Privacy Policy

This Privacy Policy applies to JobsApply (sole proprietorship) ("we", "us", "our"), the operator of JobsApply (the "Service"). It explains what personal information we collect, how we use it, who we share it with, how long we keep it, how we protect it, and what rights you have over it.

This policy is written to apply globally. Depending on where you live, additional rights or disclosures may apply — those are set out in the regional addenda in Section 15. If a mandatory law in your jurisdiction conflicts with any part of this policy, the mandatory law controls for you.

1. Who is responsible for your personal information

We are the "controller" of personal information collected through the Service (GDPR, UK GDPR, LGPD), the "organization" responsible (PIPEDA), and the "business" (CCPA/CPRA).

• Operating entity: JobsApply (sole proprietorship)
• Jurisdiction of establishment: Ontario, Canada
• Privacy contact: privacy@jobsapply.app
• Mailing address: [Business mailing address to be added]

2. Personal information we collect

2.1 Information you provide

• Account data: email address, password (hashed), name, username, phone, social/portfolio URLs, bio, timezone, country (if provided).
• Profile data for job applications: address, city, region/province/state, postal code, country, work authorization, desired salary, years of experience, current role and employer, education, languages, certifications, skills, references.
• Sensitive / special-category information (optional): date of birth, gender, ethnicity or race, disability status, veteran status, Indigenous status, and similar characteristics that some employers collect on equal-opportunity or diversity forms. You control whether to provide any of this. We use it only to fill corresponding fields on applications you direct us to submit and to display it back to you. Under GDPR, UK GDPR, and LGPD this is "special category" data processed on the basis of your explicit consent (which you can withdraw at any time) and your entry of it into a profile field is that consent. Under Quebec Law 25, this is "sensitive personal information" and you will be separately informed of any new use before we begin it.
• Documents you upload or generate: resumes, CVs, cover letters, and their markdown or PDF content.
• Career facts and anecdotes: items you add to help tailor application content.
• Third-party site credentials: usernames/emails and passwords you store in the Service so we can log you in to job-board or employer sites. Passwords are encrypted at rest using symmetric encryption (Fernet / AES-128-CBC + HMAC). Your provision of these credentials is your authorization for us to use them for the purpose you set up.
• Job-tracking data: jobs you save, their descriptions, notes, application status, contacts you add.
• Custom answers: responses you enter to questions we could not auto-fill.
• Payment information: billing name, address, and payment method, collected and processed by Stripe. We do not receive or store your full card number. For U.S., EU, UK, and other taxable jurisdictions, we may collect additional tax information (VAT ID, GST/HST number, state/ZIP for U.S. sales-tax) so Stripe Tax can compute the correct tax.
• Consent records: what version of these policies you agreed to, when, and your IP address at the time of consent.

2.2 Information collected automatically

• Usage data: actions you take, features used, timestamps, AI model usage, token counts (for billing and usage limits).
• Technical data: IP address, browser type, device type, timezone. IP addresses are stored with waitlist signups and consent records; otherwise they appear in ephemeral server logs.
• Cookies and similar technologies: essential cookies for authentication and session management; a timezone cookie for display formatting; a cookie-consent preference cookie. Optional analytics are off by default and only activated if you opt in where the law requires opt-in consent. See our Cookie Policy.

2.3 Information generated by Auto-Apply

• Screenshots of application pages, including the pre-submit state, so you can review what was submitted.
• Logs of each step the automated agent took, including URLs visited, form fields filled, and AI tool calls.
• Browser state including cookies and local storage from the sites you interact with, kept in a profile we maintain for you so that you do not have to repeatedly pass CAPTCHA or two-factor verification.

2.4 Information we do not collect

We do not knowingly collect biometric identifiers, precise geolocation (beyond the city-level inference from an IP), health or genetic data other than what you voluntarily enter in optional EEO fields, information about children under 16, or information about people who are not you. If you inadvertently share any such information, contact us and we will delete it.

3. How we use your personal information

We use personal information only for the purposes listed below. We will not use it for a new, materially different purpose without first giving you notice and — where required by law — obtaining your consent.

Automated decision-making. We do not make any decision that produces a legal or similarly significant effect about you without a human in the loop. AI is used to draft content; the final decision to submit anything is yours.

No training on your data. We do not use your personal information to train any AI model ourselves, and we do not submit your data to AI providers for the purpose of training their models. See Section 4.1.

