Privacy Policy
Effective: 12 April 2026 · Last reviewed: 12 April 2026
Contents
- 1. Who We Are
- 2. Data We Collect
- 3. How We Use Your Data
- 4. Legal Basis for Processing (GDPR)
- 5. Data Sharing and Processors
- 6. International Data Transfers
- 7. How Long We Keep Your Data
- 8. Your Rights
- 9. California Residents (CCPA)
- 10. Cookies and Storage
- 11. Children's Privacy
- 12. Sensitive Data in Your CV
- 13. Security
- 14. Changes to This Policy
- 15. Contact Us
1. Who We Are
Myapplykit ("we", "us", or "our") operates the job-search workspace available at https://www.myapplykit.com. For the purposes of UK GDPR and EU GDPR, Myapplykit is the data controller — we decide why and how your personal data is processed.
Our registered correspondence address and data-protection contact: privacy@myapplykit.com.
2. Data We Collect
2.1 Data you give us
- Account data: name, email address, and a hashed password (or a Google account identifier if you sign in via Google).
- Profile and career data: CV/resume text, target roles, seniority, headline, career narrative, compensation targets, remote preference, deal-breakers, and any other fields you complete in your profile.
- Job application data: job descriptions you evaluate, application status, notes, and interview stories you save.
- Company watchlist: company names and career-page URLs you add to your scanner.
- Support communications: messages you send to our support address.
- Payment data: billing and payment details collected on our behalf by Stripe (we never see or store your full card number).
2.2 Data collected automatically
- Authentication logs: login timestamps, IP addresses, and session version numbers — used to detect unauthorised access and honour "sign out everywhere" requests.
- Usage meters: counts of how many times you use each AI feature within a billing period (used to enforce plan limits).
- Audit logs: a record of security-relevant actions (account creation, password resets, subscription changes) with a timestamp and, where available, an IP address.
- Error and performance data: stack traces, request paths, and browser version collected by our error-monitoring provider (Sentry) when an application error occurs.
- Standard server logs: HTTP request method, URL, status code, timestamp, and User-Agent, retained briefly for operational troubleshooting.
We do not use third-party analytics scripts, advertising trackers, or social-media pixels.
3. How We Use Your Data
- Providing the service: storing your profile, running AI evaluations against the job descriptions you submit, generating tailored CV suggestions, interview-prep content, and all other features you use.
- Authentication and account security: verifying your identity at login, sending email verification and password-reset messages, detecting suspicious sessions, and letting you revoke all active sessions.
- Billing and subscriptions: processing payments through Stripe, maintaining your subscription status, and enforcing plan limits via usage meters.
- Transactional email: delivering account-verification emails, password-reset emails, and billing receipts via Resend.
- Service reliability and security: monitoring for errors, abuse, and security incidents; maintaining audit logs; enforcing rate limits.
- Legal compliance: retaining records we are obliged to keep by law (e.g., financial/tax records related to transactions).
- Service improvement: understanding how features are used in aggregate (without identifying you individually) to guide product decisions.
We do not use your data for advertising, profiling for third-party commercial purposes, or to train AI models. Anthropic's API is called on your behalf when you trigger a feature; see Section 5 for details.
4. Legal Basis for Processing (UK GDPR / EU GDPR)
If you are in the UK or European Economic Area, we rely on the following lawful bases under Article 6 of UK GDPR / EU GDPR:
- Contractual necessity (Art. 6(1)(b)): processing your account data, profile, career data, and AI usage in order to deliver the service you signed up for. Without this processing the service cannot function.
- Legal obligation (Art. 6(1)(c)): retaining transaction records as required by tax and accounting law.
- Legitimate interests (Art. 6(1)(f)): security monitoring, fraud prevention, audit logging, error monitoring, and aggregate service analytics. Our legitimate interest is to operate a secure and reliable service. We have assessed that these interests are not overridden by your rights, given the limited nature of the data involved and the security measures in place.
