Skip to main content

Legal

Privacy Policy

Effective 19 May 2026 · Terms of Service

Summary (one screen)

  • We collect only what we need to run your account and the editor.
  • Your CV content is yours. We do not sell it, share it for advertising, or use it to train AI models.
  • When you ask for AI help, the relevant text is sent to an AI sub-processor (Google Gemini by default, OpenRouter as fallback) and a copy of the request and response is logged so we can debug and bill credits.
  • You can export or delete your data at any time.

1. Who is responsible for your data (controller)

The data controller for personal data processed through Job Application Tracker is the operator of the Service, reachable at [email protected] or via the contact form. This Policy applies to the website jobapplicationtracker.co and any subdomains (the “Service”).

The operator’s full corporate / trading details will be published here once our company registration is finalised. Until then, contact the email above for any data-protection enquiry.

2. What we collect, why, and on what lawful basis

2.1 Account data

  • What: name, email address, password hash (we never see your password in plain text), optional personal info you choose to add (e.g. location, phone, links).
  • Why: to create and secure your account, sign you in, send transactional email (password reset, billing).
  • Lawful basis (GDPR): performance of contract (Art. 6(1)(b)).

2.2 CV content & uploads

  • What: CV files you upload, pasted CV text, parsed CV structure (sections, bullets, dates), cover-letter drafts, edits, and any “base CV” you save.
  • Why: to store, parse, display, edit, diff, and export your CVs and cover letters at your request.
  • Lawful basis: performance of contract.
  • Sensitive data: a CV may contain information about your nationality, religion, disability, health, or political views. We treat all CV content as confidential. You should avoid uploading documents that contain special-category data you do not want processed.

2.3 Application tracker data

  • What: jobs you add (title, company, link, status), notes, dates, files you attach, the job description text or URL you submitted.
  • Why: to give you a board / pipeline of the jobs you are tracking.
  • Lawful basis: performance of contract.

2.4 AI request & response logs

  • What: when you use an AI-assisted feature, we record metadata about the request (which feature, which model, tokens used, timestamp, success/failure, cost) along with the prompt sent and the response received. This necessarily includes any CV/JD text that was part of the request.
  • Why: to debug failed calls, prevent abuse, count credits, and improve reliability.
  • Lawful basis: legitimate interests (Art. 6(1)(f)) — operating and securing the Service. You can object: [email protected].
  • Not used to train models. See section 4.

2.5 Payment data

  • What: we use a third-party payment processor (e.g. Stripe) to handle subscriptions. We see the metadata of the transaction (amount, currency, plan, status, your customer ID with the processor). We do not see or store your card number.
  • Why: to charge you for paid plans.
  • Lawful basis: performance of contract + legal obligation (tax/accounting).

2.6 Contact form & newsletter

  • What: any message you send us; email address if you subscribe to the newsletter.
  • Lawful basis: consent (Art. 6(1)(a)) for the newsletter (you can unsubscribe any time); legitimate interest for replying to your support message.

2.7 Technical & server logs

  • What: IP address, user-agent, timestamp, requested URL, response status, error stack traces.
  • Why: to keep the Service secure and diagnose problems.
  • Lawful basis: legitimate interest in network and information security.

2.8 Cookies

  • We use only strictly necessary cookies: a session cookie (to keep you signed in) and an anti-CSRF cookie (to protect form submissions). No advertising or cross-site tracking cookies.
  • Browser localStorage may store your theme preference (light/dark).
  • Because these are strictly necessary or set with your explicit choice, no separate cookie banner is required under PECR / ePrivacy.

3. Sub-processors (who else touches your data)

We use a small number of trusted third parties to run the Service. They process data on our instructions, under written contracts that meet GDPR Article 28 (and equivalent UK law).

Sub-processor Purpose Region
Google LLC (Gemini / Google AI) Default AI model for parsing CVs, suggesting edits, scoring job fit. Global (US-headquartered)
OpenRouter, Inc. Fallback AI routing when the default provider is unavailable. US
DigitalOcean LLC (via Laravel Forge) Application hosting, database, file storage. EU / UK datacentre
Cloudflare, Inc. DNS, CDN, TLS, DDoS protection in front of the site. Global edge
Stripe Payments Europe Ltd Card and subscription processing (if you subscribe). EU / global
Transactional email provider Sending password resets, billing and account emails. EU / US

Where a sub-processor is outside the UK / EEA, we rely on the UK Addendum and the EU Standard Contractual Clauses (SCCs), plus any applicable adequacy decisions, to keep your data protected. You can request the current sub-processor list and details by emailing [email protected].

4. We do not train AI models on your content

  • We do not feed your CVs, cover letters, prompts, or AI outputs into any model-training pipeline of our own.
  • We use AI sub-processors under their commercial API terms, which prohibit them from using your data to train their general models (for example, Google’s paid Gemini API and OpenRouter explicitly do not use API requests for training under the contracts in force on the effective date of this Policy).
  • If a sub-processor changes its terms in a way that would allow training, we will switch or update this Policy and notify users.

5. How long we keep your data

  • Account data: until you delete your account, then removed within 30 days from production systems (longer from encrypted backups, which rotate within 60 days).
  • CVs & application data: until you delete them or your account.
  • AI request/response logs: 90 days, then deleted or fully anonymised.
  • Server logs: typically 30 days.
  • Billing records: kept for the period required by tax law (typically 6–7 years).
  • Contact form messages: up to 24 months after the issue is resolved.

6. Sharing

We do not sell your personal data and we do not share it for advertising. We share data only:

  • with the sub-processors listed above, strictly to provide the Service;
  • if compelled by a valid legal process (court order, subpoena), in which case we will, where lawful, notify you;
  • to protect the rights, property, or safety of users or third parties (e.g. fraud or abuse);
  • in connection with a corporate transaction (e.g. reorganisation, acquisition), in which case the acquirer must continue to honour this Policy.

7. Your rights

If you are in the UK, EEA, or somewhere with similar laws, you have the right to:

  • Access the data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”), subject to legal hold periods (e.g. billing records).
  • Restrict or object to processing based on legitimate interests.
  • Port your data in a structured, machine-readable format.
  • Withdraw consent at any time (for newsletter, for example).
  • Complain to a supervisory authority — in the UK that is the Information Commissioner’s Office; in the EU it is the data protection authority of the member state where you live.

To exercise any of these rights, email [email protected]. We respond within one month. Many actions (data export, account deletion) are available from inside your account.

8. Security

We protect your data with industry-standard measures: TLS in transit, encryption at rest on hosted volumes, hashed passwords (bcrypt/argon), tightly scoped IAM, automated backups, and access logging. No system is perfectly secure; we never claim 100 % — but we work to keep risk low and respond quickly to incidents. We will notify affected users and, where required, the supervisory authority of any qualifying personal-data breach without undue delay.

9. Children

The Service is not for under-16s (or the higher age of digital consent in your country). If we learn that a child has created an account, we will delete it.

10. International users

The Service is operated from the UK and hosted in the EU/UK. If you use it from elsewhere, you understand that your data is transferred to and processed in those regions and in the regions where our sub-processors operate. We use SCCs / UK Addendum where applicable.

11. Automated decision-making

AI suggestions are decision support, not automated decisions about you. We do not produce legal or similarly significant decisions about you using automated processing under Art. 22 GDPR.

12. Changes to this Policy

We may update this Policy. The effective date at the top will change. Material changes will be communicated by email or in-product notice before they take effect.

13. Contact

Privacy questions and data-rights requests: [email protected] or via the contact form.