4. How we share your personal information

We share personal information only with the service providers and recipients described below, and only for the purposes described.

4.1 Categories of service providers

We use third-party service providers to operate the Service. Each is engaged under a written contract or the provider's standard terms and is permitted to process personal information only for the purposes we engage them for. The categories are:

• Hosting and infrastructure — application hosting, database hosting, DNS, CDN, and TLS termination.
• AI providers — large-language-model APIs used to generate application content and drive form-filling. Content sent includes only what is needed to complete the task (for example, a job description, your profile and resume content, and form HTML). We do not use your data to train any AI model ourselves, and we do not submit your data to AI providers for the purpose of training their models.
• Payment processing and tax calculation — for checkout, recurring billing, customer portal, and automatic sales-tax / VAT / GST computation.
• Transactional and (if you opt in) marketing email delivery.
• Error and performance monitoring — optional; configured to exclude default personally identifiable information.
• Privacy-friendly product analytics — optional, cookie-less, loaded only if you have opted in where applicable law requires opt-in consent.
• Public job-listing aggregation — public search APIs and libraries that receive only the search terms you enter, not your identity.

The identity of the specific providers we use is available on request to privacy@jobsapply.app. Where we transfer personal information from the EU, UK, Switzerland, Brazil, or another jurisdiction with cross-border rules, we rely on Standard Contractual Clauses, the UK International Data Transfer Agreement, or an adequacy decision as appropriate. Copies of the safeguards are available on request.

4.2 Third-party job sites and employers

When you use Auto-Apply or submit an application through the Service, we send your application information to the third-party site or employer you direct us to. Those recipients are independent controllers of that information and their own privacy policies apply. You authorize these transmissions each time you submit an application, and you acknowledge that we do not control and cannot see what the recipient does with the data afterwards.

4.3 Other recipients

• Legal and compliance: we may disclose personal information where required by a valid legal process, to protect our rights, users, or the public, or to comply with applicable law (including GDPR, UK GDPR, PIPEDA, CCPA/CPRA, and LGPD). We push back on overbroad requests and notify you where permitted.
• Business transfers: if we reorganize, incorporate, sell all or part of our assets, or merge, your personal information may be transferred to the successor or purchaser, subject to this Privacy Policy or a replacement that provides equivalent protection. You will be notified of any such change.

4.4 We do not sell or "share" your personal information for cross-context behavioural advertising

We do not sell personal information for money or other valuable consideration, and we do not share it with third parties for their own advertising or marketing purposes. This is true under CCPA/CPRA, Law 25, LGPD, and any other comparable standard.

5. International data transfers

We are based in Ontario, Canada. Our service providers operate in Canada, the United States, the European Union, and other jurisdictions listed on the Subprocessors page. Your personal information may be stored, accessed, and processed in those jurisdictions. Where required:

• For transfers out of the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (EU 2021/914) or the UK IDTA / Addendum, as well as supplementary measures (encryption in transit, access controls, processor obligations).
• For transfers out of Brazil we rely on LGPD Art. 33 mechanisms (contractual clauses and specific consent where required).
• For transfers out of Canada we disclose the cross-border transfer to you in this Policy; your continued use of the Service after notice is your acknowledgement that your data may be subject to the laws of the country in which it is processed.

You may request copies of the relevant safeguards from privacy@jobsapply.app.

6. Data retention

• Account data and related records: retained while your account is active. When you delete your account, the record is removed from our active database immediately. Residual copies may remain in encrypted backups until those backups roll off (currently up to 30 days).
• Documents, jobs, credentials, profile, career facts, anecdotes, consents, usage records: deleted together with the account (cascade). You can also delete any individual document, job, credential, or anecdote from within the Service at any time.
• Auto-Apply screenshots, logs, and browser state: retained while your account is active so you can review them; removed when the task or account is deleted.
• Payment and tax records: Stripe retains billing records as required by tax and financial-recordkeeping law (typically 6–10 years depending on jurisdiction). We retain a salted-hash fingerprint of the email of every deleted account to prevent abuse of free-tier resets; the raw email is discarded.
• Security / legal holds: we may retain information for as long as necessary to investigate an incident, comply with a legal obligation, or defend a claim.

7. Your rights

Depending on where you live, you may have the following rights. Exercise any of them by emailing privacy@jobsapply.app or by using the links in your account. We will respond within the timeframes required by applicable law — typically 30 days (with extensions where the law permits).