We do not currently rely on consent as a legal basis for any routine processing. If that changes (e.g., if we introduce an optional newsletter), we will ask for your consent separately and you will be able to withdraw it at any time.
5. Data Sharing and Sub-Processors
We never sell your personal data. We share it only with the service providers listed below, each acting as a data processor on our instructions, and only to the extent necessary to perform the service.
- Anthropic (Claude API) — AI inference provider. When you trigger an AI feature (evaluation, CV generation, interview prep, etc.) your profile data and the relevant input are sent to Anthropic's API for processing. Anthropic does not use API inputs to train its models under its enterprise API terms. See Anthropic's Privacy Policy.
- Stripe — Payment processing and subscription management. Stripe collects billing information directly and is an independent data controller for payment data. See Stripe's Privacy Policy.
- Resend — Transactional email delivery (verification emails, password resets). Resend receives your email address and the email content we send to you. See Resend's Privacy Policy.
- Sentry — Error monitoring. Sentry receives error reports that may include your IP address, browser/OS version, and the URL where an error occurred. It does not receive your CV or profile content. See Sentry's Privacy Policy.
- Auth0 (Okta) — Social login (Google) is handled via Auth0. If you sign in with Google, Auth0 receives your Google email address and profile information as part of the OAuth flow. See Auth0's Privacy Policy.
- Database hosting provider — Our production PostgreSQL database is hosted by a managed cloud provider. All data at rest is encrypted. The provider acts as a data processor under a data processing agreement.
- Adzuna — Job listing data. We query the Adzuna API to populate your job feed. We send search terms (your target role keywords) to Adzuna; we do not send your personal profile. See Adzuna's Privacy Policy.
We may also disclose personal data if required by law, court order, or to protect the rights, property, or safety of Myapplykit, our users, or the public.
6. International Data Transfers
Several of our sub-processors (Anthropic, Stripe, Sentry, Resend, Auth0) are based in the United States. Transferring personal data from the UK or EEA to the US requires appropriate safeguards.
For transfers from the UK: we rely on the International Data Transfer Agreement (IDTA) and, where applicable, the UK–US Data Bridge (in force since 12 October 2023) for processors that are certified under it.
For transfers from the EEA: we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework adequacy decision.
You can request a copy of the relevant transfer mechanisms by contacting privacy@myapplykit.com.
7. How Long We Keep Your Data
- Account and profile data: retained for as long as your account is active. If you request deletion, we remove your personal data within 30 days, subject to any legal hold obligations (e.g., transaction records).
- Transaction and billing records: retained for 7 years to comply with financial and tax regulations (the data is limited to billing records, not your CV or profile).
- Audit and security logs: retained for 12 months, then deleted. We need this window to detect and investigate security incidents.
- Email-verification and password-reset tokens: expire within 24 hours and 1 hour respectively; token hashes are cleared on use or expiry.
- Error logs (Sentry): retained for 90 days by default under Sentry's standard retention policy.
8. Your Rights
Under UK GDPR and EU GDPR you have the following rights. To exercise any of them, email privacy@myapplykit.com. We will respond within one calendar month (extendable by a further two months for complex requests).
- Right of access (Art. 15): request a copy of the personal data we hold about you and information about how it is used.
- Right to rectification (Art. 16): ask us to correct inaccurate or incomplete data. You can update most of your data directly in your profile settings.
- Right to erasure / "right to be forgotten" (Art. 17): ask us to delete your personal data. We will comply unless we are legally required to retain certain records.
- Right to restrict processing (Art. 18): ask us to pause processing your data in certain circumstances (e.g., while a rectification request is resolved).
- Right to data portability (Art. 20): receive a structured, machine-readable copy of the data you gave us, where processing is based on contract or consent and carried out by automated means.
- Right to object (Art. 21): object to processing based on our legitimate interests. We will stop unless we have compelling legitimate grounds that override your interests.
