Section 25(2) TDDDG without consent where it is strictly necessary.

5.2 Analytics consent — We use Vercel Analytics to understand how visitors use our public pages. Analytics scripts are loaded only after you give explicit consent via our consent banner. No analytics data is collected if you do not consent or if you decline. Your consent decision is stored in browser local storage (key: internities_analytics_consent). You can change your choice at any time via the "Cookie Settings" link in the page footer. Legal basis for analytics: Art. 6(1)(a) GDPR and Section 25(1) TDDDG (consent).

5.3 Analytics privacy safeguards — Even with consent, page views from authenticated dashboard areas (e.g. /company/dashboard, /student/dashboard, /student/documents, /student/applications) are not transmitted to Vercel Analytics. Sensitive URL parameters (e.g. tokens, e-mail addresses) are stripped before transmission. Vercel Analytics does not use cross-site cookies and does not track individual users.

5.4 Cloudflare Turnstile — On certain public forms (e.g. waitlist signup), we use Cloudflare Turnstile to protect against bots. Turnstile may access information stored on your device (Section 25 TDDDG) to verify that you are a human user. This is strictly necessary for security and does not require consent. Cloudflare processes your IP address and browser signals for this purpose. Legal basis: Art. 6(1)(f) GDPR (legitimate interest: bot protection).

5.5 Fonts — We use the Google Inter font, but it is bundled and served from our own infrastructure at build time (via Next.js). No requests are made to Google servers when you visit our website.

6. Recipients / processors

We use the following service providers as processors within the meaning of Art. 28 GDPR, or as recipients of personal data:

  • Vercel Inc. (San Francisco, USA) — Hosting, serverless compute, and web analytics. All website requests are routed through Vercel's infrastructure. Analytics data is collected only with your consent (see Section 5.2).
  • Supabase Inc. (USA / AWS infrastructure) — Database hosting, user authentication, and file storage (e.g. uploaded student documents). Supabase Auth also sends system e-mails such as password-reset and magic-link messages.
  • Anthropic PBC (San Francisco, USA) — AI processing. Extracted text from documents and questionnaire data is sent to Anthropic's Claude API for skill-radar generation, document classification, and enrollment verification (see Section 4). No raw files are transmitted; only plain text and structured data.
  • Google Cloud Platform (Google Ireland Ltd / Google LLC) — Optical character recognition (OCR) via Google Document AI. Used only as a fallback when primary text extraction from uploaded documents fails (e.g. scanned or image-based PDFs). Document content (raw bytes) is sent to a Google Document AI processor configured in the EU region.
  • Resend Inc. (USA) — Transactional e-mail delivery (e.g. welcome e-mails, admission magic links). Recipient e-mail addresses and e-mail content are transmitted to Resend.
  • Cloudflare Inc. (San Francisco, USA) — Bot protection via Cloudflare Turnstile on selected public forms. Cloudflare processes IP addresses and browser challenge tokens (see Section 5.4).
  • Upstash Inc. (USA) — Serverless Redis used for API rate limiting. Only user identifiers or IP addresses with request counters are stored temporarily; no business data or personal content is stored in Upstash.

We conclude data processing agreements (DPAs / AVV) with our processors in accordance with Art. 28 GDPR.

7. International transfers

Several of our processors are based in the United States. For transfers of personal data to the USA, we rely on the following safeguards as applicable to each provider:

  • EU–US Data Privacy Framework (DPF): Where a US-based provider is certified under the DPF, the transfer is covered by the European Commission's adequacy decision of 10 July 2023 (Commission Implementing Decision (EU) 2023/1795) pursuant to Art. 45 GDPR.
  • EU Standard Contractual Clauses (SCCs): Where a provider is not certified under the DPF or where additional safeguards are appropriate, we use EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.

Google Document AI OCR processing is configured to run in the EU region, so document content processed by this service does not leave the EEA under normal operation.

8. Storage periods

We store personal data only as long as necessary for the respective purpose or as required by law:

  • Account and profile data: for the duration of your active account.
  • Uploaded documents and extracted text: for as long as the account is active or the data is needed for verification / matching purposes.
  • After account deletion: personal data is deleted or anonymised within a reasonable period, unless statutory retention obligations (e.g. commercial or tax law, typically 6–10 years for invoicing data) require longer retention.
  • Log data and rate-limiting data: typically retained for a few weeks to months for security and abuse-prevention purposes.
  • Analytics data (Vercel Analytics): processed in aggregated / anonymised form by Vercel; we do not store individual analytics data.
  • Consent records: stored for the duration of your account for accountability (Art. 5(2) GDPR).

9. Your rights

Under the GDPR, you have the following rights. You may exercise them at any time by contacting us at hello@internities.de:

  • Right of access (Art. 15 GDPR) — obtain confirmation of and access to your personal data
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR) — you may object at any time to processing based on Art. 6(1)(f) GDPR (legitimate interests), including profiling based on that provision
  • Right to withdraw consent (Art. 7(3) GDPR) — you may withdraw consent at any time with effect for the future, without affecting the lawfulness of processing before withdrawal
  • Rights related to automated individual decisions (Art. 22(3) GDPR) — where an automated decision significantly affects you (currently: enrollment verification, see Section 4.3), you have the right to obtain human intervention, express your point of view, and contest the decision

Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The supervisory authority responsible for our registered office is: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI), Ludwig-Erhard-Str. 22, 20459 Hamburg, Tel.: 040 / 428 54 - 4040, E-Mail: mailbox@datenschutz.hamburg.de, Web: https://datenschutz-hamburg.de

Contact for data protection requests: hello@internities.de

10. Data security

We implement appropriate technical and organisational measures (e.g. TLS encryption in transit, access controls, role-based permissions, database-level security policies, encrypted storage, regular backups) to protect your data against unauthorised access, loss, or alteration.

11. Changes to this Privacy Policy

We update this Privacy Policy when the platform, our data processing practices, or legal requirements change. The current version is always available on our website. Material changes will be indicated by an updated date at the top of this page.