• Access / "know": request a copy of the personal information we hold about you, along with the categories, sources, recipients, and purposes. Use Export my data.
• Correction / rectification: request correction of inaccurate or incomplete information via your profile settings or by contacting us.
• Deletion / erasure / "right to be forgotten": request deletion of your account and associated personal information. Use Delete my data. Some information may be retained for the limited purposes described in Section 6.
• Restriction of processing: ask us to limit how we process your data in specified circumstances (for example while a correction request is pending).
• Objection: object to processing based on legitimate interests or for direct marketing. We will comply.
• Withdrawal of consent: where processing is based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
• Portability: receive your data in a structured, commonly used, machine-readable format. Our export tool provides JSON.
• Non-discrimination: we will not discriminate against you for exercising any of these rights.
• Automated decision-making: you can request information about any automated decision that significantly affects you. We do not currently make such decisions.
• Complaint: you may complain to your local data protection authority. Contact details are in Section 15.

Identity verification. Before we act on a request we may need to verify that you are who you say you are, using information from your account. We will use the least-intrusive method available.

Authorized agents. If you use an authorized agent (for example, a solicitor or a legally appointed representative), we require the agent to provide signed, written permission from you and we may contact you directly to confirm the request.

8. How we protect your information

• All data in transit is encrypted using TLS 1.2 or newer.
• Third-party site credentials are encrypted at rest.
• Passwords are hashed with a modern, salted algorithm (PBKDF2).
• Production servers are firewalled; administrative access is SSH-key based.
• Access to production data is limited to the operator and, where applicable, named contractors bound by confidentiality obligations.
• Security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) are applied. Session and CSRF cookies are HttpOnly, Secure, and SameSite=Lax.
• Payment card data is handled by Stripe under PCI-DSS; we do not see or store full card numbers.
• We apply rate limiting to authentication, signup, and password-reset flows.
• We follow a documented incident-response process.

No service can guarantee absolute security. If we become aware of a security incident affecting your personal information we will notify the competent authorities and, where required, affected individuals within the timeframes mandated by applicable law (generally 72 hours under GDPR/UK GDPR and "as soon as feasible" under PIPEDA/Law 25/CCPA/LGPD).

9. Cookies

See our standalone Cookie Policy for a full list, purpose, and expiry of each cookie we use and how to control them. In short:

• Essential cookies (session, CSRF) run without your consent because the Service cannot function without them.
• Optional cookies (analytics, preferences) are off by default and, where your law requires opt-in consent (for example the EU, UK, and some U.S. states), are only activated after you click "Accept" in the cookie banner.
• We do not use third-party advertising, cross-site tracking, or "pixel" cookies.

10. Marketing and transactional communications

• We will send you marketing email only if you have opted in during signup or in your account settings.
• Every marketing email contains a one-click unsubscribe link and our postal address in the footer (CAN-SPAM / CASL / PECR / ePrivacy compliant).
• Transactional email — account verification, password reset, billing, security, application notifications, and similar — is sent while your account is active regardless of marketing consent, because it is necessary to perform the contract.
• You can withdraw marketing consent at any time by clicking "Unsubscribe" in any marketing email or by emailing privacy@jobsapply.app.

11. Artificial intelligence — transparency

The Service uses AI to draft application content and to help fill application forms. You are interacting with AI-generated text whenever you see a draft produced by the "Generate" or "Auto-Apply" features. We disclose this in-app where AI output is presented. The final decision to submit anything is yours. We do not submit your data for model training, and we do not use your data to train models ourselves.

12. Children

The Service is not directed to anyone under the age of 16 and we do not knowingly collect personal information from anyone under 16. If you believe we have collected information from a minor, email privacy@jobsapply.app and we will delete it. We may apply a higher minimum age (18) where local law requires it, including for the purpose of creating a contract or consenting to this policy.

13. Changes to this Policy

We may update this Privacy Policy from time to time. If a change is material we will notify you by email or through the Service at least fifteen (15) days before it takes effect, and will update the "Last updated" date and version number above. Minor clarifications are effective when posted. Your continued use of the Service after a change takes effect is your acceptance of the updated policy; if you do not accept a change you may delete your account.

14. How to contact the Privacy Officer

For privacy inquiries or to exercise the rights above:
Email: privacy@jobsapply.app
Mail: [Business mailing address to be added], Ontario, Canada

You can also submit a structured request using our Data Rights Request form.