- Right not to be subject to automated decisions (Art. 22): we do not make solely automated decisions that produce legal or similarly significant effects about you. AI-generated evaluations are always subject to your own review and control.
- Right to lodge a complaint: if you are unhappy with how we handle your data, you have the right to complain to a supervisory authority. In the UK that is the Information Commissioner's Office (ICO). In the EU, contact your local data-protection authority.
9. California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA gives you additional rights:
- Right to know: the categories and specific pieces of personal information we have collected, and the purposes for which it is used.
- Right to delete: request deletion of your personal information, subject to certain exceptions.
- Right to correct: request correction of inaccurate personal information.
- Right to opt out of sale / sharing: we do not sell or share your personal information for cross-context behavioural advertising. There is no opt-out needed, but you may direct a request to privacy@myapplykit.com at any time.
- Right to non-discrimination: we will not discriminate against you for exercising any CCPA rights.
- Sensitive personal information: we do not use sensitive personal information (as defined by CPRA) for any purpose other than providing the service.
To exercise your CCPA rights, email privacy@myapplykit.com with "California Privacy Request" in the subject line. We will respond within 45 days.
10. Cookies and Browser Storage
Myapplykit uses only strictly necessary cookies. No advertising, analytics, or social-media tracking cookies are used.
- career_ops_session — Authentication session token. HTTP-only, Secure, SameSite=Lax. 7-day lifetime. Required to keep you signed in.
- career_ops_session_ok — Session validation timestamp (avoids a database round-trip on every page load). HTTP-only, SameSite=Lax. 30-second lifetime. Strictly necessary for performance of the authentication check.
- career_ops_auth_state, career_ops_auth_nonce, career_ops_auth_pkce, career_ops_auth_return_to — Short-lived cookies used only during the Google OAuth login flow (10-minute lifetime). Deleted immediately after login completes.
Because all cookies are strictly necessary for the service to function, no cookie consent banner is required under the UK Privacy and Electronic Communications Regulations (PECR) or EU ePrivacy Directive. You can delete these cookies at any time in your browser settings; doing so will sign you out.
Sentry's client-side SDK may use browser memory (not persistent cookies) for internal session context. No persistent tracking identifiers are written to localStorage or sessionStorage by Myapplykit.
11. Children's Privacy
Myapplykit is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16. If you believe a child has created an account, please contact us at privacy@myapplykit.com and we will delete the account promptly.
12. Sensitive Data in Your CV
Your CV or profile may incidentally contain special-category personal data (e.g., information about health, disability, religion, or ethnicity) if you have included such information. We process this data only as part of your CV text submitted to the AI evaluation service, relying on your explicit action of submitting it (Article 9(2)(a) — explicit consent through deliberate submission).
We recommend you review your CV and redact any sensitive personal data that is not directly relevant to your job applications before uploading it to any platform, including Myapplykit.
13. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- All data in transit encrypted with TLS 1.2+
- All data at rest encrypted by the database hosting provider
- Passwords stored using bcrypt with a cost factor of 12 (never stored in plain text)
- Session tokens signed with HS256 and verified on every authenticated request
- HTTP-only, Secure, SameSite session cookies to prevent XSS and CSRF attacks
- Rate limiting on all authentication endpoints to prevent brute-force attacks
- Content Security Policy headers on all pages
- SSRF protection on all outbound URL fetches
- Audit logging of all security-relevant events
Despite these measures, no internet service can guarantee absolute security. If you become aware of a security concern, please report it to privacy@myapplykit.com promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective date" at the top and notify you by email at least 14 days before the change takes effect. We will also display a notice on the service. Your continued use of Myapplykit after the effective date constitutes acceptance of the updated policy.
15. Contact Us
For any privacy-related questions, data access or deletion requests, or to raise a concern, please contact:
- Email: privacy@myapplykit.com
- General support: support@myapplykit.com
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (UK) or your local data-protection supervisory authority.