Privacy Policy

Last updated: March 31, 2026

1. Information We Collect

We collect the following 12 categories of data:

  1. Account data — name, email address, hashed password
  2. Resume & profile data — resume content (YAML/PDF), skills, experience, education
  3. Job preferences — target roles, locations, salary expectations, remote preferences
  4. Application records — company names, job titles, timestamps, status, ATS responses
  5. QA pairs — questions and answers generated for job applications
  6. Cover letters — AI-generated cover letters tailored to job descriptions
  7. ATS scores & intelligence — keyword match scores, resume quality assessments
  8. Usage events — feature usage analytics, API call metadata, error rates
  9. Payment data — processed via Stripe; we never store full card numbers
  10. Authentication tokens — JWT sessions, API keys (stored as SHA-256 hashes)
  11. Cookie preferences — consent choices for analytics and marketing cookies
  12. Device & browser data — IP address (anonymized), user agent, for security and rate limiting only

2. Legal Basis for Processing

We process your data under the following legal bases (GDPR Article 6):

  • Contract performance — Processing necessary to provide the Service (submitting applications, tailoring resumes, generating cover letters)
  • Legitimate interest — Security monitoring, fraud prevention, service improvement, and aggregate analytics
  • Consent — Marketing emails, analytics cookies, and marketing cookies (which you can withdraw at any time)
  • Legal obligation — Tax records and billing data retained per applicable law

3. How We Use Your Information

  • To operate the agent and submit job applications on your behalf
  • To tailor resumes and generate cover letters using AI
  • To provide dashboard analytics about your application pipeline
  • To process payments and manage your subscription
  • To send transactional emails (password resets, billing receipts)
  • To improve service quality and fix bugs

4. Third-Party Processors

We do not sell your personal information. We share data with the following processors under Data Processing Agreements (DPAs):

| Processor | Purpose | Data shared |
|---|---|---|
| AWS (Amazon Web Services) | Cloud infrastructure, database hosting, S3 storage | All data (encrypted at rest with AES-256) |
| Stripe | Payment processing, subscription management | Email, name, payment method (PCI DSS Level 1 compliant) |
| OpenAI | AI resume tailoring, cover letter generation, ATS scoring | Resume content, job descriptions (not used for model training per API policy) |
| Amazon SES | Transactional and digest emails | Email address, name |
| Employer ATS platforms | Submitting job applications on your behalf | Name, email, resume, cover letter |

5. Data Retention

We retain your data for the following periods:

  • Account & profile data — while your account is active + 30 days after deletion request
  • Application records — while your account is active (exportable at any time)
  • Resumes & cover letters — while your account is active; permanently deleted 30 days after account deletion
  • Usage events — 12 months rolling window, then anonymized for aggregate analytics
  • Payment & billing data — 7 years after last transaction (tax/legal obligation)
  • Authentication tokens — JWT sessions expire after 24 hours; API key hashes deleted with account
  • Server logs — 30 days, with IP addresses anonymized after 7 days

Upon account deletion, all personal data is soft-deleted immediately (access revoked) and permanently removed within 30 days. You may export all your data at any time via the dashboard or API (GET /api/v1/me/export).

6. Data Security

We implement industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest, bcrypt password hashing, JWT token rotation, and rate limiting. See our API documentation for details on authentication and security headers.

7. Your Rights (GDPR)

Under GDPR and applicable data protection laws, you have the right to:

  • Access — Request a copy of all personal data we hold about you (GET /api/v1/me/export)
  • Rectification — Correct inaccurate or incomplete personal information via your dashboard settings
  • Erasure — Request deletion of your account and all associated data (POST /api/v1/me/delete)
  • Data portability — Export your data in a machine-readable JSON format, including applications, resumes, and preferences
  • Objection — Object to processing based on legitimate interest; we will cease processing unless we have compelling grounds
  • Restriction — Request restriction of processing while we verify your objection or rectification request
  • Withdraw consent — Withdraw consent for AI processing, marketing emails, or analytics cookies at any time without affecting prior processing

To exercise any of these rights, use the dashboard settings or email our Data Protection Officer at dpo@jobapplier.ai. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

8. Cookies

We use the following categories of cookies:

  • Essential cookies — Required for authentication (JWT session token) and security. Always active.
  • Analytics cookies — Opt-in. Used to understand feature usage patterns and improve the service.
  • Marketing cookies — Opt-in. Used for attribution tracking on marketing pages.

You can manage cookie preferences at any time via the cookie consent banner or your dashboard settings. Consent is valid for 12 months and we will ask again when it expires.

9. Children's Privacy

JobApplier.ai is intended for users aged 18 and older. We do not knowingly collect information from anyone under 18.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email and an in-app notice at least 14 days before taking effect.

11. Data Protection Officer

Our Data Protection Officer (DPO) can be reached at dpo@jobapplier.ai. For general privacy questions, email privacy@jobapplier.ai.