15. Regional addenda

15.1 European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR / FADP)

If you are in the EEA, UK, or Switzerland, the following additional information applies:

• Controller: as identified in Section 1.
• Legal bases: as set out in the table in Section 3.
• EU / UK representative: We do not currently maintain a representative under Art. 27 GDPR / UK GDPR. You can contact us directly at privacy@jobsapply.app.
• Rights: access, rectification, erasure, restriction, portability, objection, withdrawal of consent, right not to be subject to automated decision-making, and the right to lodge a complaint with your supervisory authority. You can find your authority at edpb.europa.eu. UK residents may complain to the ICO. Swiss residents may contact the FDPIC.
• Sensitive / special-category data: processed only on the basis of your explicit consent, which you can withdraw at any time by clearing the field from your profile.
• International transfers: we rely on Standard Contractual Clauses (EU 2021/914) or the UK IDTA / Addendum and supplementary measures, available on request.

15.2 California, Colorado, Connecticut, Utah, Virginia, Texas, Oregon, and other U.S. state privacy laws

Under the California Consumer Privacy Act, as amended by the CPRA ("CCPA"), and substantially similar laws in other U.S. states, you have the rights to: know what categories of personal information we collect and for what purposes; access your personal information; correct inaccurate information; delete it; opt out of "sale" or "sharing" for cross-context behavioural advertising (we do neither); limit our use of sensitive personal information; and not be discriminated against for exercising any of these rights.

• Categories collected (CCPA §1798.140): identifiers, customer records, commercial information, internet/electronic activity, geolocation (approximate), professional and employment information, education information, inferences, and (where you provide it in EEO fields) characteristics of protected classifications and sensitive personal information.
• Sources: directly from you; automatically from your interaction with the Service.
• Business purposes: as set out in Section 3.
• "Sale" / "share": we do not sell or share your personal information, including information of minors, as those terms are defined under CCPA.
• Sensitive personal information ("SPI"): we use SPI only for the purposes you directed (filling EEO / diversity fields on forms) and do not use it to infer characteristics about you.
• Retention: as set out in Section 6.
• How to exercise rights: email privacy@jobsapply.app or use the in-app export/delete tools. We verify identity using your account credentials.
• Shine the Light (California Civil Code §1798.83): we do not disclose personal information to third parties for their direct marketing purposes.

15.3 Canada — PIPEDA / Quebec Law 25 / Alberta & BC PIPA

• PIPEDA rights (access, correction, withdrawal of consent, complaint to the Office of the Privacy Commissioner at priv.gc.ca) apply to our commercial activities.
• Quebec residents — Law 25: additional rights to cessation of dissemination, de-indexing, information about automated decision-making, and notification of cross-border transfers. You may complain to the Commission d'accès à l'information du Québec. You can also request processing in the French language at privacy@jobsapply.app.
• Alberta and British Columbia residents have equivalent rights under provincial PIPA; contact details above.

15.4 Brazil — LGPD

If you are in Brazil, the Lei Geral de Proteção de Dados Pessoais (Law 13.709/2018) applies. You have the rights set out in Art. 18 LGPD: confirmation, access, correction, anonymization/blocking/deletion, portability, information about data sharing, withdrawal of consent, and review of automated decisions. You may complain to the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.

15.5 Australia — Privacy Act 1988

If you are in Australia, the Australian Privacy Principles (APPs) apply. You may complain to the Office of the Australian Information Commissioner at oaic.gov.au if we do not resolve your concern.

15.6 Other jurisdictions

We apply equivalent standards globally. If a mandatory law in your jurisdiction grants you stronger rights than those listed above, those rights apply to you. Contact us to exercise them.

16. "Do Not Track" and Global Privacy Control

Because we do not track users across sites and do not sell personal information, "Do Not Track" signals do not change our practices. We honour browser-level Global Privacy Control ("GPC") signals as an opt-out of sale or sharing, although we do not engage in either.

Changelog.
v3.0 — April 2026. Rewritten for global availability. Added GDPR / UK GDPR / FADP, CCPA/CPRA, LGPD, and Australia addenda; standardized legal-basis table; expanded international-transfer section; added GPC; added Cookie Policy and Data Rights Request form references.
v2.0 — April 2026. Canada-only rewrite: named subprocessors, disclosed cross-border transfers, added Law 25, sensitive-data handling, children.
v1.0 — March 2026. Initial version.